Enable Cassandra authentication

By default, Cassandra installs without authentication enabled. That means anyone with access to your Cassandra server can query the Cassandra database without any authentication. You can enable authentication after installing Edge, or as part of the installation process.

If you decide to enable authentication on Cassandra without providing any credentials of your own, it uses the following default credentials:

  • username = 'cassandra'
  • password = 'cassandra'

You can use this user account, set a different password for this user account, or create a new Cassandra user. Add, remove, and modify users by using the Cassandra CREATE/ALTER/DROP USER statements.

For more information, see Cassandra SQL shell commands.

Enable Cassandra authentication during installation

You can enable Cassandra authentication at install time. However, you should always use the default cassandra username and password ('cassandra':'cassandra') during installation. If you want to use non-default Cassandra credentials, you must re-enable Cassandra authentication after the installation by following the steps listed here.

If you want to enable Cassandra authentication during a fresh Cassandra installation, include the properties below in the configuration file for all Cassandra nodes:

CASS_AUTH=y
CASS_USERNAME=cassandra
CASS_PASSWORD=cassandra

The installation will then set up Cassandra with authentication enabled and with default cassandra:cassandra credentials.

After the initial installation is complete, you can follow one or more of the following steps:

  • Create an alternate user to be used for Cassandra authentication by following the procedure here.
  • Change the password of the default Cassandra user by following the steps here.
  • Install Edge components that use Cassandra to use the credentials you set above.

Edge components that connect to Cassandra

The following Edge components access Cassandra:

  • Management Server
  • Message Processors
  • Routers
  • Qpid servers
  • Postgres servers

Install Edge components when Cassandra authentication is enabled

If you have Cassandra authentication enabled when you install these Edge components for the first time, you need to provide the following settings in the silent configuration file:

CASS_AUTH=Y
CASS_USERNAME=<valid username in Cassandra>
CASS_PASSWORD=<password for the above username>

You can change the Cassandra credentials after installing Cassandra. However, if you have already installed the Management Server, Message Processors, Routers, Qpid servers, or Postgres servers, you must also update those components to use the new credentials, as described in the next section.
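
A pre-install check for the settings above, as an added example that is not Apigee tooling: it reads CASS_AUTH, CASS_USERNAME and CASS_PASSWORD from a silent configuration file and reports authentication left off, the default cassandra password, or a file mode that exposes the plaintext password to group or others. The function names cfg_get and audit_cass_config are hypothetical, the parser assumes simple KEY=value lines, and the default-password finding is meant for component configuration files, since this page uses the default credentials during the Cassandra installation itself.

```shell
#!/bin/sh
# Added example (not Apigee tooling): audit the Cassandra properties in an
# Edge silent configuration file. Assumes simple KEY=value lines.

# Print the last value assigned to KEY ($1) in FILE ($2), minus surrounding
# quotes or a trailing "# comment".
cfg_get() {
  sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 |
    sed -e "s/^'\([^']*\)'.*/\1/" -e t -e 's/^"\([^"]*\)".*/\1/' -e t \
        -e 's/[[:space:]]\{1,\}#.*//' -e 's/[[:space:]]*$//'
}

# Print one finding per line for FILE ($1); succeed only when there are none.
# The body is a subshell, so its variables and helper stay local.
audit_cass_config() (
  n=0
  finding() { echo "$1"; n=$((n + 1)); }
  case $(cfg_get CASS_AUTH "$1") in
    y|Y) ;;
    *) finding "CASS_AUTH is not y: authentication is not enabled" ;;
  esac
  [ -n "$(cfg_get CASS_USERNAME "$1")" ] || finding "CASS_USERNAME is not set"
  case $(cfg_get CASS_PASSWORD "$1") in
    '') finding "CASS_PASSWORD is not set" ;;
    cassandra) finding "CASS_PASSWORD is still the default 'cassandra'" ;;
  esac
  # The file holds a plaintext password: group and others need no access.
  mode=$(ls -ld "$1"); mode=${mode%% *}
  case $mode in
    ????------*) ;;
    *) finding "mode $mode gives group or others access to the password" ;;
  esac
  [ "$n" -eq 0 ]
)

# Constructed sample: a component config left on the defaults, mode 644.
sample=$(mktemp)
printf '%s\n' 'CASS_AUTH=y' 'CASS_USERNAME=cassandra' \
  'CASS_PASSWORD=cassandra # Default value is cassandra' > "$sample"
chmod 644 "$sample"
audit_cass_config "$sample" || echo "fix the findings above before installing"
rm -f "$sample"
```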

Update Edge components that connect to Cassandra

Use the following procedure to update all Edge components that communicate with Cassandra with the new credentials. Note that you must do this step before you actually update the Cassandra credentials:

  1. On the Management Server node, run the following command:
    /opt/apigee/apigee-service/bin/apigee-service edge-management-server store_cassandra_credentials -u cassandra_username -p cassandra_password

    Optionally, you can pass a file containing the new username and password to the command:

    apigee-service edge-management-server store_cassandra_credentials  -f configFile

    where configFile contains the following:

    CASS_USERNAME=cassandra_username # Default is cassandra
    CASS_PASSWORD='cassandra_password' # Default is cassandra; wrap in single quotes if it includes special characters.

    This command automatically restarts the Management Server.

  2. Repeat step 1 for each of the following services:
    • All Message Processors
    • All Routers
    • All Qpid servers (edge-qpid-server)
    • Postgres servers (edge-postgres-server)

    When you repeat step 1 for each service, replace edge-management-server in the command above with the appropriate service name. For example, when you execute the step for a Router service, use the following command:

    /opt/apigee/apigee-service/bin/apigee-service edge-router store_cassandra_credentials -u cassandra -p cassandra

Enable Cassandra authentication after installation

The following sections explain how to enable Cassandra authentication after the installation.

Enable Cassandra authentication on a single data center setup

For a single data center based Apigee setup which already has Cassandra installed, you can:

Note: The 'cassandra' user is a special user in Cassandra. Authentication using this user requires QUORUM consistency. See About the Cassandra consistency levels.

Enable Cassandra authentication when there are multiple data centers

When expanding data centers, follow the steps in one of the following scenarios, depending on which corresponds to your setup.

Scenario 1: Existing data center has Cassandra authentication enabled

If Cassandra authentication is already enabled in an existing data center with default cassandra:cassandra credentials, follow the steps below:

    1. Set up a new data center with default cassandra:cassandra credentials and CASS_AUTH=y. See Enable Cassandra authentication for the first time.
    2. Install Edge components in the new data center by using default Cassandra credentials.

If Cassandra authentication is already enabled in an existing data center with non-default credentials, follow the steps below:

    1. Set up a new data center with default cassandra:cassandra credentials and CASS_AUTH=y. See Enable Cassandra authentication for the first time.
    2. Follow the steps in Enable Cassandra authentication for the first time to reuse the credentials from the existing data center (if the existing data center is using non-default credentials).
    3. Install Edge components in the new data center by using the non-default Cassandra credentials.

Scenario 2: Existing data center does not have Cassandra authentication enabled

If Cassandra authentication is not enabled, do the following steps:

    1. Set up a new data center without Cassandra authentication.
    2. Follow the steps in Enable Cassandra authentication for the first time to enable Cassandra authentication across the cluster (post expansion).
    3. Update Edge components that connect to Cassandra by following the steps here.

Enable Cassandra authentication for the first time

Use the following procedure to enable Cassandra authentication for the first time, or to create a new Cassandra username and password:

    1. Create a silent configuration file with the contents shown below:
      # Specify IP address or DNS name of cassandra node
      IP1=192.168.1.1
      IP2=192.168.1.2
      IP3=192.168.1.3
      
      # Must resolve to IP address or DNS name of host
      HOSTIP=$(hostname -i)
      
      # Set to ‘y’ to enable Cassandra authentication.
      CASS_AUTH=y # Possible values are ‘y/n’
      
      # Cassandra username. If it does not exist, this user would be created as a SUPERUSER
      CASS_USERNAME=cassandra # Default value is cassandra
      # Cassandra Password. If CASS_USERNAME does not exist, create SUPERUSER with this as password
      CASS_PASSWORD=cassandra # Default value is cassandra
      
      # Space-separated IP/DNS names of the Cassandra hosts
      CASS_HOSTS="$IP1:1,1 $IP2:1,1 $IP3:1,1"
      
      # Username of an existing C* user. Only needed if you have disabled or changed the details of the default cassandra user ('cassandra')
      CASS_EXISTING_USERNAME=cassandra  # The default username is cassandra
      # Password of an existing C* user. Only needed if you have disabled the default cassandra user ('cassandra') or changed its password
      CASS_EXISTING_PASSWORD=cassandra  # The default password is cassandra
      
      # Cassandra port
      CASS_PORT=9042 # The default port is 9042.
    2. Log in to the first Cassandra node and execute the following command:
      apigee-service apigee-cassandra enable_cassandra_authentication -f CONFIG

      Optionally, you can pass the properties as command arguments to the script, as shown in the following example:

      CASS_AUTH=y HOSTIP=$(hostname -i) CASS_PORT=9042 CASS_EXISTING_USERNAME=cassandra CASS_EXISTING_PASSWORD=cassandra CASS_USERNAME=cassandra CASS_PASSWORD=cassandra  CASS_HOSTS="192.168.1.1:1,1 192.168.1.2:1,1 192.168.1.3:1,1" apigee-service apigee-cassandra enable_cassandra_authentication

      Notes:

      • For default Cassandra credentials, the command above enables Cassandra authentication and restarts Cassandra.
      • For non-default credentials, the command also alters the replication factor, creates a superuser, and runs a repair on the system_auth keyspace.
    3. Repeat steps 1 and 2 on all Cassandra nodes one by one.

Change Cassandra credentials after installing Cassandra

To change the Cassandra credentials after installing Cassandra:

    1. Log in to any one Cassandra node using the cqlsh tool and the default credentials. You only have to change the password on one node and it will be broadcast to all Cassandra nodes in the ring:
      /opt/apigee/apigee-cassandra/bin/cqlsh cassIP 9042 -u cassandra -p cassandra

      Where:

      1. cassIP is the IP address of the Cassandra node.
      2. 9042 is the default Cassandra port.
      3. The default user is cassandra.
      4. The default password is cassandra. If you changed the password previously, use the current password. If the password contains any special characters, wrap it in single quotes.
    2. Execute the following command at the cqlsh> prompt to update the password:
      ALTER USER cassandra WITH PASSWORD 'NEW_PASSWORD';
    3. Exit the cqlsh tool, as the following example shows:
      exit
    4. If you have not yet installed the Management Server, Message Processors, Routers, Qpid servers, or Postgres servers, set the following properties in the config file and then install those components:
      CASS_USERNAME=cassandra
      CASS_PASSWORD=NEW_PASSWORD
    5. If you have already installed the Management Server, Message Processors, Routers, Qpid servers, or Postgres servers, then see Resetting Edge Passwords for the procedure to update those components to use the new password.