What are the steps and precautions required before dropping default cassandra user?

Question

question

yashwanth.kondeti@verizon.com asked Oct 21, '21 Erick Ramirez answered Nov 3, '21

What are the steps and precautions required before dropping default cassandra user?

Hi Community users,

I have a small questions regarding setting up credentials in a new cluster. We have just created a new DSE cluster with version 6.8. As always, the cluster has come with cassandra as the superuser. However, for internal audit compliance purposes, we want to create and designate a new user as superuser and drop the default cassandra user. I have created the superuser (db_admin) and assigned it some permissions. But before dropping the cassandra user, I wanted to ensure that db_admin user has all the privileges necessary to handle all operations in the cluster and that i will not face any issues after dropping the cassandra user.

Here are the steps i have done so far:

1. Login as cassandra superuser

2. Create a new superuser account

cassandra@cqlsh> create role db_admin with password='<password>' and superuser=true and login=true;

3. Grant all permissions on all keyspaces to the new superuser.

cassandra@cqlsh> grant all permissions on all keyspaces to db_admin;

4. Login as the new superuser and validate the permissions for db_admin & cassandra users:

db_admin@cqlsh> list roles

 role                | super | login | options
---------------------+-------+-------+---------
 cassandra           | True  | True  | {}
 dse_backup_operator | False | False | {}
 db_admin            | True  | True  | {}

db_admin@cqlsh> list all permissions of db_admin;


 role     | username | resource        | permission | granted | restricted | grantable
----------+----------+-----------------+------------+---------+------------+-----------
 db_admin | db_admin | <all keyspaces> | CREATE     | True    | False      | False
 db_admin | db_admin | <all keyspaces> | ALTER      | True    | False      | False
 db_admin | db_admin | <all keyspaces> | DROP       | True    | False      | False
 db_admin | db_admin | <all keyspaces> | SELECT     | True    | False      | False
 db_admin | db_admin | <all keyspaces> | AUTHORIZE  | True    | False      | False
 db_admin | db_admin | <all keyspaces> | DESCRIBE   | True    | False      | False
 db_admin | db_admin | <all keyspaces> | UPDATE     | True    | False      | False
 db_admin | db_admin | <all keyspaces> | TRUNCATE   | True    | False      | False
 db_admin | db_admin | <all keyspaces> | BACKUP     | True    | False      | False

From the output above, can I confirm that the superuser db_admin has all the privileges that cassandra user has and proceed with dropping the cassandra user? My concern is that I don't want to be in a situation where i am deleting the cassandra user and there is no other user with the necessarily privileges to maintain the cluster going forward.

Thank you in advance.

Yashwanth.

authentication

10 |1000

Attachments: Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

DataStax Enterprise is powered by the best distribution of Apache Cassandra ™

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries.

Privacy Policy Terms of Use

Answer 1 · 2021-11-03T15:32:51Z

starlord answered Nov 3, '21

Hi Yashwanth,

Make sure that your dse_security and system_auth keyspaces have a replication factor of 3 (assuming 3 or more nodes in the cluster) and repair the keyspaces on all nodes.

Once that is complete, you can be sure your new superuser data is sufficiently replicated and you can drop the cassandra user.

Share

10 |1000

Attachments: Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

Answer 2 · 2021-11-03T23:36:47Z

Erick Ramirez answered Nov 3, '21 biendv commented Sep 8, '22

To add to @starlord 's response, there aren't any real considerations as long as you follow the documented procedures for adding a new superuser and configuring the security keyspaces.

Any superuser has full permissions to perform any operation on the cluster. Cheers!

Share

10 |1000

Attachments: Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

question