Additional security roles: security_auth_activate_internal and security_install to implement the core configuration settings for DSE Unified Authentication.
The default SCHEME is internal. Please re-configure for LDAP and Kerberos SCHEMES; see the documentation here on how to do this:
Special note: default install cassandra superuser account:
- This account needs to be removed and replaced with a new superuser on all exposed installs of DSE. It is there to facilitate initial install and user/role configuration.
- Automation of this superuser remove/replace is not currently available in this solution. Please follow the manual process here: Replace root account
- A possible automation approach is to use this user/role library: ansible-module-cassandra
- A candidate role for this process is roles:security_install
Creating Roles for Internal Authentication
Once the security_auth_activate_internal role has run, you should have a system that challenges user access at all levels. It is now time to create your roles and open your system back up; you will need your superuser account to edit these roles. See the above link to create roles; note that you want to use the "internal" option on that page, with the SCHEME: internal
e.g.
CREATE ROLE jane WITH LOGIN = true AND PASSWORD = 'Abc123Jane';
Addition of role: security_spark_auth_activate
DSE Analytics security checklist
Enabling security and authentication:
Security is enabled using the spark_security_enabled option in dse.yaml. Setting it to enabled turns on authentication between the Spark Master and Worker nodes, and allows you to enable encryption. To encrypt Spark connections for all components except the web UI, enable spark_security_encryption_enabled. The length of the shared secret used to secure Spark components is set using the spark_shared_secret_bit_length option, with a default value of 256 bits. These options are described in DSE Analytics options. For production clusters, enable both authentication and encryption. Doing so does not significantly affect performance.
Authentication and Spark applications:
If authentication is enabled, users need to be authenticated in order to submit an application. Note: DSE 5.1.4, DSE 5.1.5, and 5.1.6 users should refer to the release notes for information on using Spark SQL applications and DSE authentication.