3

How to reset default Cassandra credentials without changing source code?

I have checked similar problems like "How to reset a lost Cassandra admin user's password?". I have a three-node cluster of Datastax Cassandra 2.0.8 and I am trying to implement authentication. I have set cassandra.yaml on all nodes and restarted them. The problem is that I still cannot log in to cqlsh.

I have also tried to reset the password for the cassandra user in cqlsh (I have disabled authentication for that):

update system_auth.credentials set salted_hash='$2a$10$vbfmLdkQdUz3Rmw.fF7Ygu6GuphqHndpJKTvElqAciUJ4SZ3pwquu' where username='cassandra';

In the logs there is info about creating the cassandra superuser. I have checked the system_auth keyspace and it includes credentials, permissions and users. And the credentials column family does contain the user cassandra:

cqlsh> use system_auth;
cqlsh:system_auth> select * from credentials;

 username  | options | salted_hash
-----------+---------+--------------------------------------------------------------
 cassandra |    null | $2a$10$vbfmLdkQdUz3Rmw.fF7Ygu6GuphqHndpJKTvElqAciUJ4SZ3pwquu

(1 rows)

But still, when I try:

./cqlsh -u cassandra -p cassandra

I get an exception saying that the user does not exist, but I don't have permissions to create one.

cql.cassandra.ttypes.AuthenticationException: AuthenticationException(why="User cassandra doesn't exist - create it with CREATE USER query first")
LadyWoodi

1 Answer

8

I don't know for sure, but there's a good chance that the hash you used above changes with each version, and may be particular to a specific version of Cassandra. With that in mind, you could (in theory) install the same version in a VM, and then query that machine's system_auth.credentials for the cassandra user's salted_hash. Had it not been for the question you linked above, I never would have thought to try that.

Otherwise, this next option WILL work.

  1. Stop your Cassandra cluster.
  2. On each node, cd down to your data directory, and execute:

    $ mv system_auth system_auth_20140814

  3. Restart each node.

As long as the authenticator is still set (in your cassandra.yaml) to use the PasswordAuthenticator, Cassandra will rebuild the system_auth keyspace, with the default Cassandra super user, which you can use with cqlsh to get back in.

$ ./cqlsh -u cassandra -p cassandra
Connected to MyCluster at 127.0.0.1:9042.
[cqlsh 5.0.1 | Cassandra 2.1.0-rc5-SNAPSHOT | CQL spec 3.2.0 | Native protocol v3]
Use HELP for help.
cqlsh>

Notes:

  • You will have to re-add all of your users, and re-apply all of their permissions.
  • Instead of renaming (mv) the system_auth directory, you could also just delete it (rm).
  • You will have to re-apply the appropriate replication settings to your system_auth keyspace. By default, system_auth only has a replication factor of 1.
Aaron
  • 2
    After trying your answer and setting higher replication factor, it worked. – LadyWoodi Aug 15 '14 at 10:07
  • @LadyWoodi how did you set the higher replication factor before authenticating with newly created super user? Or did you do it _after_ restart, having system_auth replicated only with _LocalStrategy_ ? I've got a cluster of a few machines and I'm fighting the very same error. Unfortunately none of the machines wants to get up after cleaning _system_auth_ directory. – Scooletz Sep 01 '14 at 14:32
  • 2
    @Scooletz I have disabled authentication, started nodes and updated replication factor like this: CREATE KEYSPACE system_auth WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 3}; and then I have enabled authentication again and used solution above. However I did not have any issues with starting nodes after cleaning system_auth. Have you seen anything helpful in logs during the start of the nodes? There should be information about cassandra superuser creation. Have you cleaned system_auth on all nodes? – LadyWoodi Sep 04 '14 at 10:28
  • @LadyWoodi I've finally managed to resolve this issue. The problem was caused by not cleaning all data directories (I've got JBOD on the board). After cleaning all of them, the solution described above worked like a charm. Thx for your clarification! – Scooletz Sep 04 '14 at 11:54
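
The rename step from the answer, extended to the JBOD case raised in the last comment, as an added example that is not part of the original thread: it reads data_file_directories from cassandra.yaml and renames system_auth in every listed directory, so no disk is left holding stale auth data. The function names, the date suffix and the sample layout in demo are assumptions constructed for illustration; run it only on a stopped node.

```shell
#!/bin/sh
# Added example, not from the original thread. Run only while the node is stopped.

# Print every path listed under data_file_directories: in a cassandra.yaml.
list_data_dirs() {
    awk '
        /^data_file_directories:/ { in_list = 1; next }
        in_list && /^[ \t]*-[ \t]*/ {
            sub(/^[ \t]*-[ \t]*/, ""); sub(/[ \t]+$/, ""); print; next
        }
        in_list && /^[ \t]*(#.*)?$/ { next }   # blank or comment inside the list
        in_list { in_list = 0 }                # any other key ends the list
    ' "$1"
}

# Rename system_auth to system_auth_<suffix> in each data directory and
# print how many directories were renamed.
move_system_auth() {
    yaml=$1; suffix=$2; moved=0
    dirs=$(list_data_dirs "$yaml")
    [ -n "$dirs" ] || { echo "no data_file_directories in $yaml" >&2; return 1; }
    while IFS= read -r d; do
        src=$d/system_auth; dst=${src}_$suffix
        [ -d "$src" ] || continue              # this disk holds no auth data
        if [ -e "$dst" ]; then                 # never nest into an old backup
            echo "refusing to overwrite $dst" >&2; return 1
        fi
        mv "$src" "$dst" || return 1
        moved=$((moved + 1))
    done <<EOF
$dirs
EOF
    echo "$moved"
}

# Constructed sample: three JBOD disks, two of which hold system_auth.
demo() {
    demo_root=$(mktemp -d)
    mkdir -p "$demo_root/disk1/system_auth" "$demo_root/disk2/system_auth" "$demo_root/disk3/ks1"
    printf 'data_file_directories:\n    - %s\n    - %s\n    # spare\n    - %s\ncommitlog_directory: /x\n' \
        "$demo_root/disk1" "$demo_root/disk2" "$demo_root/disk3" > "$demo_root/cassandra.yaml"
    move_system_auth "$demo_root/cassandra.yaml" 20140814
    rm -rf "$demo_root"
}

if [ "$#" -eq 2 ]; then move_system_auth "$1" "$2"; fi
```

Invoked with a cassandra.yaml path and a suffix as its two arguments, the script prints the number of directories renamed; a count lower than the number of disks that held auth data means one was missed.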