Authentication and Authorization

By default, Cassandra does not require password authentication, nor does it limit operations on objects or data. If you want to limit who can log in to Cassandra and the types of operations they can perform, you need to enable authentication and authorization. The changes listed below should be made before the cluster is opened for production: until every node runs with the password authenticator enabled, clients can still connect without credentials to any node that does not.

Enabling Password Authentication

Pick a single node in the cluster on which to perform the initial configuration. Open a cqlsh session and change the replication factor of the system_auth keyspace, so that role and credential data is held on more than one node. In this example, we assume the cluster has one datacenter named DC1 and that you are using a replication factor of 3 (recommended). With the default replication factor of 1, losing the single node that holds the auth data locks every user out; in addition, the default cassandra superuser authenticates at QUORUM, so it cannot log in unless a majority of the system_auth replicas are available.

  1. From the shell, type:
cqlsh
  2. After the login message, you will see the prompt cqlsh>. Type:
ALTER KEYSPACE system_auth WITH replication = {'class': 'NetworkTopologyStrategy', 'DC1': 3};
  3. Type quit to exit cqlsh, then run nodetool repair system_auth so that the new replicas receive the existing auth data.
  4. Edit cassandra.yaml to change the authenticator, role_manager, and authorizer options (the shipped defaults are AllowAllAuthenticator and AllowAllAuthorizer):

  • authenticator: PasswordAuthenticator
  • role_manager: CassandraRoleManager
  • authorizer: CassandraAuthorizer
  5. Restart the node.
  6. Open a new cqlsh session using the credentials of the default superuser, replacing the address with that of the node you are configuring:
cqlsh -u cassandra -p cassandra 0.112.3.20
  7. Create a new superuser. Use a strong password rather than the placeholder shown here:

cqlsh>

CREATE ROLE dba WITH SUPERUSER = true AND LOGIN = true AND PASSWORD = 'super';
  8. Change the password of the default cassandra role; the default password (cassandra) is public knowledge. Once the new superuser has been verified to work, you can also disable login for the cassandra role altogether.

cqlsh>

ALTER ROLE cassandra WITH PASSWORD = '<new password>';
  9. Make the same changes to the cassandra.yaml file on every other node in the cluster.
 10. Restart each node after its cassandra.yaml has been changed.
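The following script is an added example and is not part of the Cassandra documentation or the project's own tooling. It scripts the two configuration pieces of the procedure above, rendering the system_auth ALTER KEYSPACE statement for any set of datacenters and switching the three cassandra.yaml options from their defaults, and then checks the result before a node is restarted. The datacenter names, file paths and the yaml fragment it works on are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Cassandra docs): render the system_auth CQL,
# patch cassandra.yaml, and verify the patch before restarting a node.
# Datacenter names, paths and the sample yaml below are assumptions.
set -eu

# Render the ALTER KEYSPACE statement for system_auth.
# Usage: system_auth_cql RF DC1 [DC2 ...]
# Every datacenter must be listed: a DC missing from the map holds no
# replicas of the credentials, so nodes there cannot authenticate anyone.
system_auth_cql() {
  rf="$1"; shift
  dcs=""
  for dc in "$@"; do
    dcs="${dcs}, '${dc}': ${rf}"
  done
  printf "ALTER KEYSPACE system_auth WITH replication = {'class': 'NetworkTopologyStrategy'%s};\n" "$dcs"
}

# Rewrite the three auth settings of a cassandra.yaml in place (a .bak copy is kept).
# Only uncommented top-level keys match, so a commented-out example line in the
# shipped yaml is left alone.
enable_auth_yaml() {
  f="$1"
  sed -i.bak \
    -e 's/^authenticator:[[:space:]].*/authenticator: PasswordAuthenticator/' \
    -e 's/^authorizer:[[:space:]].*/authorizer: CassandraAuthorizer/' \
    -e 's/^role_manager:[[:space:]].*/role_manager: CassandraRoleManager/' \
    "$f"
}

# Return 0 only if all three settings are present with the secure values.
# Run this before restarting: a yaml that still says AllowAllAuthenticator
# restarts without complaint and keeps accepting unauthenticated connections.
auth_enabled() {
  f="$1"
  for want in 'authenticator: PasswordAuthenticator' \
              'authorizer: CassandraAuthorizer' \
              'role_manager: CassandraRoleManager'; do
    if ! grep -q "^${want}[[:space:]]*$" "$f"; then
      echo "missing: $want in $f" >&2
      return 1
    fi
  done
  return 0
}

# Demo on a constructed yaml fragment (not a real cassandra.yaml) carrying the
# shipped defaults, so that the script runs offline.
demo_dir=$(mktemp -d)
demo_yaml="$demo_dir/cassandra.yaml"
printf '%s\n' \
  'cluster_name: Test Cluster' \
  '# authenticator: PasswordAuthenticator' \
  'authenticator: AllowAllAuthenticator' \
  'authorizer: AllowAllAuthorizer' \
  'role_manager: CassandraRoleManager' > "$demo_yaml"

system_auth_cql 3 DC1          # the CQL runs once, on a single node
enable_auth_yaml "$demo_yaml"  # the yaml edit is applied on every node
auth_enabled "$demo_yaml" && cat "$demo_yaml"
```

The CQL statement is executed once, on one node, while the yaml edit and the check run on every node before that node is restarted. After the last restart, confirm the change took effect from a client host: a plain cqlsh connection with no -u/-p should now be refused, and cqlsh -u cassandra -p cassandra should succeed until you change that password.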