Apache Cassandra 1.2 Documentation

Configuring and using internal authentication


Like object permission management using internal authorization, internal authentication is based on Cassandra-controlled login accounts and passwords. Internal authentication works for the following clients when you provide a user name and password to start up the client:

  • Astyanax
  • cassandra-cli
  • cqlsh
  • Hector
  • pycassa

Internal authentication stores usernames and bcrypt-hashed passwords in the system_auth.credentials column family.

Configuring and using authentication

PasswordAuthenticator is an IAuthorizer implementation, available in Cassandra 1.2.2 and later, that you can use to configure Cassandra for internal authentication out of the box. To enable it, make a few changes to the cassandra.yaml file as described in this procedure. Then, to use authentication, start the client with the default superuser name and password (cassandra/cassandra).

The syntax for starting up the client is:

<client startup string> -u cassandra -p cassandra

Change the superuser password:

  1. Create another superuser (not named cassandra).
  2. Log in as that new superuser.
  3. Change the password of the user cassandra to something long and incomprehensible, and then forget about it. It won't be used again.
  4. Take away the superuser status of the user named cassandra.

To configure and use internal authentication

  1. Change the cassandra.yaml authenticator setting to PasswordAuthenticator:

    authenticator: org.apache.cassandra.auth.PasswordAuthenticator
    
  2. Configure the replication factor for the system_auth keyspace.

  3. Restart Cassandra.

    Cassandra stores a default superuser account (user name and password are both cassandra) that you use to start a supported client. For example, to start cqlsh:

    ./cqlsh -u cassandra -p cassandra
    

    You can now set up user accounts and authorize users to access the database objects by using CQL to grant them permissions on those objects.
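
The two procedures above, carried through as one cqlsh session (an added example, not part of the original documentation). The account name dba_admin, the placeholder passwords, and the SimpleStrategy replication factor of 3 are assumptions; substitute values that fit your cluster.

```cql
-- Session 1: cqlsh started as the default superuser
--   ./cqlsh -u cassandra -p cassandra

-- Configuration step 2: replicate the system_auth keyspace so that logins
-- do not depend on a single node holding the credentials.
-- (Assumption: single data center, replication factor 3.)
ALTER KEYSPACE system_auth
  WITH REPLICATION = {'class': 'SimpleStrategy', 'replication_factor': 3};
-- After changing the replication factor, repair the keyspace on each node
-- from the shell (not CQL):  nodetool repair system_auth

-- Password step 1: create another superuser (not named cassandra).
-- dba_admin is a hypothetical name; the password is a placeholder.
CREATE USER dba_admin WITH PASSWORD '<strong-password-placeholder>' SUPERUSER;

-- Password step 2: exit cqlsh and log in as the new superuser:
--   ./cqlsh -u dba_admin -p '<strong-password-placeholder>'

-- Session 2: logged in as dba_admin.
-- Password steps 3 and 4: give the cassandra user a long random password
-- and take away its superuser status. This has to be done from the other
-- account because a user cannot alter their own superuser status.
ALTER USER cassandra
  WITH PASSWORD '<long-random-value-placeholder>' NOSUPERUSER;

-- Check the result: cassandra should be listed with super = False
-- and dba_admin with super = True.
LIST USERS;
```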

CQL 3 supports the following authentication statements: