This page provides an Apache Cassandra configuration baseline for current Debian and RHEL releases, with a focus on version 5.0+ features and best practices.
Typical locations (Debian):
/etc/cassandra/cassandra.yaml
/etc/cassandra/cassandra-rackdc.properties
/etc/cassandra/jvm.options
Typical locations (RHEL):
/etc/cassandra/conf/cassandra.yaml
/etc/cassandra/conf/cassandra-rackdc.properties
/etc/cassandra/conf/jvm.options
cassandra.yaml for Production (Debian/RHEL)
Use this baseline for production deployments with Cassandra 5.0+ features enabled:
# Cluster properties
# cluster_name must be identical on every node that is meant to join this cluster.
cluster_name: 'production-cluster'
num_tokens: 16
hinted_handoff_enabled: true
max_hint_window_in_ms: 10800000 # 3 hours
hinted_handoff_throttle_in_kb: 1024
max_hints_delivery_threads: 2
batchlog_replay_throttle_in_kb: 1024
# Ring properties
partitioner: org.apache.cassandra.dht.Murmur3Partitioner
disk_failure_policy: stop
commit_failure_policy: stop
prepared_statements_cache_size_mb: 256
# NOTE(review): Thrift-era key. The Thrift interface was removed in Cassandra 4.0;
# confirm a 5.0 node accepts this key before shipping it in a baseline.
thrift_prepared_statements_cache_size_mb: 256
# Auth caches: permissions and roles are cached for the validity period below, so a
# REVOKE or role change can take up to that long (2 s here) to be enforced on a node.
permissions_validity_in_ms: 2000
permissions_update_interval_in_ms: 2000
roles_validity_in_ms: 2000
roles_update_interval_in_ms: 2000
# Server properties
# listen_address / broadcast_address: the address other nodes use to reach this node.
listen_address: 10.0.0.10 # Replace with actual IP
broadcast_address: 10.0.0.10 # Replace with actual IP
start_native_transport: true
native_transport_port: 9042
# NOTE(review): client_encryption_options is commented out in this file, so no TLS
# listener is configured for this port; confirm how your release treats this key.
native_transport_port_ssl: 9142
# NOTE(review): start_rpc and rpc_port (below) configured the Thrift interface, which
# was removed in Cassandra 4.0; confirm a 5.0 node still accepts these keys.
start_rpc: false
# Client-facing and inter-node networking
# rpc_address is the address client drivers connect to. 0.0.0.0 binds every interface
# on the host, so the host firewall / security group is the only thing limiting who
# can reach port 9042; bind a specific private address where that is practical.
rpc_address: 0.0.0.0
broadcast_rpc_address: 10.0.0.10 # Replace with actual IP
rpc_port: 9160
internode_compression: dc # or 'all' for all connections
inter_dc_tcp_nodelay: true
# Endpoint selection
# GossipingPropertyFileSnitch reads this node's dc/rack from cassandra-rackdc.properties.
endpoint_snitch: GossipingPropertyFileSnitch
dynamic_snitch: true
dynamic_snitch_update_interval_in_ms: 100
dynamic_snitch_reset_interval_in_ms: 600000
dynamic_snitch_badness_threshold: 0.1
# Security
# PasswordAuthenticator + CassandraAuthorizer turn on login and permission checks.
# Logins travel over the native protocol, so pair this with client TLS: the
# client_encryption_options block in this file is commented out.
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
role_manager: CassandraRoleManager
# NOTE(review): this is a YAML null, not a class name. Confirm the node accepts it;
# AllowAllNetworkAuthorizer is the explicit "no per-datacenter restriction" setting.
network_authorizer: null
# New in Cassandra 5.0+: Dynamic Data Masking
# Masking changes what queries return to roles without the UNMASK permission. It is
# not encryption: the stored data, backups and snapshots still hold the clear values.
dynamic_data_masking_enabled: false # Enable if needed for compliance
# Directories
# Keep these owned by the Cassandra service account and not readable by other local
# users: data, commit log, hints and CDC files all contain table contents.
data_file_directories:
- /var/lib/cassandra/data
commitlog_directory: /var/lib/cassandra/commitlog
saved_caches_directory: /var/lib/cassandra/saved_caches
hints_directory: /var/lib/cassandra/hints
cdc_raw_directory: /var/lib/cassandra/cdc_raw
# NOTE(review): this only names a directory. No audit_logging_options block is
# visible in this listing, so audit logging itself does not appear to be enabled;
# also confirm this key is valid at the top level for your release.
audit_logs_dir: /var/lib/cassandra/audit
# Compaction and flush settings
memtable_allocation_type: heap_buffers
concurrent_writes: 32
concurrent_counter_writes: 32
concurrent_reads: 32
trickle_fsync: true
trickle_fsync_interval_in_kb: 10240
# Tracing
# TTLs (seconds) for stored trace rows: 1 day for query traces, 7 days for repair.
tracetype_query_ttl: 86400
tracetype_repair_ttl: 604800
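# Seed provider
# Nesting restored: `parameters` belongs to the seed-provider entry and `seeds` is an
# item of `parameters`. Flattened to column 0, `parameters` parses as a separate
# top-level key and the seed list is not attached to the provider.
seed_provider:
  - class_name: org.apache.cassandra.locator.SimpleSeedProvider
    parameters:
      # Use the same seed list on every node; seeds are the initial gossip contacts.
      - seeds: "10.0.0.10,10.0.0.11,10.0.0.12" # Replace with actual IPs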
# NOTE(review): several keys in this group date from older releases (request_scheduler,
# for example, belonged to the removed Thrift interface). Validate the whole file
# against the cassandra.yaml shipped with the target release before rollout, since a
# node may refuse to start on keys it does not recognise.
# Request scheduling
request_scheduler: org.apache.cassandra.scheduler.NoScheduler
# CQL native transport
native_transport_max_threads: 128
native_transport_max_frame_size_in_mb: 256
# Streaming
streaming_socket_timeout_in_ms: 86400000
# Tombstone settings
tombstone_warn_threshold: 1000
tombstone_failure_threshold: 100000
# Batch size settings
batch_size_warn_threshold_in_kb: 5
batch_size_fail_threshold_in_kb: 50
# Index summary capacity
index_summary_capacity_in_mb: null
index_summary_resize_interval_in_minutes: 60
# Memory settings
reduce_cache_sizes_at: 0.85
reduce_cache_capacity_to: 0.6
# Commit log settings
# periodic sync acknowledges writes before they are fsynced; with a 10000 ms period a
# node that loses power can lose up to ~10 s of its own acknowledged writes (replicas
# on other nodes are what protect the data).
commitlog_sync: periodic
commitlog_sync_period_in_ms: 10000
commitlog_segment_size_in_mb: 32
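# NOTE(review): nesting below is reconstructed; the page's indentation was lost and
# flattened keys such as `class` would otherwise collide at the top level. Confirm the
# key names and structure of this whole group (compaction, memtable, sstable_format,
# storage_attached_index) against the cassandra.yaml shipped with your 5.0 release.
# Compaction strategy (Cassandra 5.0+ Unified Compaction Strategy)
compaction:
  # For Cassandra 5.0+, use Unified Compaction Strategy
  # This combines benefits of LCS and STCS
  class: UnifiedCompactionStrategy
  min_threshold: 4
  max_threshold: 32
  # Tuning parameters for UCS
  # cold_reads_to_omit: 0.05 # Adjust based on your read patterns
  # max_compaction_threshold: 32
# Disk optimization for Cassandra 5.0+ Trie-based memtables
memtable:
  # Cassandra 5.0+ introduces Trie memtables
  # Available options: skip_list, array_based, trie_based
  class: org.apache.cassandra.db.memtable.TrieMemtable # New in 5.0+
# SSTable format for Cassandra 5.0+
sstable_format: big_tier_index # New in 5.0+ (BTI format)
# Storage-Attached Indexes (SAI) - New in 5.0+
# Enable SAI globally (individual indexes still need to be created)
storage_attached_index:
  disk_access_mode: mmap
  # presumably disk_monitor is a child of storage_attached_index; verify
  disk_monitor:
    enabled: true
    threshold: 0.9
    check_interval: 10000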
# Client encryption
# This block is commented out while PasswordAuthenticator is enabled above, so as
# written client logins and query data cross the network unencrypted. Enable it (and
# configure drivers and cqlsh for TLS) before exposing port 9042 beyond the host.
# For production: replace with your own keystore/truststore paths
# client_encryption_options:
#   enabled: true
#   optional: false
#   keystore: /etc/cassandra/ssl/node.keystore
#   # Placeholder: set a real secret and keep this file readable only by the
#   # Cassandra service account.
#   keystore_password: change-me
#   require_client_auth: false
#   # Set truststore if require_client_auth is true
#   # truststore: /etc/cassandra/ssl/node.truststore
#   # truststore_password: change-me
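# Server encryption for internode communication
# Nesting restored: the options below are children of server_encryption_options.
server_encryption_options:
  # 'all' encrypts every node-to-node connection, within and across datacenters.
  internode_encryption: all
  keystore: /etc/cassandra/ssl/node.keystore
  # Placeholder: set a real secret, keep cassandra.yaml and the keystore readable only
  # by the Cassandra service account, and keep the real value out of version control.
  keystore_password: change-me
  # With require_client_auth off, internode traffic is encrypted but a connecting peer
  # is not required to present a certificate. Set it to true with a truststore for
  # mutual TLS so only hosts holding a trusted certificate can join internode traffic.
  # require_client_auth: false
  # Set truststore if require_client_auth is true
  # truststore: /etc/cassandra/ssl/node.truststore
  # truststore_password: change-me
  # If you pin cipher suites, prefer ECDHE key exchange with AEAD (GCM) ciphers; CBC
  # with SHA-1 and static-RSA key exchange are legacy and give no forward secrecy.
  # cipher_suites: [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]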
cassandra-rackdc.properties
# Datacenter and rack assignment
# Read by GossipingPropertyFileSnitch (the endpoint_snitch set in cassandra.yaml on this
# page). The dc name here must match the datacenter names used in keyspace replication
# settings, otherwise replicas are not placed where you expect.
dc=dc1
rack=rack1
# Additional properties for topology
# prefer_local=true
# NOTE(review): dc= above already names the datacenter; confirm this key is recognised
# before uncommenting it.
# datacenter=dc1
Keep dc/rack consistent with your topology and replication strategy.
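# Nesting restored (the page's indentation was lost). Confirm the key names against the
# cassandra.yaml shipped with your 5.0 release.
compaction:
  class: UnifiedCompactionStrategy
  min_threshold: 4
  max_threshold: 32
  # Adjust based on workload:
  # - Higher cold_reads_to_omit for read-heavy workloads
  # - Lower values for write-heavy workloads
  # cold_reads_to_omit: 0.05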
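# Nesting restored: `class` is a child of `memtable`.
memtable:
  class: org.apache.cassandra.db.memtable.TrieMemtable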
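# Nesting reconstructed (the page's indentation was lost); confirm the structure and
# key names against the cassandra.yaml shipped with your 5.0 release.
storage_attached_index:
  disk_access_mode: mmap
  # presumably disk_monitor is a child of storage_attached_index; verify
  disk_monitor:
    enabled: true
    threshold: 0.9
    check_interval: 10000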
# Enable in cassandra.yaml
# Masking is a presentation control, not encryption: roles holding the UNMASK
# permission (and superusers) still read clear values, and SSTables, backups and
# snapshots contain the unmasked data. Grant UNMASK narrowly and keep disk/backup
# protection in place.
dynamic_data_masking_enabled: true
# Then configure at table/column level via CQL:
# NOTE(review): check the mask_inner argument list against the CQL masking-function
# reference for your release; the arguments after the implicit column value are
# expected to be the begin/end counts, with the padding character optional.
# CREATE TABLE sensitive_data (
#   id UUID PRIMARY KEY,
#   name TEXT MASKED WITH mask_inner(1, '*'),
#   email TEXT MASKED WITH mask_default()
# );
- cluster_name: Must match exactly across all nodes in the same cluster.
- listen_address: Node-to-node communication address.
- rpc_address: Client-driver access address.
- seeds: Initial contact points for gossip bootstrap.
- num_tokens: Keep moderate (16) for predictable vnode behavior.
- authenticator / authorizer: Enable role-based access control.
- endpoint_snitch: Topology awareness for replica placement.
- data_file_directories + commitlog_directory: Place on reliable persistent disks.
- memtable.class: Use TrieMemtable for Cassandra 5.0+ for better performance.
- compaction.class: Use UnifiedCompactionStrategy for Cassandra 5.0+ for optimal performance.
- sstable_format: Use big_tier_index for Cassandra 5.0+.

After enabling authentication, create controlled roles:
-- The passwords below are placeholders. Statements typed into cqlsh can end up in its
-- history file, so generate real secrets and clear or protect that history.
-- admin_user is a superuser: reserve it for administration, never for applications.
CREATE ROLE admin_user WITH PASSWORD = 'strong-admin-password' AND SUPERUSER = true AND LOGIN = true;
-- app_user can log in but gets no rights beyond the grants further down.
CREATE ROLE app_user WITH PASSWORD = 'strong-app-password' AND LOGIN = true;
-- Grant permissions
-- NOTE(review): admin_user is already SUPERUSER, so this grant looks redundant; confirm
-- whether it is intended for a later step where SUPERUSER is dropped.
GRANT ALL PERMISSIONS ON KEYSPACE mykeyspace TO admin_user;
-- Least privilege for the application: write (MODIFY) and read (SELECT) on one
-- keyspace only, with no schema-change or role-management rights.
GRANT MODIFY ON KEYSPACE mykeyspace TO app_user;
GRANT SELECT ON KEYSPACE mykeyspace TO app_user;
Disable the default `cassandra` superuser role, or rotate its password, immediately after initial setup and once the new admin role is confirmed to work.
Update /etc/cassandra/jvm.options for Cassandra 5.0+:
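# Heap settings - adjust based on available memory
# Initial and maximum heap are set equal so the heap is not resized at runtime.
-Xms4G
-Xmx4G
# Young generation size
# NOTE(review): -Xmn pins the young generation. With G1 this is usually left unset so
# the collector can size it within the G1NewSizePercent/G1MaxNewSizePercent bounds
# below; confirm before keeping it.
-Xmn800M
# GC settings for Cassandra 5.0+
# (the page listed -XX:+UseG1GC twice; the duplicate is dropped)
-XX:+UseG1GC
# Needed for the experimental G1 flags below (G1NewSizePercent, G1MaxNewSizePercent).
-XX:+UnlockExperimentalVMOptions
-XX:MaxGCPauseMillis=500
-XX:G1HeapRegionSize=32m
-XX:G1ReservePercent=15
-XX:G1NewSizePercent=20
-XX:G1MaxNewSizePercent=30
-XX:G1MixedGCCountTarget=8
-XX:InitiatingHeapOccupancyPercent=23
-XX:G1MixedGCLiveThresholdPercent=90
-XX:G1RSetUpdatingPauseTimePercent=5
-XX:SurvivorRatio=8
-XX:+PerfDisableSharedMem
-XX:MaxTenuringThreshold=1
# Cassandra-specific settings
# NOTE(review): setting consistent.rangemovement to false turns off a safety check
# applied when nodes bootstrap; a production baseline normally leaves it at the
# default and overrides it only for a deliberate, supervised operation.
-Dcassandra.consistent.rangemovement=false
# NOTE(review): the three property names below could not be confirmed from this page;
# verify each against the documentation for your release before deploying. A flag
# that suppresses warnings about unsafe user-defined functions in particular should
# not be set without understanding what it silences.
-Dcassandra.disable_dangerous_thread_event_loops=true
-Dcassandra.warn_on_unsafe_user_defined_functions=false
-Dcassandra.system_distributed_replication_dc_names=dc1
-Dcassandra.system_distributed_replication_per_dc=3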
Restart Cassandra after configuration edits:
# Restart one node at a time and wait for it to show as UN in `nodetool status`
# before moving on. Switching internode_encryption on an existing cluster needs a
# planned transition, since encrypted and unencrypted nodes may not be able to talk.
sudo systemctl restart cassandra
Validate node and cluster health:
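# nodetool talks to the node over JMX; keep JMX (default port 7199) bound to
# localhost, or require authentication and TLS if it must be reachable remotely.
nodetool status
nodetool info
nodetool compactionstats
nodetool tpstats
# PasswordAuthenticator is enabled in this baseline, so cqlsh needs a role; with -u
# and no -p it prompts for the password instead of taking it on the command line.
cqlsh -u admin_user -e "DESCRIBE CLUSTER"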
Validate auth and keyspace access:
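# Omit -p so cqlsh prompts for the password: a password passed as an argument is
# recorded in shell history and visible to other local users in the process list.
cqlsh -u admin_user -e "LIST ROLES;"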
Keep client port 9042 and gossip port 7000 restricted to private networks.