Enable Cassandra authentication

By default, Cassandra installs without authentication enabled. That means anyone can access Cassandra. You can enable authentication after installing Edge, or as part of the installation process.

If you decide to enable authentication on Cassandra, it uses the following default credentials:

username = 'cassandra'
password = 'cassandra'

You can use this account, set a different password for this account, or create a new Cassandra user. Add, remove, and modify users by using the Cassandra CREATE/ALTER/DROP USER statements.

For more information, see Cassandra SQL shell commands.

Enable Cassandra authentication during installation

You can enable Cassandra authentication at install time. However, while you can enable authentication when you install Cassandra, you cannot change the default username and password. You have to perform that step manually after installation of Cassandra completes.

To enable Cassandra authentication at install time, include the CASS_AUTH property in the configuration file for all Cassandra nodes:

CASS_AUTH=y # The default value is n.

The following Edge components access Cassandra:

Management Server
Message Processors
Routers
Qpid servers
Postgres servers

Therefore, when you install these components, you must set the following properties in the configuration file to specify the Cassandra credentials:

CASS_USERNAME=cassandra
CASS_PASSWORD=cassandra

You can change the Cassandra credentials after installing Cassandra. However, if you have already installed the Management Server, Message Processors, Routers, Qpid servers, or Postgres servers, you must also update those components to use the new credentials.

To change the Cassandra credentials after installing Cassandra:

Log into any one Cassandra node using the cqlsh tool and the default credentials. You only have to change the password on one node and it will be broadcast to all Cassandra nodes in the ring:
```
/opt/apigee/apigee-cassandra/bin/cqlsh cassIP 9042 -u cassandra -p cassandra
```
Where:
1. cassIP is the IP address of the Cassandra node.
2. 9042 is the default Cassandra port.
3. The default user is cassandra.
4. The default password is cassandra. If you changed the password previously, use the current password. If the password contains any special characters, wrap it in single quotes.
Execute the following command at the cqlsh> prompt to update the password:
```
ALTER USER cassandra WITH PASSWORD 'NEW_PASSWORD';
```
Exit the cqlsh tool, as the following example shows:
```
exit
```
If you have not yet installed the Management Server, Message Processors, Routers, Qpid servers, or Postgres servers, set the following properties in the config file and then install those components:
```
CASS_USERNAME=cassandra
CASS_PASSWORD=NEW_PASSWORD
```
If you have already installed the Management Server, Message Processors, Routers, Qpid servers, or Postgres servers, then see Resetting Edge Passwords for the procedure to update those components to use the new password.

Enable Cassandra authentication post installation

To enable authentication after an installation:

Update all Edge components that connect to Cassandra with the Cassandra username and password.
Enable authentication on all Cassandra nodes, and set the Cassandra username and password on any one node. You only have to change the credentials on one Cassandra node and they will be broadcast to all Cassandra nodes in the ring.

Update Edge components that connect to Cassandra

Use the following procedure to update all Edge components that communicate with Cassandra with the new credentials. Note that you do this step before you actually update the Cassandra credentials:

On the Management Server node, run the following command:

/opt/apigee/apigee-service/bin/apigee-service edge-management-server
  store_cassandra_credentials -u cassandra_username -p cassandra_password

Optionally, you can pass a file to the command containing the new username and password:

apigee-service edge-management-server store_cassandra_credentials  -f configFile

Where the configFile contains the following:

CASS_USERNAME=cassandra_username # Default is cassandra
CASS_PASSWORD='cassandra_password' # Default is cassandra; wrap in single quotes if it includes special chars

This command automatically restarts the Management Server.

For each of the following services, repeat Step 1:
- All Message Processors
- All Routers
- All Qpid servers (edge-qpid-server)
- Postgres servers (edge-postgres-server)
When you repeat Step 1 for each service, replace edge-management-server in the command above with the appropriate service name. For example, when you execute the step for a Router service, use the following command:
```
/opt/apigee/apigee-service/bin/apigee-service edge-router
  store_cassandra_credentials -u cassandra -p cassandra
```

Enable authentication

Use the following procedure to enable Cassandra authentication and set the username and password:

Create a silent configuration file with the contents shown below:

# Specify IP address or DNS name of cassandra node
IP1=192.168.1.1
IP2=192.168.1.2
IP3=192.168.1.3
# Must resolve to IP address or DNS name of host
HOSTIP=$(hostname -i)
# Set to ‘y’ to enable Cassandra authentication.
CASS_AUTH=y # Possible values are ‘y/n’
# Cassandra username. If it does not exists, this user would be created as a SUPERUSER
CASS_USERNAME=cassandra # Default value is cassandra
# Cassandra Password. If CASS_USERNAME does not exist, create SUPERUSER with this as password
CASS_PASSWORD=cassandra # Default value is cassandra
# Space-separated IP/DNS names of the Cassandra hosts
CASS_HOSTS="$IP1:1,1 $IP2:1,1 $IP3:1,1"

# Username of an existing C* user. Only needed if you have disabled or change details of the default cassandra user(‘cassandra’)
CASS_EXISTING_USERNAME=cassandra  # The default username is cassandra
# Password of an existing C* user. Only needed if you have disabled or change password of the default cassandra user(‘cassandra’)
CASS_EXISTING_PASSWORD=cassandra  # The default password is cassandra
# Cassandra port
CASS_PORT=9042 # The default port is 9042.

Log in to the first Cassandra node and execute the following command:
```
apigee-service apigee-cassandra enable_cassandra_authentication -f CONFIG
```
Optionally, you can pass the properties as command arguments to the script, as shown in the following example:
```
CASS_AUTH=y HOSTIP=$(hostname -i) CASS_PORT=9042 CASS_EXISTING_USERNAME=cassandra CASS_EXISTING_PASSWORD=cassandra CASS_USERNAME=cassandra CASS_PASSWORD=cassandra  CASS_HOSTS="192.168.1.1:1,1 192.168.1.2:1,1 192.168.1.3:1,1" apigee-service apigee-cassandra enable_cassandra_authentication
```
Notes:
- For default Cassandra credentials, the command above enables Cassandra authentication and restarts Cassandra.
- For non-default credentials, the command also alters the replication factor, creates a superuser, and runs a repair on system_auth keyspace.
Repeat steps 1 and 2 on all Cassandra nodes.