Apache Cassandra
Apache Software Foundationdatabase3 credentials
PasswordAuthenticator Role Password
apache-cassandra / password-authenticator-role
Cassandra can authenticate users with PasswordAuthenticator, which relies on username/password pairs. Cassandra documents that PasswordAuthenticator stores usernames and hashed passwords in the system_auth.roles table.
Looks like
patternCREATE\s+ROLE\s+\S+\s+WITH\s+PASSWORD\s*=\s*'[^'\r\n]+'ALTER\s+ROLE\s+\S+\s+WITH\s+PASSWORD\s*=\s*'[^'\r\n]+'Location
system_auth.rolesCassandra system_auth table storing role names and hashed passwords
application config, cassandra driver config, .env files, and deployment manifests
CASSANDRA_USERNAME, CASSANDRA_PASSWORDKubernetes Secrets, cloud secret managers, CI/CD variables, and password vault entries
application connection config, migration scripts, tests, and accidentally committed credentials
failed authentication traces, driver debug logs, and CI output
tcp/9042Cassandra native transport login endpoint
Notes
Cassandra does not have to use password authentication; AllowAllAuthenticator disables authentication. Role password exposure matters when PasswordAuthenticator is enabled.
AllowAllAuthenticator / AllowAllAuthorizer Configuration
apache-cassandra / cassandra-yaml-auth-disabled
Cassandra configuration supports authenticator and authorizer backends. Cassandra documents AllowAllAuthenticator as performing no checks and AllowAllAuthorizer as allowing any action to any user.
Looks like
patternauthenticator:\s*(?:AllowAllAuthenticator|org\.apache\.cassandra\.auth\.AllowAllAuthenticator)authorizer:\s*(?:AllowAllAuthorizer|org\.apache\.cassandra\.auth\.AllowAllAuthorizer)Location
cassandra.yamlCassandra server configuration controlling authentication and authorization backends
Helm charts, container images, Ansible roles, and committed Cassandra configs
VM or container images containing insecure cassandra.yaml settings
Notes
These settings are not credentials, but they create unauthenticated or over-permissive database access for reachable clients.
TLS Keystore / Truststore Password
apache-cassandra / tls-keystore-password
Cassandra supports node-to-node and client encryption using Java keystores and truststores. Cassandra configuration references keystores, truststores, and their passwords for encrypted transport.
Looks like
pattern(?:keystore_password|truststore_password):\s*[^\s]+Location
cassandra.yamlserver_encryption_options and client_encryption_options keystore/truststore passwords
Kubernetes Secrets, Java keystore stores, cloud secret managers, and deployment vaults
Helm values, Docker Compose files, Ansible inventories, and committed TLS config
startup logs and troubleshooting output that include TLS option dumps
Notes
Keystore and truststore passwords protect private keys and trust material used by Cassandra transport security.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.