Enable and Disable Authentication Without Downtime¶
New in version 2.1.
Enable Authentication Without Downtime¶
This procedure allows you to enable authentication on a live Scylla cluster without downtime.
Prerequisites¶
For production environment use only NetworkTopologyStrategy.
Set the system_auth keyspace replication factor to 3 - 5 nodes per datacenter:
For example:
- Single DC (NetworkTopologyStrategy)
ALTER KEYSPACE system_auth WITH REPLICATION =
{ 'class' : 'NetworkTopologyStrategy', 'replication_factor' : <new_rf> };
- Multi - DC (NetworkTopologyStrategy)
ALTER KEYSPACE system_auth WITH REPLICATION =
{'class' : 'NetworkTopologyStrategy', 'dc1' : <new_rf>, 'dc2' : <new_rf>};
Procedure¶
- Update the scylla.yaml parameters
authenticatorandauthorizerfor all the nodes in the cluster.
- authenticator: AllowAllAuthenticator to com.scylladb.auth.TransitionalAuthenticator
- authorizer: AllowAllAuthorizer to com.scylladb.auth.TransitionalAuthorizer
authenticator: com.scylladb.auth.TransitionalAuthenticator
authorizer: com.scylladb.auth.TransitionalAuthorizer
- Restart the nodes one by one to apply the effect.
CentOS, RHEL or Ubuntu 16.04
sudo systemctl restart scylla-server
Ubuntu 14.04 or Debian
sudo service scylla-server restart
- Login with the default super user credentials and create an authenticated user with strong password.
For example:
cqlsh -ucassandra -pcassandra
cassandra@cqlsh> CREATE USER scylla WITH PASSWORD '123456' SUPERUSER ;
cassandra@cqlsh> list users;
name |super
----------+-------
cassandra |True
scylla |True
- Login with the new user created and drop the superuser cassandra.
cqlsh -u scylla -p 123456
scylla@cqlsh> DROP USER cassandra;
scylla@cqlsh> list users;
name |super
----------+-------
scylla |True
- Update the scylla.yaml parameters
authenticatorandauthorizerfor all the nodes in the cluster.
- authenticator: com.scylladb.auth.TransitionalAuthenticator to PasswordAuthenticator
- authorizer: com.scylladb.auth.TransitionalAuthorizer to CassandraAuthorizer
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
- Restart the nodes one by one to apply the effect.
CentOS, RHEL or Ubuntu 16.04
sudo systemctl restart scylla-server
Ubuntu 14.04 or Debian
sudo service scylla-server restart
- Run repair on the
system_authkeyspace, one node at a time on all the nodes in the cluster.
For example:
nodetool repair system_auth
- Verify that all the client applications are working correctly with authentication enabled.
Disable Authentication Without Downtime¶
This procedure allows you to disable authentication on a live Scylla cluster without downtime.
Procedure¶
- Update the scylla.yaml parameters
authenticatorandauthorizerfor all the nodes in the cluster.
- authenticator: PasswordAuthenticator -> ‘com.scylladb.auth.TransitionalAuthenticator’
- authorizer: CassandraAuthorizer ‘com.scylladb.auth.TransitionalAuthorizer’
authenticator: com.scylladb.auth.TransitionalAuthenticator
authorizer: com.scylladb.auth.TransitionalAuthorizer
- Restart the nodes one by one to apply the effect.
sudo systemctl restart scylla-server
- Update the scylla.yaml parameters
authenticatorandauthorizerfor all the nodes in the cluster.
authenticator: 'com.scylladb.auth.TransitionalAuthenticator' -> AllowAllAuthenticator
authorizer: 'com.scylladb.auth.TransitionalAuthorizer' -> AllowAllAuthorizer
- Restart the nodes one by one to apply the effect.
CentOS, RHEL or Ubuntu 16.04
sudo systemctl restart scylla-server
Ubuntu 14.04 or Debian
sudo service scylla-server restart
- Run repair on the
system_authkeyspace, one node at a time on all the nodes in the cluster.
For example:
nodetool repair system_auth
- Verify that all the client applications are working correctly with authentication disabled.