How to reset Cassandra superuser, when Cassandra does not know 'cassandra' default user?

12,211

I don't know for sure, but there's a good chance that the hash you used above changes with each version, and may be particular to a specific version of Cassandra. With that in-mind, you could (in-theory) install the same version in a VM, and then query that machine's system_auth.credentials for the cassandra user's salted_hash. Had it not been for the question you linked above, I never would have thought to try that.

Otherwise, this next option WILL work.

  1. Stop your Cassandra cluster.
  2. On each node, cd down to your data directory, and execute:

    $ mv system_auth system_auth_20140814

  3. Restart each node.

As long as the authenticator is still set (in your cassandra.yaml) to use the PasswordAuthenticator, Cassandra will rebuild the system_auth keyspace, with the default Cassandra super user, which you can use with cqlsh to get back in.

$ ./cqlsh -u cassandra -p cassandra
Connected to MyCluster at 127.0.0.1:9042.
[cqlsh 5.0.1 | Cassandra 2.1.0-rc5-SNAPSHOT | CQL spec 3.2.0 | Native protocol v3]
Use HELP for help.
cqlsh>

Notes:

  • You will have to re-add all of your users, and re-apply all off their permissions.
  • Instead of renaming (mv) the system_auth directory, you could also just delete it (rm).
  • You will have to re-apply the appropriate replication settings to your system_auth keyspace. By default, system_auth only has a replication factor of 1.
Share:
12,211
LadyWoodi
Author by

LadyWoodi

Updated on June 04, 2022

Comments

  • LadyWoodi
    LadyWoodi about 2 years

    How to reset default Cassandra credentials without changing source code?

    I have check similar problems like How to reset a lost Cassandra admin user's password?. I have three node cluster of Datastax Cassandra 2.0.8 and I am trying to implement authentication. I have set cassandra.yaml in all nodes and restarted them. Problem is that I still cannot login in to cqlsh.

    I have also tried to reset password for cassandra user in cqlsh(I have disabled authentication for that):

    update system_auth.credentials set salted_hash='$2a$10$vbfmLdkQdUz3Rmw.fF7Ygu6GuphqHndpJKTvElqAciUJ4SZ3pwquu' where username='cassandra';
    

    In logs there is Info about creating cassandra superuser. I have checked keyspace system_auth and it includes credentials,permissions and users. And credentials column family does contain user cassandra:

    cqlsh> use system_auth;
    cqlsh:system_auth> select * from credentials;
    
     username  | options | salted_hash
    -----------+---------+----------------------------------------------------------                                ----
     cassandra |    null | $2a$10$vbfmLdkQdUz3Rmw.fF7Ygu6GuphqHndpJKTvElqAciUJ4SZ3pw                                quu
    
    (1 rows)
    

    But still, when I try:

    ./cqlsh -u cassandra -p cassandra
    

    I get exception, that user does not exists, but I dont have permissions to create one.

    cql.cassandra.ttypes.AuthenticationException: AuthenticationException(why="User cassandra doesn't exist - create it with CREATE USER query first")