Enabling DSE Unified Authentication

DSE Unified Authentication facilitates connectivity to three primary backend authentication and authorization services. DSE Unified Authentication uses the following services:

  • DSE Authenticator: Provides authentication using internal password authentication, LDAP pass-through authentication, and Kerberos authentication.

  • DSE Role Manager: Assigns roles by mapping user names to role names or looks up the group membership in LDAP and maps the group names to role names.

  • DSE Authorizer: Provides access to control for database objects.

By default, DSE Authenticator and DSE Authorizer are disabled. Authenticators other than DSE Authenticator are not supported.

OpsCenter also provides support for LDAP configuration, authenticating users.

Prerequisites

Complete the following procedures before enabling authentication:

  • When configuring an external authentication method such as Kerberos or LDAP ensure that the service is active and available.

    DSE fails to start when an authentication scheme or role management mode is configured but not available.

  • Configure the system_auth and dse_security keyspaces to use a replication factor of 3-5 for each datacenter, see Setting security keyspaces replication factors.

  • When enabling authentication in an existing environment, upgrade drivers and configure applications to provide credentials. Consider using the transitional mode to allow connections using the anonymous role, see Implementing without downtime in production for more details.

  • Configure caching. Adjust the credentials_validity_in_ms and credentials_update_interval_in_ms as required for you environment in the dse.yaml.

Procedure

Apply the following updates to each node:

  1. In the cassandra.yaml file, verify that DSE Unified Authentication and Authorization features are configured:

    1. Verify that authenticator is set to DseAuthenticator in cassandra.yaml.

      authenticator: com.datastax.bdp.cassandra.auth.DseAuthenticator

    2. Verify that authorizer is set to DseAuthorizer in cassandra.yaml.

      authorizer: com.datastax.bdp.cassandra.auth.DseAuthorizer

    3. Verify that role_manager is set to DseRoleManager in cassandra.yaml.

      role_manager: com.datastax.bdp.cassandra.auth.DseRoleManager

    4. If you are Setting row-level permissions with RLAC, tune these Security-related cache settings:

      permissions_validity_in_ms: 2000
permissions_update_interval_in_ms: 2000
permissions_cache_max_entries: 1000

  2. In the dse.yaml file, configure the corresponding options:

    1. Configure the DSE Authenticator by uncommenting the authentication_options and changing the settings.

      # authentication_options:
#     enabled: false
#     default_scheme: internal
#     allow_digest_with_kerberos: true
#     plain_text_without_ssl: warn
#     transitional_mode: disabled
#     other_schemes:
#     scheme_permissions: false

      Remove all pound signs (#) at the beginning of the line while preserving the spacing.

      • Required settings. Enable DSE Authenticator and select a scheme:

            enabled: true
    default_scheme: internal

        If you plan to use only LDAP or Kerberos, include the internal scheme in other_schemes to allow access to the default cassandra account and complete the initial set up.
        Required authentication_options
        Option Description

        auth_enabled in dse.yaml

        Turns on authentication using the default scheme.

        default_scheme in dse.yaml

        Specifies the authentication scheme when not defined in the connection:

        • internal - Basic authentication using internal login role with password, supply the role name and password as credentials. No additional configuration required.

        • ldap - Plain text authentication using pass-through LDAP authentication. See Defining an LDAP scheme.

        • kerberos - GSSAPI authentication using the Kerberos authenticator. See Defining a Kerberos scheme.

      • Optional settings:

            other_schemes:
      - kerberos
      - ldap
    scheme_permissions: false
    allow_digest_with_kerberos: false
    plain_text_without_ssl: warn
    transitional_mode: disabled

        scheme_permissions require EXECUTE permission for the selected scheme. Do not enable this option until after configuring your own root account.
        Optional authentication_options
        Option Description

        other_schemes in dse.yaml

        You cannot use other_schemes with DSE components that use Thrift, such as CFS and the CassandraHiveMetastore in Analytics datacenters. Only the default_scheme is used when using components that use Thrift drivers.

        scheme_permissions in dse.yaml

        Validate that the role mapped to user matches the authentication scheme. Grant the role permission to the scheme.

        allow_digest_with_kerberos in dse.yaml

        Allow Kerberos digest-md5 authentication.

        plain_text_without_ssl in dse.yaml

        Handling of plain text connection requests:

        • block - Block the request with an authentication error.

        • warn - Log a warning about the request but allow it to continue. Default.

        • allow - Allow the request without any warning.

        transitional_mode in dse.yaml

        Allow access to the database using the anonymous role:

        • permissive - Allow all connections that provide credentials. Maps authenticated superusers to their role AND maps all other users to anonymous.

        • normal - Allow all connections that provide credentials. Maps all authenticated users to their role AND maps all other connections to anonymous.

        • strict - Allow only authenticated connections that map to a login enabled role OR connections that provide a blank username and password as anonymous.

    2. Configure the DSE Role Manager by uncommenting role_management_options and setting the mode:

      # role_management_options:
#    mode: internal

      Remove all pound signs (#) at the beginning of the line while preserving the spacing.

      Role Management Modes
      scheme Description

      internal

      Assign the user name supplied by the authenticator a role that matches the user name, 1 to 1 mapping.

      ldap

      Look up the user name in LDAP using the ldap scheme and get the group membership, assign all roles that match a group name, 1 to many mapping.

      When using Kerberos authentication, identify users by their email address in the LDAP search. The Kerberos Realm must match the domain in the email address.

    3. Configure the DSE Authorizer by uncommenting the authorization_options and changing the settings.

      # authorization_options:
#     enabled: false
#     transitional_mode: disabled
#     allow_row_level_security: false

      Remove all pound signs (#) at the beginning of the line while preserving the spacing.

      • Required settings: Enable authorizer:

        enabled: true

      • Optional settings:

        transitional_mode: normal
  allow_row_level_security: true
        authorization_options
        Option Description

        enabled
        Enabled

        Enables the use of DSE Authorizer for role-based access control (RBAC).

        transitional_mode
        transitional_mode

        Allows the DSE Authorizer to operate in a temporary mode during authorization setup in a cluster. Set to one of the following values:

        • disabled - Transitional mode is disabled.

        • normal - Permissions can be passed to resources, but are not enforced.

        • strict - Permissions can be passed to resources, and are enforced on authenticated users. Permissions are not enforced against anonymous users.

        allow_row_level_security
        allow_row_level_security

        Default: false. True enables row-level access control (RLAC) permissions; use the same setting on all nodes.

  1. Configure selected authentication scheme options:

    For DSE to start, the external service referenced in the kerberos_options and/or ldap_options must be accessible. If you are not using Kerberos-based authentication, comment out the kerberos_options.

  2. Set up JMX authentication to allow nodetool and dsetool operations, see Enabling DSE Unified Authentication.

  3. Restart DSE, see Starting DataStax Enterprise as a service or Starting DataStax Enterprise as a stand-alone process.

What’s next

After restarting DSE, log into CQL shell and complete the set up:

Defining a Kerberos scheme

Configure DataStax Enterprise nodes to use Kerberos authentication.

Defining an LDAP scheme

Configure an external LDAP server for authentication and/or role management.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com