cassandra-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sam Tunnicliffe <>
Subject Re: Turning on internal security with no downtime
Date Tue, 03 Mar 2015 18:55:39 GMT
If you're able to configure your clients so that they don't send requests
to 1 node in the cluster you can enable PasswordAuthenticator &
CassandraAuthorizer on that node only and use cqlsh to setup all your users
& permissions. The rest of the cluster will continue to serve client
requests as normal. Once you've done configuring, alter the RF on
system_auth then run repair on the rest of the nodes (just for the
system_auth ks). Finally, do a rolling restart to enable auth on the nodes
that don't yet have it.

On 25 February 2015 at 22:03, <> wrote:

>  Cassandra 1.2.19
> We would like to turn on Cassandra’s internal security
> (PasswordAuthenticator and CassandraAuthorizer) on the ring (away from
> AllowAll). (Clients are already passing credentials in their connections.)
> However, I know all nodes have to be switched to those before the basic
> security objects (system_auth) are created. So, an outage would be required
> to change all the nodes, let system_auth get created, alter system_auth for
> replication strategy, create all the users/permissions, repair system_auth.
> For DataStax, there is a TransitionalAuthorizer that allows the
> system_auth to get created, but doesn’t really require passwords. So, with
> a double, rolling bounce, you can implement security with no downtime.
> Anything like that for open source? Any other ways you have activated
> security without downtime?
> Sean R. Durity
> ------------------------------
> The information in this Internet Email is confidential and may be legally
> privileged. It is intended solely for the addressee. Access to this Email
> by anyone else is unauthorized. If you are not the intended recipient, any
> disclosure, copying, distribution or any action taken or omitted to be
> taken in reliance on it, is prohibited and may be unlawful. When addressed
> to our clients any opinions or advice contained in this Email are subject
> to the terms and conditions expressed in any applicable governing The Home
> Depot terms of business or client engagement letter. The Home Depot
> disclaims all responsibility and liability for the accuracy and content of
> this attachment and for any damages or losses arising from any
> inaccuracies, errors, viruses, e.g., worms, trojan horses, etc., or other
> items of a destructive nature, which may be contained in this attachment
> and shall not be liable for direct, indirect, consequential or special
> damages in connection with this e-mail message or its attachment.

View raw message