Authentication and Authorization
By default, Cassandra does not require password authentication, nor does it limit operations on objects or data. If you want to limit who can log in to Cassandra and the types of operations they can perform, you need to enable authentication and authorization. The changes listed below should be made before the cluster is opened for production.
Enabling Password Authentication
Pick a single node in the cluster on which to perform the initial configuration. Open a cqlsh session and change the replication factor of the system_auth keyspace. In this example, we assume the cluster has one datacenter named DC1 and you are using a replication factor of 3 (recommended).
- From the shell, type:
cqlsh
- After the login message, you will see the prompt cqlsh>. Type the following, replacing my_datacenter with the name of your datacenter (DC1 in this example):
ALTER KEYSPACE system_auth WITH replication = {'class': 'NetworkTopologyStrategy', 'my_datacenter': 3};
- Type quit to exit cqlsh.
- Edit cassandra.yaml to change the authenticator, role_manager, and authorizer options as follows:
- authenticator: PasswordAuthenticator
- role_manager: CassandraRoleManager
- authorizer: CassandraAuthorizer
- Restart the node.
- Open a new cqlsh session using the credentials of the default superuser:
cqlsh -u cassandra -p cassandra 0.112.3.20
- Create a new superuser:
cqlsh> CREATE ROLE dba WITH SUPERUSER = true AND LOGIN = true AND PASSWORD = 'super';
- It is recommended to change the default cassandra password (cassandra):
cqlsh> ALTER ROLE cassandra WITH PASSWORD = '<new password>';
- Now go to the other two nodes and make the same changes to the cassandra.yaml file.
- After the changes are made, restart the node.
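One way to confirm that a node's cassandra.yaml carries the three options set in the procedure above, as an added example that is not part of the original documentation. It assumes the flat `key: value` form shown on this page; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a cassandra.yaml for the three options this page sets.
# Assumes the flat "key: value" form shown above; function names are illustrative.

# Print the value of a top-level key, skipping commented-out lines.
yaml_value() {  # $1 = file, $2 = key
    awk -v key="$2" '
        /^[ \t]*#/ { next }                  # whole-line comment
        $0 ~ ("^" key ":") {
            sub("^" key ":[ \t]*", "")       # drop "key:"
            sub(/[ \t]*#.*$/, "")            # drop trailing comment
            sub(/[ \t]+$/, "")               # drop trailing blanks
            val = $0                         # last occurrence wins
        }
        END { print val }' "$1"
}

# Return 0 only if all three options have the values given on this page.
audit_cassandra_auth() {  # $1 = path to cassandra.yaml
    rc=0
    for pair in authenticator=PasswordAuthenticator \
                role_manager=CassandraRoleManager \
                authorizer=CassandraAuthorizer; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(yaml_value "$1" "$key")
        got=${got##*.}   # accept fully qualified class names
        if [ "$got" = "$want" ]; then
            echo "OK   $key: $got"
        else
            echo "FAIL $key: found '${got:-<unset>}', expected $want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a node still on the open defaults, with one edit left commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# authenticator: PasswordAuthenticator
authenticator: AllowAllAuthenticator
role_manager: CassandraRoleManager
authorizer: org.apache.cassandra.auth.AllowAllAuthorizer  # default
EOF
audit_cassandra_auth "$sample" || echo "node is not configured as described above"
rm -f "$sample"
```

Pass the path of each node's cassandra.yaml to audit_cassandra_auth before restarting it; a non-zero return means at least one of the three options still has a different value.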