How To Manage Users NoSql Cassandra using `cqlsh`

In this tutorial we learn how to manage user in database cassandra. Setting the cassandra database using username and password authentication. Learn how to login using default username and password cassandra, create user with or without password, create user superuser and nosuperuser, modifying user and dropping user.

Create user

Syntax for create user

CREATE USER IF NOT EXISTS user_name WITH PASSWORD 'password' NOSUPERUSER | SUPERUSER 

Before we create user, check the authenticator file cassandra.yaml, must using PasswordAuthenticator.

authenticator: PasswordAuthenticator

if not change it and restart cassandra.

for creating user in cassandra we must login as superuser
Create user for the first time in cassandra we must login using default superuser.

root@e465eeadc356:/# cqlsh -u cassandra -p cassandra
Connected to Test Cluster at 127.0.0.1:9042.
[cqlsh 5.0.1 | Cassandra 3.11.1 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
cassandra@cqlsh>

Syntax for creating user in cqlsh

CREATE USER nonadmin;
CREATE USER nonadmin1 WITH PASSWORD 'nonadmin1';
CREATE USER nonadmin2 WITH PASSWORD 'nonadmin2' NOSUPERUSER;
CREATE USER admin WITH PASSWORD 'admin' SUPERUSER;

cassandra@cqlsh> create user testuser;
cassandra@cqlsh> CREATE USER nonadmin1 with password 'nonadmin1';
cassandra@cqlsh> CREATE USER nonadmin2 with password 'nonadmin2' NOSUPERUSER;
cassandra@cqlsh> CREATE USER admin with password 'admin' SUPERUSER;
cassandra@cqlsh> CREATE USER ADMIN with password 'admintest';
cassandra@cqlsh> CREATE USER admin with password 'admintest';
InvalidRequest: Error from server: code=2200 [Invalid query] message="admin already exists"
cassandra@cqlsh> list users;
 name      | super
-----------+-------
     ADMIN | False
     admin |  True
 cassandra |  True
 nonadmin1 | False
 nonadmin2 | False
  testuser | False

In this course we learn
1. User cassandra Case Sensitif ( user “ADMIN” not same with user “admin”)
2. Default user is not superuser

trying login to cassandra using user

Connected to Test Cluster at 127.0.0.1:9042.
[cqlsh 5.0.1 | Cassandra 3.11.1 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
nonadmin1@cqlsh>

Alter User

Superusers can change a user’s password or superuser status. To prevent disabling all superusers, superusers cannot change their own superuser status. Ordinary users can change only their own password. Enclose the user name in single quotation marks if it contains non-alphanumeric characters. Enclose the password in single quotation marks.

Syntax

ALTER USER username
  WITH PASSWORD 'password'  NOSUPERUSER | SUPERUSER 

example

ALTER USER nonadmin1 WITH PASSWORD 'nonadmin123' SUPERUSER; 

root@e465eeadc356:/# cqlsh -u cassandra -p cassandra
Connected to Test Cluster at 127.0.0.1:9042.                                    
[cqlsh 5.0.1 | Cassandra 3.11.1 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
cassandra@cqlsh> ALTER USER nonadmin1 WITH PASSWORD 'nonadmin123' SUPERUSER;
cassandra@cqlsh> list users;
 name      | super 
-----------+-------
     ADMIN | False
     admin |  True
 cassandra |  True
 nonadmin1 |  True
 nonadmin2 | False
  testuser | False
(6 rows)        
cassandra@cqlsh> exit
root@e465eeadc356:/# cqlsh -u nonadmin1 -p nonadmin123
Connected to Test Cluster at 127.0.0.1:9042.
[cqlsh 5.0.1 | Cassandra 3.11.1 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
nonadmin1@cqlsh>

user database nonadmin1 become “SUPERUSER” and changed the password.
notes
switch username without logout

LOGIN username [optional password]
example
login admin
when user admin not using password the shell with come out,if using password
Password: ******
nonadmin1@cqlsh> login admin
Password:
admin@cqlsh>

DROP user

DROP USER removes an existing user. In Apache Cassandra™ 2.0.9 and later, you can test that the user exists. Attempting to drop a user that does not exist results in an invalid query condition unless the IF EXISTS option is used. If the option is used, the statement will be a no-op if the user does not exist. You have to be logged in as a superuser to issue a DROP USER statement. Users cannot drop themselves.

Enclose the user name in single quotation marks only if it contains non-alphanumeric characters.

Syntax

DROP USER IF EXISTS username
example
admin@cqlsh> login cassandra                     
Password:                                        
cassandra@cqlsh> drop user if exists nonadmin1;  
cassandra@cqlsh> drop user if exists nonadmin1;  
cassandra@cqlsh> list users;                     
 name      | super                               
-----------+-------                              
     ADMIN | False                               
     admin |  True                               
 cassandra |  True                               
 nonadmin2 | False                               
  testuser | False                               
(5 rows)                                         
cassandra@cqlsh>