Cassandra Security: Configuring internal authentication


Cassandra does not require users to log in in the default configuration. Instead, password-less, anonymous logins are permitted for anyone able to connect to the native_transport_port. This behaviour can be changed by editing the cassandra.yaml config to use a different authenticator:

# Allow anonymous logins without authentication
# authenticator: AllowAllAuthenticator

# Use username/password based logins
authenticator: PasswordAuthenticator

The login credentials validated by PasswordAuthenticator are stored in the internal system_auth keyspace. By default, this keyspace is not replicated across all nodes. You'll have to change the replication settings to make sure that Cassandra can still read user credentials from local storage when other nodes in the cluster cannot be reached, or else you might not be able to log in!

For SimpleStrategy (where N is the number of nodes in your cluster):

ALTER KEYSPACE system_auth WITH replication = {'class': 'SimpleStrategy', 'replication_factor': N};

For NetworkTopologyStrategy (where N is the number of nodes in the corresponding data center):

ALTER KEYSPACE system_auth WITH replication = {'class': 'NetworkTopologyStrategy', 'datacenter1': N};

Restart each node after the changes described above. You'll now only be able to log in using the default superuser:

cqlsh -u cassandra -p cassandra

(Optional) Replace default superuser with custom user

Using a default superuser with a standard password isn't much safer than using no user at all. You should create your own user instead using a safe and unique password:

CREATE ROLE myadminuser WITH PASSWORD = 'admin123' AND LOGIN = true AND SUPERUSER = true;

Log in using your new user: cqlsh -u myadminuser -p admin123

Now disable login for the standard cassandra user and remove the superuser status:

ALTER ROLE cassandra WITH LOGIN = false AND SUPERUSER = false;
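The steps above (switch the authenticator, fix system_auth replication, create a replacement superuser, lock down the default one) as one script. This is an added example, not part of the original page or of the Cassandra project: it checks a cassandra.yaml for the effective authenticator, generates the CQL statements from the page, and pipes them into the standard cqlsh client. The sample cassandra.yaml is constructed inline for the demonstration; the role name myadminuser, the variable NEW_ADMIN_PASSWORD and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the page or the Cassandra project). Assumes the
# standard cqlsh client; the sample cassandra.yaml below is constructed here.
set -eu

# Effective authenticator in a cassandra.yaml: commented-out lines are
# skipped and the last uncommented setting wins, as YAML would read it.
auth_mode() {
    awk '$1 == "authenticator:" { v = $2 } END { print v }' "$1"
}

# Exit status 0 only when password logins are enforced, 1 otherwise
# (AllowAllAuthenticator, or no authenticator line at all).
check_auth() {
    case "$(auth_mode "$1")" in
        PasswordAuthenticator) return 0 ;;
        *) return 1 ;;
    esac
}

# ALTER KEYSPACE statement for system_auth, as given on the page:
#   system_auth_rf_cql simple <N>          (SimpleStrategy)
#   system_auth_rf_cql network <dc> <N>    (NetworkTopologyStrategy)
system_auth_rf_cql() {
    case "$1" in
        simple)  printf "ALTER KEYSPACE system_auth WITH replication = {'class': 'SimpleStrategy', 'replication_factor': %s};\n" "$2" ;;
        network) printf "ALTER KEYSPACE system_auth WITH replication = {'class': 'NetworkTopologyStrategy', '%s': %s};\n" "$2" "$3" ;;
        *)       return 1 ;;
    esac
}

# CQL to create the replacement superuser; run this as the default
# cassandra user, which is still the only superuser at that point.
create_admin_cql() {
    printf "CREATE ROLE %s WITH PASSWORD = '%s' AND LOGIN = true AND SUPERUSER = true;\n" "$1" "$2"
}

# CQL to lock down the default superuser; run this as the NEW admin, as the
# page does, and list the roles afterwards to confirm the change took effect.
lockdown_default_cql() {
    printf "ALTER ROLE cassandra WITH LOGIN = false AND SUPERUSER = false;\n"
    printf "LIST ROLES;\n"
}

# Pipe CQL from stdin into cqlsh as the given user. Only runs when called
# explicitly; nothing at top level of this script touches a cluster.
apply_cql() {
    cqlsh -u "$1" -p "$2"
}

# Constructed sample cassandra.yaml with the settings shown on the page.
SAMPLE_YAML="$(mktemp)"
cat > "$SAMPLE_YAML" <<'EOF'
# Allow anonymous logins without authentication
# authenticator: AllowAllAuthenticator

# Use username/password based logins
authenticator: PasswordAuthenticator
EOF

if check_auth "$SAMPLE_YAML"; then
    echo "authenticator: $(auth_mode "$SAMPLE_YAML") (password logins enforced)"
else
    echo "authenticator: $(auth_mode "$SAMPLE_YAML") (anonymous logins still allowed)"
fi

# How the generated CQL is applied against a real cluster, in the page's order.
# NEW_ADMIN_PASSWORD is a placeholder environment variable; keeping the
# password out of the command line keeps it out of shell history as well.
#   system_auth_rf_cql simple 3                              | apply_cql cassandra cassandra
#   create_admin_cql myadminuser "$NEW_ADMIN_PASSWORD"       | apply_cql cassandra cassandra
#   lockdown_default_cql | apply_cql myadminuser "$NEW_ADMIN_PASSWORD"
```

The replication setting can be verified after the ALTER KEYSPACE with `SELECT replication FROM system_schema.keyspaces WHERE keyspace_name = 'system_auth';` (system_schema is available from Cassandra 3.0 on). cqlsh can also read the username and password from the `[authentication]` section of `~/.cassandra/cqlshrc`, which avoids passing `-p` on the command line at all.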