Summary
This article describes the expected behavior of authentication transitional mode in DSE 5.1 and 6.0.
Applies to
- DSE 5.1
- DSE 6.0
Scenario
When using authentication transitional mode, you must supply user credentials regardless of the transitional mode you use, so long as authentication is enabled.
If transitional mode is set to 'permissive', the credentials don't have to be valid, but the client still has to provide them.
If you want to enable access control without any downtime, you must use one of the following procedures:
- Update your apps to submit dummy credentials (they have to be dummy credentials because no users or user credentials exist yet: you can't create users without first enabling authentication)
- Enable authentication, at the same time setting transitional_mode to permissive
- Create your DSE/Cassandra users
- Update the apps again so that users are now prompted for their username and password
- Disable transitional mode
OR:
- Update your apps to prompt users for username and password (users supply a username and password, although these aren't enforced yet at this point)
- Enable authentication, at the same time setting transitional_mode to permissive
- Create your DSE/Cassandra users
- Disable transitional mode (username and password should now be enforced, so the credentials must now be valid in order to connect)
NOTE: Anonymous login for strict mode transitional authentication is not supported by cqlsh. This work is tracked in internal DataStax Jira DSP-11914.
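Both procedures above leave the node in permissive mode until the final step, so it is worth checking that no node stays there. The following is an added example, not DataStax code: a small Python check that reads the `authentication_options` block of a node's dse.yaml and reports whether credentials are enforced yet. The sample excerpts are constructed, the function names and return labels are hypothetical, and a missing key is assumed to fall back to `enabled: false` and `transitional_mode: disabled`.

```python
import re

# Constructed dse.yaml excerpts (not from a real cluster): a node in the
# middle of the rollout, and the same node after transitional mode is disabled.
DURING_ROLLOUT = """\
authentication_options:
    enabled: true
    default_scheme: internal
    transitional_mode: permissive   # credentials required but not validated
"""
AFTER_ROLLOUT = """\
authentication_options:
    enabled: true
    default_scheme: internal
    # transitional_mode: permissive
    transitional_mode: disabled
"""

def auth_options(dse_yaml):
    """Return the key/value pairs nested under authentication_options."""
    opts, inside = {}, False
    for line in dse_yaml.splitlines():
        line = line.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                  # a top-level key starts here
            inside = line.startswith("authentication_options:")
            continue
        m = re.match(r"\s+(\w+):\s*(.*)$", line)
        if inside and m:
            opts[m.group(1)] = m.group(2).strip().strip("'\"").lower()
    return opts

def audit(dse_yaml):
    """Classify a node's authentication state for the rollout described above."""
    opts = auth_options(dse_yaml)
    if opts.get("enabled", "false") != "true":     # assumed default: false
        return "auth-disabled"                     # no credentials required
    mode = opts.get("transitional_mode", "disabled")  # assumed default: disabled
    if mode == "disabled":
        return "enforced"                          # credentials must be valid
    return "transitional:" + mode                  # rollout not finished yet

if __name__ == "__main__":
    for name, text in (("during", DURING_ROLLOUT), ("after", AFTER_ROLLOUT)):
        print(name, audit(text))
```

Any result other than `enforced` once the rollout is meant to be complete means the "Disable transitional mode" step was missed on that node.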