Configuring Authentication


  • Difference between authenticator and authorizer
There is a difference between authenticator and authorizer, and the two terms are often confused. In Cassandra the authenticator controls how users connect to the database: it is about logging in to the database system. The authorizer comes into the picture after login: once a user is logged in, the permissions that user has are controlled by the authorizer.

 authenticator
  • AllowAllAuthenticator
       This is the default for any Cassandra installation and should be changed so that the cluster is not open to the public.
  • PasswordAuthenticator
When you set "PasswordAuthenticator" you are telling Cassandra to use its internal database tables to authenticate users. Usernames and hashed passwords are stored in the system_auth.credentials table, or in the system_auth.roles table in newer versions.

cassandra@cqlsh> select * from system_auth.roles where role='cassandra';

role | can_login | is_superuser | member_of | salted_hash
-----------+-----------+--------------+-----------+--------------------------------------------------------------
cassandra | True | True | null | $2a$10$DaPp7qMSDHNZwHD0XyOHi.xveKtnFDOQKxCTMsGCCkjXBNxKl.LfW

 authenticator: PasswordAuthenticator

If you have set PasswordAuthenticator and then try to connect to Cassandra without a password, you will get the error below:

root@node1:~# cqlsh node1
Connection error: ('Unable to connect to any servers', {'node1': AuthenticationFailed('Remote end requires authentication.',)})


Increase the system_auth keyspace replication factor if you use this authenticator. PasswordAuthenticator also requires CassandraRoleManager; use the setting below in cassandra.yaml for role_manager.

role_manager: CassandraRoleManager

CassandraRoleManager stores role data in the system_auth keyspace.

Now you must use a username and password to connect to Cassandra. By default the username is "cassandra" and the password is also "cassandra":

root@node1:~# cqlsh -u cassandra -p cassandra node1
Connected to Test Cluster at node1:9042.
[cqlsh 5.0.1 | Cassandra 3.6 | CQL spec 3.4.2 | Native protocol v4]
Use HELP for help.
cassandra@cqlsh>


authorizer:-

authorizer : AllowAllAuthorizer (Default)

authorizer : CassandraAuthorizer (Recommended)

With CassandraAuthorizer, Cassandra uses the system_auth.role_permissions or system_auth.permissions table to validate all permissions.
Hence increase the replication factor for the system_auth keyspace if not already configured.
 
cassandra@cqlsh> select * from system_auth.role_permissions;

role | resource | permissions
-----------+---------------------------------+--------------------------------------------------------------
cassandra | data/test | {'ALTER', 'AUTHORIZE', 'CREATE', 'DROP', 'MODIFY', 'SELECT'}
cassandra | data/test/account | {'ALTER', 'AUTHORIZE', 'DROP', 'MODIFY', 'SELECT'}
cassandra | data/test/acg_id | {'ALTER', 'AUTHORIZE', 'DROP', 'MODIFY', 'SELECT'}
cassandra | data/test/cpcode | {'ALTER', 'AUTHORIZE', 'DROP', 'MODIFY', 'SELECT'}
cassandra | data/test/dimension | {'ALTER', 'AUTHORIZE', 'DROP', 'MODIFY', 'SELECT'}
cassandra | data/test/event | {'ALTER', 'AUTHORIZE', 'DROP', 'MODIFY', 'SELECT'}
cassandra | data/test/event_account | {'ALTER', 'AUTHORIZE', 'DROP', 'MODIFY', 'SELECT'}
cassandra | data/test/media_data | {'ALTER', 'AUTHORIZE', 'DROP', 'MODIFY', 'SELECT'}
cassandra | data/test/media_data_new | {'ALTER', 'AUTHORIZE', 'DROP', 'MODIFY', 'SELECT'}
cassandra | data/test/media_data_stable | {'ALTER', 'AUTHORIZE', 'DROP', 'MODIFY', 'SELECT'}
cassandra | data/test/media_info | {'ALTER', 'AUTHORIZE', 'DROP', 'MODIFY', 'SELECT'}
cassandra | data/test/media_info_optimized | {'ALTER', 'AUTHORIZE', 'DROP', 'MODIFY', 'SELECT'}
cassandra | data/test/media_traffic | {'ALTER', 'AUTHORIZE', 'DROP', 'MODIFY', 'SELECT'}
cassandra | data/test/pipeline_info | {'ALTER', 'AUTHORIZE', 'DROP', 'MODIFY', 'SELECT'}
cassandra | data/test/real_time_info | {'ALTER', 'AUTHORIZE', 'DROP', 'MODIFY', 'SELECT'}
cassandra | data/test/real_time_info_cpcode | {'ALTER', 'AUTHORIZE', 'DROP', 'MODIFY', 'SELECT'}
cassandra | data/test/rule_idname_map | {'ALTER', 'AUTHORIZE', 'DROP', 'MODIFY', 'SELECT'}
cassandra | data/test/rum_das | {'ALTER', 'AUTHORIZE', 'DROP', 'MODIFY', 'SELECT'}
cassandra | data/test/rum_pie_data | {'ALTER', 'AUTHORIZE', 'DROP', 'MODIFY', 'SELECT'}
cassandra | data/test/rum_url | {'ALTER', 'AUTHORIZE', 'DROP', 'MODIFY', 'SELECT'}
cassandra | data/test/secmon_session | {'ALTER', 'AUTHORIZE', 'DROP', 'MODIFY', 'SELECT'}
cassandra | data/test/wafreport_pack | {'ALTER', 'AUTHORIZE', 'DROP', 'MODIFY', 'SELECT'}
cassandra | functions/test | {'ALTER', 'AUTHORIZE', 'CREATE', 'DROP', 'EXECUTE'}
cassandra | roles/admin | {'ALTER', 'AUTHORIZE', 'DROP'}
cassandra | roles/ashu | {'ALTER', 'AUTHORIZE', 'DROP'}
cassandra | roles/demo1 | {'ALTER', 'AUTHORIZE', 'DROP'}
cassandra | roles/joe | {'ALTER', 'AUTHORIZE', 'DROP'}
cassandra | roles/manager | {'ALTER', 'AUTHORIZE', 'DROP'}
cassandra | roles/sam | {'ALTER', 'AUTHORIZE', 'DROP'}
read_only | data | {'SELECT'}

You will have noticed that we keep talking about increasing the replication factor for the system_auth keyspace.

 Why ?

 If you have not configured replication and the replica holding this keyspace goes down, you will not be able to access the cluster, because it uses QUORUM consistency.

Securing Cassandra Account :-

To prevent security breaches, replace the default superuser, cassandra, with another superuser with a different name:   

cqlsh> CREATE ROLE <new_super_user> WITH PASSWORD = '<some_secure_password>' AND SUPERUSER = true AND LOGIN = true;

 The default user cassandra reads with a consistency level of QUORUM by default, whereas another superuser reads with a consistency level of LOCAL_ONE. 

Log in as the newly created superuser: 

$ cqlsh -u <new_super_user> -p <some_secure_password> 

The cassandra superuser cannot be deleted from Cassandra. To neutralize the account, change the password to something long and incomprehensible, and alter the user's status to NOSUPERUSER: 

cqlsh> ALTER ROLE cassandra WITH PASSWORD='SomeNonsenseThatNoOneWillThinkOf' 
AND SUPERUSER=false;
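As an added example (not part of the original post), here is a small Python audit that checks the settings this page walks through: the three cassandra.yaml keys, the system_auth replication factor, and whether the default cassandra role is still a login-capable superuser. The yaml fragment, the roles rows and the threshold of 3 replicas are constructed assumptions for the demo.

```python
"""Audit Cassandra auth configuration against the hardening steps above."""
import re

# Constructed cassandra.yaml fragment showing the out-of-the-box defaults.
CASSANDRA_YAML = """
authenticator: AllowAllAuthenticator
authorizer: AllowAllAuthorizer
role_manager: CassandraRoleManager
"""

# Constructed rows in the shape of `select * from system_auth.roles`.
ROLES = [
    {"role": "cassandra", "can_login": True, "is_superuser": True},
    {"role": "read_only", "can_login": True, "is_superuser": False},
]

# Assumed minimum replication factor for system_auth (the page only says "increase").
MIN_SYSTEM_AUTH_RF = 3


def parse_yaml_keys(text):
    """Collect flat `key: value` lines; enough for the three auth keys."""
    keys = {}
    for m in re.finditer(r"^\s*(\w+)\s*:\s*([^#\n]+)", text, re.M):
        keys[m.group(1)] = m.group(2).strip()
    return keys


def audit(yaml_text, roles, system_auth_rf):
    """Return a list of findings; an empty list means the checks all pass."""
    cfg = parse_yaml_keys(yaml_text)
    findings = []
    if cfg.get("authenticator") != "PasswordAuthenticator":
        findings.append("authenticator is not PasswordAuthenticator: no login is required")
    elif cfg.get("role_manager") != "CassandraRoleManager":
        findings.append("PasswordAuthenticator requires role_manager: CassandraRoleManager")
    if cfg.get("authorizer") != "CassandraAuthorizer":
        findings.append("authorizer is not CassandraAuthorizer: every login has all permissions")
    if system_auth_rf < MIN_SYSTEM_AUTH_RF:
        findings.append(f"system_auth replication factor {system_auth_rf} is below "
                        f"{MIN_SYSTEM_AUTH_RF}: losing a replica can lock out logins")
    for r in roles:
        if r["role"] == "cassandra" and (r["is_superuser"] or r["can_login"]):
            findings.append("default role 'cassandra' still has superuser/login; neutralize it")
    return findings


if __name__ == "__main__":
    for finding in audit(CASSANDRA_YAML, ROLES, system_auth_rf=1):
        print("FINDING:", finding)
```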