The lesson covers authentication and how it limits access to the cluster to identified clients. Authentication is the process in which login accounts and their passwords are verified before a user is allowed access to the database. In ScyllaDB, authentication is handled internally rather than by a third party. Users and passwords are created with roles using a GRANT statement. This procedure enables authentication on the ScyllaDB servers. Once it is complete, however, all clients (applications using ScyllaDB/Apache Cassandra drivers) will stop working until they are updated to authenticate as well.
Transcript
Authentication, and this by the way is true for almost all the security measures that I will mention here, is disabled by default. So when you naively install a ScyllaDB cluster according to the documentation, it comes with almost zero security features enabled, and as a product manager that's my responsibility and my fault, if you will, but we chose knowingly, and the same goes for other databases, to make the first installation or evaluation very easy. But it's also not secured, so all of the security measures mentioned here you do need to enable manually, authentication included.

Authentication is basically like any other authentication on your database or other system: forcing the user to authenticate itself with a login and a password. Once you do that, you can later activate authorization and define which user can do what, but the first phase of that is forcing the user to authenticate itself.

Now, if you already have a running production cluster without authentication, it's not great, but you can fix it. The problem is that if you just activate or enable authentication, all of your current applications will just stop working, because none of them is using authentication. Of course, authentication is something you should enable in the driver and in the database, but it's hard to do it at exactly the same time. So ScyllaDB, following Apache Cassandra, has what is called TransitionalAuthenticator. If your starting point is no authentication, you can enable this TransitionalAuthenticator, which gives you time to use or not use authentication from your driver. You can then go to your applications and enable authentication in the driver, application by application, and once you do that you can go back to the ScyllaDB cluster and move from TransitionalAuthenticator to PasswordAuthenticator on each of the nodes. Of course, each of these changes requires you to do a configuration change and then a rolling restart of all the nodes, but with this method you can move from non-authenticated to authenticated without downtime. OK, so it's a pretty important feature, but the best, of course, if you move into production, is to enable authentication from scratch, and that's true for other security measures as well.
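The staged switch described above (no authentication, then TransitionalAuthenticator, then PasswordAuthenticator once every driver sends credentials), as an added example that is not part of the lesson or of ScyllaDB's own tooling: a small Python helper that rewrites the `authenticator` key in a scylla.yaml file and refuses to skip the transitional stage. The sample config and the helper names are constructed for this example; the three authenticator values are the ones scylla.yaml accepts.

```python
import re

# Values scylla.yaml accepts for the 'authenticator' key. AllowAllAuthenticator
# is the default (no authentication); the transitional one uses its full name.
ALLOW_ALL = "AllowAllAuthenticator"
TRANSITIONAL = "com.scylladb.auth.TransitionalAuthenticator"
PASSWORD = "PasswordAuthenticator"
ROLLOUT = [ALLOW_ALL, TRANSITIONAL, PASSWORD]  # the only downtime-free order

# An active (uncommented) 'authenticator:' line, trailing comment allowed.
AUTH_LINE = re.compile(r"^[ \t]*authenticator:[ \t]*(\S+)[ \t]*(?:#.*)?$", re.MULTILINE)

# Constructed sample config (not a real scylla.yaml); key present but commented out.
SAMPLE_YAML = """\
cluster_name: 'demo'
# authenticator: AllowAllAuthenticator
authorizer: AllowAllAuthorizer
"""

def current_authenticator(yaml_text: str) -> str:
    """Active authenticator; a missing or commented-out key means the default."""
    m = AUTH_LINE.search(yaml_text)
    return m.group(1) if m else ALLOW_ALL

def transition_allowed(current: str, target: str) -> bool:
    """Allow only a no-op or a move to the next stage, so nodes never demand
    passwords while some drivers may still connect without them."""
    if current not in ROLLOUT or target not in ROLLOUT:
        return False
    return ROLLOUT.index(target) - ROLLOUT.index(current) in (0, 1)

def set_authenticator(yaml_text: str, target: str) -> str:
    """Return the config with the key set to target (rewritten in place or
    appended); raise if the change would skip a rollout stage."""
    current = current_authenticator(yaml_text)
    if not transition_allowed(current, target):
        raise ValueError(f"refusing to go from {current} to {target} in one step")
    new_line = f"authenticator: {target}"
    if AUTH_LINE.search(yaml_text):
        return AUTH_LINE.sub(new_line, yaml_text, count=1)
    return yaml_text.rstrip("\n") + "\n" + new_line + "\n"

def anonymous_clients_accepted(authenticator: str) -> bool:
    """Whether a driver that sends no credentials can still connect; this is
    what TransitionalAuthenticator keeps open while applications are updated."""
    return authenticator in (ALLOW_ALL, TRANSITIONAL)
```

Each call to `set_authenticator` corresponds to one configuration change followed by a rolling restart of the nodes, and the driver side must be switched to credentials between the two steps.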