mirrors/scylladb
1
0
Fork 0
mirror of https://github.com/scylladb/scylladb.git synced 2026-04-25 02:50:33 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
293cf355df875f1c66fb2b8abe04b9bd9b2aea17
scylladb/docs/operating-scylla/security/authentication.rst
Marcin Maliszkiewicz 9adf74ae6c docs: remove note about performance degradation with default superuser 
This doesn't apply for auth-v2 as we improved data placement and
removed cassandra quirk which was setting different CL for some
default superuser involved operations.

Fixes #18773

Closes scylladb/scylladb#18785
2024-05-23 13:16:11 +03:00

55 lines
2.6 KiB
ReStructuredText
Raw Blame History

Enable Authentication
=====================
.. scylladb_include_flag:: upgrade-note-authentication.rst
Authentication is the process where login accounts and their passwords are verified, and the user is allowed access to the database. Authentication is done internally within Scylla and is not done with a third party. Users and passwords are created with roles using a ``CREATE ROLE`` statement. Refer to :doc:`Grant Authorization CQL Reference </operating-scylla/security/authorization>` for details.
The procedure described below enables Authentication on the Scylla servers. It is intended to be used when you do **not** have applications running with Scylla/Cassandra drivers.
.. warning:: Once you enable authentication, all clients (such as applications using Scylla/Apache Cassandra drivers) will **stop working** until they are updated or reconfigured to work with authentication.
If this downtime is not an option, you can follow the instructions in :doc:`Enable and Disable Authentication Without Downtime </operating-scylla/security/runtime-authentication>`, which using a transient state, allows clients to work with or without Authentication at the same time. In this state, you can update the clients (application using Scylla/Apache Cassandra drivers) one at the time. Once all the clients are using Authentication, you can enforce Authentication on all Scylla nodes as well.
Procedure
----------
#. For each Scylla node in the cluster, edit the ``/etc/scylla/scylla.yaml`` file to change the ``authenticator`` parameter from ``AllowAllAuthenticator`` to ``PasswordAuthenticator``.
.. code-block:: yaml
authenticator: PasswordAuthenticator
#. Restart Scylla.
.. include:: /rst_include/scylla-commands-restart-index.rst
#. Start cqlsh with the default superuser username and password.
.. code-block:: cql
cqlsh -u cassandra -p cassandra
.. note::
Before proceeding to the next step, we recommend creating a custom superuser
to improve security.
See :doc:`Creating a Custom Superuser </operating-scylla/security/create-superuser/>` for instructions.
#. If you want to create users and roles, continue to :doc:`Enable Authorization </operating-scylla/security/enable-authorization>`.
.. _authentication-upgrade-info:
.. scylladb_include_flag:: upgrade-warning-authentication.rst
Additional Resources
--------------------
* :doc:`Enable and Disable Authentication Without Downtime </operating-scylla/security/runtime-authentication/>`
* :doc:`Enable Authorization </operating-scylla/security/enable-authorization/>`
* :doc:`Authorization </operating-scylla/security/authorization/>`
Reference in New Issue View Git Blame Copy Permalink