As I understand it, Cassandra offers you the opportunity to implement the two interfaces:
org.apache.cassandra.auth.IAuthenticator.java
org.apache.cassandra.auth.IAuthority.java
to allow for authentication, and expects you to extend these interfaces. A simple (not secure) example implementation exists in the source code that can be used.
But as I understand it, the IAuthenticator-extended class gets the credentials from the client in a map containing plaintext "username" and "password" fields. As communication to port 9160 is not encrypted, this means that even if you implement a secure class for the IAuthenticator and IAuthority interfaces, your password from your client will be sent in plaintext and is vulnerable to snooping.
Have I got my understanding of this situation correct, and is there any way of securing your password as it is sent across the network to authorise your Cassandra session without tunnelling it through an SSH session?
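Added example (not code from the question or from the Cassandra project) that makes the snooping concern concrete: it encodes a Thrift `login` call the way a client would send it to port 9160, then recovers the credentials from the raw bytes with a minimal Thrift binary-protocol decoder, which is all a passive observer on the network path needs. The message layout follows Thrift's strict binary protocol; the field ids (`login`'s `auth_request` is field 1, `AuthenticationRequest.credentials` is field 1) are taken from cassandra.thrift as I recall it and should be checked against the IDL of your version. The username and password are constructed sample data.

```python
"""Demonstrate that Thrift login() credentials are readable on the wire."""
import struct

# Thrift binary-protocol type codes and message type used below
T_STOP, T_STRING, T_STRUCT, T_MAP = 0, 11, 12, 13
T_CALL = 1
VERSION_1 = 0x80010000  # strict binary protocol version bits

# Constructed sample credentials (not real)
CREDS = {"username": "ops", "password": "hunter2"}


def _string(s):
    """Thrift string: big-endian i32 length followed by UTF-8 bytes."""
    b = s.encode("utf-8")
    return struct.pack(">i", len(b)) + b


def encode_login(credentials):
    """Bytes a client writes for login(AuthenticationRequest(credentials))."""
    out = struct.pack(">I", VERSION_1 | T_CALL)          # message header
    out += _string("login") + struct.pack(">i", 1)        # method name, seqid
    out += struct.pack(">bh", T_STRUCT, 1)                # field 1: auth_request (assumed id)
    out += struct.pack(">bh", T_MAP, 1)                   # field 1: credentials (assumed id)
    out += struct.pack(">bbi", T_STRING, T_STRING, len(credentials))
    for k, v in credentials.items():
        out += _string(k) + _string(v)                    # plaintext key/value pairs
    out += struct.pack(">bb", T_STOP, T_STOP)             # end of both structs
    return out


def unframe(wire):
    """Strip the 4-byte length prefix added by TFramedTransport."""
    (n,) = struct.unpack_from(">i", wire, 0)
    return wire[4:4 + n]


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def unpack(self, fmt):
        vals = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals

    def string(self):
        (n,) = self.unpack(">i")
        s = self.data[self.pos:self.pos + n].decode("utf-8")
        self.pos += n
        return s


def sniff_login(wire):
    """Return the credentials map from a captured login() call, or None."""
    try:
        r = _Reader(wire)
        (header,) = r.unpack(">I")
        if (header & 0xFFFF0000) != VERSION_1 or (header & 0xFF) != T_CALL:
            return None
        if r.string() != "login":
            return None
        r.unpack(">i")                                    # sequence id, ignored
        if r.unpack(">bh") != (T_STRUCT, 1):
            return None
        if r.unpack(">bh") != (T_MAP, 1):
            return None
        ktype, vtype, size = r.unpack(">bbi")
        if (ktype, vtype) != (T_STRING, T_STRING):
            return None
        creds = {}
        for _ in range(size):
            key = creds_key = r.string()                  # key read before value
            creds[creds_key] = r.string()
        return creds
    except (struct.error, UnicodeDecodeError):
        return None                                       # truncated or malformed capture


if __name__ == "__main__":
    wire = encode_login(CREDS)
    print(wire)                      # the literal password is visible in the bytes
    print(sniff_login(wire))         # {'username': 'ops', 'password': 'hunter2'}
```

If your client uses TFramedTransport, each message on the socket is preceded by a 4-byte length; pass the capture through `unframe` first. Nothing in the decoder requires a key, a secret or any cooperation from the server, which is the point: an IAuthenticator that hashes the password on receipt changes nothing about what is observable on the wire.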
