Cassandra.yaml has four basic parameters that are used to manage user authentication.
The authenticator verifies the identity of a user trying to connect to the Cassandra cluster.
- The default value of this config parameter is set to “AllowAllAuthenticator”. This setting does not perform any check and allows all requests to connect to the Cassandra cluster.
- Replace the value with “PasswordAuthenticator” to validate every request before it gets access to the Cassandra cluster.
The authorizer, on the other hand, determines the user's access rights or level of access.
- The default value for the config parameter is set to “AllowAllAuthorizer”. This setting does not check what permission/role the requesting user has, which means all users will have the same sysadmin role.
- Replace the value with “CassandraAuthorizer” so that Cassandra (org.apache.cassandra.auth.) will validate the level of access the user holds.
Two more security-related config parameters control how authentication and authorization data is kept in the cache.
Fetching permissions/roles from keyspace.column_family on each request would be expensive (the data is stored on disk, so every lookup adds disk I/O). To avoid this, Cassandra caches the roles, and the permissions_validity_in_ms parameter sets how long they stay cached. The default value is 2000 milliseconds. We can replace it with a value that suits our environment.
4. permissions_update_interval_in_ms
Once the authenticator and authorizer are enabled, we'll be managing users and their roles, and from time to time we may update permissions/roles. If the latest roles are not refreshed in the cache, users may face access-related problems. To refresh them, we need to enable this parameter and set its value equal to permissions_validity_in_ms. By default, this parameter is commented out.
So when we enable the authenticator and authorizer, we should also enable permissions_validity_in_ms and permissions_update_interval_in_ms so that the feature functions properly.
Note: Cassandra service restart is recommended after making the above changes.
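To check a node's file against the four settings above, a small audit script helps. This is an added example, not code from Cassandra itself; the function names and both sample files are constructed for illustration, and it assumes an absent key behaves like the defaults stated above.

```python
import re

# Constructed samples of the relevant cassandra.yaml lines (not from a real cluster).
SAMPLE_DEFAULT = """\
authenticator: AllowAllAuthenticator
authorizer: AllowAllAuthorizer
permissions_validity_in_ms: 2000
# permissions_update_interval_in_ms: 2000
"""
SAMPLE_HARDENED = """\
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
permissions_validity_in_ms: 2000
permissions_update_interval_in_ms: 2000
"""

KEY_RE = re.compile(r"^([A-Za-z_]+)\s*:\s*(.*?)\s*(?:#.*)?$")

def active_settings(yaml_text):
    """Return top-level 'key: value' pairs, skipping commented-out lines."""
    settings = {}
    for line in yaml_text.splitlines():
        if line.startswith("#") or line[:1].isspace():
            continue  # comment or nested/indented entry
        m = KEY_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip("'\"")
    return settings

def audit_auth_settings(yaml_text):
    """List deviations from the four settings recommended in the text above.
    Assumption: a missing key falls back to the defaults the text states."""
    s = active_settings(yaml_text)
    findings = []
    if s.get("authenticator", "AllowAllAuthenticator").endswith("AllowAllAuthenticator"):
        findings.append("authenticator: no credential check (AllowAllAuthenticator)")
    if s.get("authorizer", "AllowAllAuthorizer").endswith("AllowAllAuthorizer"):
        findings.append("authorizer: no permission check (AllowAllAuthorizer)")
    validity = s.get("permissions_validity_in_ms", "2000")  # default per the text
    update = s.get("permissions_update_interval_in_ms")
    if update is None:
        findings.append("permissions_update_interval_in_ms: commented out or missing")
    elif update != validity:
        findings.append("permissions_update_interval_in_ms: differs from permissions_validity_in_ms")
    return findings

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_auth_settings(text) or "OK")
```

To audit a real node, pass the contents of its cassandra.yaml to `audit_auth_settings`; an empty list means all four settings match the recommendations.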