23

How does one create the first user in a Cassandra database?

I tried:

CREATE USER username WITH PASSWORD "";

and it says:

Bad Request: Only superusers are allowed to perform CREATE USER queries

But I have never created a user before this attempt, so how do you create the first user in a Cassandra database?

This seems a little strange because it's like a chicken and egg problem, but people use Cassandra so I am sure there must be a solution somewhere.

Aaron
Charlie Parker

4 Answers

35

Once you have enabled Authentication and Authorization, you can log in (to your local Cassandra instance) as the default Cassandra admin user like this:

./cqlsh localhost -u cassandra -p cassandra

If you are running Cassandra on a Windows Server, I believe you need to invoke it with Python:

python cqlsh localhost -u cassandra -p cassandra

Once you get in, your first task should be to create another super user account.

CREATE USER dba WITH PASSWORD 'bacon' SUPERUSER;

Next, it is a really good idea to set the current Cassandra super user's password to something else...preferably something long and incomprehensible. With your new super user, you shouldn't need the default Cassandra account again.

ALTER USER cassandra WITH PASSWORD 'dfsso67347mething54747long67a7ndincom4574prehensi562ble';

For more information, check out this DataStax article: A Quick Tour of Internal Authentication and Authorization Security in DataStax Enterprise and Apache Cassandra

Aaron
  • 1
    why is localhost argument necessary for logging in? I've never had to put it in before – Charlie Parker Mar 06 '14 at 15:44
  • 5
    Actually, it isn't. I just included it in case you wanted to connect to a remote Cassandra server, then you'd know where to specify that. But doing `./cqlsh -u cassandra -p cassandra` should work just fine. – Aaron Mar 06 '14 at 15:48
  • 1
    When you say enable Authentication and Authorization, what do you mean explicitly? Currently what I do is change authenticator: PasswordAuthenticator and authorizer: AllowAllAuthorizer? – Charlie Parker Mar 06 '14 at 15:55
  • 2
    @Pinocchio "Currently what I do is change authenticator: PasswordAuthenticator and authorizer: AllowAllAuthorizer?"...yes, that is what I meant. – Aaron Mar 06 '14 at 16:01
  • Microsoft Azure instance didn't allow login with cassandra/cassandra... I needed to edit the yaml file and reset the password – patrick Jul 13 '17 at 20:08
7

Change

authenticator: AllowAllAuthenticator 

To

authenticator: PasswordAuthenticator 

in the cassandra.yaml configuration file and restart Cassandra.

This will create a superuser cassandra for you with the restart. Make sure you have Python27, thrift-0.91, Cassandra (DataStax Community Edition 2.0.9), etc. installed. Now when you log in to Cassandra, it will let you enter as superuser. You can now create a new superuser and change the existing superuser's password as well.

python cqlsh localhost -u cassandra -p cassandra 
Connected to Test Cluster at localhost:9160. 
[cqlsh 4.1.1 | Cassandra 2.0.9 | CQL spec 3.1.1 | Thrift protocol 19.39.0]

Use HELP for help.

cqlsh> create user abc with password 'xyz' superuser; 
cqlsh> alter user cassandra with password 'gaurav'; 
cqlsh> exit
Prasad Khode
user3183457
  • 1
    This answer would be easier to read if you break up this large paragraph a bit. Also, check the rendered output of your answer before posting. One of your line breaks in your input text isn't in your output (add two spaces to the previous line or add a blank line between them). – skrrgwasme Sep 10 '14 at 20:38
  • Thanks, your answer reminded me to restart Cassandra :p – Nassim Dec 03 '16 at 20:29
3

To start to use authentication, the default superuser username/password pair is cassandra/cassandra. This should fix the chicken and egg problem.

Source: http://www.datastax.com/docs/datastax_enterprise3.0/security/native_authentication

Blue Ice
  • 2
    sure, but how do I even log in as any user? – Charlie Parker Mar 06 '14 at 05:31
  • 1
    You use command line arguments to the python call that starts cqlsh like so: "C:\Program Files\DataStax Community\python\python.exe" "C:\Program Files\DataStax Community\apache-cassandra\bin\cqlsh" localhost -u cassandra -p cassandra – Dan Csharpster Sep 20 '15 at 16:27
3

Re: Once you have enabled Authentication and Authorization (from the Mar 6 at 14:41 comment by BryceAtNetwork23)

First, is changing authorization required in order to set up authentication? I'm guessing not.

Second, setting up authorization is not exactly trivial if you have data center style replication set up. I set up authorization using the following steps:

  • In conf/cassandra.yaml, changed authenticator from AllowAllAuthenticator to PasswordAuthenticator for all nodes
  • Rebooted all nodes
  • Changed the default 'cassandra' password as described above and added other superusers
  • Altered the system_auth keyspace to be redundant (as per instructions in the cassandra.yaml file) by running: "ALTER KEYSPACE system_auth WITH REPLICATION = {'class': 'NetworkTopologyStrategy', 'MY_DATACENTER_NAME':N }"
  • I set N to the number of nodes in my datacenter (i.e., fully redundant)
  • Ran bin/nodetool repair on each node serially

Does this sound reasonable to people who know what they're doing?

Ben Slade
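As an added example (not code from any of the answers or from the Cassandra project), the script below checks the cassandra.yaml of each node for the `authenticator` and `authorizer` settings discussed in the answers and reports nodes still running an AllowAll class. The node names and YAML fragments are constructed samples, and the script assumes a key missing from the file falls back to the AllowAll default.

```python
import re

# Constructed sample cassandra.yaml fragments, one per node (not from a real cluster).
NODE_CONFIGS = {
    "node1": "authenticator: PasswordAuthenticator\nauthorizer: CassandraAuthorizer\n",
    "node2": "# authenticator: PasswordAuthenticator\n"
             "authenticator: AllowAllAuthenticator\nauthorizer: AllowAllAuthorizer\n",
    "node3": "authenticator: org.apache.cassandra.auth.PasswordAuthenticator  # on\n",
}

# Only top-level, uncommented keys count; the regex is anchored at column 0.
KEY_RE = re.compile(r"^(authenticator|authorizer)\s*:\s*([^#\s]+)")


def auth_settings(yaml_text):
    """Return the effective authenticator/authorizer class names for one node."""
    # Assumption: a key missing from the file means the AllowAll default applies.
    settings = {"authenticator": "AllowAllAuthenticator",
                "authorizer": "AllowAllAuthorizer"}
    for line in yaml_text.splitlines():
        match = KEY_RE.match(line)
        if match:
            value = match.group(2).strip("'\"")
            settings[match.group(1)] = value.rsplit(".", 1)[-1]  # drop package prefix
    return settings


def audit(node_configs):
    """List (node, setting, problem) for every node still on an AllowAll class."""
    findings = []
    for node in sorted(node_configs):
        settings = auth_settings(node_configs[node])
        if settings["authenticator"] == "AllowAllAuthenticator":
            findings.append((node, "authenticator", "clients connect without a login"))
        if settings["authorizer"] == "AllowAllAuthorizer":
            findings.append((node, "authorizer", "permissions are not enforced"))
    return findings


if __name__ == "__main__":
    for node, setting, problem in audit(NODE_CONFIGS):
        print(f"{node}: {setting} -> {problem}")
```

A node that reports only the `authorizer` finding requires a login but still grants every logged-in user full access, which is the combination described in the comments under the first answer.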