If you're able to configure your clients so that they don't send requests to 1 node in the cluster you can enable PasswordAuthenticator & CassandraAuthorizer on that node only and use cqlsh to setup all your users & permissions. The rest of the cluster will continue to serve client requests as normal. Once you've done configuring, alter the RF on system_auth then run repair on the rest of the nodes (just for the system_auth ks). Finally, do a rolling restart to enable auth on the nodes that don't yet have it.
On 25 February 2015 at 22:03, <sean_r_dur...@homedepot.com> wrote: > Cassandra 1.2.19 > > > > We would like to turn on Cassandra’s internal security > (PasswordAuthenticator and CassandraAuthorizer) on the ring (away from > AllowAll). (Clients are already passing credentials in their connections.) > However, I know all nodes have to be switched to those before the basic > security objects (system_auth) are created. So, an outage would be required > to change all the nodes, let system_auth get created, alter system_auth for > replication strategy, create all the users/permissions, repair system_auth. > > > > For DataStax, there is a TransitionalAuthorizer that allows the > system_auth to get created, but doesn’t really require passwords. So, with > a double, rolling bounce, you can implement security with no downtime. > Anything like that for open source? Any other ways you have activated > security without downtime? > > > > > > > > Sean R. Durity > > > > > > ------------------------------ > > The information in this Internet Email is confidential and may be legally > privileged. It is intended solely for the addressee. Access to this Email > by anyone else is unauthorized. If you are not the intended recipient, any > disclosure, copying, distribution or any action taken or omitted to be > taken in reliance on it, is prohibited and may be unlawful. When addressed > to our clients any opinions or advice contained in this Email are subject > to the terms and conditions expressed in any applicable governing The Home > Depot terms of business or client engagement letter. The Home Depot > disclaims all responsibility and liability for the accuracy and content of > this attachment and for any damages or losses arising from any > inaccuracies, errors, viruses, e.g., worms, trojan horses, etc., or other > items of a destructive nature, which may be contained in this attachment > and shall not be liable for direct, indirect, consequential or special > damages in connection with this e-mail message or its attachment. >
