mirror of
https://github.com/scylladb/scylladb.git
synced 2026-04-19 16:15:07 +00:00
Update create superuser procedure:
- Remove notes about default `cassandra` superuser
- Add create superuser using existing superuser section
- Update create superuser by using `scylla.yaml` config
- Add create superuser using maintenance socket

Update password reset procedure:
- Add maintenance socket approach
- Remove the old approach with deleting all the roles

Update enabling authentication with downtime and during runtime:
- Mention creating new superuser over the maintenance socket
- Remove default superuser usage

Update enable authorization:
- Mention creating new superuser over the maintenance socket
- Remove mention of default superuser

Reasoning for deletion of the old approach:
- [old] Needs cluster downtime, removes all roles, needs recreation of roles, needs maintenance socket anyways, if config values are not used for superuser
- [new] No cluster downtime, possibly one node restart to enable maintenance socket, faster

Refs SCYLLADB-409
43 lines
2.4 KiB
ReStructuredText
Enable Authentication
=====================

Authentication is the process where login accounts and their passwords are verified, and the user is allowed access to the database. Authentication is done internally within ScyllaDB and is not done with a third party. Users and passwords are created with roles using a ``CREATE ROLE`` statement. Refer to :doc:`Grant Authorization CQL Reference </operating-scylla/security/authorization>` for details.

The procedure described below enables Authentication on the ScyllaDB servers. It is intended to be used when you do **not** have applications running with ScyllaDB/Cassandra drivers.

.. warning:: Once you enable authentication, all clients (such as applications using ScyllaDB/Apache Cassandra drivers) will **stop working** until they are updated or reconfigured to work with authentication.

If this downtime is not an option, you can follow the instructions in :doc:`Enable and Disable Authentication Without Downtime </operating-scylla/security/runtime-authentication>`, which uses a transient state that allows clients to work with or without Authentication at the same time. In this state, you can update the clients (applications using ScyllaDB/Apache Cassandra drivers) one at a time. Once all the clients are using Authentication, you can enforce Authentication on all ScyllaDB nodes as well.

Procedure
----------

#. For each ScyllaDB node in the cluster, edit the ``/etc/scylla/scylla.yaml`` file to change the ``authenticator`` parameter from ``AllowAllAuthenticator`` to ``PasswordAuthenticator``.

   .. code-block:: yaml

      authenticator: PasswordAuthenticator

#. Restart ScyllaDB.

   .. include:: /rst_include/scylla-commands-restart-index.rst

#. Start cqlsh over the maintenance socket and create a new superuser. See :ref:`Setting Up a Superuser Using the Maintenance Socket <create-superuser-using-maintenance-socket>` for instructions.

   .. code-block:: cql

      cqlsh <maintenance_socket_path>

#. If you want to create users and roles, continue to :doc:`Enable Authorization </operating-scylla/security/enable-authorization>`.

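The following check is an added example, not part of the ScyllaDB documentation or project code: it reports the ``authenticator`` value in one or more ``scylla.yaml`` files (for example, copies collected from each node) so that a node left on ``AllowAllAuthenticator`` after step 1 is caught before you rely on authentication. The function names are hypothetical, and the script assumes that a missing or commented-out key means ``AllowAllAuthenticator`` and that a fully qualified class name ending in ``.PasswordAuthenticator`` is equivalent to the short name.

```shell
#!/bin/sh
# Added example: audit the `authenticator` setting in scylla.yaml-style files.
# Hypothetical helper names; not part of ScyllaDB.

# effective_authenticator FILE
# Prints the uncommented top-level `authenticator:` value.
# Prints AllowAllAuthenticator when the key is absent or empty (assumption),
# and AMBIGUOUS when the key is defined more than once.
effective_authenticator() {
    awk '
        /^authenticator[ \t]*:/ {
            n++
            v = $0
            sub(/^authenticator[ \t]*:[ \t]*/, "", v)  # drop the key
            sub(/[ \t]+#.*$/, "", v)                   # drop a trailing comment
            sub(/[ \t\r]+$/, "", v)                    # drop trailing whitespace
            gsub(/["\047]/, "", v)                     # drop YAML quotes
        }
        END {
            if (n > 1)        print "AMBIGUOUS"
            else if (v == "") print "AllowAllAuthenticator"
            else              print v
        }
    ' "$1"
}

# auth_enforced FILE
# Succeeds only when the file sets PasswordAuthenticator exactly once.
auth_enforced() {
    case "$(effective_authenticator "$1")" in
        PasswordAuthenticator|*.PasswordAuthenticator) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_nodes FILE...
# Prints one line per file and fails if any file does not enforce passwords.
audit_nodes() {
    rc=0
    for f in "$@"; do
        if auth_enforced "$f"; then
            echo "OK    $f"
        else
            echo "FAIL  $f ($(effective_authenticator "$f"))"
            rc=1
        fi
    done
    return "$rc"
}

# Run the audit when file paths are given on the command line.
if [ "$#" -gt 0 ]; then audit_nodes "$@"; fi
```

A ``FAIL`` line for any node means that node still accepts unauthenticated clients or has a configuration that needs manual review.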

Additional Resources
--------------------

* :doc:`Enable and Disable Authentication Without Downtime </operating-scylla/security/runtime-authentication/>`
* :doc:`Enable Authorization </operating-scylla/security/enable-authorization/>`
* :doc:`Authorization </operating-scylla/security/authorization/>`