Enable Authentication

Authentication is the process by which login accounts and their passwords are verified and the user is allowed access to the database. Authentication is done internally within Scylla and is not done with a third party. Users and passwords are created with roles using a GRANT statement.

This procedure enables authentication on the Scylla servers. However, once complete, all clients (applications using Scylla/Apache Cassandra drivers) will stop working until they are updated to work with authentication as well.

If this is not an option, you can follow the instructions in Enable and Disable Authentication Without Downtime, which uses a transit state that allows clients to work with or without authentication at the same time. In this state, you can update the clients (applications using Scylla/Apache Cassandra drivers) one at a time. Once all the clients are using authentication, you can enforce authentication on all Scylla nodes as well.

1. On each Scylla node in the cluster, edit the scylla.yaml file (found under /etc/scylla/) and change the authenticator parameter from AllowAllAuthenticator to PasswordAuthenticator:

   authenticator: PasswordAuthenticator

2. Set the system_auth keyspace replication factor to 3 - 5 nodes per datacenter:

   For production environments, use only NetworkTopologyStrategy.

   • Single DC (SimpleStrategy)
     ALTER KEYSPACE system_auth WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : <new_rf> };
   • Multi-DC (NetworkTopologyStrategy)
     ALTER KEYSPACE system_auth WITH REPLICATION = { 'class' : 'NetworkTopologyStrategy', 'dc1' : <new_rf>, 'dc2' : <new_rf> };

   Without this step, one node failure can cause denial of access to the cluster.

3. Restart Scylla:

   sudo systemctl restart scylla-server

4. Start cqlsh with the username and password (the default username is cassandra and the default password is cassandra):

   cqlsh -u cassandra -p cassandra

   It is highly recommended to use a secure username and password.

5. Run a repair on the system_auth keyspace on all the nodes in the cluster.

   For example:

   nodetool repair system_auth
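
The scylla.yaml edit and the system_auth replication change from the procedure above, written as shell helpers. This is an added example, not part of the Scylla documentation or tooling: the function names set_authenticator and system_auth_cql are hypothetical, and the datacenter names are whatever your cluster uses.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not ScyllaDB tooling.

# set_authenticator FILE
# Set "authenticator: PasswordAuthenticator" in a scylla.yaml.
# Replaces the active key (dropping duplicates), leaves commented-out
# lines untouched, and appends the key when no active line exists.
set_authenticator() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    cp -p "$file" "$file.bak" || return 1    # rollback copy
    awk -v new='authenticator: PasswordAuthenticator' '
        /^authenticator[ \t]*:/ { if (!done) print new; done = 1; next }
        { print }
        END { if (!done) print new }
    ' "$file.bak" > "$file" || return 1
    # Confirm the result: exactly one active line, with the expected value.
    [ "$(grep -c '^authenticator[[:space:]]*:' "$file")" -eq 1 ] &&
        grep -qx 'authenticator: PasswordAuthenticator' "$file"
}

# system_auth_cql DC:RF [DC:RF ...]
# Print the ALTER KEYSPACE statement for NetworkTopologyStrategy.
# Rejects malformed arguments and any RF outside the 3-5 range.
system_auth_cql() {
    [ "$#" -gt 0 ] || { echo "usage: system_auth_cql DC:RF ..." >&2; return 1; }
    opts="'class' : 'NetworkTopologyStrategy'"
    for pair in "$@"; do
        case $pair in ?*:?*) ;; *) echo "bad argument: $pair" >&2; return 1 ;; esac
        dc=${pair%:*}     # everything before the last colon
        rf=${pair##*:}    # everything after the last colon
        # Restricting the DC name keeps quotes out of the generated CQL.
        case $dc in *[!A-Za-z0-9_-]*) echo "bad DC name: $dc" >&2; return 1 ;; esac
        case $rf in *[!0-9]*) echo "bad RF: $rf" >&2; return 1 ;; esac
        if [ "$rf" -lt 3 ] || [ "$rf" -gt 5 ]; then
            echo "RF $rf for $dc is outside 3-5" >&2; return 1
        fi
        opts="$opts, '$dc' : $rf"
    done
    echo "ALTER KEYSPACE system_auth WITH REPLICATION = {$opts};"
}
```

Run set_authenticator against /etc/scylla/scylla.yaml on each node before the restart, and pass the output of system_auth_cql to cqlsh.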