15

I have full access to the Cassandra installation files and a PasswordAuthenticator configured in cassandra.yaml. What do I have to do to reset admin user's password that has been lost, while keeping the existing databases intact?

Eemeli Kantola
  • 5,437
  • 6
  • 35
  • 43

4 Answers4

9

The hash has changed for Cassandra 2.1:

  1. Switch to authenticator: AllowAllAuthenticator
  2. Restart cassandra
  3. UPDATE system_auth.credentials SET salted_hash = '$2a$10$H46haNkcbxlbamyj0OYZr.v4e5L08WTiQ1scrTs9Q3NYy.6B..x4O' WHERE username='cassandra';
  4. Switch back to authenticator: PasswordAuthenticator
  5. Restart cassandra
  6. Login as cassandra/cassandra
  7. CREATE USER and ALTER USER to your heart's content.
Gerard de Visser
  • 7,590
  • 9
  • 50
  • 58
stub
  • 178
  • 1
  • 2
  • 10
  • 1
    I'm getting the following: InvalidRequest: code=2200 [Invalid query] message="unconfigured table credentials" – ealfonso May 18 '17 at 20:08
8

Solved with the following steps:

  1. Change authenticator in cassandra.yaml to AllowAllAuthenticator and restart Cassandra
  2. cqlsh
  3. update system_auth.credentials set salted_hash='$2a$10$vbfmLdkQdUz3Rmw.fF7Ygu6GuphqHndpJKTvElqAciUJ4SZ3pwquu' where username='cassandra';
  4. Exit cqlsh
  5. Change authenticator back to PasswordAuthenticator and restart Cassandra

Now you can log in with

cqlsh -u cassandra -p cassandra

and change the password to something else.

Eemeli Kantola
  • 5,437
  • 6
  • 35
  • 43
  • 2
    I'm getting the following: `InvalidRequest: code=2200 [Invalid query] message="unconfigured table credentials"` – ealfonso May 18 '17 at 19:54
5

As of cassandra 2.0

ALTER USER cassandra WITH PASSWORD 'password';

If you want to add a user.

// CREATE USER uname WITH PASSWORD 'password'; // add new user
// GRANT all ON ALL KEYSPACES to uname;    // grant permissions to new user

Verify your existing users with LIST USERS;

EDIT

Oh boy, this is gona be fun! So, I found one hacktastic way but it requires changing sourcecode.

First a high level overview:

  1. Edit source so you can make changes to the system_auth.credentials column family
  2. Change the authenticator to AllowAllAuthenticator
  3. Start C*
  4. Log in with cqlsh without needing a password
  5. Update the cassandra user's hash password
  6. Undo the source changes and change back to PasswordAuthenticator.

Step 1 - edit source

Open the C* source and go to package org.apache.cassandra.service.ClientState; Find the validateLogin() and ensureNotAnonymous() functions and comment all contained coude out so you end up with:

public void validateLogin() throws UnauthorizedException
{
    // if (user == null)
    //    throw new UnauthorizedException("You have not logged in");
}

public void ensureNotAnonymous() throws UnauthorizedException
{
    validateLogin();
    // if (user.isAnonymous())
    //    throw new UnauthorizedException("You have to be logged in and not anonymous to perform this request");
}

Step2 - Change to AllowAllAuthenticator in cassandra.yaml Step3 & 4 - Simple! Step 5 - Execute this insert statement from cqlsh:

insert into system_auth.credentials (username, options, salted_hash) 
VALUES ('cassandra', null, '$2a$10$vbfmLdkQdUz3Rmw.fF7Ygu6GuphqHndpJKTvElqAciUJ4SZ3pwquu');

Note* step 5 will work assuming the user named 'cassandra' has already been created. If you have another user created just switch the username you are inserting (this procedure resets a password, it doesn't add a new user).

Step 6 Fix the source by uncommenting validateLogin() and ensureNotAnonymous() and switch back to the PasswordAuthenticator in cassandra.yaml, you should now have access to cqlsh via ./cqlsh -u cassandra -p cassandra

Lyuben Todorov
  • 13,987
  • 5
  • 50
  • 69
  • 1
    `ALTER USER` is not an option since the admin password is lost and I don't have access to cqlsh console. Also changing the authenticator to AllowAllAuthenticator doesn't help, because in that case `ALTER USER` doesn't work even if I can access the console. – Eemeli Kantola Nov 19 '13 at 12:45
  • @EemeliKantola Sorry, I incorrectly though you had access to cqlsh with admin privileges! I posted a fix but it sadly requires changing source. – Lyuben Todorov Nov 19 '13 at 14:07
  • The situation that the admin password was lost is stated in the title, but I edited the question body to re-state that for clarity. – Eemeli Kantola Nov 20 '13 at 14:52
  • The problem got solved in a simpler way, with no code modifications needed. – Eemeli Kantola Dec 02 '13 at 17:15
1

Update for Cassandra 4:

  1. Change cassandra.yaml as described in the other answers:

Comment out the following lines

authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer

and uncomment

#authenticator: AllowAllAuthenticator
#authorizer: AllowAllAuthorizer
  1. Login with cqlsh.
  2. The table names and columns have changed. The query now becomes

UPDATE system_auth.roles SET salted_hash = '$2a$10$H46haNkcbxlbamyj0OYZr.v4e5L08WTiQ1scrTs9Q3NYy.6B..x4O' WHERE role='cassandra';

ranban282
  • 148
  • 1
  • 14