The default ScyllaDB superuser role is cassandra with password cassandra. Users with the cassandra role have full access to the database and can run any CQL command on the database resources.
During login, the credentials for the default superuser cassandra are read with a consistency level of QUORUM, whereas those for all other roles are read at LOCAL_ONE. QUORUM may significantly impact performance, especially in multi-datacenter deployments.
To prevent performance degradation and ensure better security, we highly recommend creating a custom superuser. You should:
Use the default cassandra superuser to log in.
Create a custom superuser.
Log in as the custom superuser.
Remove the cassandra role.
In the above procedure, you only need to use the cassandra superuser once, during the initial RBAC setup. To completely eliminate the need to use cassandra, you can configure the initial custom superuser in the scylla.yaml configuration file.
Start cqlsh with the default superuser settings:
cqlsh -u cassandra -p cassandra
Create a new superuser:
CREATE ROLE <custom_superuser name> WITH SUPERUSER = true AND LOGIN = true AND PASSWORD = '<custom_superuser_password>';
For example:
CREATE ROLE dba WITH SUPERUSER = true AND LOGIN = true AND PASSWORD = '39fksah!';
Warning
You must set a PASSWORD when creating a role with LOGIN privileges. Otherwise, you will not be able to log in to the database using that role.
Exit cqlsh:
EXIT;
Log in as the new superuser:
cqlsh -u <custom_superuser name> -p <custom_superuser_password>
For example (quote the password in the shell; an unquoted ! triggers history expansion in interactive bash):
cqlsh -u dba -p '39fksah!'
Show all the roles to verify that the new superuser was created:
LIST ROLES;
Remove the cassandra superuser:
DROP ROLE cassandra;
Show all the roles to verify that the cassandra role was deleted:
LIST ROLES;
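The four steps above, automated end to end, as an added example that is not part of the ScyllaDB documentation or tooling. It assumes that the cqlsh shipped with ScyllaDB accepts the -f, -e and --cqlshrc options as Apache Cassandra's cqlsh does, that a node is reachable at the host given on the command line, and that the role name and password are placeholders supplied by the caller. The script escapes the password for CQL, passes credentials through a mode-0600 cqlshrc file instead of -p (so they do not appear in the process list), and refuses to drop cassandra until it has confirmed that the new role can log in as a superuser.

```shell
#!/bin/sh
# Added example, not ScyllaDB's own tooling. Assumptions: cqlsh is on PATH
# and accepts -f, -e and --cqlshrc (as Apache Cassandra's cqlsh does); host,
# role name and password are illustrative placeholders passed by the caller.

# CQL string literals are single-quoted and an embedded quote is written as
# two quotes. Escape the password, otherwise a ' inside it ends the literal
# and the remainder of the password is parsed as CQL.
cql_quote() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# Role names are identifiers, not strings: accept only a plain unquoted
# identifier so the name cannot carry CQL of its own.
valid_role_name() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*$'
}

# The CREATE ROLE statement of step 2, with the password escaped.
create_superuser_cql() {
    printf "CREATE ROLE %s WITH SUPERUSER = true AND LOGIN = true AND PASSWORD = '%s';\n" \
        "$1" "$(cql_quote "$2")"
}

# Reduce cqlsh's LIST ROLES table (read from stdin) to "name super" lines.
parse_roles() {
    awk -F'|' 'NF >= 2 { gsub(/ /, "", $1); gsub(/ /, "", $2); if ($1 != "role") print $1, $2 }'
}
# $1 = role name, stdin = LIST ROLES output
role_is_super() { parse_roles | grep -qx "$1 True"; }
role_absent()   { ! parse_roles | grep -q "^$1 "; }

# Credentials go to cqlsh through a private file rather than -p, which
# "ps" would show to every local user.
write_cqlshrc() {
    # $1 = path, $2 = user, $3 = password
    umask 077
    printf '[authentication]\nusername = %s\npassword = %s\n' "$2" "$3" > "$1"
}

bootstrap() {
    host=$1 role=$2 password=$3
    valid_role_name "$role" || { echo "refusing role name: $role" >&2; return 1; }
    work=$(mktemp -d) || return 1
    trap 'rm -rf "$work"' EXIT

    # Steps 1 and 2: the only use of the default credentials.
    write_cqlshrc "$work/default.rc" cassandra cassandra
    create_superuser_cql "$role" "$password" > "$work/create.cql"
    cqlsh --cqlshrc "$work/default.rc" -f "$work/create.cql" "$host" || return 1

    # Step 3: log in as the new role and confirm it is a superuser BEFORE
    # dropping cassandra; a typo here would otherwise lock you out.
    write_cqlshrc "$work/new.rc" "$role" "$password"
    cqlsh --cqlshrc "$work/new.rc" -e 'LIST ROLES;' "$host" | role_is_super "$role" \
        || { echo "$role is not a working superuser; leaving cassandra in place" >&2; return 1; }

    # Step 4: drop the default role and verify that it is gone.
    cqlsh --cqlshrc "$work/new.rc" -e 'DROP ROLE cassandra;' "$host" || return 1
    cqlsh --cqlshrc "$work/new.rc" -e 'LIST ROLES;' "$host" | role_absent cassandra
}

# Only touch a cluster when asked explicitly, e.g.
#   sh bootstrap_superuser.sh --apply 10.0.0.5 dba 'S3cret!pass'
if [ "${1:-}" = "--apply" ]; then
    bootstrap "${2:?host}" "${3:?role name}" "${4:?password}"
fi
```

Run it once against a fresh cluster with --apply; without that flag the file only defines functions, so the quoting and the LIST ROLES parsing can be exercised on constructed output before any node is touched.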
Operating ScyllaDB using the default superuser cassandra with password cassandra is insecure and impacts performance. For this reason, the default should be used only once, to create a custom superuser role, following the CQL procedure above.
To avoid running with the default credentials for the period before you can make the CQL modifications, you can configure the custom superuser name and password in the scylla.yaml configuration file:
auth_superuser_name: <superuser name>
auth_superuser_salted_password: <superuser salted password as produced by mkpasswd or a similar tool; cleartext is not allowed>
Caution
The superuser credentials in the scylla.yaml file will be ignored:
If any superuser other than cassandra is already defined in the cluster.
After you create a custom superuser with the CQL procedure.