DataStax Enterprise 3.0 Documentation

Configuring dse_auth keyspace replication

This documentation corresponds to an earlier product version. Make sure this document corresponds to your version.

Latest DSE documentation | Earlier DSE documentation

You need to configure the default dse_auth keyspace replication factor to prevent a potential problem logging into a secure cluster. Do not use the default replication factor of 1 for the dse_auth keyspace if you use any of these authenticators and/or this authorizer:

  • authenticator: com.datastax.bdp.cassandra.auth.KerberosAuthenticator
  • authenticator: com.datastax.bdp.cassandra.auth.PasswordAuthenticator
  • authorizer: com.datastax.bdp.cassandra.auth.CassandraAuthorizer

In a multi-node cluster, using the default of 1 precludes logging into any node when the node that stores the user data is down.

For all dse_auth-related queries, Cassandra uses a consistency level of QUORUM. For more information, see About Data Consistency in Cassandra.

Setting the replication factor

  1. Open the cassandra.yaml configuration file for editing.

  2. Change the auth_replication_options using the same options that you would use when creating a keyspace.

    Example for SimpleStrategy:

    auth_replication_options:
       replication_factor: 3
    

    Example for NetworkTopologyStrategy:

    auth_replication_options:
       DC1: 3
       DC2: 3
    
  3. If you change the auth_replication_options on an existing cluster:

    1. Make sure every node uses the same settings.
    2. Restart every node after updating the cassandra.yaml file.
    3. Run a nodetool repair on each node.

About the dse_auth keyspace

Cassandra uses the dse_auth keyspace for storing security authentication and authorization information:

  • Cassandra: the internal user list (in dse_auth.users column family).
  • PasswordAuthenticator: the users' hashed passwords (in dse_auth.credentials column family)
  • CassandraAuthorizer: the users' permissions (in dse_auth.permissions column family)