open-vault/website/content/docs/secrets/databases/cassandra.mdx

---
layout: docs
page_title: Cassandra - Database - Secrets Engines
description: |-
  Cassandra is one of the supported plugins for the database secrets engine.
  This plugin generates database credentials dynamically based on configured
  roles for the Cassandra database.
---

# Cassandra Database Secrets Engine

Cassandra is one of the supported plugins for the database secrets engine. This
plugin generates database credentials dynamically based on configured roles for
the Cassandra database.

See the [database secrets engine](/docs/secrets/databases) docs for
more information about setting up the database secrets engine.

## Capabilities

| Plugin Name                 | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization |
| --------------------------- | ------------------------ | ------------- | ------------ | ---------------------- |
| `cassandra-database-plugin` | Yes                      | Yes           | Yes (1.6+)   | Yes (1.7+)             |

## Setup

1. Vault will need a Cassandra user with the following permissions:
   ```text
   GRANT CREATE ON ALL ROLES to '<YOUR USER>';
   GRANT ALTER ON ALL ROLES to '<YOUR USER>';
   GRANT DROP ON ALL ROLES to '<YOUR USER>';
   GRANT AUTHORIZE ON ALL ROLES to '<YOUR USER>';
   ```

1.  Enable the database secrets engine if it is not already enabled:

    ```text
    $ vault secrets enable database
    Success! Enabled the database secrets engine at: database/
    ```

    By default, the secrets engine will enable at the name of the engine. To
    enable the secrets engine at a different path, use the `-path` argument.

1.  Configure Vault with the proper plugin and connection information:

    ```text
    $ vault write database/config/my-cassandra-database \
        plugin_name="cassandra-database-plugin" \
        hosts=127.0.0.1 \
        protocol_version=4 \
        username=vaultuser \
        password=vaultpass \
        allowed_roles=my-role
    ```

1.  Configure a role that maps a name in Vault to an SQL statement to execute to
    create the database credential:

    ```text
    $ vault write database/roles/my-role \
        db_name=my-cassandra-database \
        creation_statements="CREATE USER '{{username}}' WITH PASSWORD '{{password}}' NOSUPERUSER; \
              GRANT SELECT ON ALL KEYSPACES TO {{username}};" \
        default_ttl="1h" \
        max_ttl="24h"
    Success! Data written to: database/roles/my-role
    ```

## Usage

After the secrets engine is configured and a user/machine has a Vault token with
the proper permission, it can generate credentials.

1.  Generate a new credential by reading from the `/creds` endpoint with the name
    of the role:

    ```text
    $ vault read database/creds/my-role
    Key                Value
    ---                -----
    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
    lease_duration     1h
    lease_renewable    true
    password           7iO-FxlVCdj8szsgGgsL
    username           v_vaultuser_my_role_6zjahr4mjn5c9prgucy1_1602541475
    ```

## API

The full list of configurable options can be seen in the [Cassandra database plugin API](/api/secret/databases/cassandra) page.

For more information on the database secrets engine's HTTP API please see the [Database secret secrets engine API](/api/secret/databases) page.
Add website skeleton 2017-05-02 20:26:32 +00:00			`---`
New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00			`layout: docs`
			`page_title: Cassandra - Database - Secrets Engines`
Add website skeleton 2017-05-02 20:26:32 +00:00			`description: \|-`
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`Cassandra is one of the supported plugins for the database secrets engine.`
			`This plugin generates database credentials dynamically based on configured`
			`roles for the Cassandra database.`
Add website skeleton 2017-05-02 20:26:32 +00:00			`---`

Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`# Cassandra Database Secrets Engine`
Update docs for the database backend and it's plugins 2017-05-03 05:24:31 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`Cassandra is one of the supported plugins for the database secrets engine. This`
			`plugin generates database credentials dynamically based on configured roles for`
			`the Cassandra database.`
Update docs for the database backend and it's plugins 2017-05-03 05:24:31 +00:00
[website] Link Cleaning (#8205) * update dependencies * remove hard-coded vaultproject.io on local links * remove 'index.html' from internal links * remove '.html' at end of internal links * manual review cleanup Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com> 2020-01-22 20:05:41 +00:00			`See the [database secrets engine](/docs/secrets/databases) docs for`
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`more information about setting up the database secrets engine.`
Update docs for the database backend and it's plugins 2017-05-03 05:24:31 +00:00
Improve documentation around database plugins (#8892) * Adds a summary to the top of each plugin's page showing the capabilities that the plugin has. * Fixed sidebar sorting (they weren't quite alpabetical) * Improved instructions for using the Oracle plugin * Added note about using the pluggable database rather than the container database * Replaced admin/root usernames with super-user ones to encourage users to not use the root user in Vault * Included suggestions to rotate the root user's password when the plugin is capable * Improve documentation around rotating the root user's password * Fixed various typos 2020-05-01 21:05:05 +00:00			`## Capabilities`
Implement MDX Remote (#10581) * implement mdx remote * fix an unfenced code block * fix partials path Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com> 2020-12-17 21:53:33 +00:00
docs: Update Database Capabilities to include username customization (#12172) * docs: Update Database Capabilities to include username customization * add operator/diagnose to the index file 2021-07-27 15:33:12 +00:00			`\| Plugin Name \| Root Credential Rotation \| Dynamic Roles \| Static Roles \| Username Customization \|`
			`\| --------------------------- \| ------------------------ \| ------------- \| ------------ \| ---------------------- \|`
			\| `cassandra-database-plugin` \| Yes \| Yes \| Yes (1.6+) \| Yes (1.7+) \|
Improve documentation around database plugins (#8892) * Adds a summary to the top of each plugin's page showing the capabilities that the plugin has. * Fixed sidebar sorting (they weren't quite alpabetical) * Improved instructions for using the Oracle plugin * Added note about using the pluggable database rather than the container database * Replaced admin/root usernames with super-user ones to encourage users to not use the root user in Vault * Included suggestions to rotate the root user's password when the plugin is capable * Improve documentation around rotating the root user's password * Fixed various typos 2020-05-01 21:05:05 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`## Setup`
Update docs for the database backend and it's plugins 2017-05-03 05:24:31 +00:00
docs: add permissions required for cassandra (#11844) 2021-06-11 18:47:34 +00:00			`1. Vault will need a Cassandra user with the following permissions:`
			```text
			`GRANT CREATE ON ALL ROLES to '<YOUR USER>';`
			`GRANT ALTER ON ALL ROLES to '<YOUR USER>';`
			`GRANT DROP ON ALL ROLES to '<YOUR USER>';`
			`GRANT AUTHORIZE ON ALL ROLES to '<YOUR USER>';`
			```

New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00			`1. Enable the database secrets engine if it is not already enabled:`
Update docs for the database backend and it's plugins 2017-05-03 05:24:31 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			```text
			`$ vault secrets enable database`
			`Success! Enabled the database secrets engine at: database/`
			```
Update docs for the database backend and it's plugins 2017-05-03 05:24:31 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`By default, the secrets engine will enable at the name of the engine. To`
			enable the secrets engine at a different path, use the `-path` argument.
Update docs for the database backend and it's plugins 2017-05-03 05:24:31 +00:00
New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00			`1. Configure Vault with the proper plugin and connection information:`
Update docs for the database backend and it's plugins 2017-05-03 05:24:31 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			```text
			`$ vault write database/config/my-cassandra-database \`
			`plugin_name="cassandra-database-plugin" \`
			`hosts=127.0.0.1 \`
			`protocol_version=4 \`
Improve documentation around database plugins (#8892) * Adds a summary to the top of each plugin's page showing the capabilities that the plugin has. * Fixed sidebar sorting (they weren't quite alpabetical) * Improved instructions for using the Oracle plugin * Added note about using the pluggable database rather than the container database * Replaced admin/root usernames with super-user ones to encourage users to not use the root user in Vault * Included suggestions to rotate the root user's password when the plugin is capable * Improve documentation around rotating the root user's password * Fixed various typos 2020-05-01 21:05:05 +00:00			`username=vaultuser \`
			`password=vaultpass \`
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`allowed_roles=my-role`
			```
Update docs for the database backend and it's plugins 2017-05-03 05:24:31 +00:00
New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00			`1. Configure a role that maps a name in Vault to an SQL statement to execute to`
			`create the database credential:`
Update docs for the database backend and it's plugins 2017-05-03 05:24:31 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			```text
			`$ vault write database/roles/my-role \`
			`db_name=my-cassandra-database \`
			`creation_statements="CREATE USER '{{username}}' WITH PASSWORD '{{password}}' NOSUPERUSER; \`
New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00			`GRANT SELECT ON ALL KEYSPACES TO {{username}};" \`
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`default_ttl="1h" \`
			`max_ttl="24h"`
			`Success! Data written to: database/roles/my-role`
			```
Update docs for the database backend and it's plugins 2017-05-03 05:24:31 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`## Usage`
Update docs for the database backend and it's plugins 2017-05-03 05:24:31 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`After the secrets engine is configured and a user/machine has a Vault token with`
			`the proper permission, it can generate credentials.`

New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00			1. Generate a new credential by reading from the `/creds` endpoint with the name
			`of the role:`
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00
			```text
			`$ vault read database/creds/my-role`
			`Key Value`
			`--- -----`
			`lease_id database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6`
			`lease_duration 1h`
			`lease_renewable true`
DBPW - Update docs with password policies & new Database interface (#10138) 2020-10-19 21:58:09 +00:00			`password 7iO-FxlVCdj8szsgGgsL`
			`username v_vaultuser_my_role_6zjahr4mjn5c9prgucy1_1602541475`
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			```
Update docs for the database backend and it's plugins 2017-05-03 05:24:31 +00:00
			`## API`

[website] Link Cleaning (#8205) * update dependencies * remove hard-coded vaultproject.io on local links * remove 'index.html' from internal links * remove '.html' at end of internal links * manual review cleanup Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com> 2020-01-22 20:05:41 +00:00			`The full list of configurable options can be seen in the [Cassandra database plugin API](/api/secret/databases/cassandra) page.`
Update docs for the database backend and it's plugins 2017-05-03 05:24:31 +00:00
[website] Link Cleaning (#8205) * update dependencies * remove hard-coded vaultproject.io on local links * remove 'index.html' from internal links * remove '.html' at end of internal links * manual review cleanup Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com> 2020-01-22 20:05:41 +00:00			`For more information on the database secrets engine's HTTP API please see the [Database secret secrets engine API](/api/secret/databases) page.`