How to reset a lost Cassandra admin user's password?
G

4

15

I have full access to the Cassandra installation files and a PasswordAuthenticator configured in cassandra.yaml. What do I have to do to reset the admin user's password, which has been lost, while keeping the existing databases intact?

Groundsheet answered 23/8, 2013 at 9:7 Comment(0)
G
8

Solved with the following steps:

  1. Change authenticator in cassandra.yaml to AllowAllAuthenticator and restart Cassandra
  2. cqlsh
  3. update system_auth.credentials set salted_hash='$2a$10$vbfmLdkQdUz3Rmw.fF7Ygu6GuphqHndpJKTvElqAciUJ4SZ3pwquu' where username='cassandra';
  4. Exit cqlsh
  5. Change authenticator back to PasswordAuthenticator and restart Cassandra

Now you can log in with

cqlsh -u cassandra -p cassandra

and change the password to something else.

Groundsheet answered 2/12, 2013 at 17:13 Comment(1)
I'm getting the following: InvalidRequest: code=2200 [Invalid query] message="unconfigured table credentials" – Perionychium
A
9

The hash has changed for Cassandra 2.1:

  1. Switch to authenticator: AllowAllAuthenticator
  2. Restart cassandra
  3. UPDATE system_auth.credentials SET salted_hash = '$2a$10$H46haNkcbxlbamyj0OYZr.v4e5L08WTiQ1scrTs9Q3NYy.6B..x4O' WHERE username='cassandra';
  4. Switch back to authenticator: PasswordAuthenticator
  5. Restart cassandra
  6. Login as cassandra/cassandra
  7. CREATE USER and ALTER USER to your heart's content.
Anastassia answered 6/1, 2015 at 9:11 Comment(1)
I'm getting the following: InvalidRequest: code=2200 [Invalid query] message="unconfigured table credentials" – Perionychium
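A post-recovery check for the hash replacement used in the answers above, as an added example that is not part of any answer: it flags roles whose stored hash is still one of the strings published on this page (each of which sets the password to "cassandra"). The row layout, the role names other than cassandra and the `min_cost` threshold are assumptions; the non-published hashes are constructed placeholders.

```python
import re

# Hashes posted in the answers on this page. Each sets the password to
# "cassandra", so a role still carrying one has a publicly known password.
PUBLISHED_RECOVERY_HASHES = {
    "$2a$10$vbfmLdkQdUz3Rmw.fF7Ygu6GuphqHndpJKTvElqAciUJ4SZ3pwquu",
    "$2a$10$H46haNkcbxlbamyj0OYZr.v4e5L08WTiQ1scrTs9Q3NYy.6B..x4O",
}

# bcrypt layout: $<version>$<two-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

def parse_bcrypt(value):
    """Split a bcrypt string into its fields, or return None if malformed."""
    m = BCRYPT_RE.match(value)
    if not m:
        return None
    return {"version": m.group(1), "cost": int(m.group(2)),
            "salt": m.group(3), "digest": m.group(4)}

def review_roles(rows, min_cost=10):
    """Map role name -> finding for (role, salted_hash) rows.

    min_cost=10 is an assumption taken from the cost field of the hashes
    on this page. Roles without a hash cannot log in and are skipped.
    """
    findings = {}
    for role, salted_hash in rows:
        if salted_hash is None:
            continue
        parsed = parse_bcrypt(salted_hash)
        if salted_hash in PUBLISHED_RECOVERY_HASHES:
            findings[role] = "published recovery hash still in place"
        elif parsed is None:
            findings[role] = "salted_hash is not a well-formed bcrypt string"
        elif parsed["cost"] < min_cost:
            findings[role] = f"bcrypt cost {parsed['cost']} below {min_cost}"
    return findings

# Constructed rows shaped like the (role, salted_hash) columns of the auth table;
# every value except the first is a placeholder, not a real hash.
SAMPLE_ROWS = [
    ("cassandra", "$2a$10$H46haNkcbxlbamyj0OYZr.v4e5L08WTiQ1scrTs9Q3NYy.6B..x4O"),
    ("app_rw", "$2a$10$" + "A" * 22 + "B" * 31),
    ("legacy", "$2a$04$" + "C" * 22 + "D" * 31),
    ("reporting_group", None),
]
```

Run `review_roles` over the exported auth table once the password has been changed; an empty result means no role still carries a published hash.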
I
5

As of cassandra 2.0

ALTER USER cassandra WITH PASSWORD 'password';

If you want to add a user.

// CREATE USER uname WITH PASSWORD 'password'; // add new user
// GRANT all ON ALL KEYSPACES to uname;    // grant permissions to new user

Verify your existing users with LIST USERS;

EDIT

Oh boy, this is gonna be fun! So, I found one hacktastic way but it requires changing source code.

First a high level overview:

  1. Edit source so you can make changes to the system_auth.credentials column family
  2. Change the authenticator to AllowAllAuthenticator
  3. Start C*
  4. Log in with cqlsh without needing a password
  5. Update the cassandra user's hash password
  6. Undo the source changes and change back to PasswordAuthenticator.

Step 1 - edit source

Open the C* source and go to package org.apache.cassandra.service.ClientState. Find the validateLogin() and ensureNotAnonymous() functions and comment all contained code out so you end up with:

public void validateLogin() throws UnauthorizedException
{
    // if (user == null)
    //    throw new UnauthorizedException("You have not logged in");
}

public void ensureNotAnonymous() throws UnauthorizedException
{
    validateLogin();
    // if (user.isAnonymous())
    //    throw new UnauthorizedException("You have to be logged in and not anonymous to perform this request");
} 

Step 2 - Change to AllowAllAuthenticator in cassandra.yaml

Step 3 & 4 - Simple!

Step 5 - Execute this insert statement from cqlsh:

insert into system_auth.credentials (username, options, salted_hash) 
VALUES ('cassandra', null, '$2a$10$vbfmLdkQdUz3Rmw.fF7Ygu6GuphqHndpJKTvElqAciUJ4SZ3pwquu');

Note* step 5 will work assuming the user named 'cassandra' has already been created. If you have another user created just switch the username you are inserting (this procedure resets a password, it doesn't add a new user).

Step 6 - Fix the source by uncommenting validateLogin() and ensureNotAnonymous() and switch back to the PasswordAuthenticator in cassandra.yaml. You should now have access to cqlsh via ./cqlsh -u cassandra -p cassandra

Indistinct answered 18/11, 2013 at 18:19 Comment(4)
ALTER USER is not an option since the admin password is lost and I don't have access to cqlsh console. Also changing the authenticator to AllowAllAuthenticator doesn't help, because in that case ALTER USER doesn't work even if I can access the console. – Groundsheet
@EemeliKantola Sorry, I incorrectly thought you had access to cqlsh with admin privileges! I posted a fix but it sadly requires changing source. – Indistinct
The situation that the admin password was lost is stated in the title, but I edited the question body to re-state that for clarity. – Groundsheet
The problem got solved in a simpler way, with no code modifications needed. – Groundsheet
B
1

Update for Cassandra 4:

  1. Change cassandra.yaml as described in the other answers:

Comment out the following lines

authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer

and uncomment

#authenticator: AllowAllAuthenticator
#authorizer: AllowAllAuthorizer

  2. Login with cqlsh.
  3. The table names and columns have changed. The query now becomes

UPDATE system_auth.roles SET salted_hash = '$2a$10$H46haNkcbxlbamyj0OYZr.v4e5L08WTiQ1scrTs9Q3NYy.6B..x4O' WHERE role='cassandra';

Baynebridge answered 1/8, 2023 at 9:45 Comment(0)
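Every procedure on this page leaves cassandra.yaml in an open state until the authenticator (and, in the Cassandra 4 answer, the authorizer) is switched back. The following check is an added example, not part of any answer; it reports which classes are in effect, assuming the flat `key: value` form shown above, and both yaml fragments are constructed samples.

```python
import re

# Constructed sample: the recovery state described in the answers
# (secure lines commented out, AllowAll lines active).
SAMPLE_RECOVERY = """\
# authenticator: PasswordAuthenticator
# authorizer: CassandraAuthorizer
authenticator: AllowAllAuthenticator
authorizer: AllowAllAuthorizer
"""

# Constructed sample: the same fragment after switching back.
SAMPLE_RESTORED = """\
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
#authenticator: AllowAllAuthenticator
#authorizer: AllowAllAuthorizer
"""

# Cassandra falls back to these when a key is absent from cassandra.yaml,
# so commenting out both lines of a pair also leaves the node open.
DEFAULTS = {"authenticator": "AllowAllAuthenticator",
            "authorizer": "AllowAllAuthorizer"}

# Anchored at column 0: commented-out ('#...') and indented lines never match.
KEY_RE = re.compile(r"^(authenticator|authorizer)\s*:\s*(\S+)")

def effective_auth(yaml_text):
    """Return the authenticator/authorizer actually in effect."""
    found = dict(DEFAULTS)
    for line in yaml_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            # A repeated key overrides the earlier one.
            found[m.group(1)] = m.group(2).strip("'\"")
    return found

def audit(yaml_text):
    """List open settings; an empty list means both checks are enforced."""
    findings = []
    for key, value in effective_auth(yaml_text).items():
        # Class names may be fully qualified (org.apache.cassandra.auth.X).
        if value.split(".")[-1].startswith("AllowAll"):
            findings.append(f"{key} is {value}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_RECOVERY))
```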
