2.1 Ensure that authentication is enabled for Cassandra databases

Information

Authentication is pluggable in Cassandra and is configured using the authenticator setting in cassandra.yaml. Cassandra ships with two options included in the default distribution, AllowAllAuthenticator and PasswordAuthenticator. The default, AllowAllAuthenticator, performs no authentication checks and therefore requires no credentials. It is used to disable authentication completely. The second option, PasswordAuthenticator, stores encrypted credentials in a system table. This can be used to enable simple username/password authentication.

Rationale:
Authentication is a necessary condition of Cassandra's permissions subsystem, so if authentication is disabled then so are permissions. Failure to authenticate clients, users, and/or servers can allow unauthorized access to the Cassandra database and can prevent tracing actions back to their sources. The authentication mechanism should be implemented before anyone accesses the Cassandra server.

Solution

To enable the authentication mechanism:

Stop the Cassandra database.
Modify the cassandra.yaml file, adding or changing the authenticator entry so that it reads authenticator: PasswordAuthenticator
Start the Cassandra database.
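The following shell functions, added here as an example and not part of the CIS benchmark, audit a cassandra.yaml for the authenticator setting and apply the change described above (replace an active entry or append one, keeping a backup). The file path is passed as an argument; the audit also accepts the fully qualified class name, which Cassandra treats as equivalent.

```bash
#!/bin/sh
# Added example (not from the CIS benchmark or the Cassandra project).
# Usage: audit_cassandra_auth /path/to/cassandra.yaml
#        remediate_cassandra_auth /path/to/cassandra.yaml

# Print the effective (last, uncommented) authenticator value; empty if unset.
cassandra_authenticator() {
  grep -E '^[[:space:]]*authenticator:' "$1" | tail -n 1 \
    | sed -E 's/^[[:space:]]*authenticator:[[:space:]]*//; s/[[:space:]]*(#.*)?$//'
}

# Audit: succeed only when PasswordAuthenticator is configured.
# An absent key means the AllowAllAuthenticator default applies, so it fails.
audit_cassandra_auth() {
  case "$(cassandra_authenticator "$1")" in
    PasswordAuthenticator|org.apache.cassandra.auth.PasswordAuthenticator) return 0 ;;
    *) return 1 ;;
  esac
}

# Remediate: set authenticator: PasswordAuthenticator, leaving a .bak copy.
# Commented-out lines are left untouched; only an active key is rewritten.
remediate_cassandra_auth() {
  cp "$1" "$1.bak" || return 1
  tmp="$1.tmp.$$"
  if grep -qE '^[[:space:]]*authenticator:' "$1"; then
    sed -E 's/^([[:space:]]*authenticator:).*/\1 PasswordAuthenticator/' "$1" > "$tmp" \
      && mv "$tmp" "$1"
  else
    printf 'authenticator: PasswordAuthenticator\n' >> "$1"
  fi
}
```

Restart the Cassandra service after remediation so the new authenticator takes effect.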

Default Value:
authenticator: AllowAllAuthenticator

References:
http://cassandra.apache.org/doc/latest/getting_started/configuring.html
http://cassandra.apache.org/doc/latest/operating/security.html

See Also

https://workbench.cisecurity.org/files/2309