Enable Authentication

Authentication is the process of verifying a login account and its password before the user is allowed access to the database. Scylla performs authentication internally; no third party is involved. Users and passwords are created with roles using a CREATE ROLE statement. Refer to Grant Authorization CQL Reference for details.

This procedure enables authentication on the Scylla servers. It is intended to be used when you do not have applications running with Scylla/Cassandra drivers.

Warning

Once you enable authentication, all clients (such as applications using Scylla/Apache Cassandra drivers) will stop working until they are updated or reconfigured to work with authentication.

If this downtime is not an option, you can follow the instructions in Enable and Disable Authentication Without Downtime which, using a transient state, allows clients to work with or without authentication at the same time. In this state, you can update the clients (applications using Scylla/Apache Cassandra drivers) one at a time. Once all the clients are using authentication, you can enforce authentication on all Scylla nodes as well.

Procedure

  1. For each Scylla node in the cluster, edit the /etc/scylla/scylla.yaml file and change the authenticator parameter from AllowAllAuthenticator to PasswordAuthenticator.
authenticator: PasswordAuthenticator
  1. Set the system_auth keyspace replication factor to be equal to the number of nodes in the datacenter. This makes sure that the user’s information is kept highly available for the cluster. If you do not do this and the node that holds this information fails, any user whose information is on that node (including yours) will be denied access.

For production environments use only NetworkTopologyStrategy.

  • Single DC (SimpleStrategy)
ALTER KEYSPACE system_auth WITH REPLICATION =
  { 'class' : 'SimpleStrategy', 'replication_factor' : <new_rf> };

For example

ALTER KEYSPACE system_auth WITH REPLICATION =
  { 'class' : 'SimpleStrategy', 'replication_factor' : 3 };
  • Multi-DC (NetworkTopologyStrategy)
ALTER KEYSPACE system_auth WITH REPLICATION =
  {'class' : 'NetworkTopologyStrategy', 'dc1' : <new_rf>, 'dc2' : <new_rf>};

For example

ALTER KEYSPACE system_auth WITH REPLICATION =
  {'class' : 'NetworkTopologyStrategy', 'dc1' : 3, 'dc2' : 3};
  1. Restart Scylla

CentOS, RHEL or Ubuntu 16.04

sudo systemctl restart scylla-server

Ubuntu 14.04 or Debian

sudo service scylla-server restart

Docker (without restarting some-scylla container)

docker exec -it some-scylla supervisorctl restart scylla
  1. Start cqlsh with the default superuser username and password. The default username is cassandra and the default password is cassandra. You can change this later if you are enabling authorization.
cqlsh -u cassandra -p cassandra
  1. Run a repair on the system_auth keyspace on all the nodes in the cluster.

For example:

nodetool repair system_auth
  1. If you want to create users and roles, continue to Enable Authorization.
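
As a pre-flight aid for steps 1 and 2, the following added example (not part of the Scylla documentation) reports which authenticator line is actually active in scylla.yaml content and derives the NetworkTopologyStrategy statement by counting nodes per datacenter in nodetool status output. The function names and sample input are constructed, and the parser assumes the usual nodetool status layout: a "Datacenter:" header followed by rows that start with a two-letter status/state code.

```shell
# Added example; function names and sample input are constructed.
# Print the active authenticator from scylla.yaml content on stdin. Commented-out
# lines are ignored; prints "unset" if no active key exists.
active_authenticator() {
    awk -v q="'" '
        /^[ \t]*#/ { next }
        /^authenticator[ \t]*:/ {
            v = $0
            sub(/^authenticator[ \t]*:[ \t]*/, "", v)
            sub(/[ \t]*#.*$/, "", v)       # trailing comment
            sub(/[ \t]+$/, "", v)
            gsub("[\"" q "]", "", v)       # surrounding quotes
            found = v
        }
        END { print (found == "" ? "unset" : found) }'
}

# Read `nodetool status` output on stdin (layout assumed as described above), count
# node rows per datacenter and print ALTER KEYSPACE with RF = node count per DC.
system_auth_alter_stmt() {
    awk -v q="'" '
        /^Datacenter:/ {
            dc = $2; if (!(dc in n)) { order[++k] = dc; n[dc] = 0 }
            next
        }
        /^[UD][NLJM][ \t]/ && dc != "" { n[dc]++ }   # node row (status+state)
        END {
            if (k == 0) exit 1                       # nothing parsed: fail
            s = "ALTER KEYSPACE system_auth WITH REPLICATION = {" q "class" q " : " q "NetworkTopologyStrategy" q
            for (i = 1; i <= k; i++) s = s ", " q order[i] q " : " n[order[i]]
            print s "};"
        }'
}
sample_scylla_yaml() {        # constructed sample
    printf '%s\n' '# authenticator: PasswordAuthenticator' 'authenticator: AllowAllAuthenticator  # unchanged'
}
sample_nodetool_status() {    # constructed sample (documentation addresses)
cat <<'EOF'
Datacenter: dc1
--  Address     Load    Tokens  Owns  Host ID  Rack
UN  192.0.2.1   1.2 MB  256     ?     id-1     rack1
UN  192.0.2.2   1.1 MB  256     ?     id-2     rack1
UN  192.0.2.3   1.3 MB  256     ?     id-3     rack1
Datacenter: dc2
UN  192.0.2.11  1.0 MB  256     ?     id-4     rack1
DN  192.0.2.12  1.0 MB  256     ?     id-5     rack1
EOF
}
sample_scylla_yaml | active_authenticator; sample_nodetool_status | system_auth_alter_stmt
```

On a node, feed the functions the real file and live nodetool status output, and review the generated statement before running it in cqlsh. Nodes reported as down are counted because they are still members of their datacenter.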