Security highlights

More authentication options

On 4 March 2021, we updated Astra authentication to simplify how you connect to your database. Free and serverless databases were migrated to free plans with a $25 credit that renews each month. If your database was included in this migration, you will need to reset your database password.

Changes to your Astra database password

As of 4 March 2021, your existing database username and password will not work for your upgraded serverless databases. You will need to generate an application token to connect to your database with cqlsh, your existing driver, or any of our REST or GraphQL APIs.

To access your database via cqlsh or your existing driver, use the “Client ID” and “Client Secret” pair, which is shown when you generate the application token, in place of your username and password respectively.

The same Client ID and Client Secret pair can also be used, as before, to generate tokens for the REST or GraphQL APIs, or you can use the new “Token” generated as part of the application token. The new Token can be used in place of the existing authorization token generated by making a request to https://${ASTRA_DB_ID}-${ASTRA_DB_REGION}

One final authentication option is to use your existing Astra username and password in lieu of the Client ID and Client Secret, but this is recommended only for development and testing use cases, not for production.

Easily manage complex user roles

To improve your security, you now have control over your user groups with custom roles and can assign roles by organization, database, keyspace, or table. Your existing CQL roles will be mapped into new roles and can continue to be used in your local cqlsh. Other existing permissions have been mapped to an equivalent role with the same access.

You can also set up an application token for each role to interact with the Document, REST, and GraphQL APIs. If you are connecting to your database using a driver, you will need to download a new secure connect bundle.

To continue using the DevOps API, you must regenerate your service account token.