cassandra-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <>
Subject RE: Set up authentication on a live production cluster
Date Wed, 13 Apr 2016 20:54:05 GMT
Do the clients already send the credentials? That is the first thing to address.

Setting up a cluster for authentication (and authorization) requires a restart with the properties
turned on in cassandra.yaml. However, the actual keyspace (system_auth) and tables are not
created until the last node is restarted with the parameters changed. So, as you are changing
each node, what you get is individual nodes that are requiring a password, but have no system_auth
keyspace to authenticate against. Thus, clients cannot connect to these nodes.

With open source Cassandra you cannot implement authentication without at least a brief degradation
of service (as nodes can’t authenticate) and an outage (while the keyspace and tables are
created, users are created, and permissions are granted). The outage can be relatively brief,
depending on cluster size, CL, speed to restart, etc.

With DataStax Enterprise, there is a TransitionalAuthenticator (and Authorizer) that lets
you implement security without a full outage. You basically switch to the Transitional classes
so that system_auth gets created. You create all your security objects. Then you switch to
PasswordAuthenticator and CassandraAuthorizer. It takes two rolling bounces to get it done,
but no outage.

I have done both of the above. The DataStax stuff is very helpful, when downtime is a concern.
Perhaps you could write your own implementation of the various interfaces to do something
like TransitionalAuthenticator, but we have seen that the security interfaces change, so you
will probably break/rewrite in later versions. (For one-time use, maybe it is worth a shot?)

For anyone setting up new clusters, just start with security turned on so that you don’t
end up in the It’s-Production-Can’t-Stop quandary above.

Sean Durity

From: Vigneshwaran []
Sent: Wednesday, April 13, 2016 3:36 AM
Subject: Set up authentication on a live production cluster


I have setup a 16 node cluster (8 per DC; C* 2.2.4) up and running in our production setup.
We use Datastax Java driver 2.1.8.

I would like to set up Authentication and Authorization in the cluster without breaking the
live clients.

From the references I found by googling, I can setup credentials for a new cluster. But it
is not clear to me what steps I should take for setting up credentials in an already running
cluster without breaking existing clients.

Can someone clarify me or link me to a reference I may have missed? I'd really appreciate

Thank you,


The information in this Internet Email is confidential and may be legally privileged. It is
intended solely for the addressee. Access to this Email by anyone else is unauthorized. If
you are not the intended recipient, any disclosure, copying, distribution or any action taken
or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed
to our clients any opinions or advice contained in this Email are subject to the terms and
conditions expressed in any applicable governing The Home Depot terms of business or client
engagement letter. The Home Depot disclaims all responsibility and liability for the accuracy
and content of this attachment and for any damages or losses arising from any inaccuracies,
errors, viruses, e.g., worms, trojan horses, etc., or other items of a destructive nature,
which may be contained in this attachment and shall not be liable for direct, indirect, consequential
or special damages in connection with this e-mail message or its attachment.
View raw message