Hi,

I am facing similar issues with SYSTEM_AUTH keyspace and wanted to know the 
implication of disabling the "cassandra" superuser.

Thanks,
Charu

From: "wxn...@zjqunshuo.com" <wxn...@zjqunshuo.com>
Date: Wednesday, June 14, 2017 at 2:16 AM
To: Oleksandr Shulgin <oleksandr.shul...@zalando.de>
Cc: "user@cassandra.apache.org" <user@cassandra.apache.org>
Subject: Re: Cannot achieve consistency level LOCAL_ONE

Thanks for the detailed explanation. You did solve my problem.

Cheers,
-Simon

From: Oleksandr Shulgin <oleksandr.shul...@zalando.de>
Date: 2017-06-14 17:09
To: wxn...@zjqunshuo.com
CC: user <user@cassandra.apache.org>
Subject: Re: Cannot achieve consistency level LOCAL_ONE

On Wed, Jun 14, 2017 at 10:46 AM, wxn...@zjqunshuo.com <wxn...@zjqunshuo.com> wrote:
Thanks for the reply.
My system_auth settings are as below and what should I do with them? And I'm 
interested in why the newly added node is responsible for the user authentication?

CREATE KEYSPACE system_auth WITH replication = {'class': 'SimpleStrategy', 
'replication_factor': '1'}  AND durable_writes = true;

You should change the replication options to use NetworkTopologyStrategy and a 
replication factor greater than 1 in each DC.  It is not uncommon to set it to 
the number of nodes in the DC, and is actually recommended by the following 
piece of documentation:

http://docs.datastax.com/en/cassandra/2.1/cassandra/security/security_config_native_authenticate_t.html

For version 3, the official doc says to set it to 3-5 nodes per DC: 
http://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/secureConfigNativeAuth.html

In general there is no drawback when setting the RF for system_auth to the 
number of nodes in DC, unless you're relying on the default superuser named 
"cassandra" being able to log in at all times.  This user is special and it 
requires LOCAL_QUORUM in order to log in, while any other user (including 
non-default superusers) requires only LOCAL_ONE.

As to the reason why the new node is responsible for authenticating your 
application user: there is no particular reason for that.  The new node is 
assigned a random set of tokens and it happened to be responsible for that 
user, while some of the old nodes are no longer responsible (remember, you have 
RF=1).

Hope this helps,
--
Alex
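
The following Python sketch is an added example, not part of the original thread: a simplified single-DC token ring showing why, with RF=1, a role's only replica can move to a newly added node, and how the LOCAL_ONE / LOCAL_QUORUM login rule described above interacts with the replication factor. It assumes one token per node; the node names (n1..n4), token values and ROLE_TOKEN are constructed.

```python
from bisect import bisect_left

def replicas(ring, key_token, rf):
    """ring maps token -> node. Walk clockwise from the first token >= key_token
    and collect rf distinct nodes (SimpleStrategy-style placement, one DC)."""
    tokens = sorted(ring)
    start = bisect_left(tokens, key_token)
    found = []
    for i in range(len(tokens)):
        node = ring[tokens[(start + i) % len(tokens)]]  # wraps around the ring
        if node not in found:
            found.append(node)
        if len(found) == rf:
            break
    return found

def required_live(consistency, rf):
    # LOCAL_ONE needs one live replica; LOCAL_QUORUM needs a majority of the RF.
    return 1 if consistency == "LOCAL_ONE" else rf // 2 + 1

def can_login(ring, key_token, rf, down, role):
    """Per the thread: the default "cassandra" superuser is looked up at
    LOCAL_QUORUM, any other role at LOCAL_ONE."""
    consistency = "LOCAL_QUORUM" if role == "cassandra" else "LOCAL_ONE"
    live = [n for n in replicas(ring, key_token, rf) if n not in down]
    return len(live) >= required_live(consistency, rf)

# Constructed sample data (assumption, not from the thread).
ROLE_TOKEN = 150                           # token of the role's system_auth row
OLD_RING = {0: "n1", 100: "n2", 200: "n3"}
NEW_RING = {**OLD_RING, 160: "n4"}         # n4 joins between the row and n3

if __name__ == "__main__":
    print("RF=1 owner before:", replicas(OLD_RING, ROLE_TOKEN, 1))
    print("RF=1 owner after :", replicas(NEW_RING, ROLE_TOKEN, 1))
    print("RF=1, n4 down, app login:",
          can_login(NEW_RING, ROLE_TOKEN, 1, {"n4"}, "app"))
    print("RF=3, n4 down, app login:",
          can_login(NEW_RING, ROLE_TOKEN, 3, {"n4"}, "app"))
    # RF = number of nodes, half of them down: only "cassandra" is locked out.
    for role in ("app", "cassandra"):
        print("RF=4, n3+n4 down,", role, "login:",
              can_login(NEW_RING, ROLE_TOKEN, 4, {"n3", "n4"}, role))
```
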
