Databases are critical infrastructure for modern applications. A mistake can therefore have immense repercussions, especially on a production database. One of the best ways to reduce the risk is to assign specific permissions and roles to the users associated with a database.
This helps prevent regular users from performing administrative tasks or accessing restricted features of the database. It also reduces the risk in the case of a compromised account.
This tutorial walks you through creating and setting up user accounts in your Apache Cassandra cluster.
Create User – Apache Cassandra <= 2.2
In Apache Cassandra 2.2 and below, we use the CREATE USER statement. This statement creates a new database user without superuser privileges.
The query syntax is as shown:
CREATE USER [IF NOT EXISTS] user_name
WITH PASSWORD 'password'
[SUPERUSER | NOSUPERUSER]
NOTE: Only a user with superuser privileges can create other users within the cluster.
The following example shows how to create a regular user with a specific username and password.
Enclose the username and password in single quotes when using special characters.
Once the user is created, you can log in to the server using the specified username and password.
The password specified during account creation is used for internal authentication, as defined in the cluster configuration. If the cluster’s internal authentication has not been configured, you can skip the password definition during account creation as:
By default, Cassandra creates a non-superuser account when neither option is specified. However, you can explicitly specify that the user is a non-superuser, as shown in the following example:
This creates a regular user in the cluster.
To create a user with superuser privileges, run the following command:
NOTE: The username of an account must be unique. Cassandra returns an error if you specify a username that already exists in the cluster:
InvalidRequest: Error from server: code=2200 [Invalid query] message="root already exists"
If you are not sure whether an account already exists on the server, you can use the IF NOT EXISTS option.
Cassandra then checks whether the user already exists in the cluster. If it does, Cassandra skips the user creation. Otherwise, it creates the user with the specified credentials.
Create User – Apache Cassandra >= 2.2
The CREATE USER command is deprecated in Apache Cassandra version 2.2 and above. Although the command still works in recent Cassandra versions for backward compatibility, using the CREATE ROLE command is recommended to provision new user accounts.
The command syntax is as shown:
CREATE ROLE [IF NOT EXISTS] role_name
[WITH SUPERUSER = true | false
| LOGIN = true | false
| PASSWORD = 'password'
| OPTIONS = option_map]
For example, to create a login account with the CREATE ROLE statement, we can run the following query:
Setting a password and setting LOGIN to true makes Cassandra create the role as a regular user.
Once created, you can then log in to the account using the LOGIN command:
Cassandra prompts you for a password. Provide the password for the account to log in.
admin@cqlsh>
Once logged in, the prompt changes to reflect the currently logged-in user.
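The statements from both sections combined into one cqlsh session, as an added example that is not part of the original tutorial. The role names and password placeholders are constructed, and the session assumes you are connected as an existing superuser. In real statements, the options listed in the CREATE ROLE syntax are joined with AND.

```cql
-- Added example: names and password placeholders below are constructed.
-- Passwords are only enforced when cassandra.yaml sets
--   authenticator: PasswordAuthenticator
-- (the default AllowAllAuthenticator accepts any login).

-- Cassandra 2.2 and above: a regular login account without superuser rights.
-- IF NOT EXISTS makes the statement safe to re-run in provisioning scripts.
CREATE ROLE IF NOT EXISTS app_reader
  WITH PASSWORD = '<replace-with-strong-password>'
  AND LOGIN = true
  AND SUPERUSER = false;

-- Cassandra 2.2 and above: a separate administrative account, so that
-- application credentials never carry superuser rights.
CREATE ROLE IF NOT EXISTS ops_admin
  WITH PASSWORD = '<replace-with-strong-password>'
  AND LOGIN = true
  AND SUPERUSER = true;

-- Legacy form: the equivalent regular account using the deprecated
-- CREATE USER statement.
CREATE USER IF NOT EXISTS legacy_reader
  WITH PASSWORD '<replace-with-strong-password>' NOSUPERUSER;

-- Verify the result: check the super and login columns for each account.
LIST ROLES;

-- cqlsh command (not CQL): switch to the new account. cqlsh prompts for the
-- password, and the prompt then changes to app_reader@cqlsh>.
LOGIN app_reader
```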
Conclusion
In this article, you learned two methods of creating new users within your Cassandra cluster. You also learned how to log in as a specific user after creation.