
Enabling Authentication and Authorization on Cassandra

By default, Priam does NOT enable authentication or authorization on the Cassandra cluster. Any running Cassandra cluster can be converted to an authenticated and/or authorized cluster.

  1. Before enabling authentication / authorization on Cassandra, make sure the following parameters are either commented out or do not exist in cassandra.yaml. If this is not done, it will generate huge schema differences.

    ```
    auth_replication_strategy
    auth_replication_options
    replication_factor
    ```
  1. Set Cassandra in transitional mode by setting the following properties:

    ```
    priam.authenticator = com.datastax.bdp.cassandra.auth.TransitionalAuthenticator
    priam.authorizer = com.datastax.bdp.cassandra.auth.TransitionalAuthorizer
    ```

This is important as it will allow existing clients to connect to Cassandra while we make all the changes.

  1. Restart Priam and C* on a node and ensure that the system_auth keyspace (KS) is created by logging in with the default cassandra user/password.

    ```sql
    cqlsh -u cassandra -p cassandra
    cqlsh> use system_auth ;
    cqlsh:system_auth> desc TABLEs

    credentials  permissions  users

    cqlsh:system_auth> select * from system_auth.users ;

     name      | super
    -----------+-------
     cassandra |  True
    ```

  2. Alter the system_auth KS so that it is replicated to all the DCs your cluster is in. For example:

    ```sql
    Alter KEYSPACE system_auth WITH replication = { 'class': 'NetworkTopologyStrategy',  'us-east': '3', 'us-east-2': '3'};
    ```
  1. Create the users and alter the default password for user "cassandra".

    ```sql
    Alter user cassandra with password 'XYZ';
    CREATE USER appuser1 WITH PASSWORD 'password';
    ```
  1. Repair the keyspace to ensure data is propagated to all the instances.

    ```
    nodetool repair system_auth
    ```
  1. Change the authenticator and authorizer properties in Priam to the following values:

    ```
    priam.auto.bootstrap = true
    priam.authenticator = org.apache.cassandra.auth.PasswordAuthenticator
    priam.authorizer = org.apache.cassandra.auth.CassandraAuthorizer
    ```
  1. Perform a rolling restart of Priam and Cassandra on all the instances.
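
Two of the preconditions above can be checked mechanically before the switch to PasswordAuthenticator and CassandraAuthorizer: that none of the three cassandra.yaml parameters is active, and that system_auth is replicated to every DC in the cluster. The following is an added example, not part of Priam or of the original page; the function names and sample inputs are constructed, and it assumes the `Datacenter: <name>` headers printed by `nodetool status` and a CREATE/ALTER KEYSPACE statement such as the one `DESCRIBE KEYSPACE system_auth` prints.

```python
import re

# cassandra.yaml keys the page says must be commented out or absent.
FORBIDDEN_KEYS = ("auth_replication_strategy", "auth_replication_options",
                  "replication_factor")

def active_auth_keys(yaml_text):
    """Forbidden keys that are still active (uncommented) in cassandra.yaml."""
    found = []
    for line in yaml_text.splitlines():
        m = re.match(r"\s*([A-Za-z_]+)\s*:", line)  # '#' lines never match
        if m and m.group(1) in FORBIDDEN_KEYS and m.group(1) not in found:
            found.append(m.group(1))
    return found

def cluster_dcs(nodetool_status):
    """Datacenter names from the 'Datacenter: <name>' headers."""
    return set(re.findall(r"^Datacenter:\s*(\S+)", nodetool_status, re.M))

def replication_map(keyspace_ddl):
    """Replication options from a CREATE/ALTER KEYSPACE statement."""
    body = re.search(r"replication\s*=\s*\{(.*?)\}", keyspace_ddl, re.S | re.I)
    if not body:
        return {}
    return dict(re.findall(r"'([^']+)'\s*:\s*'([^']*)'", body.group(1)))

def missing_dcs(nodetool_status, keyspace_ddl):
    """Datacenters in the cluster that system_auth is not replicated to."""
    repl = replication_map(keyspace_ddl)
    dcs = sorted(cluster_dcs(nodetool_status))
    if repl.get("class", "").split(".")[-1] != "NetworkTopologyStrategy":
        return dcs  # not DC-aware, so no DC is explicitly covered
    return [dc for dc in dcs if int(repl.get(dc) or 0) < 1]

# Constructed sample inputs (not captured from a real cluster).
SAMPLE_YAML = """cluster_name: 'demo'
# auth_replication_strategy: placeholder
auth_replication_options:
    replication_factor: 3
"""
SAMPLE_STATUS = """Datacenter: us-east
===================
UN  10.0.0.1  (constructed row)
Datacenter: us-east-2
=====================
UN  10.1.0.1  (constructed row)
"""
SAMPLE_DDL = ("CREATE KEYSPACE system_auth WITH replication = "
              "{'class': 'NetworkTopologyStrategy', 'us-east': '3'};")
```

With the constructed samples, `active_auth_keys(SAMPLE_YAML)` reports the two uncommented keys and `missing_dcs(SAMPLE_STATUS, SAMPLE_DDL)` reports `us-east-2`, the DC left out of the replication map.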