Securing overview
Authentication based on internally controlled rolename/passwords
Internal authentication allows roles-based access control (RBAC) to CQL keyspaces and tables using an associated password. Users with an appropriate role and password can use CQL commands to create, alter, drop, or list roles. Users can be assigned one or more roles for authentication purposes. Roles can be created with superuser, non-superuser, and login privileges. CQL authentication values are stored internally in CQL system tables.
It is also used by cqlsh
to authenticate connections to Apache Cassandra® clusters and sstableloader
to load SSTables.
Authorization based on object permission management
Authorization grants access privileges to CQL commands based on role authentication. Authorization can grant permission to access the entire database or restrict a role to an individual table access. Roles can grant authorization to authorize other roles. Roles can be granted to roles. Roles can also be revoked to delete permissions.
Using authentication and authorization
If roles exist and Apache Cassandra® is configured to use authentication, cqlsh
must be executed with optional authentication options.
See cqlsh with authentication for additional information.
Once roles and passwords have been set, Cassandra can be configured to use authentication in the cassandra.yaml
file.