Enable Cassandra authentication

Edge for Private Cloud v. 4.17.09

By default, Cassandra installs without authentication enabled. That means anyone can access Cassandra. You can enable authentication after installing Edge, or as part of the installation process.

If you decide to enable authentication on Cassandra, it uses the following default credentials:

  • username = 'cassandra'
  • password = 'cassandra'

You can use this account, set a different password for this account, or create a new Cassandra user. Add, remove, and modify users by using the Cassandra CREATE/ALTER/DROP USER statements.

For more information, see Cassandra SQL shell commands.

Enable Cassandra authentication during installation

You can enable Cassandra authentication at install time. However, you cannot change the default username and password at that point. You have to perform that step manually after the installation of Cassandra completes.

Note: Use this procedure when installing Cassandra by using the "-p c", "-p ds", "-p sa", "-p aio", "-p asa", and "-p ebp" options.

To enable Cassandra authentication at install time, include the CASS_AUTH property in the configuration file for all Cassandra nodes:

CASS_AUTH=y # The default value is n.

The following Edge components access Cassandra:

  • Management Server
  • Message Processors
  • Routers
  • Qpid servers
  • Postgres servers
  • BaaS Stack

Therefore, when you install these components, you must set the following properties in the configuration file to specify the Cassandra credentials:

CASS_USERNAME=cassandra 
CASS_PASSWORD=cassandra

You can change the Cassandra credentials after installing Cassandra. However, if you have already installed the Management Server, Message Processors, Routers, Qpid servers, Postgres servers, or BaaS Stack, you must also update those components to use the new credentials.

To change the Cassandra credentials after installing Cassandra:

  1. Log into any one Cassandra node using the cqlsh tool and the default credentials. You only have to change the password on one node and it will be broadcast to all Cassandra nodes in the ring:
    > /opt/apigee/apigee-cassandra/bin/cqlsh cassIP 9042 -u cassandra -p cassandra
    Where:
    1. cassIP is the IP address of the Cassandra node.
    2. 9042 is the default Cassandra port.
    3. The default user is cassandra.
    4. The default password is cassandra. If you changed the password previously, use the current password.
  2. Run the following command at the cqlsh> prompt to update the password:
    cqlsh> ALTER USER cassandra WITH PASSWORD 'NEW_PASSWORD';
  3. Exit the cqlsh tool:
    cqlsh> exit
  4. If you have not yet installed the Management Server, Message Processors, Routers, Qpid servers, Postgres servers, or BaaS Stack, set the following properties in the config file and then install those components:
    CASS_USERNAME=cassandra
    CASS_PASSWORD=NEW_PASSWORD
  5. If you have already installed the Management Server, Message Processors, Routers, Qpid servers, Postgres servers, or BaaS Stack, then see Resetting Edge Passwords for the procedure to update those components to use the new password.
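
A check for the config file edited in step 4, added here as an example and not part of the Apigee documentation: it parses the CASS_AUTH, CASS_USERNAME and CASS_PASSWORD properties and reports a file that would leave authentication off or the default account in use. The function names, the finding messages and the world-readable check are this example's own, and it assumes one config file serves both the Cassandra nodes and the components.

```shell
#!/bin/sh
# Added example, not Apigee code: audit an Edge config file for the
# Cassandra authentication properties. Helper names are this example's own.

# Print KEY's value from FILE. The last assignment wins; an inline
# " # comment" and trailing whitespace are stripped.
conf_get() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 |
        sed -e 's/[[:space:]]\{1,\}#.*$//' -e 's/[[:space:]]*$//'
}

# Print one line per finding and return the number of findings (0 = clean).
audit_cass_config() {
    file=$1
    findings=0
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }
    auth=$(conf_get CASS_AUTH "$file")
    user=$(conf_get CASS_USERNAME "$file")
    pass=$(conf_get CASS_PASSWORD "$file")

    if [ "$auth" != "y" ]; then
        echo "CASS_AUTH is '${auth:-unset}': Cassandra installs without authentication"
        findings=$((findings + 1))
    fi
    if [ -z "$user" ] || [ -z "$pass" ]; then
        echo "CASS_USERNAME or CASS_PASSWORD is not set"
        findings=$((findings + 1))
    elif [ "$user" = "cassandra" ] && [ "$pass" = "cassandra" ]; then
        echo "default cassandra/cassandra credentials are still configured"
        findings=$((findings + 1))
    fi
    # Assumption of this example: the file stores the password in plain
    # text, so it should not be readable by "other" users.
    if [ -n "$(find "$file" -prune -perm -004 2>/dev/null)" ]; then
        echo "$file is world-readable and holds CASS_PASSWORD"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

Call it as `audit_cass_config configFile` before installing the remaining components; the exit status is the number of findings.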

Enable Cassandra authentication post installation

To enable authentication:

  • Update all Edge components that connect to Cassandra with the Cassandra username and password.
  • On all Cassandra nodes, enable authentication.
  • Set the Cassandra username and password on any one node. You only have to change the credentials on one Cassandra node and they will be broadcast to all Cassandra nodes in the ring.

Use the following procedure to update all Edge components that communicate with Cassandra with the new credentials. Note that you do this step before you actually update the Cassandra credentials:

  1. On the Management Server node, run the following command:
    > /opt/apigee/apigee-service/bin/apigee-service edge-management-server store_cassandra_credentials -u CASS_USERNAME -p CASS_PASSWORD

    Optionally, you can pass a file to the command containing the new username and password:
    > apigee-service edge-management-server store_cassandra_credentials -f configFile

    Where the configFile contains the following:
    CASS_USERNAME=cassandra
    CASS_PASSWORD=CASS_PASSWORD


    This command automatically restarts the Management Server.
  2. Repeat step 1 on:
    • All Message Processors
    • All Routers
    • All Qpid servers (edge-qpid-server)
    • Postgres servers (edge-postgres-server)
  3. On the BaaS Stack node for version 4.16.05.04 and later:
    1. Run the following command to generate an encrypted password:
      > /opt/apigee/apigee-service/bin/apigee-service baas-usergrid secure_password

      This command prompts you for the plain text password and returns the encrypted password in the form:
      SECURE:ae1b6dedbf6b26aaab8bee815a910737c1c15b55f3505c239e43bc09f8050
    2. Set the following tokens in /opt/apigee/customer/application/usergrid.properties. If that file does not exist, create it:
      usergrid-deployment_cassandra.username=cassandra
      usergrid-deployment_cassandra.password=SECURE:ae1b6dedbf6b26aaab8bee815a910737c1c15b55f3505c239e43bc09f8050


      This example uses the default username for Cassandra. If you changed the username, set the value of usergrid-deployment_cassandra.username accordingly.

      Ensure that you include the "SECURE:" prefix on the password. Otherwise, the BaaS Stack interprets the value as unencrypted.

      Note: Each BaaS Stack node has its own unique key used to encrypt the password. Therefore, you must generate the encrypted value on each BaaS Stack node separately.
    3. Change ownership of the usergrid.properties file to the 'apigee' user:
      > chown apigee:apigee /opt/apigee/customer/application/usergrid.properties
    4. Configure the Stack node:
      > /opt/apigee/apigee-service/bin/apigee-service baas-usergrid configure
    5. Restart the BaaS Stack:
      > /opt/apigee/apigee-service/bin/apigee-service baas-usergrid restart
    6. Repeat these steps for all BaaS Stack nodes.
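
A check for the two BaaS failure modes noted above (a password stored without the "SECURE:" prefix, and an encrypted value copied between nodes instead of generated on each), added here as an example and not part of the Apigee documentation. It assumes you have gathered one copy of usergrid.properties per BaaS Stack node into local files; the function names and messages are this example's own.

```shell
#!/bin/sh
# Added example, not Apigee code: audit usergrid.properties copies gathered
# from the BaaS Stack nodes, one file per node (the gathering is up to you).

# Print the Cassandra password token stored in one properties file.
ug_password() {
    sed -n 's/^[[:space:]]*usergrid-deployment_cassandra\.password=//p' "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# Usage: audit_usergrid_props FILE...
# Prints one line per finding and returns the number of findings (0 = clean).
audit_usergrid_props() {
    findings=0
    seen=" "
    for f in "$@"; do
        pw=$(ug_password "$f")
        case $pw in
            "")
                echo "$f: usergrid-deployment_cassandra.password is not set"
                findings=$((findings + 1)); continue ;;
            SECURE:?*) ;;  # encrypted form returned by secure_password
            *)
                echo "$f: value lacks the SECURE: prefix and is read as unencrypted"
                findings=$((findings + 1)); continue ;;
        esac
        # Each node encrypts with its own key, so the same SECURE: value in
        # two nodes' files means a file was copied rather than regenerated.
        case $seen in
            *" $pw "*)
                echo "$f: encrypted value duplicates another node's"
                findings=$((findings + 1)) ;;
        esac
        seen="$seen$pw "
    done
    return "$findings"
}
```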

Use the following procedure to enable Cassandra authentication and set the username and password:

  1. Log in to the first Cassandra node.
  2. Run the following command:
    /opt/apigee/apigee-service/bin/apigee-service apigee-cassandra enable_cassandra_authentication -e y

    This command enables authentication and restarts Cassandra.

  3. Repeat steps 1 and 2 on all Cassandra nodes.
  4. Log into any one Cassandra node using the cqlsh tool and the default credentials. You only have to change the password on one Cassandra node and it will be broadcast to all Cassandra nodes in the ring:
    /opt/apigee/apigee-cassandra/bin/cqlsh cassIP 9042 -u cassandra -p cassandra

    Where:

    • cassIP is the IP address of the Cassandra node.
    • 9042 is the Cassandra port.
    • The default user is cassandra.
    • The default password is cassandra. If you changed the password previously, use the current password.
  5. Run the following command at the cqlsh> prompt to update the password:
    ALTER USER cassandra WITH PASSWORD 'NEW_PASSWORD';
  6. Run the following command at the cqlsh> prompt to ensure that the keyspace is always available. For a single data center:
    ALTER KEYSPACE system_auth WITH replication = {'class': 'NetworkTopologyStrategy', 'dc-1': '3'};
    For two data centers:
    ALTER KEYSPACE system_auth WITH replication = {'class': 'NetworkTopologyStrategy', 'dc-1': '3', 'dc-2': '3'};
  7. Exit the cqlsh tool:
    exit
  8. Run nodetool repair to make sure that the change is propagated to all Cassandra nodes:
    /opt/apigee/apigee-cassandra/bin/nodetool repair system_auth