Enable Authentication
Note
If you upgraded your cluster from version 2024.1, see After Upgrading from 2024.1.
Authentication is the process where login accounts and their passwords are verified, and the user is allowed access to the database. Authentication is done internally within Scylla and is not done with a third party. Users and passwords are created with roles using a CREATE ROLE statement. Refer to Grant Authorization CQL Reference for details.
The procedure described below enables Authentication on the Scylla servers. It is intended to be used when you do not have applications running with Scylla/Cassandra drivers.
Warning
Once you enable authentication, all clients (such as applications using Scylla/Apache Cassandra drivers) will stop working until they are updated or reconfigured to work with authentication.
If this downtime is not an option, you can follow the instructions in Enable and Disable Authentication Without Downtime, which uses a transient state that allows clients to work with or without Authentication at the same time. In this state, you can update the clients (applications using Scylla/Apache Cassandra drivers) one at a time. Once all the clients are using Authentication, you can enforce Authentication on all Scylla nodes as well.
Procedure
1. For each Scylla node in the cluster, edit the /etc/scylla/scylla.yaml file to change the authenticator parameter from AllowAllAuthenticator to PasswordAuthenticator:

   authenticator: PasswordAuthenticator

2. Restart Scylla:

   sudo systemctl restart scylla-server

   If Scylla runs in Docker, restart the Scylla service inside the container instead (without restarting the some-scylla container):

   docker exec -it some-scylla supervisorctl restart scylla

3. Start cqlsh with the default superuser username and password:

   cqlsh -u cassandra -p cassandra
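The edit in step 1 has to be made identically on every node, and a node that is restarted with the wrong or a duplicated authenticator key is an easy mistake to make. The following shell helpers are an added example, not part of the ScyllaDB documentation or its tooling: one function sets the authenticator in a scylla.yaml idempotently, the other reads back the active value so the change can be verified before the restart in step 2. The file path and the assumption that an absent key means AllowAllAuthenticator are this example's own.

```shell
#!/bin/sh
# Added example, not ScyllaDB's own tooling: set the authenticator in a
# scylla.yaml idempotently and read back the active value for verification.
set -eu

# set_authenticator FILE VALUE
# Replaces every active (uncommented) "authenticator:" line with
# "authenticator: VALUE"; appends the line if the key is not active yet.
# Commented-out lines such as "# authenticator: AllowAllAuthenticator" are
# left untouched, so running this twice never produces duplicate keys.
set_authenticator() {
  file="$1"
  value="$2"
  tmp="$file.tmp.$$"
  if grep -q '^authenticator:' "$file"; then
    sed "s/^authenticator:.*/authenticator: $value/" "$file" > "$tmp"
  else
    cat "$file" > "$tmp"
    printf 'authenticator: %s\n' "$value" >> "$tmp"
  fi
  mv "$tmp" "$file"
}

# current_authenticator FILE
# Prints the active authenticator value (short or fully qualified form).
# When no active key exists, prints AllowAllAuthenticator, which this
# example assumes is the server default, as the page's step 1 implies.
current_authenticator() {
  v=$(sed -n 's/^authenticator:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1)
  printf '%s\n' "${v:-AllowAllAuthenticator}"
}

# Usage on a node (as root), before restarting scylla-server:
#   set_authenticator /etc/scylla/scylla.yaml PasswordAuthenticator
#   current_authenticator /etc/scylla/scylla.yaml   # expect PasswordAuthenticator
```

Run the two calls on each node and only restart once current_authenticator reports PasswordAuthenticator everywhere; a node left on AllowAllAuthenticator would still accept unauthenticated clients after the rest of the cluster has been locked down.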
Note
Before proceeding to the next step, we recommend creating a custom superuser to improve security. See Creating a Custom Superuser for instructions.
If you want to create users and roles, continue to Enable Authorization.
After Upgrading from 2024.1
The procedure described above applies to clusters where consistent topology updates are enabled. The feature is automatically enabled in new clusters.
If you’ve upgraded an existing cluster from version 2024.1, ensure that you manually enabled consistent topology updates. Without consistent topology updates enabled, you must take additional steps to enable authentication:
Before you start the procedure, set the system_auth keyspace replication factor to the number of nodes in the datacenter via cqlsh. This ensures that the users' information is kept highly available in the cluster. If the system_auth replication factor is not equal to the number of nodes and a node fails, the user whose information is on that node will be denied access.

After you start cqlsh with the default superuser username and password, run a repair on the system_auth keyspace on all the nodes in the cluster, for example:

nodetool repair -pr system_auth