Enable and Disable Authentication Without Downtime

New in version 2.1.

Enable Authentication Without Downtime

This procedure allows you to enable authentication on a live Scylla cluster without downtime.

Prerequisites

For production environments, use only NetworkTopologyStrategy.

Set the replication factor of the system_auth keyspace to 3 - 5 nodes per datacenter.

For example:

  • Single DC (NetworkTopologyStrategy)
ALTER KEYSPACE system_auth WITH REPLICATION =
  { 'class' : 'NetworkTopologyStrategy', 'replication_factor' : <new_rf> };
  • Multi-DC (NetworkTopologyStrategy)
ALTER KEYSPACE system_auth WITH REPLICATION =
  {'class' : 'NetworkTopologyStrategy', 'dc1' : <new_rf>, 'dc2' : <new_rf>};

Procedure

  1. Update the scylla.yaml parameters authenticator and authorizer on all the nodes in the cluster.
  • authenticator: change AllowAllAuthenticator to com.scylladb.auth.TransitionalAuthenticator
  • authorizer: change AllowAllAuthorizer to com.scylladb.auth.TransitionalAuthorizer
authenticator:  com.scylladb.auth.TransitionalAuthenticator
authorizer:  com.scylladb.auth.TransitionalAuthorizer
  2. Restart the nodes one by one to apply the change.

CentOS, RHEL or Ubuntu 16.04

sudo systemctl restart scylla-server

Ubuntu 14.04 or Debian

sudo service scylla-server restart
  3. Log in with the default superuser credentials and create an authenticated user with a strong password.

For example (123456 is a sample value only; choose a strong password):

cqlsh -ucassandra -pcassandra

cassandra@cqlsh> CREATE USER scylla WITH PASSWORD '123456' SUPERUSER ;
cassandra@cqlsh> list users;

name      |super
----------+-------
cassandra |True
scylla    |True
  4. Log in as the newly created user and drop the cassandra superuser.
cqlsh -u scylla -p 123456

scylla@cqlsh> DROP USER cassandra;

scylla@cqlsh> list users;

name      |super
----------+-------
scylla    |True
  5. Update the scylla.yaml parameters authenticator and authorizer on all the nodes in the cluster.
  • authenticator: change com.scylladb.auth.TransitionalAuthenticator to PasswordAuthenticator
  • authorizer: change com.scylladb.auth.TransitionalAuthorizer to CassandraAuthorizer
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
  6. Restart the nodes one by one to apply the change.

CentOS, RHEL or Ubuntu 16.04

sudo systemctl restart scylla-server

Ubuntu 14.04 or Debian

sudo service scylla-server restart
  7. Run repair on the system_auth keyspace, one node at a time on all the nodes in the cluster.

For example:

nodetool repair system_auth
  8. Verify that all the client applications are working correctly with authentication enabled.

Disable Authentication Without Downtime

This procedure allows you to disable authentication on a live Scylla cluster without downtime.

Procedure

  1. Update the scylla.yaml parameters authenticator and authorizer on all the nodes in the cluster.
  • authenticator: change PasswordAuthenticator to com.scylladb.auth.TransitionalAuthenticator
  • authorizer: change CassandraAuthorizer to com.scylladb.auth.TransitionalAuthorizer
authenticator: com.scylladb.auth.TransitionalAuthenticator
authorizer: com.scylladb.auth.TransitionalAuthorizer
  2. Restart the nodes one by one to apply the change.
sudo systemctl restart scylla-server
  3. Update the scylla.yaml parameters authenticator and authorizer on all the nodes in the cluster.
  • authenticator: change com.scylladb.auth.TransitionalAuthenticator to AllowAllAuthenticator
  • authorizer: change com.scylladb.auth.TransitionalAuthorizer to AllowAllAuthorizer
  4. Restart the nodes one by one to apply the change.

CentOS, RHEL or Ubuntu 16.04

sudo systemctl restart scylla-server

Ubuntu 14.04 or Debian

sudo service scylla-server restart
  5. Run repair on the system_auth keyspace, one node at a time on all the nodes in the cluster.

For example:

nodetool repair system_auth
  6. Verify that all the client applications are working correctly with authentication disabled.
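
Both procedures above restart each node after editing two scylla.yaml settings, so it helps to confirm before every restart that the node's file holds a matching authenticator/authorizer pair for the current phase. The script below is an added example, not part of the original documentation or Scylla's tooling; the function names, the phase labels, and treating an unset key as the AllowAll setting are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not Scylla's own tooling): classify a scylla.yaml by phase.

# Print a top-level scalar's value without comment, padding or quotes.
yaml_value() {  # usage: yaml_value KEY FILE
    sed -n "s/^$1:[[:space:]]*//p" "$2" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Print the phase of FILE: disabled | transitional | enforced | mixed
auth_phase() {  # usage: auth_phase FILE
    local authn authz
    authn=$(yaml_value authenticator "$1")
    authz=$(yaml_value authorizer "$1")
    # Assumption: an unset key means the AllowAll setting the page starts from.
    authn=${authn:-AllowAllAuthenticator}
    authz=${authz:-AllowAllAuthorizer}
    # Accept short and fully qualified class names (the page uses both).
    case "${authn##*.}/${authz##*.}" in
        AllowAllAuthenticator/AllowAllAuthorizer) echo disabled ;;
        TransitionalAuthenticator/TransitionalAuthorizer) echo transitional ;;
        PasswordAuthenticator/CassandraAuthorizer) echo enforced ;;
        *) echo mixed ;;
    esac
}

# Gate a restart: succeed only when FILE is in the EXPECTED phase.
check_phase() {  # usage: check_phase FILE EXPECTED
    local got
    got=$(auth_phase "$1")
    [ "$got" = "$2" ] && return 0
    echo "not restarting: $1 is '$got', expected '$2'" >&2
    return 1
}

# Constructed sample (not from a real node): the authenticator was switched
# but the authorizer line was missed.
demo=$(mktemp)
printf '%s\n' "authenticator: 'com.scylladb.auth.TransitionalAuthenticator'  # changed" \
    'authorizer: AllowAllAuthorizer' > "$demo"
auth_phase "$demo"
check_phase "$demo" transitional || echo "fix scylla.yaml on this node first"
rm -f "$demo"
```

A result of mixed means only one of the two parameters was changed on that node, which is the case to catch before the restart.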
