Cassandra Authentication

Shardul | Apr 4, 2026

Before you put Cassandra into any real environment, it’s worth flipping on authentication: out of the box it trusts everything, which is great for testing but a bad idea for anything else.

Enable Security Features

In this section, we will enable user login authentication. You can also configure other security settings based on your project’s needs.

  1. Make a backup of the Cassandra configuration file cassandra.yaml:
sudo cp /etc/cassandra/conf/cassandra.yaml /etc/cassandra/conf/cassandra.yaml.backup
  2. Open cassandra.yaml in your preferred text editor:

Note:
The location of the cassandra.yaml file may differ slightly between distros.

sudo vim /etc/cassandra/conf/cassandra.yaml
  3. Match the following variables in the file to the values shown in the example file. If any of them are commented out, uncomment them. Set the rest of the properties in cassandra.yaml based on your project’s particular requirements and how you plan to use Cassandra. The default configuration should work well for development, where you make no changes and do not need authentication.
. . .

authenticator: org.apache.cassandra.auth.PasswordAuthenticator
authorizer: org.apache.cassandra.auth.CassandraAuthorizer
role_manager: CassandraRoleManager
roles_validity_in_ms: 0
permissions_validity_in_ms: 0

. . .

More information about this file can be found in the Cassandra Configuration File guide in Apache’s official documentation.

  4. After editing the configuration file, restart Cassandra:
sudo systemctl restart cassandra.service
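
To confirm that an edited cassandra.yaml really carries the three class settings shown above (authenticator, authorizer, role_manager), a check like the following can be run against the file, for example before the restart. It is an added example, not part of the original article or of Cassandra's own tooling; the function names yaml_value and check_cassandra_auth and the sample files are made up for illustration.

```sh
#!/bin/sh
# Added example: audit the auth keys of a cassandra.yaml against the values
# this page sets. Only the flat "key: value" form shown above is handled.

# Print the active (uncommented, top-level) value of key $2 in file $1.
yaml_value() {
    sed -n "s/^$2:[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Return 0 when all three settings match, 1 otherwise; one finding per line.
check_cassandra_auth() {
    file=$1
    rc=0
    for pair in \
        "authenticator:PasswordAuthenticator" \
        "authorizer:CassandraAuthorizer" \
        "role_manager:CassandraRoleManager"
    do
        key=${pair%%:*}
        want=${pair#*:}
        got=$(yaml_value "$file" "$key")
        # Compare the class name only, so the short and the fully
        # qualified spelling are both accepted.
        case ${got##*.} in
            "$want") echo "OK    $key: $got" ;;
            "")      echo "FAIL  $key is missing or commented out"; rc=1 ;;
            *)       echo "FAIL  $key: $got (expected $want)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed samples: a file left on permissive settings, and one edited
# as in the step above.
tmp=$(mktemp -d)
printf '%s\n' \
    'authenticator: AllowAllAuthenticator' \
    '# authorizer: org.apache.cassandra.auth.CassandraAuthorizer' \
    > "$tmp/default.yaml"
printf '%s\n' \
    'authenticator: org.apache.cassandra.auth.PasswordAuthenticator' \
    'authorizer: org.apache.cassandra.auth.CassandraAuthorizer' \
    'role_manager: CassandraRoleManager' \
    > "$tmp/hardened.yaml"

check_cassandra_auth "$tmp/default.yaml"  || echo "=> default.yaml: fix before restart"
check_cassandra_auth "$tmp/hardened.yaml" && echo "=> hardened.yaml: settings match"
```

Against a real installation, point the function at the file edited above: check_cassandra_auth /etc/cassandra/conf/cassandra.yaml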

Add An Administration Superuser

  1. Open the Cassandra command terminal by typing cqlsh. Log in with the credentials shown below for the default user cassandra:
cqlsh -u cassandra -p cassandra
  2. Create a new superuser. Replace the brackets as well as the content inside with the applicable information:
CREATE ROLE [new_superuser] WITH PASSWORD = '[secure_password]' AND SUPERUSER = true AND LOGIN = true;
  3. Log out by typing exit.
  4. Log back in with the new superuser account, replacing the username and password with your new credentials:
cqlsh -u [new_superuser] -p [secure_password]
  5. Remove the elevated permissions from the default cassandra account:
ALTER ROLE cassandra WITH PASSWORD = 'cassandra' AND SUPERUSER = false AND LOGIN = false;
REVOKE ALL PERMISSIONS ON ALL KEYSPACES FROM cassandra;
  6. Grant all permissions to the new superuser account. Replace the brackets and contents inside with your superuser account username:
GRANT ALL PERMISSIONS ON ALL KEYSPACES TO '[new_superuser]';
  7. Log out by typing exit.