Update create superuser procedure:

- Remove notes about default `cassandra` superuser
- Add create superuser using existing superuser section
- Update create superuser by using `scylla.yaml` config
- Add create superuser using maintenance socket

Update password reset procedure:

- Add maintenance socket approach
- Remove the old approach with deleting all the roles

Update enabling authentication with downtime and during runtime:

- Mention creating new superuser over the maintenance socket
- Remove default superuser usage

Update enable authorization:

- Mention creating new superuser over the maintenance socket
- Remove mention of default superuser

Reasoning for deletion of the old approach:

- [old] Needs cluster downtime, removes all roles, needs recreation of roles, needs maintenance socket anyways, if config values are not used for superuser
- [new] No cluster downtime, possibly one node restart to enable maintenance socket, faster

Refs SCYLLADB-409
94 lines
4.2 KiB
ReStructuredText
Enable and Disable Authentication Without Downtime
==================================================

Authentication is the process where login accounts and their passwords are verified before a user is allowed access to the database. ScyllaDB performs authentication internally and does not rely on a third party. Users and passwords are created as :doc:`roles </operating-scylla/security/authorization>` with a ``CREATE ROLE`` statement. This procedure enables authentication on the ScyllaDB servers through a transitional state in which clients can connect with or without credentials at the same time. While the cluster is in this state, you can update the clients (applications using ScyllaDB/Apache Cassandra drivers) one at a time. Once all clients authenticate, you enforce authentication on all ScyllaDB nodes. Keep the transitional window as short as your client rollout allows, because unauthenticated connections are still accepted until it closes. If you would rather perform the faster procedure, in which all clients stop working until they are updated to authenticate, refer to :doc:`Enable Authentication </operating-scylla/security/runtime-authentication>`.

Enable Authentication Without Downtime
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This procedure enables authentication on a live ScyllaDB cluster without downtime.


Procedure
---------

#. Update the ``authenticator`` parameter in ``scylla.yaml`` on all the nodes in the cluster: change ``authenticator: AllowAllAuthenticator`` to ``authenticator: com.scylladb.auth.TransitionalAuthenticator``. In this state clients can connect with or without credentials, so existing applications keep working while you add credentials to them.

   .. code-block:: yaml

      authenticator: com.scylladb.auth.TransitionalAuthenticator

#. Run the :doc:`nodetool drain </operating-scylla/nodetool-commands/drain>` command on each node right before you restart it. The node stops accepting connections from clients and other nodes and flushes its memtables to disk.

#. Restart the nodes one by one to apply the change.

   .. include:: /rst_include/scylla-commands-restart-index.rst

#. Log in over the maintenance socket and create a superuser role with a strong password. The password ``123456`` below is only a placeholder; replace it with a strong one.

   See :ref:`Setting Up a Superuser Using the Maintenance Socket <create-superuser-using-maintenance-socket>` for instructions.

   .. code-block:: cql

      cqlsh /path/to/maintenance/socket/cql.m

      cassandra@cqlsh> CREATE ROLE scylla WITH PASSWORD = '123456' AND LOGIN = true AND SUPERUSER = true;
      cassandra@cqlsh> LIST ROLES;

       name   | super
      --------+-------
       scylla |  True

   Optionally, grant the role to an existing user. Granting a superuser role makes the grantee a superuser too, so grant it only to roles that need full privileges. For example:

   .. code-block:: cql

      cassandra@cqlsh> GRANT scylla TO myuser;

#. Update the ``authenticator`` parameter in ``scylla.yaml`` on all the nodes in the cluster: change ``authenticator: com.scylladb.auth.TransitionalAuthenticator`` to ``authenticator: PasswordAuthenticator``. Do this only after every client has been updated to authenticate; from this point on, connections without credentials are rejected.

   .. code-block:: yaml

      authenticator: PasswordAuthenticator

#. Restart the nodes one by one to apply the change, draining each node first as in the earlier step.

   .. include:: /rst_include/scylla-commands-restart-index.rst

#. Verify that all the client applications are working correctly with authentication enabled.


Disable Authentication Without Downtime
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This procedure disables authentication on a live ScyllaDB cluster without downtime. It uses the same transitional state in the reverse direction: clients that still send credentials keep working while you remove authentication from them one at a time. Once authentication is disabled, any client can connect without credentials; to require it again, repeat the enable procedure above.

Procedure
---------

#. Update the ``authenticator`` parameter in ``scylla.yaml`` on all the nodes in the cluster: change ``authenticator: PasswordAuthenticator`` to ``authenticator: com.scylladb.auth.TransitionalAuthenticator``.

   .. code-block:: yaml

      authenticator: com.scylladb.auth.TransitionalAuthenticator

#. Restart the nodes one by one to apply the change.

   .. code-block:: shell

      sudo systemctl restart scylla-server

#. Update the ``authenticator`` parameter in ``scylla.yaml`` on all the nodes in the cluster: change ``authenticator: com.scylladb.auth.TransitionalAuthenticator`` to ``authenticator: AllowAllAuthenticator``.

   .. code-block:: yaml

      authenticator: AllowAllAuthenticator

#. Restart the nodes one by one to apply the change.

   .. include:: /rst_include/scylla-commands-restart-index.rst

#. Verify that all the client applications are working correctly with authentication disabled.
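As an added example that is not part of the ScyllaDB documentation or code base, the following shell script encodes the order of ``authenticator`` values that both the enable and the disable procedure above step through. It reads the current value from a ``scylla.yaml``, moves it one step towards ``enable`` or ``disable``, and refuses a step that would skip the transitional state (``AllowAllAuthenticator`` straight to ``PasswordAuthenticator`` or back), which is exactly the change that breaks clients. It assumes that a missing or commented-out ``authenticator:`` key means the ``AllowAllAuthenticator`` default, and it leaves the rolling ``nodetool drain`` and restart of every node between two steps to the operator; the function names and the ``/etc/scylla/scylla.yaml`` default path are the example's own.

```shell
#!/usr/bin/env bash
# Added example, not ScyllaDB's own tooling: move the `authenticator` setting
# of a scylla.yaml one step along the rolling enable/disable sequence
#   AllowAllAuthenticator <-> com.scylladb.auth.TransitionalAuthenticator <-> PasswordAuthenticator
# and refuse to skip the transitional state. Draining and restarting the
# nodes one by one between steps is still the operator's job.
# Assumption: a missing or commented-out key means the AllowAllAuthenticator default.
set -e

ALLOW_ALL=AllowAllAuthenticator
TRANSITIONAL=com.scylladb.auth.TransitionalAuthenticator
PASSWORD=PasswordAuthenticator

# Print the effective authenticator configured in the given scylla.yaml.
# Only an uncommented top-level `authenticator:` key counts; a trailing
# comment or quotes around the value are stripped.
current_authenticator() {
    local yaml="$1" value
    value=$(sed -n 's/^authenticator:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$yaml" \
            | tail -n 1 | tr -d "\"'")
    printf '%s\n' "${value:-$ALLOW_ALL}"
}

# Print the authenticator that follows `cur` when moving in direction
# `enable` or `disable`; fail when no rolling step exists from there
# (already at the end of the sequence, or an unknown value).
next_authenticator() {
    local cur="$1" dir="$2"
    case "$dir:$cur" in
        "enable:$ALLOW_ALL")     echo "$TRANSITIONAL" ;;
        "enable:$TRANSITIONAL")  echo "$PASSWORD" ;;
        "disable:$PASSWORD")     echo "$TRANSITIONAL" ;;
        "disable:$TRANSITIONAL") echo "$ALLOW_ALL" ;;
        *)
            echo "no rolling '$dir' step from '$cur'" >&2
            return 1 ;;
    esac
}

# Rewrite the scylla.yaml to the next state and print the new value.
# Apply it to every node, then drain and restart the nodes one by one,
# before calling it again for the following step.
set_authenticator() {
    local yaml="$1" dir="$2" cur next tmp
    cur=$(current_authenticator "$yaml")
    next=$(next_authenticator "$cur" "$dir") || return 1
    tmp="$yaml.tmp.$$"
    if grep -q '^authenticator:' "$yaml"; then
        # Replace the existing key in place; comments and other keys are untouched.
        sed "s|^authenticator:.*|authenticator: $next|" "$yaml" > "$tmp"
    else
        # Key absent or only present as a comment: append an explicit one.
        cat "$yaml" > "$tmp"
        printf 'authenticator: %s\n' "$next" >> "$tmp"
    fi
    mv "$tmp" "$yaml"
    printf '%s\n' "$next"
}

# Usage: auth_step.sh enable|disable [/path/to/scylla.yaml]
if [ $# -ge 1 ]; then
    set_authenticator "${2:-/etc/scylla/scylla.yaml}" "$1"
fi
```

Run it with ``enable`` on every node (or ship the edited file through your configuration management), drain and restart the nodes one by one, and only then run it again for the second step; ``current_authenticator`` on each node is a quick way to confirm that the whole cluster has reached the same state before you move on, and the refusal to step past ``PasswordAuthenticator`` or ``AllowAllAuthenticator`` guards against running the script once too often.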