Cassandra: Configuring internal authorization and authentication

Configuring internal authorization

CassandraAuthorizer is one of many possible IAuthorizer implementations, and the one that stores permissions in the system_auth.permissions table to support all authorization-related CQL statements. Configuration consists mainly of changing the authorizer option in the cassandra.yaml to use the CassandraAuthorizer.

Procedure

  1. In the cassandra.yaml file, comment out the default AllowAllAuthorizer and add the CassandraAuthorizer.

    authorizer: CassandraAuthorizer

    You can use any authenticator except AllowAll.

  2. Increase the replication factor for the system_auth keyspace to a number greater than 1.

  3. Adjust the validity period for permissions caching by setting the permissions_validity_in_ms option in the cassandra.yaml file. Alternatively, disable permission caching by setting this option to 0.

Configuring authentication

To configure Cassandra to use internal authentication, first make a change to the cassandra.yaml file and increase the replication factor of the system_auth keyspace, as described in this procedure. Next, start up Cassandra using the default user name and password (cassandra/cassandra), and start cqlsh using the same credentials. Finally, use these CQL statements to set up user accounts to authorize users to access the database objects:

  • ALTER USER

    ALTER USER user_name
    WITH PASSWORD 'password' ( NOSUPERUSER | SUPERUSER )

  • CREATE USER

    CREATE USER IF NOT EXISTS user_name WITH PASSWORD 'password'
    ( NOSUPERUSER | SUPERUSER )

Procedure

  1. Change the authenticator option in the cassandra.yaml to PasswordAuthenticator.

    By default, the authenticator option is set to AllowAllAuthenticator.

    authenticator: PasswordAuthenticator

  2. Increase the replication factor for the system_auth keyspace to N (number of nodes).

    If you use the default, 1, and the node with the lone replica goes down, you will not be able to log into the cluster because the system_auth keyspace was not replicated.

  3. Restart the Cassandra client.

    The default superuser name and password that you use to start the client are stored in Cassandra.

    -u cassandra -p cassandra

  4. Start cqlsh using the superuser name and password.

    ./cqlsh -u cassandra -p cassandra

  5. Create another superuser, not named cassandra. This step is optional but highly recommended.

  6. Log in as that new superuser.

  7. Change the cassandra user password to something long and incomprehensible, and then forget about it. It won’t be used again.

  8. Take away the cassandra user’s superuser status.

  9. Use the CQL statements listed previously to set up user accounts and then grant permissions to access the database objects.
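
Steps 2 and 5 to 9 of this procedure written out as CQL; this is an added example, not part of the original DataStax page. The names dba_admin, app_reader and app_ks, the replication factor of 3 and the password placeholders are assumptions, and the GRANT statement works only with the CassandraAuthorizer configured in the first section.

```cql
-- Session 1: connected with ./cqlsh -u cassandra -p cassandra (default superuser).

-- Step 2: replicate credentials and permissions to every node.
-- Assumption: a 3-node cluster in a single datacenter.
ALTER KEYSPACE system_auth
  WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 3 };
-- Afterwards, from a shell on each node, run: nodetool repair system_auth
-- so that the existing rows reach the new replicas.

-- Step 5: create a replacement superuser (dba_admin is a hypothetical name).
CREATE USER IF NOT EXISTS dba_admin
  WITH PASSWORD '<dba-admin-password-placeholder>' SUPERUSER;

-- Step 6: exit cqlsh and reconnect as dba_admin before continuing.

-- Steps 7 and 8: retire the well-known default account in one statement.
-- Use a long random value that is not recorded anywhere.
ALTER USER cassandra
  WITH PASSWORD '<long-random-password-placeholder>' NOSUPERUSER;

-- Step 9: a least-privilege application account.
-- app_reader and the existing keyspace app_ks are hypothetical.
CREATE USER IF NOT EXISTS app_reader
  WITH PASSWORD '<app-reader-password-placeholder>' NOSUPERUSER;
GRANT SELECT ON KEYSPACE app_ks TO app_reader;

-- Check the result: cassandra should no longer be listed as a superuser,
-- and app_reader should hold only SELECT on app_ks.
LIST USERS;
LIST ALL PERMISSIONS OF app_reader;
```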

Source: http://www.datastax.com/documentation/cassandra/2.0/cassandra/security/secure_config_native_authorize_t.html