
Enable Authorization¶

Authorization is the process by which users are granted permissions, which entitle them to access or change data on specific keyspaces, tables, or an entire datacenter. Authorization for Scylla is done internally within Scylla and is not done with a third party such as LDAP or OAuth. Granting permissions to users requires the use of a role such as Database Administrator and requires a user who has been authenticated.

Authorization is enabled using the authorizer setting in scylla.yaml. Scylla has two authorizers available:

  • AllowAllAuthorizer (default setting) - which performs no checking and so effectively grants all permissions to all roles. This must be used if AllowAllAuthenticator is the configured authenticator.

  • CassandraAuthorizer - which implements permission management functionality and stores its data in Scylla system tables.

Note

Once Authorization is enabled, all users must:

  • Have roles and permissions (set by a DBA with superuser credentials) configured.

  • Use a user/password to connect to Scylla.

Enabling Authorization¶

Permissions are modeled as a whitelist, and as such, a given role has no access to any database resource unless that access has been explicitly granted. This means that once authorization is enabled on a node, all requests will be rejected until the required permissions have been granted. For this reason, it is strongly recommended to perform the initial setup on a node that is not processing client requests.

The following assumes that Authentication has already been enabled via the process outlined in Enable Authentication. Perform these steps to enable internal authorization across the cluster:

  1. Configure the authorizer as CassandraAuthorizer.

  2. Set your credentials as the superuser.

  3. Log in to cqlsh as the superuser and set roles and privileges for your users.

  4. Confirm that users can connect with their new credentials.

  5. Remove the Cassandra default user and password.

Configure the Authorizer¶

It is highly recommended to perform this action on a node that is not processing client requests.

Procedure

  1. On the selected node, edit scylla.yaml to change the authorizer option to CassandraAuthorizer:

authorizer: CassandraAuthorizer
  2. Restart the node. This applies the new authorizer setting.

sudo systemctl restart scylla-server

For a Docker deployment, restart the Scylla process inside the container (without restarting the some-scylla container itself):

docker exec -it some-scylla supervisorctl restart scylla
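The step above changes a single line, but the guide also states that AllowAllAuthorizer must be used whenever AllowAllAuthenticator is the configured authenticator, and that AllowAllAuthorizer performs no checking at all. The following added Python script (not ScyllaDB's own code) reads the authenticator/authorizer pair out of scylla.yaml text, reports those two conditions, and sets authorizer: CassandraAuthorizer idempotently. It assumes the flat key: value layout this guide shows, applies Scylla's defaults when a key is absent or commented out, and runs against a constructed sample instead of a real file; the function names are my own.

```python
"""Pre-flight check for the authentication/authorization pair in scylla.yaml.

Added example (not ScyllaDB code). It only looks at the flat `authenticator:`
and `authorizer:` lines this guide refers to and applies Scylla's defaults
(AllowAllAuthenticator / AllowAllAuthorizer) when a key is absent or commented out.
"""
import re
from pathlib import Path

# Constructed sample: authentication already enabled, authorization still at its default.
SAMPLE_YAML = """\
# authenticator: AllowAllAuthenticator
authenticator: PasswordAuthenticator

# The default authorizer performs no permission checking.
authorizer: AllowAllAuthorizer
"""

DEFAULTS = {"authenticator": "AllowAllAuthenticator", "authorizer": "AllowAllAuthorizer"}
_KEY_RE = re.compile(r"^\s*(authenticator|authorizer)\s*:\s*([A-Za-z]+)")


def read_auth_settings(text):
    """Return the effective authenticator/authorizer names from scylla.yaml text."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        match = _KEY_RE.match(line)  # commented-out lines start with '#' and never match
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def check_auth_settings(settings):
    """Return findings for the pair; an empty list means authorization is consistent and enforced."""
    authn, authz = settings["authenticator"], settings["authorizer"]
    findings = []
    if authn == "AllowAllAuthenticator" and authz == "CassandraAuthorizer":
        findings.append("CassandraAuthorizer with AllowAllAuthenticator: the guide requires "
                        "AllowAllAuthorizer when AllowAllAuthenticator is configured")
    elif authz == "AllowAllAuthorizer":
        findings.append("authorization not enforced: AllowAllAuthorizer grants all "
                        "permissions to every role")
    return findings


def set_authorizer(text, value="CassandraAuthorizer"):
    """Return the text with `authorizer:` set to value, replacing the active line or appending one.

    Calling it twice yields the same text, so it is safe to re-run from a config script.
    """
    out, replaced = [], False
    for line in text.splitlines():
        match = _KEY_RE.match(line)
        if match and match.group(1) == "authorizer":
            out.append(f"authorizer: {value}")
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(f"authorizer: {value}")
    return "\n".join(out) + "\n"


def check_file(path):
    """Wrapper for a real scylla.yaml path (hypothetical usage; the sample text is used below)."""
    return check_auth_settings(read_auth_settings(Path(path).read_text()))


if __name__ == "__main__":
    before = read_auth_settings(SAMPLE_YAML)
    print("before:", before, check_auth_settings(before))
    after = read_auth_settings(set_authorizer(SAMPLE_YAML))
    print("after: ", after, check_auth_settings(after))
```

Run as a script it reports the sample as "authorization not enforced" before the change and clean afterwards; point check_file at a copy of scylla.yaml to run the same check on a node's configuration before the restart.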

Set a Superuser¶

By default, the superuser credentials are username cassandra, password cassandra. This is not secure. It is highly advised to change this to a unique username and password combination.

Procedure

  1. Start cqlsh with the default superuser settings.

cqlsh -u cassandra -p cassandra

Note

The cassandra user is special. When you log in with this username, replies are required to use the EACH_QUORUM consistency level (CL), whereas your own user requires only the LOCAL_ONE consistency level. This can be problematic in certain situations, such as adding or removing DCs, where the cassandra user won't be able to log in. Creating a superuser role and assigning yourself to the role is definitely the best way forward. Refer to RBAC for an example of how to create roles and refer to Grant Authorization for information on using the grant clause.

  2. Create a superuser role, which has all privileges:

CREATE ROLE <role-name> WITH SUPERUSER = true;
CREATE ROLE DBA WITH SUPERUSER = true;

Note

This role already has complete read and write permissions on all tables and keyspaces and does not need to be granted anything else. The SUPERUSER option is disabled by default; enable it only for the administrator role.

  3. Assign that role to yourself and grant login privileges:

CREATE ROLE <user> WITH PASSWORD = 'password' AND SUPERUSER = true AND LOGIN = true;

Warning

It is highly recommended to set a password when creating a role with login privileges. If you are using password authentication and you create a role with LOGIN privileges and a blank PASSWORD or no password, the user assigned to this role will not be able to login to the database.

For example (John is the DBA)

CREATE ROLE john WITH PASSWORD = '39fksah!' AND LOGIN = true;
GRANT DBA TO john;
  4. Exit cqlsh and log in again with the new credentials:

cqlsh> exit
cqlsh -u new-username -p new-password

For example:

cqlsh> exit
cqlsh -u john -p 39fksah!

Note

To guarantee new authorization values (like a password) are visible across the cluster, make sure to run a repair on table system_auth after updating or adding users.

Create Additional Roles¶

In order for the users on your system to be able to login and perform actions, you as the DBA will have to create roles and privileges.

Before you begin, validate that you have set the authenticator as described in Authentication, and that you have the superuser credentials for your system.

  1. Open a new cqlsh session using the credentials of a superuser role. For example:

cqlsh -u dba -p 39fksah!
  2. Configure the appropriate access privileges for clients using GRANT PERMISSION statements. For additional examples, consult the RBAC example.

In this example, you are creating a user (db_user) who can log in with the password password. You are also granting db_user the role named client, which has SELECT permission on the ks.t1 table.

CREATE ROLE db_user WITH PASSWORD = 'password' AND LOGIN = true;
CREATE ROLE client;
GRANT SELECT ON ks.t1 TO client;
GRANT client TO db_user;
  3. Continue in this manner to grant permissions for all users.
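To make the whitelist semantics described under Enabling Authorization concrete, and to show what the db_user / client example above actually permits, the following added Python model (not ScyllaDB's authorizer) replays the guide's CREATE ROLE and GRANT statements and answers "may this role do this on that resource?" the way the guide describes: nothing is allowed unless granted, permissions flow through GRANT role TO role, a superuser bypasses the check, and a grant on a keyspace (or ALL KEYSPACES) covers the tables under it. The resource strings ("table:ks.t1", "keyspace:ks", "all_keyspaces") and the class and method names are this model's own notation; the role and table names are the guide's example values.

```python
"""Whitelist permission model with role inheritance, as this guide describes it.

Added example, not ScyllaDB's authorizer. It models the rules stated in the guide:
no access unless a permission was granted, permissions inherited through
GRANT <role> TO <role>, superuser bypass, and the CQL resource hierarchy
(ALL KEYSPACES covers every keyspace, a keyspace covers its tables).
Resource strings ("all_keyspaces", "keyspace:ks", "table:ks.t1") are this
model's own notation; role names are the guide's example values.
"""
from collections import defaultdict


class Authorizer:
    def __init__(self):
        self.superusers = set()
        self.granted_roles = defaultdict(set)   # role -> roles granted to it
        self.grants = defaultdict(set)          # role -> {(PERMISSION, resource)}

    # Statements used in this guide
    def create_role(self, name, superuser=False):
        self.granted_roles.setdefault(name, set())
        if superuser:
            self.superusers.add(name)

    def grant_role(self, role, to):                           # GRANT role TO to
        self.granted_roles[to].add(role)

    def grant_permission(self, permission, resource, to):     # GRANT permission ON resource TO role
        self.grants[to].add((permission.upper(), resource))

    def revoke_permission(self, permission, resource, frm):   # REVOKE permission ON resource FROM role
        self.grants[frm].discard((permission.upper(), resource))

    # Evaluation
    def effective_roles(self, role):
        """The role itself plus every role reachable through GRANT ... TO, transitively."""
        seen, stack = set(), [role]
        while stack:
            current = stack.pop()
            if current not in seen:
                seen.add(current)
                stack.extend(self.granted_roles.get(current, ()))
        return seen

    @staticmethod
    def resource_chain(resource):
        """A table inherits grants on its keyspace, which inherits grants on ALL KEYSPACES."""
        chain = [resource]
        if resource.startswith("table:"):
            keyspace = resource[len("table:"):].split(".", 1)[0]
            chain.append(f"keyspace:{keyspace}")
        if resource != "all_keyspaces":
            chain.append("all_keyspaces")
        return chain

    def is_authorized(self, role, permission, resource):
        """Whitelist decision: True only for a superuser or a matching grant somewhere on the chain."""
        roles = self.effective_roles(role)
        if roles & self.superusers:
            return True
        wanted = {(permission.upper(), r) for r in self.resource_chain(resource)}
        return any(wanted & self.grants.get(r, set()) for r in roles)


def build_from_guide():
    """Replay the CREATE ROLE / GRANT statements this guide issues as the DBA."""
    az = Authorizer()
    az.create_role("DBA", superuser=True)
    az.create_role("john")                                    # LOGIN = true in the guide
    az.grant_role("DBA", to="john")
    az.create_role("db_user")
    az.create_role("client")
    az.grant_permission("SELECT", "table:ks.t1", to="client")
    az.grant_role("client", to="db_user")
    return az


if __name__ == "__main__":
    az = build_from_guide()
    for who, perm, res in [("db_user", "SELECT", "table:ks.t1"),
                           ("db_user", "MODIFY", "table:ks.t1"),
                           ("john", "MODIFY", "table:other.t")]:
        print(who, perm, res, "->", az.is_authorized(who, perm, res))
```

The model shows why the guide warns that all requests are rejected once authorization is enabled: a freshly created login role such as db_user can do nothing until a grant reaches it, and a REVOKE on the client role removes db_user's access immediately because db_user holds the permission only through that role.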

Clients Resume Access with New Permissions¶

  1. Restart Scylla. As each node restarts and clients reconnect, the enforcement of the granted permissions will begin.

sudo systemctl restart scylla-server

For a Docker deployment, restart the Scylla process inside the container (without restarting the some-scylla container itself):

docker exec -it some-scylla supervisorctl restart scylla

The following should be noted:

  • Clients are not able to connect until you set up roles as users with passwords and assign privileges using GRANT PERMISSION statements (as the superuser). Refer to the example in Role Based Access Control (RBAC) for details.

  • When initiating a connection, clients will need to use the user name and password that you assign.

  • Confirm all clients can connect before removing the Cassandra default password and user.

  2. To remove permissions from any role or user, see REVOKE PERMISSION.

Remove Cassandra Default Password and User¶

To prevent others from logging in with the old default superuser credentials, you can and should delete the default role:

DROP ROLE [ IF EXISTS ] 'old-username';

For example

DROP ROLE IF EXISTS 'cassandra';

Additional References¶

  • Role Based Access Control (RBAC)

  • Authorization - CQL Reference for authorizing users

  • Authentication - Enable Authentication

© 2025, ScyllaDB. All rights reserved. | Terms of Service | Privacy Policy | ScyllaDB, and ScyllaDB Cloud, are registered trademarks of ScyllaDB, Inc.
Last updated on 08 May 2025.