How do you create the first user in Cassandra DB

Question

How does one create the first user in a cassandra database?

I tried:

CREATE USER username WITH PASSWORD "";

and its says:

Bad Request: Only superusers are allowed to perform CREATE USER queries

But I have never created a user before this attempt, so how do you create the first user in a cassandra database?

This seems a little strange because it's like a chicken and egg problem, but people use Cassandra so I am sure there must be a solution somewhere.

Answer 1

Once you have enabled Authentication and Authorization, you can log-in (to your local Cassandra instance) as the default Cassandra admin user like this:

./cqlsh localhost -u cassandra -p cassandra

If you are running Cassandra on a Windows Server, I believe you need to invoke it with Python:

python cqlsh localhost -u cassandra -p cassandra

Once you get in, your first task should be to create another super user account.

CREATE USER dba WITH PASSWORD 'bacon' SUPERUSER;

Next, it is a really good idea to set the current Cassandra super user's password to something else...preferably something long and incomprehensible. With your new super user, you shouldn't need the default Cassandra account again.

ALTER USER cassandra WITH PASSWORD 'dfsso67347mething54747long67a7ndincom4574prehensi562ble';

For more information, check out this DataStax article: A Quick Tour of Internal Authentication and Authorization Security in DataStax Enterprise and Apache Cassandra

Answer 2

Change

authenticator: AllowAllAuthenticator 

To

authenticator: PasswordAuthenticator 

in cassandra.yamlconfiguration file and restart Cassandra.

This will create a superuser cassandra for you with the restart. Make sure you have Phthon27, thrift-0.91, Cassandra ( datastax community edition 2.0.9 ) etc installed. Now when you login to cassandra, it will let you enter as superuser. You can now create new superuser and change existing superuser's password as well.

python cqlsh localhost -u cassandra -p cassandra 
Connected to Test Cluster at localhost:9160. 
[cqlsh 4.1.1 | Cassandra 2.0.9 | CQL spec 3.1.1 | Thrift protocol 19.39.0]

Use HELP for help.

cqlsh> create user abc with password 'xyz' superuser; 
cqlsh> alter user cassandra with password 'gaurav'; 
cqlsh> exit

Answer 3

To start to use authentication, the default superuser username/password pair is cassandra/cassandra. This should fix the chicken and egg problem.

Source: http://www.datastax.com/docs/datastax_enterprise3.0/security/native_authentication

Answer 4

Re: Once you have enabled Authentication and Authorization (from the Mar 6 at 14:41 comment by BryceAtNetwork23)

First, is changing authorization required in order to setup authentication? I'm guessing not.

Second, setting up authorization is not exactly trivial if you have data center style replication setup. I setup authorization using the following steps:

• In conf/cassandra.yaml, changed authenticator from AllowAllAuthenticator to PasswordAuthenticator for all nodes
• Rebooted all nodes
• Changed the default 'cassandra' password as described above and added other superusers
• Altered the system_auth keyspace to be redundant (as per instructions in the cassandra.yaml file) by running: "ALTER KEYSPACE system_auth WITH REPLICATION = {'class': 'NetworkTopologyStrategy', 'MY_DATACENTER_NAME':N }"
• I set N was set to the number of nodes in my datacenter (ie., fully redundant)
• Ran bin/nodetool repair on each node serially

Does this sound reasonable to people who know what they're doing?