Cassandra Authentication
Authentication in Cassandra verifies the identity of clients and tools connecting to the cluster. By default, Cassandra ships with authentication disabled — any client can connect without credentials. Enabling authentication is a critical first step before exposing a Cassandra cluster outside a trusted network.
Authentication Mechanisms
Authenticator What It Does ────────────────────────────────────────────────────────────── AllowAllAuthenticator Default; no credentials required PasswordAuthenticator Username/password stored in Cassandra CassandraLoginModule JAAS-based authentication Custom Implement IAuthenticator interface
Enabling Password Authentication
Step 1: Edit cassandra.yaml
# cassandra.yaml authenticator: PasswordAuthenticator
Step 2: Restart Cassandra
sudo systemctl restart cassandra
Step 3: Connect with Default Credentials
After enabling PasswordAuthenticator, Cassandra creates one superuser: username cassandra, password cassandra.
cqlsh -u cassandra -p cassandra
Step 4: Change the Default Password Immediately
ALTER USER cassandra WITH PASSWORD 'StrongP@ssw0rd!2024';
Creating Users
-- Create a regular user: CREATE USER alice WITH PASSWORD 'Al1ce$ecure!'; -- Create a superuser (has all privileges): CREATE USER admin_user WITH PASSWORD 'Adm1n$ecure!' SUPERUSER; -- Create a non-superuser explicitly: CREATE USER read_only_user WITH PASSWORD 'R3adOnly!' NOSUPERUSER;
Modifying Users
-- Change a user's password: ALTER USER alice WITH PASSWORD 'N3wP@ssword!'; -- Promote a user to superuser: ALTER USER alice SUPERUSER; -- Demote a superuser: ALTER USER alice NOSUPERUSER;
Dropping Users
DROP USER alice; DROP USER IF EXISTS alice;
Listing Users
LIST USERS; name | super ───────────────────────── cassandra | True admin_user | True alice | False read_only_user | False
Roles (Recommended over Users in Cassandra 2.2+)
Cassandra 2.2 introduced roles, which replace the older user model. Roles can be granted to other roles, creating hierarchical permission groups. Roles replace CREATE USER with CREATE ROLE and grant better permission management.
-- Create roles:
CREATE ROLE readonly_role WITH PASSWORD = 'R3adOnly!' AND LOGIN = true;
CREATE ROLE admin_role WITH PASSWORD = 'Adm1n!' AND LOGIN = true
AND SUPERUSER = true;
-- Create a non-login role (acts as a permission group):
CREATE ROLE ecommerce_reader;
-- Grant role to another role:
GRANT ecommerce_reader TO readonly_role;
Role Authentication vs User Authentication
Feature CREATE USER CREATE ROLE ────────────────────────────────────────────────────────────── Can log in Always Only with LOGIN = true Can own privileges Yes Yes Can be nested (inherit) No Yes Recommended for Legacy compat New deployments
Viewing Current User
SELECT login FROM system.local; -- OR cqlsh> LOGIN alice; -- switch current session user
How Credentials Are Stored
PasswordAuthenticator stores credentials in the system_auth.roles table. Passwords are hashed using bcrypt before storage — they are never stored in plain text.
SELECT role, salted_hash FROM system_auth.roles; role | salted_hash ─────────────────+──────────────────────────────────────── cassandra | $2a$10$KV5... (bcrypt hash) alice | $2a$10$XZ7... (bcrypt hash)
Replication Factor for system_auth
The system_auth keyspace stores credentials and permissions. Its default replication factor of 1 means a node failure can lock users out of the cluster. Always set its replication factor to match the cluster's fault tolerance requirements.
ALTER KEYSPACE system_auth
WITH replication = {
'class': 'NetworkTopologyStrategy',
'us_east': 3
};
-- Then run repair:
nodetool repair system_auth
Connecting Applications with Authentication
Java Driver
CqlSession session = CqlSession.builder()
.withAuthCredentials("alice", "Al1ce$ecure!")
.addContactPoint(new InetSocketAddress("10.0.0.1", 9042))
.withLocalDatacenter("us-east")
.build();
Python Driver
from cassandra.auth import PlainTextAuthProvider from cassandra.cluster import Cluster auth_provider = PlainTextAuthProvider( username='alice', password='Al1ce$ecure!') cluster = Cluster(['10.0.0.1'], auth_provider=auth_provider) session = cluster.connect()
Authentication Checklist for Production
✓ Set authenticator: PasswordAuthenticator in cassandra.yaml ✓ Change default cassandra/cassandra credentials immediately ✓ Create named users/roles for each application and operator ✓ Set system_auth replication factor to 3+ ✓ Run nodetool repair system_auth after replication changes ✓ Use strong, unique passwords per user ✓ Rotate passwords regularly ✓ Enable TLS to protect credentials in transit (see Encryption topic)
Summary
Cassandra's default AllowAllAuthenticator permits unauthenticated connections — always replace it with PasswordAuthenticator in production. Create named roles for applications and operators with the minimum required privileges. Store credentials safely outside your application code (environment variables or secrets management tools). Set the system_auth keyspace replication factor to at least 3 so that node failures do not lock users out. Pair authentication with TLS encryption to prevent credentials from travelling in plain text over the network.
