Enable Authentication Without Downtime

Production ready in Scylla 2.1

This procedure allows you to enable authentication on a live Scylla cluster without downtime.

Procedure

  1. Update the scylla.yaml parameters authenticator and authorizer on all the nodes in the cluster.

     authenticator: 'com.scylladb.auth.TransitionalAuthenticator'
     authorizer: 'com.scylladb.auth.TransitionalAuthorizer'

  2. Restart the nodes one by one to apply the change.

     sudo systemctl restart scylla-server

  3. Log in with the default superuser credentials and create an authenticated user with a strong password.

     For example (123456 is a placeholder; choose a strong password):

     cqlsh -ucassandra -pcassandra

     cassandra@cqlsh> CREATE USER scylla WITH PASSWORD '123456' SUPERUSER ;
     cassandra@cqlsh> list users;

     name      |super
     ----------+-------
     cassandra |True
     scylla    |True

  4. Log in as the newly created user and drop the cassandra superuser.

     cqlsh -u scylla -p 123456

     scylla@cqlsh> DROP USER cassandra;

     scylla@cqlsh> list users;

     name      |super
     ----------+-------
     scylla    |True

  5. Update the scylla.yaml parameters authenticator and authorizer to PasswordAuthenticator and CassandraAuthorizer on all the nodes in the cluster.

     authenticator: 'PasswordAuthenticator'
     authorizer: 'CassandraAuthorizer'

  6. Restart the nodes one by one to apply the change.

     sudo systemctl restart scylla-server

  7. Run repair on the system_auth keyspace on all the nodes in the cluster.

     For example:

     nodetool repair system_auth

  8. Verify that all the client applications are working correctly with authentication enabled.
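
A consistency check for the two scylla.yaml changes in this procedure (the transitional settings, then PasswordAuthenticator and CassandraAuthorizer), given as an added example that is not part of the Scylla documentation. It classifies a node's scylla.yaml as disabled, transitional, enforced or mixed, so a node that was missed during a rolling change stands out. The function names are hypothetical, and treating unset keys as the AllowAllAuthenticator and AllowAllAuthorizer defaults is an assumption not stated on this page.

```shell
#!/bin/sh
# Added example (not ScyllaDB tooling): classify scylla.yaml by auth phase.

# yaml_value KEY FILE: last uncommented top-level value of KEY, with quotes,
# trailing comment and surrounding whitespace removed.
yaml_value() {
    awk -v key="$1" -v q="'" '
        $0 ~ "^" key "[ \t]*:" {
            v = $0
            sub("^" key "[ \t]*:[ \t]*", "", v)
            sub(/[ \t]+#.*$/, "", v)
            gsub("[\"" q "]", "", v)
            sub(/[ \t\r]+$/, "", v)
            val = v
        }
        END { print val }' "$2"
}

# auth_phase FILE: prints disabled | transitional | enforced | mixed.
auth_phase() {
    authn=$(yaml_value authenticator "$1")
    authz=$(yaml_value authorizer "$1")
    # Assumption: unset keys mean the AllowAll defaults (authentication off).
    case "${authn:-AllowAllAuthenticator},${authz:-AllowAllAuthorizer}" in
        *TransitionalAuthenticator,*TransitionalAuthorizer) echo transitional ;;
        *PasswordAuthenticator,*CassandraAuthorizer)        echo enforced ;;
        *AllowAllAuthenticator,*AllowAllAuthorizer)         echo disabled ;;
        *) echo mixed ;;
    esac
}

# expect_phase PHASE FILE...: non-zero if any file is in a different phase.
expect_phase() {
    want=$1; shift; rc=0
    for f in "$@"; do
        got=$(auth_phase "$f")
        [ "$got" = "$want" ] || { echo "$f: $got (expected $want)" >&2; rc=1; }
    done
    return "$rc"
}

# Constructed sample: a node carrying the transitional settings.
demo=$(mktemp)
printf '%s\n' "authenticator: 'com.scylladb.auth.TransitionalAuthenticator'" \
    "authorizer: 'com.scylladb.auth.TransitionalAuthorizer'  # rolling" > "$demo"
echo "sample node: $(auth_phase "$demo")"   # prints: sample node: transitional
rm -f "$demo"
```

Run expect_phase transitional against every node's scylla.yaml before creating the new superuser, and expect_phase enforced before running the system_auth repair.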
