Enable and Disable Authentication Without Downtime

New in version 2.1.

Authentication is the process where login accounts and their passwords are verified and the user is allowed access into the databse. Authentication is done internally within Scylla and is not done with a third party. Users and passwords are created with roles using a CREATE ROLE statement. This procedure enables authentication on the Scylla servers using a transit state, allowing clients work with or without authentication at the same time. In this state, you can update the clients (application using Scylla/Apache Cassandra drivers) one at the time. Once all the clients are using Authentication, you can enforce authentication on all Scylla nodes as well. If you would rather perform a faster authentication procedure where all clients (application using Scylla/Apache Cassandra drivers) will stop working, until they are updated to work with Authentication, refer to Enable Authentication.

Enable Authentication Without Downtime

This procedure allows you to enable authentication on a live Scylla cluster without downtime.

Prerequisites

Set the system_auth keyspace replication factor the number of nodes in the datacenter and set the class to NetworkTopologyStrategy (required in production environments):

For example:

  • Single DC (NetworkTopologyStrategy)
ALTER KEYSPACE system_auth WITH REPLICATION =
  { 'class' : 'NetworkTopologyStrategy', 'dc1' : <new_rf> };
  • Multi - DC (NetworkTopologyStrategy)
ALTER KEYSPACE system_auth WITH REPLICATION =
  {'class' : 'NetworkTopologyStrategy', 'dc1' : <new_rf>, 'dc2' : <new_rf>};

Procedure

  1. Update the scylla.yaml authenticator parameter for all the nodes in the cluster. Change authenticator: AllowAllAuthenticator to authenticator: com.scylladb.auth.TransitionalAuthenticator
authenticator:  com.scylladb.auth.TransitionalAuthenticator
  1. Run the nodetool drain command (Scylla stops listening to its connections from the client and other nodes).
  2. Restart the nodes one by one to apply the effect.
CentOS 7, Ubuntu 16.04/18.04, Debain 8/9
Ubuntu 14.04, Debian 7
Docker
sudo systemctl restart scylla-server

sudo service scylla-server restart

docker exec -it some-scylla supervisorctl restart scylla

(without restarting some-scylla container)

  1. Login with the default superuser credentials and create an authenticated user with strong password.

For example:

cqlsh -ucassandra -pcassandra

cassandra@cqlsh> CREATE USER scylla WITH PASSWORD '123456' AND LOGIN = true AND SUPERUSER = true;
cassandra@cqlsh> list users;

name      |super
----------+-------
cassandra |True
scylla    |True
  1. Login with the new user created and drop the superuser cassandra.
cqlsh -u scylla -p 123456

scylla@cqlsh> DROP USER cassandra;

scylla@cqlsh> list users;

name      |super
----------+-------
scylla    |True
  1. Update the scylla.yaml authenticator parameter for all the nodes in the cluster.
  • change authenticator: com.scylladb.auth.TransitionalAuthenticator to authenticator: PasswordAuthenticator
authenticator: PasswordAuthenticator
  1. Restart the nodes one by one to apply the effect.
CentOS 7, Ubuntu 16.04/18.04, Debain 8/9
Ubuntu 14.04, Debian 7
Docker
sudo systemctl restart scylla-server

sudo service scylla-server restart

docker exec -it some-scylla supervisorctl restart scylla

(without restarting some-scylla container)

  1. Run repair on the system_auth keyspace, one node at a time on all the nodes in the cluster.

    For example:

    nodetool repair system_auth

  2. Verify that all the client applications are working correctly with authentication enabled.

Disable Authentication Without Downtime

This procedure allows you to disable authentication on a live Scylla cluster without downtime. Once disabled, you will have to re-enable authentication where required.

Procedure

  1. Update the scylla.yaml authenticator parameter for all the nodes in the cluster.
  • change authenticator: PasswordAuthenticator to authenticator: com.scylladb.auth.TransitionalAuthenticator
authenticator: com.scylladb.auth.TransitionalAuthenticator
  1. Restart the nodes one by one to apply the effect.
sudo systemctl restart scylla-server
  1. Update the scylla.yaml authenticator parameter for all the nodes in the cluster. Change authenticator: com.scylladb.auth.TransitionalAuthenticator to authenticator: AllowAllAuthenticator
authenticator: AllowAllAuthenticator
  1. Restart the nodes one by one to apply the effect.
CentOS 7, Ubuntu 16.04/18.04, Debain 8/9
Ubuntu 14.04, Debian 7
Docker
sudo systemctl restart scylla-server

sudo service scylla-server restart

docker exec -it some-scylla supervisorctl restart scylla

(without restarting some-scylla container)

  1. Run repair on the system_auth keyspace, one node at a time on all the nodes in the cluster.

For example:

nodetool repair system_auth
  1. Verify that all the client applications are working correctly with authentication disabled.