
Ensure that authentication is enabled for Cassandra databases

Details

Authentication is pluggable in Cassandra and is configured using the authenticator setting in cassandra.yaml. Cassandra ships with two options included in the default distribution, AllowAllAuthenticator and PasswordAuthenticator. The default, AllowAllAuthenticator, performs no authentication checks and therefore requires no credentials. It is used to disable authentication completely. The second option, PasswordAuthenticator, stores encrypted credentials in a system table. This can be used to enable simple username/password authentication.

Rationale:

Authentication is a necessary condition of Cassandra’s permissions subsystem, so if authentication is disabled then so are permissions. Failure to authenticate clients, users, and/or servers can allow unauthorized access to the Cassandra database and can prevent tracing actions back to their sources. The authentication mechanism should be implemented before anyone accesses the Cassandra server.

Solution

To enable the authentication mechanism:

Stop the Cassandra database.
Edit cassandra.yaml and add or change the authenticator entry so that it reads: authenticator: PasswordAuthenticator
Start the Cassandra database.
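The following shell script is an added example, not part of the CIS benchmark text above. It covers both the description of the authenticator setting and the three-step remediation: it reads the effective authenticator value from a cassandra.yaml (skipping commented-out lines), reports pass/fail against this control, and rewrites or appends the entry to PasswordAuthenticator. The config content is constructed inline in a temporary file; the real path (for example /etc/cassandra/cassandra.yaml) and the stop/start commands are installation-specific and are left to the operator.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): audit and remediate the
# `authenticator` setting in cassandra.yaml. The benchmark only says to edit
# the file between a stop and a start of the node; the functions below do the
# edit part and check the result on disk.

# Print the effective value of `authenticator:` in the given YAML file.
# Commented-out lines are ignored; the last uncommented match wins.
# Prints nothing if the key is absent (Cassandra then uses its default).
cassandra_authenticator() {
    sed -n 's/^[[:space:]]*authenticator:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1
}

# Exit status 0 if the file satisfies the control, 1 otherwise.
audit_authenticator() {
    [ "$(cassandra_authenticator "$1")" = "PasswordAuthenticator" ]
}

# Remediate: replace an existing `authenticator:` line in place (keeping a
# .bak copy), or append one if the key is missing entirely.
set_password_authenticator() {
    if grep -q '^[[:space:]]*authenticator:' "$1"; then
        sed -i.bak 's/^\([[:space:]]*authenticator:\).*/\1 PasswordAuthenticator/' "$1"
    else
        printf 'authenticator: PasswordAuthenticator\n' >> "$1"
    fi
}

# Constructed sample config showing the shipped default (fails the control).
SAMPLE_YAML="$(mktemp)"
cat > "$SAMPLE_YAML" <<'EOF'
cluster_name: 'Test Cluster'
# authenticator: PasswordAuthenticator
authenticator: AllowAllAuthenticator
authorizer: AllowAllAuthorizer
EOF

if audit_authenticator "$SAMPLE_YAML"; then
    echo "PASS: authenticator is $(cassandra_authenticator "$SAMPLE_YAML")"
else
    echo "FAIL: authenticator is '$(cassandra_authenticator "$SAMPLE_YAML")' (expected PasswordAuthenticator)"
fi

set_password_authenticator "$SAMPLE_YAML"
audit_authenticator "$SAMPLE_YAML" && echo "PASS after remediation: $(cassandra_authenticator "$SAMPLE_YAML")"

rm -f "$SAMPLE_YAML" "$SAMPLE_YAML.bak"
```

The audit only inspects the file on disk; a node that was started before the edit is still running with the old value, which is why the benchmark brackets the change with a stop and a start. Treat a missing key the same as a failure, since the default is AllowAllAuthenticator.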

Default Value:
authenticator: AllowAllAuthenticator

References:
http://cassandra.apache.org/doc/latest/getting_started/configuring.html
http://cassandra.apache.org/doc/latest/operating/security.html

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: Unix.

Updated on July 16, 2022