Enable Cassandra PasswordAuthenticator at up time

Question

I have a Cassandra cluster (Datastax open source) and currently there is no authentication configured (ie, it is using AllowAllAuthenticator), and I want to use PasswordAuthenticator. The official document says that I should follow these steps:

1. enable PasswordAuthenticator in cassandra.yaml,

2. restart the Cassandra node, which will create the system_auth keyspace,

3. change the system_auth replication factor,

4. create new user and password

However, this is a big problem to me because the cluster is used in production so we cannot have any downtime. Between step 2 and 4 no user has been configured yet, so even if the client supplies username and password, the request would still be rejected, which is not ideal.

I looked into the Datastax Enterprise doc , and it has a TransitionalAuthenticator class, which would create the system_auth keyspace but without rejecting requests. I wonder if this class can be ported to the open source version? Or if there are other ways around this problem? Thanks

Update This is the Cassandra version I'm using:

cqlsh 4.1.1 | Cassandra 2.0.9 | CQL spec 3.1.1 | Thrift protocol 19.39.0

Answer 1

You should be able to execute steps 2-4 with just one node and have zero downtime, assuming proper client configuration, replication, and cluster capacity. Then, it's just a rolling restart of the remaining nodes.

Clients should be setup with credentials ahead of time, and they will start using them as nodes as nodes with authorizers come online (this behavior could depend on driver -- try it out first).

You might be able to manually generate the schema and data for steps 3-4 before engaging the CassandraAuthenticator, but that shouldn't be necessary.

What are your concerns about downtime?