How to reset Cassandra superuser, when Cassandra does not know 'cassandra' default user?

Question

How to reset default Cassandra credentials without changing source code?

I have check similar problems like How to reset a lost Cassandra admin user's password?. I have three node cluster of Datastax Cassandra 2.0.8 and I am trying to implement authentication. I have set cassandra.yaml in all nodes and restarted them. Problem is that I still cannot login in to cqlsh.

I have also tried to reset password for cassandra user in cqlsh(I have disabled authentication for that):

update system_auth.credentials set salted_hash='$2a$10$vbfmLdkQdUz3Rmw.fF7Ygu6GuphqHndpJKTvElqAciUJ4SZ3pwquu' where username='cassandra';

In logs there is Info about creating cassandra superuser. I have checked keyspace system_auth and it includes credentials,permissions and users. And credentials column family does contain user cassandra:

cqlsh> use system_auth;
cqlsh:system_auth> select * from credentials;

 username  | options | salted_hash
-----------+---------+----------------------------------------------------------                                ----
 cassandra |    null | $2a$10$vbfmLdkQdUz3Rmw.fF7Ygu6GuphqHndpJKTvElqAciUJ4SZ3pw                                quu

(1 rows)

But still, when I try:

./cqlsh -u cassandra -p cassandra

I get exception, that user does not exists, but I dont have permissions to create one.

cql.cassandra.ttypes.AuthenticationException: AuthenticationException(why="User cassandra doesn't exist - create it with CREATE USER query first")

Answer 1

I don't know for sure, but there's a good chance that the hash you used above changes with each version, and may be particular to a specific version of Cassandra. With that in-mind, you could (in-theory) install the same version in a VM, and then query that machine's system_auth.credentials for the cassandra user's salted_hash. Had it not been for the question you linked above, I never would have thought to try that.

Otherwise, this next option WILL work.

1. Stop your Cassandra cluster.

2. On each node, cd down to your data directory, and execute:

   $ mv system_auth system_auth_20140814

3. Restart each node.

As long as the authenticator is still set (in your cassandra.yaml) to use the PasswordAuthenticator, Cassandra will rebuild the system_auth keyspace, with the default Cassandra super user, which you can use with cqlsh to get back in.

$ ./cqlsh -u cassandra -p cassandra
Connected to MyCluster at 127.0.0.1:9042.
[cqlsh 5.0.1 | Cassandra 2.1.0-rc5-SNAPSHOT | CQL spec 3.2.0 | Native protocol v3]
Use HELP for help.
cqlsh>

Notes:

• You will have to re-add all of your users, and re-apply all off their permissions.
• Instead of renaming (mv) the system_auth directory, you could also just delete it (rm).
• You will have to re-apply the appropriate replication settings to your system_auth keyspace. By default, system_auth only has a replication factor of 1.