Cassandra Authentication

Authentication in Cassandra verifies the identity of clients and tools connecting to the cluster. By default, Cassandra ships with authentication disabled — any client can connect without credentials. Enabling authentication is a critical first step before exposing a Cassandra cluster outside a trusted network.

Authentication Mechanisms

Authenticator               What It Does
──────────────────────────────────────────────────────────────
AllowAllAuthenticator       Default; no credentials required
PasswordAuthenticator       Username/password stored in Cassandra
CassandraLoginModule        JAAS-based authentication
Custom                      Implement IAuthenticator interface

Enabling Password Authentication

Step 1: Edit cassandra.yaml

# cassandra.yaml
authenticator: PasswordAuthenticator

Step 2: Restart Cassandra

sudo systemctl restart cassandra

Step 3: Connect with Default Credentials

After enabling PasswordAuthenticator, Cassandra creates one superuser: username cassandra, password cassandra.

cqlsh -u cassandra -p cassandra

Step 4: Change the Default Password Immediately

ALTER USER cassandra WITH PASSWORD 'StrongP@ssw0rd!2024';

Creating Users

-- Create a regular user:
CREATE USER alice WITH PASSWORD 'Al1ce$ecure!';

-- Create a superuser (has all privileges):
CREATE USER admin_user WITH PASSWORD 'Adm1n$ecure!' SUPERUSER;

-- Create a non-superuser explicitly:
CREATE USER read_only_user WITH PASSWORD 'R3adOnly!' NOSUPERUSER;

Modifying Users

-- Change a user's password:
ALTER USER alice WITH PASSWORD 'N3wP@ssword!';

-- Promote a user to superuser:
ALTER USER alice SUPERUSER;

-- Demote a superuser:
ALTER USER alice NOSUPERUSER;

Dropping Users

DROP USER alice;
DROP USER IF EXISTS alice;

Listing Users

LIST USERS;

 name            | super
─────────────────────────
 cassandra       | True
 admin_user      | True
 alice           | False
 read_only_user  | False

Roles (Recommended over Users in Cassandra 2.2+)

Cassandra 2.2 introduced roles, which replace the older user model. Roles can be granted to other roles, creating hierarchical permission groups. Roles replace CREATE USER with CREATE ROLE and grant better permission management.

-- Create roles:
CREATE ROLE readonly_role WITH PASSWORD = 'R3adOnly!' AND LOGIN = true;
CREATE ROLE admin_role    WITH PASSWORD = 'Adm1n!'    AND LOGIN = true
                          AND SUPERUSER = true;

-- Create a non-login role (acts as a permission group):
CREATE ROLE ecommerce_reader;

-- Grant role to another role:
GRANT ecommerce_reader TO readonly_role;

Role Authentication vs User Authentication

Feature                  CREATE USER     CREATE ROLE
──────────────────────────────────────────────────────────────
Can log in               Always          Only with LOGIN = true
Can own privileges        Yes             Yes
Can be nested (inherit)  No              Yes
Recommended for          Legacy compat   New deployments

Viewing Current User

SELECT login FROM system.local;
-- OR
cqlsh> LOGIN alice;    -- switch current session user

How Credentials Are Stored

PasswordAuthenticator stores credentials in the system_auth.roles table. Passwords are hashed using bcrypt before storage — they are never stored in plain text.

SELECT role, salted_hash FROM system_auth.roles;

 role            | salted_hash
─────────────────+────────────────────────────────────────
 cassandra       | $2a$10$KV5... (bcrypt hash)
 alice           | $2a$10$XZ7... (bcrypt hash)

Replication Factor for system_auth

The system_auth keyspace stores credentials and permissions. Its default replication factor of 1 means a node failure can lock users out of the cluster. Always set its replication factor to match the cluster's fault tolerance requirements.

ALTER KEYSPACE system_auth
  WITH replication = {
    'class': 'NetworkTopologyStrategy',
    'us_east': 3
  };

-- Then run repair:
nodetool repair system_auth

Connecting Applications with Authentication

Java Driver

CqlSession session = CqlSession.builder()
  .withAuthCredentials("alice", "Al1ce$ecure!")
  .addContactPoint(new InetSocketAddress("10.0.0.1", 9042))
  .withLocalDatacenter("us-east")
  .build();

Python Driver

from cassandra.auth import PlainTextAuthProvider
from cassandra.cluster import Cluster

auth_provider = PlainTextAuthProvider(
  username='alice', password='Al1ce$ecure!')
cluster = Cluster(['10.0.0.1'], auth_provider=auth_provider)
session = cluster.connect()

Authentication Checklist for Production

✓ Set authenticator: PasswordAuthenticator in cassandra.yaml
✓ Change default cassandra/cassandra credentials immediately
✓ Create named users/roles for each application and operator
✓ Set system_auth replication factor to 3+
✓ Run nodetool repair system_auth after replication changes
✓ Use strong, unique passwords per user
✓ Rotate passwords regularly
✓ Enable TLS to protect credentials in transit (see Encryption topic)

Summary

Cassandra's default AllowAllAuthenticator permits unauthenticated connections — always replace it with PasswordAuthenticator in production. Create named roles for applications and operators with the minimum required privileges. Store credentials safely outside your application code (environment variables or secrets management tools). Set the system_auth keyspace replication factor to at least 3 so that node failures do not lock users out. Pair authentication with TLS encryption to prevent credentials from travelling in plain text over the network.

Leave a Comment

Your email address will not be published. Required fields are marked *