DataStax Enterprise 3.0 Documentation
Configuring dse_auth keyspace replication¶
You need to configure the default dse_auth keyspace replication factor to prevent a potential problem logging into a secure cluster. Do not use the default replication factor of 1 for the dse_auth keyspace if you use any of these authenticators and/or this authorizer:
- authenticator: com.datastax.bdp.cassandra.auth.KerberosAuthenticator
- authenticator: com.datastax.bdp.cassandra.auth.PasswordAuthenticator
- authorizer: com.datastax.bdp.cassandra.auth.CassandraAuthorizer
In a multi-node cluster, using the default of 1 precludes logging into any node when the node that stores the user data is down.
For all dse_auth-related queries, Cassandra uses a consistency level of QUORUM. For more information, see About Data Consistency in Cassandra.
Setting the replication factor¶
Open the cassandra.yaml configuration file for editing.
Change the auth_replication_options using the same options that you would use when creating a keyspace.
Example for SimpleStrategy:
auth_replication_options: replication_factor: 3
Example for NetworkTopologyStrategy:
auth_replication_options: DC1: 3 DC2: 3
If you change the auth_replication_options on an existing cluster:
- Make sure every node uses the same settings.
- Restart every node after updating the cassandra.yaml file.
- Run a nodetool repair on each node.
About the dse_auth keyspace¶
Cassandra uses the dse_auth keyspace for storing security authentication and authorization information:
- Cassandra: the internal user list (in dse_auth.users column family).
- PasswordAuthenticator: the users' hashed passwords (in dse_auth.credentials column family)
- CassandraAuthorizer: the users' permissions (in dse_auth.permissions column family)