Discussion:
System auth empty, how to populate it
Thomas Lété
2018-07-17 08:02:07 UTC
Permalink
Hi everyone,

Due to a crash, we lost the system_auth keyspace. It was not important at that time because this was a closed system, not communicating outside the structure so we used AllowAllAuthorizer.
Now it is changing and we would like to recover that keyspace (re-create it from scratch).

Unfortunately, Cassandra isn’t able to populate the tables, they just stay empty…
I tried removing the system_auth folder from data but the keyspace isn’t removed.

Do you know a procedure that can be used to re-generate that keyspace without reinstalling Cassandra from scratch ?

Thanks for your help :-)

Thomas
---------------------------------------------------------------------
To unsubscribe, e-mail: user-***@cassandra.apache.org
For additional commands, e-mail: user-***@cassandra.apache.org
Horia Mocioi
2018-07-17 09:26:32 UTC
Permalink
Hello,

Those tables are empty by default, except system_auth.roles table which
contains one entry(by default): the cassandra user/role.
CassandraRoleManager creates it on startup if it does not exist.

Those tables will be populated once you start adding new users/roles
and use authorization.

What do you mean by "I tried removing the system_auth folder from data
but the keyspace isn’t removed. "? Is the folder deleted? Did you
restart and the folder was recreated or not? Did you get errors when it
restarted and Cassandra tried to recreate the system_auth keyspace?

Regards,
Horia
Post by Thomas Lété
Hi everyone,
Due to a crash, we lost the system_auth keyspace. It was not
important at that time because this was a closed system, not
communicating outside the structure so we used AllowAllAuthorizer.
Now it is changing and we would like to recover that keyspace (re-
create it from scratch).
Unfortunately, Cassandra isn’t able to populate the tables, they just stay empty…
I tried removing the system_auth folder from data but the keyspace isn’t removed.
Do you know a procedure that can be used to re-generate that keyspace
without reinstalling Cassandra from scratch ?
Thanks for your help :-)
Thomas
---------------------------------------------------------------------
B�KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKCB��[��X��ܚX�KK[XZ[�\�\�][��X��ܚX�P�\��[��K�\X�K�ܙ�B��܈Y][ۘ[��[X[��
Thomas Lété
2018-07-17 09:40:24 UTC
Permalink
Hi Horia,

Thanks for your reply :-)
As the keyspace was corrupt, Cassandra didn’t boot… So as we were in a hurry and not needed that keyspace, we dropped the files and put AllowAllAuthorizer.

Now even the roles table is empty.

When I enable PasswordAuthenticator, I’m not able to authenticate, cassandra user doesn’t exist…

Is there a way to insert the default user in the roles table ?

Yes the folder were recreated but without any data in the tables.
I didn’t see any error in the logs.
Post by Horia Mocioi
Hello,
Those tables are empty by default, except system_auth.roles table which
contains one entry(by default): the cassandra user/role.
CassandraRoleManager creates it on startup if it does not exist.
Those tables will be populated once you start adding new users/roles
and use authorization.
What do you mean by "I tried removing the system_auth folder from data
but the keyspace isn’t removed. "? Is the folder deleted? Did you
restart and the folder was recreated or not? Did you get errors when it
restarted and Cassandra tried to recreate the system_auth keyspace?
Regards,
Horia
Post by Thomas Lété
Hi everyone,
Due to a crash, we lost the system_auth keyspace. It was not
important at that time because this was a closed system, not
communicating outside the structure so we used AllowAllAuthorizer.
Now it is changing and we would like to recover that keyspace (re-
create it from scratch).
Unfortunately, Cassandra isn’t able to populate the tables, they just stay empty…
I tried removing the system_auth folder from data but the keyspace isn’t removed.
Do you know a procedure that can be used to re-generate that keyspace
without reinstalling Cassandra from scratch ?
Thanks for your help :-)
Thomas
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, e-mail: user-***@cassandra.apache.org
For additional commands, e-mail: user-***@cassandra.apache.org
Horia Mocioi
2018-07-17 10:00:59 UTC
Permalink
Try executing in cqlsh:

insert into system_auth.roles (role , can_login , is_superuser ,
salted_hash ) VALUES ( 'cassandra', True, True,
'$2a$10$qQIh9pXDu0JNA7vQd7KRcO7VXryjbTu8XBQTC.tXcTpJHliH6S1aW');

The above hash encrypted value is for the default password cassandra

After doing this you should enable PasswordAuthenticator and restart
your node. Then try to authenticate in cqlsh.

I tested this on ccm with cassandra 3.11.2. You should try it also on
your test systems and not trust a random guy on the web.

Horia
Post by Thomas Lété
Hi Horia,
Thanks for your reply :-)
As the keyspace was corrupt, Cassandra didn’t boot… So as we were in
a hurry and not needed that keyspace, we dropped the files and put
AllowAllAuthorizer.
Now even the roles table is empty.
When I enable PasswordAuthenticator, I’m not able to authenticate,
cassandra user doesn’t exist…
Is there a way to insert the default user in the roles table ?
Yes the folder were recreated but without any data in the tables.
I didn’t see any error in the logs.
Post by Horia Mocioi
Hello,
Those tables are empty by default, except system_auth.roles table which
contains one entry(by default): the cassandra user/role.
CassandraRoleManager creates it on startup if it does not exist.
Those tables will be populated once you start adding new
users/roles
and use authorization.
What do you mean by "I tried removing the system_auth folder from data
but the keyspace isn’t removed. "? Is the folder deleted? Did you
restart and the folder was recreated or not? Did you get errors when it
restarted and Cassandra tried to recreate the system_auth keyspace?
Regards,
Horia
Post by Thomas Lété
Hi everyone,
Due to a crash, we lost the system_auth keyspace. It was not
important at that time because this was a closed system, not
communicating outside the structure so we used
AllowAllAuthorizer.
Now it is changing and we would like to recover that keyspace (re-
create it from scratch).
Unfortunately, Cassandra isn’t able to populate the tables, they
just
stay empty…
I tried removing the system_auth folder from data but the
keyspace
isn’t removed.
Do you know a procedure that can be used to re-generate that keyspace
without reinstalling Cassandra from scratch ?
Thanks for your help :-)
Thomas
---------------------------------------------------------------
------
-----------------------------------------------------------------
----
---------------------------------------------------------------------
B�KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKCB��[��X��ܚX�KK[XZ[�\�\�][��X��ܚX�P�\��[��K�\X�K�ܙ�B��܈Y][ۘ[��[X[��
Thomas Lété
2018-07-17 12:23:05 UTC
Permalink
Hi,

Thanks I tried that, made a node tool repair system_auth and I get a new error now :

Connection error: ('Unable to connect to any servers', {'127.0.0.1': AuthenticationFailed('Failed to authenticate to 127.0.0.1: Error from server: code=0100 [Bad credentials] message="Provided username cassandra and/or password are incorrect"',)})

Maybe it requires other records in the other tables ?

Thanks...
Post by Horia Mocioi
insert into system_auth.roles (role , can_login , is_superuser ,
salted_hash ) VALUES ( 'cassandra', True, True,
'$2a$10$qQIh9pXDu0JNA7vQd7KRcO7VXryjbTu8XBQTC.tXcTpJHliH6S1aW');
The above hash encrypted value is for the default password cassandra
After doing this you should enable PasswordAuthenticator and restart
your node. Then try to authenticate in cqlsh.
I tested this on ccm with cassandra 3.11.2. You should try it also on
your test systems and not trust a random guy on the web.
Horia
Post by Thomas Lété
Hi Horia,
Thanks for your reply :-)
As the keyspace was corrupt, Cassandra didn’t boot
 So as we were in
a hurry and not needed that keyspace, we dropped the files and put
AllowAllAuthorizer.
Now even the roles table is empty.
When I enable PasswordAuthenticator, I’m not able to authenticate,
cassandra user doesn’t exist

Is there a way to insert the default user in the roles table ?
Yes the folder were recreated but without any data in the tables.
I didn’t see any error in the logs.
Post by Horia Mocioi
Hello,
Those tables are empty by default, except system_auth.roles table which
contains one entry(by default): the cassandra user/role.
CassandraRoleManager creates it on startup if it does not exist.
Those tables will be populated once you start adding new
users/roles
and use authorization.
What do you mean by "I tried removing the system_auth folder from data
but the keyspace isn’t removed. "? Is the folder deleted? Did you
restart and the folder was recreated or not? Did you get errors when it
restarted and Cassandra tried to recreate the system_auth keyspace?
Regards,
Horia
Post by Thomas Lété
Hi everyone,
Due to a crash, we lost the system_auth keyspace. It was not
important at that time because this was a closed system, not
communicating outside the structure so we used
AllowAllAuthorizer.
Now it is changing and we would like to recover that keyspace (re-
create it from scratch).
Unfortunately, Cassandra isn’t able to populate the tables, they
just
stay empty

I tried removing the system_auth folder from data but the
keyspace
isn’t removed.
Do you know a procedure that can be used to re-generate that keyspace
without reinstalling Cassandra from scratch ?
Thanks for your help :-)
Thomas
---------------------------------------------------------------
------
-----------------------------------------------------------------
----
---------------------------------------------------------------------
---------------------------------------------------------------------
Horia Mocioi
2018-07-17 12:36:29 UTC
Permalink
What Cassandra version do you use?
Post by Thomas Lété
Hi,
AuthenticationFailed('Failed to authenticate to 127.0.0.1: Error from
server: code=0100 [Bad credentials] message="Provided username
cassandra and/or password are incorrect"',)})
Maybe it requires other records in the other tables ?
Thanks...
Post by Horia Mocioi
insert into system_auth.roles (role , can_login , is_superuser ,
salted_hash ) VALUES ( 'cassandra', True, True,
'$2a$10$qQIh9pXDu0JNA7vQd7KRcO7VXryjbTu8XBQTC.tXcTpJHliH6S1aW');
The above hash encrypted value is for the default password
cassandra
After doing this you should enable PasswordAuthenticator and
restart
your node. Then try to authenticate in cqlsh.
I tested this on ccm with cassandra 3.11.2. You should try it also on
your test systems and not trust a random guy on the web.
Horia
Post by Thomas Lété
Hi Horia,
Thanks for your reply :-)
As the keyspace was corrupt, Cassandra didn’t boot… So as we were in
a hurry and not needed that keyspace, we dropped the files and put
AllowAllAuthorizer.
Now even the roles table is empty.
When I enable PasswordAuthenticator, I’m not able to
authenticate,
cassandra user doesn’t exist…
Is there a way to insert the default user in the roles table ?
Yes the folder were recreated but without any data in the tables.
I didn’t see any error in the logs.
Post by Horia Mocioi
om>
Hello,
Those tables are empty by default, except system_auth.roles
table
which
contains one entry(by default): the cassandra user/role.
CassandraRoleManager creates it on startup if it does not exist.
Those tables will be populated once you start adding new
users/roles
and use authorization.
What do you mean by "I tried removing the system_auth folder
from
data
but the keyspace isn’t removed. "? Is the folder deleted? Did you
restart and the folder was recreated or not? Did you get errors when it
restarted and Cassandra tried to recreate the system_auth keyspace?
Regards,
Horia
Post by Thomas Lété
Hi everyone,
Due to a crash, we lost the system_auth keyspace. It was not
important at that time because this was a closed system, not
communicating outside the structure so we used
AllowAllAuthorizer.
Now it is changing and we would like to recover that keyspace (re-
create it from scratch).
Unfortunately, Cassandra isn’t able to populate the tables, they
just
stay empty…
I tried removing the system_auth folder from data but the
keyspace
isn’t removed.
Do you know a procedure that can be used to re-generate that keyspace
without reinstalling Cassandra from scratch ?
Thanks for your help :-)
Thomas
-----------------------------------------------------------
----
------
rg
-------------------------------------------------------------
----
----
---------------------------------------------------------------
------
-----------------------------------------------------------------
----
Thomas Lété
2018-07-17 12:37:43 UTC
Permalink
The latest : 3.11.2, the same as yours :(
Post by Horia Mocioi
What Cassandra version do you use?
Post by Thomas Lété
Hi,
AuthenticationFailed('Failed to authenticate to 127.0.0.1: Error from
server: code=0100 [Bad credentials] message="Provided username
cassandra and/or password are incorrect"',)})
Maybe it requires other records in the other tables ?
Thanks...
Post by Horia Mocioi
insert into system_auth.roles (role , can_login , is_superuser ,
salted_hash ) VALUES ( 'cassandra', True, True,
'$2a$10$qQIh9pXDu0JNA7vQd7KRcO7VXryjbTu8XBQTC.tXcTpJHliH6S1aW');
The above hash encrypted value is for the default password
cassandra
After doing this you should enable PasswordAuthenticator and
restart
your node. Then try to authenticate in cqlsh.
I tested this on ccm with cassandra 3.11.2. You should try it also on
your test systems and not trust a random guy on the web.
Horia
Post by Thomas Lété
Hi Horia,
Thanks for your reply :-)
As the keyspace was corrupt, Cassandra didn’t boot… So as we were in
a hurry and not needed that keyspace, we dropped the files and put
AllowAllAuthorizer.
Now even the roles table is empty.
When I enable PasswordAuthenticator, I’m not able to
authenticate,
cassandra user doesn’t exist…
Is there a way to insert the default user in the roles table ?
Yes the folder were recreated but without any data in the tables.
I didn’t see any error in the logs.
Post by Horia Mocioi
om>
Hello,
Those tables are empty by default, except system_auth.roles
table
which
contains one entry(by default): the cassandra user/role.
CassandraRoleManager creates it on startup if it does not
exist.
Those tables will be populated once you start adding new
users/roles
and use authorization.
What do you mean by "I tried removing the system_auth folder
from
data
but the keyspace isn’t removed. "? Is the folder deleted? Did you
restart and the folder was recreated or not? Did you get errors when it
restarted and Cassandra tried to recreate the system_auth
keyspace?
Regards,
Horia
Post by Thomas Lété
Hi everyone,
Due to a crash, we lost the system_auth keyspace. It was not
important at that time because this was a closed system, not
communicating outside the structure so we used
AllowAllAuthorizer.
Now it is changing and we would like to recover that keyspace (re-
create it from scratch).
Unfortunately, Cassandra isn’t able to populate the tables, they
just
stay empty…
I tried removing the system_auth folder from data but the
keyspace
isn’t removed.
Do you know a procedure that can be used to re-generate that keyspace
without reinstalling Cassandra from scratch ?
Thanks for your help :-)
Thomas
-----------------------------------------------------------
----
------
rg
-------------------------------------------------------------
----
----
---------------------------------------------------------------
------
-----------------------------------------------------------------
----
---------------------------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, e-mail: user-***@cassandra.apache.org
For additional commands, e-mail: user-***@cassandra.apache.org
Simon Fontana Oscarsson
2018-07-17 13:26:25 UTC
Permalink
Could you try the following steps?

Stop Cassandra.
Change authenticator in yaml to PasswordAuthenticator if not already done.
Remove data directory with `rm -rf data/system_auth/roles-*`
Start Cassandra.
Login with `cqlsh -u cassandra -p cassandra`

Works for me.
--
SIMON FONTANA OSCARSSON
Software Developer

Ericsson
Ölandsgatan 1
37133 Karlskrona, Sweden
***@ericsson.com
www.ericsson.com
Post by Thomas Lété
The latest : 3.11.2, the same as yours :(
Post by Horia Mocioi
What Cassandra version do you use?
Post by Thomas Lété
Hi,
Thanks I tried that, made a node tool repair system_auth and I get a
AuthenticationFailed('Failed to authenticate to 127.0.0.1: Error from
server: code=0100 [Bad credentials] message="Provided username
cassandra and/or password are incorrect"',)})
Maybe it requires other records in the other tables ?
Thanks...
Post by Horia Mocioi
insert into system_auth.roles (role , can_login , is_superuser ,
salted_hash ) VALUES ( 'cassandra', True, True,
'$2a$10$qQIh9pXDu0JNA7vQd7KRcO7VXryjbTu8XBQTC.tXcTpJHliH6S1aW');
The above hash encrypted value is for the default password cassandra
After doing this you should enable PasswordAuthenticator and restart
your node. Then try to authenticate in cqlsh.
I tested this on ccm with cassandra 3.11.2. You should try it also on
your test systems and not trust a random guy on the web.
Horia
Post by Thomas Lété
Hi Horia,
Thanks for your reply :-)
As the keyspace was corrupt, Cassandra didn’t boot
 So as we were
in
a hurry and not needed that keyspace, we dropped the files and put
AllowAllAuthorizer.
Now even the roles table is empty.
When I enable PasswordAuthenticator, I’m not able to authenticate,
cassandra user doesn’t exist

Is there a way to insert the default user in the roles table ?
Yes the folder were recreated but without any data in the tables.
I didn’t see any error in the logs.
Post by Horia Mocioi
om>
Hello,
Those tables are empty by default, except system_auth.roles
table
which
contains one entry(by default): the cassandra user/role.
CassandraRoleManager creates it on startup if it does not exist.
Those tables will be populated once you start adding new users/roles
and use authorization.
What do you mean by "I tried removing the system_auth folder
from
data
but the keyspace isn’t removed. "? Is the folder deleted? Did you
restart and the folder was recreated or not? Did you get errors when it
restarted and Cassandra tried to recreate the system_auth keyspace?
Regards,
Horia
Post by Thomas Lété
Hi everyone,
Due to a crash, we lost the system_auth keyspace. It was not
important at that time because this was a closed system, not
communicating outside the structure so we used
AllowAllAuthorizer.
Now it is changing and we would like to recover that keyspace (re-
create it from scratch).
Unfortunately, Cassandra isn’t able to populate the tables,
they
just
stay empty

I tried removing the system_auth folder from data but the
keyspace
isn’t removed.
Do you know a procedure that can be used to re-generate that
keyspace
without reinstalling Cassandra from scratch ?
Thanks for your help :-)
Thomas
-----------------------------------------------------------
----
------
rg
-------------------------------------------------------------
----
----
---------------------------------------------------------------
------
-----------------------------------------------------------------
----
---------------------------------------------------------------------
---------------------------------------------------------------------
Thomas Lété
2018-07-17 13:43:14 UTC
Permalink
Ok I tried that, nothing better (I already tried dropping the entire system_auth folder that way, same result)

When I open the log, I found nothing about « Password » and when I search for « roles », I only find that :

DEBUG [main] 2018-07-17 15:37:39,420 CompactionStrategyManager.java:380 - Recreating compaction strategy - disk boundaries are out of date for system_auth.roles.
DEBUG [main] 2018-07-17 15:37:39,420 DiskBoundaryManager.java:53 - Refreshing disk boundary cache for system_auth.roles
DEBUG [main] 2018-07-17 15:37:39,422 DiskBoundaryManager.java:56 - Updating boundaries from DiskBoundaries{directories=[DataDirectory{location=/home/cassandra/data}], positions=[max(9223372036854775807)], ringVersion=3, directoriesVersion=0} to DiskBoundaries{directories=[DataDirectory{location=/home/cassandra/data}], positions=[max(9223372036854775807)], ringVersion=16, directoriesVersion=0} for system_auth.roles

The configuration I use for Auth is the following :

authorizer: CassandraAuthorizer
permissions_validity_in_ms: 2000
permissions_update_interval_in_ms: 2000
authenticator: PasswordAuthenticator
credentials_validity_in_ms: 2000
credentials_update_interval_in_ms: 2000
Post by Simon Fontana Oscarsson
Could you try the following steps?
Stop Cassandra.
Change authenticator in yaml to PasswordAuthenticator if not already done.
Remove data directory with `rm -rf data/system_auth/roles-*`
Start Cassandra.
Login with `cqlsh -u cassandra -p cassandra`
Works for me.
--
SIMON FONTANA OSCARSSON
Software Developer
Ericsson
Ölandsgatan 1
37133 Karlskrona, Sweden
www.ericsson.com
Post by Thomas Lété
The latest : 3.11.2, the same as yours :(
Post by Horia Mocioi
What Cassandra version do you use?
Post by Thomas Lété
Hi,
AuthenticationFailed('Failed to authenticate to 127.0.0.1: Error from
server: code=0100 [Bad credentials] message="Provided username
cassandra and/or password are incorrect"',)})
Maybe it requires other records in the other tables ?
Thanks...
Post by Horia Mocioi
insert into system_auth.roles (role , can_login , is_superuser ,
salted_hash ) VALUES ( 'cassandra', True, True,
'$2a$10$qQIh9pXDu0JNA7vQd7KRcO7VXryjbTu8XBQTC.tXcTpJHliH6S1aW');
The above hash encrypted value is for the default password
cassandra
After doing this you should enable PasswordAuthenticator and restart
your node. Then try to authenticate in cqlsh.
I tested this on ccm with cassandra 3.11.2. You should try it also on
your test systems and not trust a random guy on the web.
Horia
Post by Thomas Lété
Hi Horia,
Thanks for your reply :-)
As the keyspace was corrupt, Cassandra didn’t boot
 So as we were in
a hurry and not needed that keyspace, we dropped the files and put
AllowAllAuthorizer.
Now even the roles table is empty.
When I enable PasswordAuthenticator, I’m not able to
authenticate,
cassandra user doesn’t exist

Is there a way to insert the default user in the roles table ?
Yes the folder were recreated but without any data in the tables.
I didn’t see any error in the logs.
Post by Horia Mocioi
om>
Hello,
Those tables are empty by default, except system_auth.roles
table
which
contains one entry(by default): the cassandra user/role.
CassandraRoleManager creates it on startup if it does not exist.
Those tables will be populated once you start adding new
users/roles
and use authorization.
What do you mean by "I tried removing the system_auth folder
from
data
but the keyspace isn’t removed. "? Is the folder deleted? Did you
restart and the folder was recreated or not? Did you get errors when it
restarted and Cassandra tried to recreate the system_auth keyspace?
Regards,
Horia
Post by Thomas Lété
Hi everyone,
Due to a crash, we lost the system_auth keyspace. It was not
important at that time because this was a closed system, not
communicating outside the structure so we used
AllowAllAuthorizer.
Now it is changing and we would like to recover that keyspace (re-
create it from scratch).
Unfortunately, Cassandra isn’t able to populate the tables, they
just
stay empty

I tried removing the system_auth folder from data but the
keyspace
isn’t removed.
Do you know a procedure that can be used to re-generate that keyspace
without reinstalling Cassandra from scratch ?
Thanks for your help :-)
Thomas
-----------------------------------------------------------
----
------
rg
-------------------------------------------------------------
----
----
---------------------------------------------------------------
------
-----------------------------------------------------------------
----
---------------------------------------------------------------------
---------------------------------------------------------------------
Horia Mocioi
2018-07-17 13:59:56 UTC
Permalink
Could you also send the output of "select * from system_auth.roles"?
(you will need to change authenticator to AllowAllAuthenticator and
authorizer to AllowAllAuthorizer) 
Post by Thomas Lété
Ok I tried that, nothing better (I already tried dropping the entire
system_auth folder that way, same result)
When I open the log, I found nothing about « Password » and when I
DEBUG [main] 2018-07-17 15:37:39,420
CompactionStrategyManager.java:380 - Recreating compaction strategy -
disk boundaries are out of date for system_auth.roles.
DEBUG [main] 2018-07-17 15:37:39,420 DiskBoundaryManager.java:53 -
Refreshing disk boundary cache for system_auth.roles
DEBUG [main] 2018-07-17 15:37:39,422 DiskBoundaryManager.java:56 -
Updating boundaries from
DiskBoundaries{directories=[DataDirectory{location=/home/cassandra/da
ta}], positions=[max(9223372036854775807)], ringVersion=3,
directoriesVersion=0} to
DiskBoundaries{directories=[DataDirectory{location=/home/cassandra/da
ta}], positions=[max(9223372036854775807)], ringVersion=16,
directoriesVersion=0} for system_auth.roles
authorizer: CassandraAuthorizer
permissions_validity_in_ms: 2000
permissions_update_interval_in_ms: 2000
authenticator: PasswordAuthenticator
credentials_validity_in_ms: 2000
credentials_update_interval_in_ms: 2000
Le 17 juil. 2018 à 15:26, Simon Fontana Oscarsson <simon.fontana.os
Could you try the following steps?
Stop Cassandra.
Change authenticator in yaml to PasswordAuthenticator if not
already done.
Remove data directory with `rm -rf data/system_auth/roles-*`
Start Cassandra.
Login with `cqlsh -u cassandra -p cassandra`
Works for me.
-- 
SIMON FONTANA OSCARSSON
Software Developer
Ericsson
Ölandsgatan 1
37133 Karlskrona, Sweden
www.ericsson.com
Post by Thomas Lété
The latest : 3.11.2, the same as yours :(
Post by Horia Mocioi
What Cassandra version do you use?
Post by Thomas Lété
Hi,
Thanks I tried that, made a node tool repair system_auth and I get a
Connection error: ('Unable to connect to any servers',
AuthenticationFailed('Failed to authenticate to 127.0.0.1: Error from
server: code=0100 [Bad credentials] message="Provided
username
cassandra and/or password are incorrect"',)})
Maybe it requires other records in the other tables ?
Thanks...
on.com>
insert into system_auth.roles (role , can_login ,
is_superuser ,
salted_hash ) VALUES ( 'cassandra', True, True,
'$2a$10$qQIh9pXDu0JNA7vQd7KRcO7VXryjbTu8XBQTC.tXcTpJHliH6S1
aW');
The above hash encrypted value is for the default password cassandra
After doing this you should enable PasswordAuthenticator and
restart
your node. Then try to authenticate in cqlsh.
I tested this on ccm with cassandra 3.11.2. You should try
it also
on
your test systems and not trust a random guy on the web.
Horia
Post by Thomas Lété
Hi Horia,
Thanks for your reply :-)
As the keyspace was corrupt, Cassandra didn’t boot… So as
we were
in
a hurry and not needed that keyspace, we dropped the
files and
put
AllowAllAuthorizer.
Now even the roles table is empty.
When I enable PasswordAuthenticator, I’m not able to
authenticate,
cassandra user doesn’t exist…
Is there a way to insert the default user in the roles table ?
Yes the folder were recreated but without any data in the tables.
I didn’t see any error in the logs.
Post by Simon Fontana Oscarsson
icsson.c
om>
Hello,
Those tables are empty by default, except
system_auth.roles
table
which
contains one entry(by default): the cassandra
user/role.
CassandraRoleManager creates it on startup if it does not
exist.
Those tables will be populated once you start adding new
users/roles
and use authorization.
What do you mean by "I tried removing the system_auth folder
from
data
but the keyspace isn’t removed. "? Is the folder
deleted? Did
you
restart and the folder was recreated or not? Did you
get errors
when it
restarted and Cassandra tried to recreate the
system_auth
keyspace?
Regards,
Horia
Post by Thomas Lété
Hi everyone,
Due to a crash, we lost the system_auth keyspace. It
was not
important at that time because this was a closed
system, not
communicating outside the structure so we used
AllowAllAuthorizer.
Now it is changing and we would like to recover that
keyspace
(re-
create it from scratch).
Unfortunately, Cassandra isn’t able to populate the
tables,
they
just
stay empty…
I tried removing the system_auth folder from data but the
keyspace
isn’t removed.
Do you know a procedure that can be used to re-
generate that
keyspace
without reinstalling Cassandra from scratch ?
Thanks for your help :-)
Thomas
---------------------------------------------------
--------
----
------
ache.org
apache.o
rg
-----------------------------------------------------
--------
----
----
he.org
ache.org
-------------------------------------------------------
--------
------
.org
he.org
---------------------------------------------------------
--------
----
rg
.org
-------------------------------------------------------------
--------
---------------------------------------------------------------
------
Thomas Lété
2018-07-17 14:01:14 UTC
Permalink
It’s empty...
Post by Horia Mocioi
Could you also send the output of "select * from system_auth.roles"?
(you will need to change authenticator to AllowAllAuthenticator and
authorizer to AllowAllAuthorizer)
Post by Thomas Lété
Ok I tried that, nothing better (I already tried dropping the entire
system_auth folder that way, same result)
When I open the log, I found nothing about « Password » and when I
DEBUG [main] 2018-07-17 15:37:39,420
CompactionStrategyManager.java:380 - Recreating compaction strategy -
disk boundaries are out of date for system_auth.roles.
DEBUG [main] 2018-07-17 15:37:39,420 DiskBoundaryManager.java:53 -
Refreshing disk boundary cache for system_auth.roles
DEBUG [main] 2018-07-17 15:37:39,422 DiskBoundaryManager.java:56 -
Updating boundaries from
DiskBoundaries{directories=[DataDirectory{location=/home/cassandra/da
ta}], positions=[max(9223372036854775807)], ringVersion=3,
directoriesVersion=0} to
DiskBoundaries{directories=[DataDirectory{location=/home/cassandra/da
ta}], positions=[max(9223372036854775807)], ringVersion=16,
directoriesVersion=0} for system_auth.roles
authorizer: CassandraAuthorizer
permissions_validity_in_ms: 2000
permissions_update_interval_in_ms: 2000
authenticator: PasswordAuthenticator
credentials_validity_in_ms: 2000
credentials_update_interval_in_ms: 2000
Le 17 juil. 2018 à 15:26, Simon Fontana Oscarsson <simon.fontana.os
Could you try the following steps?
Stop Cassandra.
Change authenticator in yaml to PasswordAuthenticator if not
already done.
Remove data directory with `rm -rf data/system_auth/roles-*`
Start Cassandra.
Login with `cqlsh -u cassandra -p cassandra`
Works for me.
--
SIMON FONTANA OSCARSSON
Software Developer
Ericsson
Ölandsgatan 1
37133 Karlskrona, Sweden
www.ericsson.com
Post by Thomas Lété
The latest : 3.11.2, the same as yours :(
Post by Horia Mocioi
What Cassandra version do you use?
Post by Thomas Lété
Hi,
Thanks I tried that, made a node tool repair system_auth and I get a
Connection error: ('Unable to connect to any servers',
AuthenticationFailed('Failed to authenticate to 127.0.0.1: Error from
server: code=0100 [Bad credentials] message="Provided
username
cassandra and/or password are incorrect"',)})
Maybe it requires other records in the other tables ?
Thanks...
on.com>
insert into system_auth.roles (role , can_login ,
is_superuser ,
salted_hash ) VALUES ( 'cassandra', True, True,
'$2a$10$qQIh9pXDu0JNA7vQd7KRcO7VXryjbTu8XBQTC.tXcTpJHliH6S1
aW');
The above hash encrypted value is for the default password cassandra
After doing this you should enable PasswordAuthenticator
and
restart
your node. Then try to authenticate in cqlsh.
I tested this on ccm with cassandra 3.11.2. You should try
it also
on
your test systems and not trust a random guy on the web.
Horia
Post by Thomas Lété
Hi Horia,
Thanks for your reply :-)
As the keyspace was corrupt, Cassandra didn’t boot… So as
we were
in
a hurry and not needed that keyspace, we dropped the
files and
put
AllowAllAuthorizer.
Now even the roles table is empty.
When I enable PasswordAuthenticator, I’m not able to
authenticate,
cassandra user doesn’t exist…
Is there a way to insert the default user in the roles
table ?
Yes the folder were recreated but without any data in the tables.
I didn’t see any error in the logs.
Post by Simon Fontana Oscarsson
icsson.c
om>
Hello,
Those tables are empty by default, except
system_auth.roles
table
which
contains one entry(by default): the cassandra
user/role.
CassandraRoleManager creates it on startup if it does
not
exist.
Those tables will be populated once you start adding
new
users/roles
and use authorization.
What do you mean by "I tried removing the system_auth
folder
from
data
but the keyspace isn’t removed. "? Is the folder
deleted? Did
you
restart and the folder was recreated or not? Did you
get errors
when it
restarted and Cassandra tried to recreate the
system_auth
keyspace?
Regards,
Horia
Post by Thomas Lété
Hi everyone,
Due to a crash, we lost the system_auth keyspace. It
was not
important at that time because this was a closed
system, not
communicating outside the structure so we used
AllowAllAuthorizer.
Now it is changing and we would like to recover that
keyspace
(re-
create it from scratch).
Unfortunately, Cassandra isn’t able to populate the
tables,
they
just
stay empty…
I tried removing the system_auth folder from data but
the
keyspace
isn’t removed.
Do you know a procedure that can be used to re-
generate that
keyspace
without reinstalling Cassandra from scratch ?
Thanks for your help :-)
Thomas
---------------------------------------------------
--------
----
------
ache.org
apache.o
rg
-----------------------------------------------------
--------
----
----
he.org
ache.org
-------------------------------------------------------
--------
------
.org
he.org
---------------------------------------------------------
--------
----
rg
.org
-------------------------------------------------------------
--------
---------------------------------------------------------------
------
---------------------------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, e-mail: user-***@cassandra.apache.org
For additional commands, e-mail: user-***@cassandra.apache.org
Simon Fontana Oscarsson
2018-07-17 14:15:58 UTC
Permalink
This is very strange behavior if Cassandra won't recreate the cassandra user when you delete the folder.
So just to make sure, you are stopping Cassandra on all nodes and deleting the data directory?
--
SIMON FONTANA OSCARSSON
Software Developer

Ericsson
Ölandsgatan 1
37133 Karlskrona, Sweden
***@ericsson.com
www.ericsson.com
It’s empty...
Post by Horia Mocioi
Could you also send the output of "select * from system_auth.roles"?
(you will need to change authenticator to AllowAllAuthenticator and
authorizer to AllowAllAuthorizer) 
Post by Thomas Lété
Ok I tried that, nothing better (I already tried dropping the entire
system_auth folder that way, same result)
When I open the log, I found nothing about « Password » and when I
DEBUG [main] 2018-07-17 15:37:39,420
CompactionStrategyManager.java:380 - Recreating compaction strategy -
disk boundaries are out of date for system_auth.roles.
DEBUG [main] 2018-07-17 15:37:39,420 DiskBoundaryManager.java:53 -
Refreshing disk boundary cache for system_auth.roles
DEBUG [main] 2018-07-17 15:37:39,422 DiskBoundaryManager.java:56 -
Updating boundaries from
DiskBoundaries{directories=[DataDirectory{location=/home/cassandra/da
ta}], positions=[max(9223372036854775807)], ringVersion=3,
directoriesVersion=0} to
DiskBoundaries{directories=[DataDirectory{location=/home/cassandra/da
ta}], positions=[max(9223372036854775807)], ringVersion=16,
directoriesVersion=0} for system_auth.roles
authorizer: CassandraAuthorizer
permissions_validity_in_ms: 2000
permissions_update_interval_in_ms: 2000
authenticator: PasswordAuthenticator
credentials_validity_in_ms: 2000
credentials_update_interval_in_ms: 2000
Le 17 juil. 2018 à 15:26, Simon Fontana Oscarsson <simon.fontana.os
Could you try the following steps?
Stop Cassandra.
Change authenticator in yaml to PasswordAuthenticator if not already done.
Remove data directory with `rm -rf data/system_auth/roles-*`
Start Cassandra.
Login with `cqlsh -u cassandra -p cassandra`
Works for me.
Thomas Lété
2018-07-17 14:18:16 UTC
Permalink
Yes I did that multiple time, always following the same procedure : stop Cassandra, on all nodes, remove data, update config then restart nodes one by one…

I really don’t understand when I could have done wrong...
Post by Simon Fontana Oscarsson
This is very strange behavior if Cassandra won't recreate the cassandra user when you delete the folder.
So just to make sure, you are stopping Cassandra on all nodes and deleting the data directory?
--
SIMON FONTANA OSCARSSON
Software Developer
Ericsson
Ölandsgatan 1
37133 Karlskrona, Sweden
www.ericsson.com
Post by Thomas Lété
It’s empty...
Post by Horia Mocioi
Could you also send the output of "select * from system_auth.roles"?
(you will need to change authenticator to AllowAllAuthenticator and
authorizer to AllowAllAuthorizer)
Post by Thomas Lété
Ok I tried that, nothing better (I already tried dropping the entire
system_auth folder that way, same result)
When I open the log, I found nothing about « Password » and when I
DEBUG [main] 2018-07-17 15:37:39,420
CompactionStrategyManager.java:380 - Recreating compaction strategy -
disk boundaries are out of date for system_auth.roles.
DEBUG [main] 2018-07-17 15:37:39,420 DiskBoundaryManager.java:53 -
Refreshing disk boundary cache for system_auth.roles
DEBUG [main] 2018-07-17 15:37:39,422 DiskBoundaryManager.java:56 -
Updating boundaries from
DiskBoundaries{directories=[DataDirectory{location=/home/cassandra/da
ta}], positions=[max(9223372036854775807)], ringVersion=3,
directoriesVersion=0} to
DiskBoundaries{directories=[DataDirectory{location=/home/cassandra/da
ta}], positions=[max(9223372036854775807)], ringVersion=16,
directoriesVersion=0} for system_auth.roles
authorizer: CassandraAuthorizer
permissions_validity_in_ms: 2000
permissions_update_interval_in_ms: 2000
authenticator: PasswordAuthenticator
credentials_validity_in_ms: 2000
credentials_update_interval_in_ms: 2000
Le 17 juil. 2018 à 15:26, Simon Fontana Oscarsson <simon.fontana.os
Could you try the following steps?
Stop Cassandra.
Change authenticator in yaml to PasswordAuthenticator if not already done.
Remove data directory with `rm -rf data/system_auth/roles-*`
Start Cassandra.
Login with `cqlsh -u cassandra -p cassandra`
Works for me.
---------------------------------------------------------------------
To unsubscribe, e-mail: user-***@cassandra.apache.org
For additional commands, e-mail: user-***@cassandra.apache.org
Sam Tunnicliffe
2018-07-17 14:47:15 UTC
Permalink
The default superuser is only created at startup if 3 conditions are met:

i) The default role manager is configured. In cassandra.yaml, you should
see "role_manager: CassandraRoleManager". This is also the default value,
so unless you're explicitly using a custom role manager it should be good.
ii) The system_auth.users table (legacy, pre-2.2) should not be present.
Present means present in the schema, not on disk. Unlike most system
tables, this table is droppable (in fact this is a necessary step in
upgrading from earlier versions).
iii) There should be no preexisting roles present in the system_auth.roles
table. This is verified with a regular query, so you must either use CQL to
delete existing roles, or remove the data directories and commit logs on
*all* nodes.

Even if these three conditions are met, but the default user isn't being
created the manual insert that Horia suggested should work. If
system_auth.roles table exists and you are able to perform the insert, I'm
very surprised when you say it's empty after you issue the insert. If you
check again and it turns out the manual insert is working as expected, you
need to make sure that the legacy tables have been dropped from schema
(assuming you upgraded from a pre-3.0 version at some point). If the legacy
tables are still present, the authenticator will continue to read from them
and so would be ignoring the new entry in the roles table. (see:
https://github.com/apache/cassandra/blob/cassandra-3.11.2/NEWS.txt#L619-L640
)
Post by Thomas Lété
Yes I did that multiple time, always following the same procedure : stop
Cassandra, on all nodes, remove data, update config then restart nodes one
by one

I really don’t understand when I could have done wrong...
Le 17 juil. 2018 à 16:15, Simon Fontana Oscarsson <
This is very strange behavior if Cassandra won't recreate the cassandra
user when you delete the folder.
So just to make sure, you are stopping Cassandra on all nodes and
deleting the data directory?
--
SIMON FONTANA OSCARSSON
Software Developer
Ericsson
Ölandsgatan 1
37133 Karlskrona, Sweden
www.ericsson.com
It’s empty...
Post by Horia Mocioi
Could you also send the output of "select * from system_auth.roles"?
(you will need to change authenticator to AllowAllAuthenticator and
authorizer to AllowAllAuthorizer)
Post by Thomas Lété
Ok I tried that, nothing better (I already tried dropping the entire
system_auth folder that way, same result)
When I open the log, I found nothing about « Password » and when I
DEBUG [main] 2018-07-17 15:37:39,420
CompactionStrategyManager.java:380 - Recreating compaction strategy -
disk boundaries are out of date for system_auth.roles.
DEBUG [main] 2018-07-17 15:37:39,420 DiskBoundaryManager.java:53 -
Refreshing disk boundary cache for system_auth.roles
DEBUG [main] 2018-07-17 15:37:39,422 DiskBoundaryManager.java:56 -
Updating boundaries from
DiskBoundaries{directories=[DataDirectory{location=/home/cassandra/da
ta}], positions=[max(9223372036854775807)], ringVersion=3,
directoriesVersion=0} to
DiskBoundaries{directories=[DataDirectory{location=/home/cassandra/da
ta}], positions=[max(9223372036854775807)], ringVersion=16,
directoriesVersion=0} for system_auth.roles
authorizer: CassandraAuthorizer
permissions_validity_in_ms: 2000
permissions_update_interval_in_ms: 2000
authenticator: PasswordAuthenticator
credentials_validity_in_ms: 2000
credentials_update_interval_in_ms: 2000
Le 17 juil. 2018 à 15:26, Simon Fontana Oscarsson <simon.fontana.os
Could you try the following steps?
Stop Cassandra.
Change authenticator in yaml to PasswordAuthenticator if not already done.
Remove data directory with `rm -rf data/system_auth/roles-*`
Start Cassandra.
Login with `cqlsh -u cassandra -p cassandra`
Works for me.
---------------------------------------------------------------------
Thomas Lété
2018-07-17 15:24:39 UTC
Permalink
Thanks for your reply,

- I have not defined role_manager in the config
- I dropped the users table, it was present in the keyspace
- Cassandra then created a record in the roles table, yay !

But when I do clash -u cassandra -p cassandra

=> Invalid credentials supplied.
Authentication error on host xxxxxx: Provided username cassandra and/or password are incorrect

I already repaired system_auth a few times, nothing help...
i) The default role manager is configured. In cassandra.yaml, you should see "role_manager: CassandraRoleManager". This is also the default value, so unless you're explicitly using a custom role manager it should be good.
ii) The system_auth.users table (legacy, pre-2.2) should not be present. Present means present in the schema, not on disk. Unlike most system tables, this table is droppable (in fact this is a necessary step in upgrading from earlier versions).
iii) There should be no preexisting roles present in the system_auth.roles table. This is verified with a regular query, so you must either use CQL to delete existing roles, or remove the data directories and commit logs on *all* nodes.
Even if these three conditions are met, but the default user isn't being created the manual insert that Horia suggested should work. If system_auth.roles table exists and you are able to perform the insert, I'm very surprised when you say it's empty after you issue the insert. If you check again and it turns out the manual insert is working as expected, you need to make sure that the legacy tables have been dropped from schema (assuming you upgraded from a pre-3.0 version at some point). If the legacy tables are still present, the authenticator will continue to read from them and so would be ignoring the new entry in the roles table. (see: https://github.com/apache/cassandra/blob/cassandra-3.11.2/NEWS.txt#L619-L640 <https://github.com/apache/cassandra/blob/cassandra-3.11.2/NEWS.txt#L619-L640>)
Yes I did that multiple time, always following the same procedure : stop Cassandra, on all nodes, remove data, update config then restart nodes one by one

I really don’t understand when I could have done wrong...
Post by Simon Fontana Oscarsson
This is very strange behavior if Cassandra won't recreate the cassandra user when you delete the folder.
So just to make sure, you are stopping Cassandra on all nodes and deleting the data directory?
--
SIMON FONTANA OSCARSSON
Software Developer
Ericsson
Ölandsgatan 1
37133 Karlskrona, Sweden
www.ericsson.com <http://www.ericsson.com/>
It’s empty...
Post by Horia Mocioi
Could you also send the output of "select * from system_auth.roles"?
(you will need to change authenticator to AllowAllAuthenticator and
authorizer to AllowAllAuthorizer)
Post by Thomas Lété
Ok I tried that, nothing better (I already tried dropping the entire
system_auth folder that way, same result)
When I open the log, I found nothing about « Password » and when I
DEBUG [main] 2018-07-17 15:37:39,420
CompactionStrategyManager.java:380 - Recreating compaction strategy -
disk boundaries are out of date for system_auth.roles.
DEBUG [main] 2018-07-17 15:37:39,420 DiskBoundaryManager.java:53 -
Refreshing disk boundary cache for system_auth.roles
DEBUG [main] 2018-07-17 15:37:39,422 DiskBoundaryManager.java:56 -
Updating boundaries from
DiskBoundaries{directories=[DataDirectory{location=/home/cassandra/da
ta}], positions=[max(9223372036854775807)], ringVersion=3,
directoriesVersion=0} to
DiskBoundaries{directories=[DataDirectory{location=/home/cassandra/da
ta}], positions=[max(9223372036854775807)], ringVersion=16,
directoriesVersion=0} for system_auth.roles
authorizer: CassandraAuthorizer
permissions_validity_in_ms: 2000
permissions_update_interval_in_ms: 2000
authenticator: PasswordAuthenticator
credentials_validity_in_ms: 2000
credentials_update_interval_in_ms: 2000
Le 17 juil. 2018 à 15:26, Simon Fontana Oscarsson <simon.fontana.os
Could you try the following steps?
Stop Cassandra.
Change authenticator in yaml to PasswordAuthenticator if not already done.
Remove data directory with `rm -rf data/system_auth/roles-*`
Start Cassandra.
Login with `cqlsh -u cassandra -p cassandra`
Works for me.
---------------------------------------------------------------------
Horia Mocioi
2018-07-17 22:28:15 UTC
Permalink
Cassandra allows to use custom authenticators so I would create a CustomPasswordAuthenticator. This would be a copy of the existing PasswordAuthenticator. I would add several debugging info like: provided username and password, the output of the checkpw function, what cql statement is executed etc (any other info that would help me to understand what is being executed in the authenticator).

________________________________
From: Thomas Lété <***@soprism.com>
Sent: Tuesday, July 17, 2018 5:24:39 PM
To: ***@cassandra.apache.org
Subject: Re: System auth empty, how to populate it

Thanks for your reply,

- I have not defined role_manager in the config
- I dropped the users table, it was present in the keyspace
- Cassandra then created a record in the roles table, yay !

But when I do clash -u cassandra -p cassandra

=> Invalid credentials supplied.
Authentication error on host xxxxxx: Provided username cassandra and/or password are incorrect

I already repaired system_auth a few times, nothing help...

Le 17 juil. 2018 à 16:47, Sam Tunnicliffe <***@beobal.com<mailto:***@beobal.com>> a écrit :

The default superuser is only created at startup if 3 conditions are met:

i) The default role manager is configured. In cassandra.yaml, you should see "role_manager: CassandraRoleManager". This is also the default value, so unless you're explicitly using a custom role manager it should be good.
ii) The system_auth.users table (legacy, pre-2.2) should not be present. Present means present in the schema, not on disk. Unlike most system tables, this table is droppable (in fact this is a necessary step in upgrading from earlier versions).
iii) There should be no preexisting roles present in the system_auth.roles table. This is verified with a regular query, so you must either use CQL to delete existing roles, or remove the data directories and commit logs on *all* nodes.

Even if these three conditions are met, but the default user isn't being created the manual insert that Horia suggested should work. If system_auth.roles table exists and you are able to perform the insert, I'm very surprised when you say it's empty after you issue the insert. If you check again and it turns out the manual insert is working as expected, you need to make sure that the legacy tables have been dropped from schema (assuming you upgraded from a pre-3.0 version at some point). If the legacy tables are still present, the authenticator will continue to read from them and so would be ignoring the new entry in the roles table. (see: https://github.com/apache/cassandra/blob/cassandra-3.11.2/NEWS.txt#L619-L640)


On 17 July 2018 at 15:18, Thomas Lété <***@soprism.com<mailto:***@soprism.com>> wrote:
Yes I did that multiple time, always following the same procedure : stop Cassandra, on all nodes, remove data, update config then restart nodes one by one…

I really don’t understand when I could have done wrong...
Post by Simon Fontana Oscarsson
This is very strange behavior if Cassandra won't recreate the cassandra user when you delete the folder.
So just to make sure, you are stopping Cassandra on all nodes and deleting the data directory?
--
SIMON FONTANA OSCARSSON
Software Developer
Ericsson
Ölandsgatan 1
37133 Karlskrona, Sweden
www.ericsson.com<http://www.ericsson.com/>
It’s empty...
Post by Horia Mocioi
Could you also send the output of "select * from system_auth.roles"?
(you will need to change authenticator to AllowAllAuthenticator and
authorizer to AllowAllAuthorizer)
Post by Thomas Lété
Ok I tried that, nothing better (I already tried dropping the entire
system_auth folder that way, same result)
When I open the log, I found nothing about « Password » and when I
DEBUG [main] 2018-07-17 15:37:39,420
CompactionStrategyManager.java:380 - Recreating compaction strategy -
disk boundaries are out of date for system_auth.roles.
DEBUG [main] 2018-07-17 15:37:39,420 DiskBoundaryManager.java:53 -
Refreshing disk boundary cache for system_auth.roles
DEBUG [main] 2018-07-17 15:37:39,422 DiskBoundaryManager.java:56 -
Updating boundaries from
DiskBoundaries{directories=[DataDirectory{location=/home/cassandra/da
ta}], positions=[max(9223372036854775807)], ringVersion=3,
directoriesVersion=0} to
DiskBoundaries{directories=[DataDirectory{location=/home/cassandra/da
ta}], positions=[max(9223372036854775807)], ringVersion=16,
directoriesVersion=0} for system_auth.roles
authorizer: CassandraAuthorizer
permissions_validity_in_ms: 2000
permissions_update_interval_in_ms: 2000
authenticator: PasswordAuthenticator
credentials_validity_in_ms: 2000
credentials_update_interval_in_ms: 2000
Le 17 juil. 2018 à 15:26, Simon Fontana Oscarsson <simon.fontana.os
Could you try the following steps?
Stop Cassandra.
Change authenticator in yaml to PasswordAuthenticator if not already done.
Remove data directory with `rm -rf data/system_auth/roles-*`
Start Cassandra.
Login with `cqlsh -u cassandra -p cassandra`
Works for me.
---------------------------------------------------------------------
To unsubscribe, e-mail: user-***@cassandra.apache.org<mailto:user-***@cassandra.apache.org>
For additional commands, e-mail: user-***@cassandra.apache.org<mailto:user-***@cassandra.apache.org>
Thomas Lété
2018-07-18 06:33:18 UTC
Permalink
Unfortunately, I’m not a java dev so I’m not able to create an authenticator


I don’t like to do that usually but I share with you a gist of the config, it was generated by OpsCenter when it was free, I just updated it for Cassandra >= 3
 Maybe you will see something :

https://gist.github.com/bistory/ececc0bef7627f39a21e4e8f0c8d841c
Post by Horia Mocioi
Cassandra allows to use custom authenticators so I would create a CustomPasswordAuthenticator. This would be a copy of the existing PasswordAuthenticator. I would add several debugging info like: provided username and password, the output of the checkpw function, what cql statement is executed etc (any other info that would help me to understand what is being executed in the authenticator).
Sent: Tuesday, July 17, 2018 5:24:39 PM
Subject: Re: System auth empty, how to populate it
Thanks for your reply,
- I have not defined role_manager in the config
- I dropped the users table, it was present in the keyspace
- Cassandra then created a record in the roles table, yay !
But when I do clash -u cassandra -p cassandra
=> Invalid credentials supplied.
Authentication error on host xxxxxx: Provided username cassandra and/or password are incorrect
I already repaired system_auth a few times, nothing help...
i) The default role manager is configured. In cassandra.yaml, you should see "role_manager: CassandraRoleManager". This is also the default value, so unless you're explicitly using a custom role manager it should be good.
ii) The system_auth.users table (legacy, pre-2.2) should not be present. Present means present in the schema, not on disk. Unlike most system tables, this table is droppable (in fact this is a necessary step in upgrading from earlier versions).
iii) There should be no preexisting roles present in the system_auth.roles table. This is verified with a regular query, so you must either use CQL to delete existing roles, or remove the data directories and commit logs on *all* nodes.
Even if these three conditions are met, but the default user isn't being created the manual insert that Horia suggested should work. If system_auth.roles table exists and you are able to perform the insert, I'm very surprised when you say it's empty after you issue the insert. If you check again and it turns out the manual insert is working as expected, you need to make sure that the legacy tables have been dropped from schema (assuming you upgraded from a pre-3.0 version at some point). If the legacy tables are still present, the authenticator will continue to read from them and so would be ignoring the new entry in the roles table. (see: https://github.com/apache/cassandra/blob/cassandra-3.11.2/NEWS.txt#L619-L640 <https://github.com/apache/cassandra/blob/cassandra-3.11.2/NEWS.txt#L619-L640>)
Yes I did that multiple time, always following the same procedure : stop Cassandra, on all nodes, remove data, update config then restart nodes one by one

I really don’t understand when I could have done wrong...
Post by Simon Fontana Oscarsson
This is very strange behavior if Cassandra won't recreate the cassandra user when you delete the folder.
So just to make sure, you are stopping Cassandra on all nodes and deleting the data directory?
--
SIMON FONTANA OSCARSSON
Software Developer
Ericsson
Ölandsgatan 1
37133 Karlskrona, Sweden
www.ericsson.com <http://www.ericsson.com/>
It’s empty...
Post by Horia Mocioi
Could you also send the output of "select * from system_auth.roles"?
(you will need to change authenticator to AllowAllAuthenticator and
authorizer to AllowAllAuthorizer)
Post by Thomas Lété
Ok I tried that, nothing better (I already tried dropping the entire
system_auth folder that way, same result)
When I open the log, I found nothing about « Password » and when I
DEBUG [main] 2018-07-17 15:37:39,420
CompactionStrategyManager.java:380 - Recreating compaction strategy -
disk boundaries are out of date for system_auth.roles.
DEBUG [main] 2018-07-17 15:37:39,420 DiskBoundaryManager.java:53 -
Refreshing disk boundary cache for system_auth.roles
DEBUG [main] 2018-07-17 15:37:39,422 DiskBoundaryManager.java:56 -
Updating boundaries from
DiskBoundaries{directories=[DataDirectory{location=/home/cassandra/da
ta}], positions=[max(9223372036854775807)], ringVersion=3,
directoriesVersion=0} to
DiskBoundaries{directories=[DataDirectory{location=/home/cassandra/da
ta}], positions=[max(9223372036854775807)], ringVersion=16,
directoriesVersion=0} for system_auth.roles
authorizer: CassandraAuthorizer
permissions_validity_in_ms: 2000
permissions_update_interval_in_ms: 2000
authenticator: PasswordAuthenticator
credentials_validity_in_ms: 2000
credentials_update_interval_in_ms: 2000
Le 17 juil. 2018 à 15:26, Simon Fontana Oscarsson <simon.fontana.os
Could you try the following steps?
Stop Cassandra.
Change authenticator in yaml to PasswordAuthenticator if not already done.
Remove data directory with `rm -rf data/system_auth/roles-*`
Start Cassandra.
Login with `cqlsh -u cassandra -p cassandra`
Works for me.
---------------------------------------------------------------------
Horia Mocioi
2018-07-18 06:51:54 UTC
Permalink
If this is the file that you are currently using...he first things that
I see is that you do not have any authenticator and role_manager:

https://github.com/apache/cassandra/blob/1d506f9d09c880ff2b2693e3e27fa5
8c02ecf398/conf/cassandra.yaml#L103

https://github.com/apache/cassandra/blob/1d506f9d09c880ff2b2693e3e27fa5
8c02ecf398/conf/cassandra.yaml#L123
Unfortunately, I’m not a java dev so I’m not able to create an
authenticator…
I don’t like to do that usually but I share with you a gist of the
config, it was generated by OpsCenter when it was free, I just
https://gist.github.com/bistory/ececc0bef7627f39a21e4e8f0c8d841c
Post by Horia Mocioi
Cassandra allows to use custom authenticators so I would create a
CustomPasswordAuthenticator. This would be a copy of the existing
provided username and password, the output of the checkpw function,
what cql statement is executed etc (any other info that would help
me to understand what is being executed in the authenticator).
Sent: Tuesday, July 17, 2018 5:24:39 PM
Subject: Re: System auth empty, how to populate it
 
Thanks for your reply,
- I have not defined role_manager in the config
- I dropped the users table, it was present in the keyspace
- Cassandra then created a record in the roles table, yay !
But when I do clash -u cassandra -p cassandra
=> Invalid credentials supplied.
Authentication error on host xxxxxx: Provided username cassandra
and/or password are incorrect
I already repaired system_auth a few times, nothing help...
Post by Sam Tunnicliffe
i) The default role manager is configured. In cassandra.yaml, you
should see "role_manager: CassandraRoleManager". This is also the
default value, so unless you're explicitly using a custom role
manager it should be good. 
ii) The system_auth.users table (legacy, pre-2.2) should not be
present. Present means present in the schema, not on disk. Unlike
most system tables, this table is droppable (in fact this is a
necessary step in upgrading from earlier versions).  
iii) There should be no preexisting roles present in the
system_auth.roles table. This is verified with a regular query,
so you must either use CQL to delete existing roles, or remove
the data directories and commit logs on *all* nodes.
Even if these three conditions are met, but the default user
isn't being created the manual insert that Horia suggested should
work. If system_auth.roles table exists and you are able to
perform the insert, I'm very surprised when you say it's empty
after you issue the insert. If you check again and it turns out
the manual insert is working as expected, you need to make sure
that the legacy tables have been dropped from schema (assuming
you upgraded from a pre-3.0 version at some point). If the legacy
tables are still present, the authenticator will continue to read
from them and so would be ignoring the new entry in the roles
table. (see: https://github.com/apache/cassandra/blob/cassandra-3
.11.2/NEWS.txt#L619-L640) 
Yes I did that multiple time, always following the same procedure
: stop Cassandra, on all nodes, remove data, update config then
restart nodes one by one…
I really don’t understand when I could have done wrong...
Le 17 juil. 2018 à 16:15, Simon Fontana Oscarsson <simon.fontan
 
This is very strange behavior if Cassandra won't recreate the
cassandra user when you delete the folder.
So just to make sure, you are stopping Cassandra on all nodes
and deleting the data directory?
 
-- 
SIMON FONTANA OSCARSSON
Software Developer
 
Ericsson
Ölandsgatan 1
37133 Karlskrona, Sweden
 www.ericsson.com
 
Post by Thomas Lété
It’s empty...
 
Post by Horia Mocioi
 
 
Could you also send the output of "select * from
system_auth.roles"?
Post by Thomas Lété
Post by Horia Mocioi
(you will need to change authenticator to
AllowAllAuthenticator and
Post by Thomas Lété
Post by Horia Mocioi
authorizer to AllowAllAuthorizer) 
 
Post by Thomas Lété
 
Ok I tried that, nothing better (I already tried dropping
the entire
Post by Thomas Lété
Post by Horia Mocioi
Post by Thomas Lété
system_auth folder that way, same result)
 
When I open the log, I found nothing about « Password » and
when I
Post by Thomas Lété
Post by Horia Mocioi
Post by Thomas Lété
 
DEBUG [main] 2018-07-17 15:37:39,420
CompactionStrategyManager.java:380 - Recreating compaction
strategy -
Post by Thomas Lété
Post by Horia Mocioi
Post by Thomas Lété
disk boundaries are out of date for system_auth.roles.
DEBUG [main] 2018-07-17 15:37:39,420
DiskBoundaryManager.java:53 -
Post by Thomas Lété
Post by Horia Mocioi
Post by Thomas Lété
Refreshing disk boundary cache for system_auth.roles
DEBUG [main] 2018-07-17 15:37:39,422
DiskBoundaryManager.java:56 -
Post by Thomas Lété
Post by Horia Mocioi
Post by Thomas Lété
Updating boundaries from
DiskBoundaries{directories=[DataDirectory{location=/home/cassandr
a/da
Post by Thomas Lété
Post by Horia Mocioi
Post by Thomas Lété
ta}], positions=[max(9223372036854775807)], ringVersion=3,
directoriesVersion=0} to
DiskBoundaries{directories=[DataDirectory{location=/home/cassandr
a/da
Post by Thomas Lété
Post by Horia Mocioi
Post by Thomas Lété
ta}], positions=[max(9223372036854775807)], ringVersion=16,
directoriesVersion=0} for system_auth.roles
 
 
authorizer: CassandraAuthorizer
permissions_validity_in_ms: 2000
permissions_update_interval_in_ms: 2000
authenticator: PasswordAuthenticator
credentials_validity_in_ms: 2000
credentials_update_interval_in_ms: 2000
 
 
Le 17 juil. 2018 à 15:26, Simon Fontana Oscarsson
<simon.fontana.os
Post by Thomas Lété
Post by Horia Mocioi
Post by Thomas Lété
 
Could you try the following steps?
 
Stop Cassandra.
Change authenticator in yaml to PasswordAuthenticator if
not
Post by Thomas Lété
Post by Horia Mocioi
Post by Thomas Lété
already done.
Remove data directory with `rm -rf data/system_auth/roles-
*`
Post by Thomas Lété
Post by Horia Mocioi
Post by Thomas Lété
Start Cassandra.
Login with `cqlsh -u cassandra -p cassandra`
 
Works for me.
---------------------------------------------------------------
------
---------------------------------------------------------------------
To unsubscribe, e-mail: user-***@cassandra.apache.org
For additional commands, e
Thomas Lété
2018-07-18 07:02:04 UTC
Permalink
I’m using the default ones, the commented parts are the one I use when I try the PasswordAuthenticator :) (line 19 to 24)
Post by Horia Mocioi
If this is the file that you are currently using...he first things that
https://github.com/apache/cassandra/blob/1d506f9d09c880ff2b2693e3e27fa5
8c02ecf398/conf/cassandra.yaml#L103
https://github.com/apache/cassandra/blob/1d506f9d09c880ff2b2693e3e27fa5
8c02ecf398/conf/cassandra.yaml#L123
Unfortunately, I’m not a java dev so I’m not able to create an
authenticator…
I don’t like to do that usually but I share with you a gist of the
config, it was generated by OpsCenter when it was free, I just
https://gist.github.com/bistory/ececc0bef7627f39a21e4e8f0c8d841c
Post by Horia Mocioi
Cassandra allows to use custom authenticators so I would create a
CustomPasswordAuthenticator. This would be a copy of the existing
provided username and password, the output of the checkpw function,
what cql statement is executed etc (any other info that would help
me to understand what is being executed in the authenticator).
Sent: Tuesday, July 17, 2018 5:24:39 PM
Subject: Re: System auth empty, how to populate it
Thanks for your reply,
- I have not defined role_manager in the config
- I dropped the users table, it was present in the keyspace
- Cassandra then created a record in the roles table, yay !
But when I do clash -u cassandra -p cassandra
=> Invalid credentials supplied.
Authentication error on host xxxxxx: Provided username cassandra
and/or password are incorrect
I already repaired system_auth a few times, nothing help...
Post by Sam Tunnicliffe
i) The default role manager is configured. In cassandra.yaml, you
should see "role_manager: CassandraRoleManager". This is also the
default value, so unless you're explicitly using a custom role
manager it should be good.
ii) The system_auth.users table (legacy, pre-2.2) should not be
present. Present means present in the schema, not on disk. Unlike
most system tables, this table is droppable (in fact this is a
necessary step in upgrading from earlier versions).
iii) There should be no preexisting roles present in the
system_auth.roles table. This is verified with a regular query,
so you must either use CQL to delete existing roles, or remove
the data directories and commit logs on *all* nodes.
Even if these three conditions are met, but the default user
isn't being created the manual insert that Horia suggested should
work. If system_auth.roles table exists and you are able to
perform the insert, I'm very surprised when you say it's empty
after you issue the insert. If you check again and it turns out
the manual insert is working as expected, you need to make sure
that the legacy tables have been dropped from schema (assuming
you upgraded from a pre-3.0 version at some point). If the legacy
tables are still present, the authenticator will continue to read
from them and so would be ignoring the new entry in the roles
table. (see: https://github.com/apache/cassandra/blob/cassandra-3
.11.2/NEWS.txt#L619-L640)
Yes I did that multiple time, always following the same procedure
: stop Cassandra, on all nodes, remove data, update config then
restart nodes one by one…
I really don’t understand when I could have done wrong...
Le 17 juil. 2018 à 16:15, Simon Fontana Oscarsson <simon.fontan
This is very strange behavior if Cassandra won't recreate the
cassandra user when you delete the folder.
So just to make sure, you are stopping Cassandra on all nodes
and deleting the data directory?
--
SIMON FONTANA OSCARSSON
Software Developer
Ericsson
Ölandsgatan 1
37133 Karlskrona, Sweden
www.ericsson.com
Post by Thomas Lété
It’s empty...
Post by Horia Mocioi
Could you also send the output of "select * from
system_auth.roles"?
Post by Thomas Lété
Post by Horia Mocioi
(you will need to change authenticator to
AllowAllAuthenticator and
Post by Thomas Lété
Post by Horia Mocioi
authorizer to AllowAllAuthorizer)
Post by Thomas Lété
Ok I tried that, nothing better (I already tried dropping
the entire
Post by Thomas Lété
Post by Horia Mocioi
Post by Thomas Lété
system_auth folder that way, same result)
When I open the log, I found nothing about « Password » and
when I
Post by Thomas Lété
Post by Horia Mocioi
Post by Thomas Lété
DEBUG [main] 2018-07-17 15:37:39,420
CompactionStrategyManager.java:380 - Recreating compaction
strategy -
Post by Thomas Lété
Post by Horia Mocioi
Post by Thomas Lété
disk boundaries are out of date for system_auth.roles.
DEBUG [main] 2018-07-17 15:37:39,420
DiskBoundaryManager.java:53 -
Post by Thomas Lété
Post by Horia Mocioi
Post by Thomas Lété
Refreshing disk boundary cache for system_auth.roles
DEBUG [main] 2018-07-17 15:37:39,422
DiskBoundaryManager.java:56 -
Post by Thomas Lété
Post by Horia Mocioi
Post by Thomas Lété
Updating boundaries from
DiskBoundaries{directories=[DataDirectory{location=/home/cassandr
a/da
Post by Thomas Lété
Post by Horia Mocioi
Post by Thomas Lété
ta}], positions=[max(9223372036854775807)], ringVersion=3,
directoriesVersion=0} to
DiskBoundaries{directories=[DataDirectory{location=/home/cassandr
a/da
Post by Thomas Lété
Post by Horia Mocioi
Post by Thomas Lété
ta}], positions=[max(9223372036854775807)], ringVersion=16,
directoriesVersion=0} for system_auth.roles
authorizer: CassandraAuthorizer
permissions_validity_in_ms: 2000
permissions_update_interval_in_ms: 2000
authenticator: PasswordAuthenticator
credentials_validity_in_ms: 2000
credentials_update_interval_in_ms: 2000
Le 17 juil. 2018 à 15:26, Simon Fontana Oscarsson
<simon.fontana.os
Post by Thomas Lété
Post by Horia Mocioi
Post by Thomas Lété
Could you try the following steps?
Stop Cassandra.
Change authenticator in yaml to PasswordAuthenticator if
not
Post by Thomas Lété
Post by Horia Mocioi
Post by Thomas Lété
already done.
Remove data directory with `rm -rf data/system_auth/roles-
*`
Post by Thomas Lété
Post by Horia Mocioi
Post by Thomas Lété
Start Cassandra.
Login with `cqlsh -u cassandra -p cassandra`
Works for me.
---------------------------------------------------------------
------
---------------------------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, e-mail: user-***@cassandra.apache.org
For additional commands, e-mail: user-***@cassandra.apache.org
Sam Tunnicliffe
2018-07-18 10:03:03 UTC
Permalink
With that config you'll be using the default AllowAllAuthenticator, so I
assume you are able to connect cqlsh without any credentials? If so, can
you verify the contents of the system_auth.roles table? It should contain
only the cassandra user.
I’m using the default ones, the commented parts are the one I use when I
try the PasswordAuthenticator :) (line 19 to 24)
Post by Horia Mocioi
If this is the file that you are currently using...he first things that
https://github.com/apache/cassandra/blob/1d506f9d09c880ff2b2693e3e27fa5
8c02ecf398/conf/cassandra.yaml#L103
https://github.com/apache/cassandra/blob/1d506f9d09c880ff2b2693e3e27fa5
8c02ecf398/conf/cassandra.yaml#L123
Post by Thomas Lété
Unfortunately, I’m not a java dev so I’m not able to create an
authenticator

I don’t like to do that usually but I share with you a gist of the
config, it was generated by OpsCenter when it was free, I just
https://gist.github.com/bistory/ececc0bef7627f39a21e4e8f0c8d841c
Post by Horia Mocioi
Cassandra allows to use custom authenticators so I would create a
CustomPasswordAuthenticator. This would be a copy of the existing
provided username and password, the output of the checkpw function,
what cql statement is executed etc (any other info that would help
me to understand what is being executed in the authenticator).
Sent: Tuesday, July 17, 2018 5:24:39 PM
Subject: Re: System auth empty, how to populate it
Thanks for your reply,
- I have not defined role_manager in the config
- I dropped the users table, it was present in the keyspace
- Cassandra then created a record in the roles table, yay !
But when I do clash -u cassandra -p cassandra
=> Invalid credentials supplied.
Authentication error on host xxxxxx: Provided username cassandra
and/or password are incorrect
I already repaired system_auth a few times, nothing help...
Post by Sam Tunnicliffe
i) The default role manager is configured. In cassandra.yaml, you
should see "role_manager: CassandraRoleManager". This is also the
default value, so unless you're explicitly using a custom role
manager it should be good.
ii) The system_auth.users table (legacy, pre-2.2) should not be
present. Present means present in the schema, not on disk. Unlike
most system tables, this table is droppable (in fact this is a
necessary step in upgrading from earlier versions).
iii) There should be no preexisting roles present in the
system_auth.roles table. This is verified with a regular query,
so you must either use CQL to delete existing roles, or remove
the data directories and commit logs on *all* nodes.
Even if these three conditions are met, but the default user
isn't being created the manual insert that Horia suggested should
work. If system_auth.roles table exists and you are able to
perform the insert, I'm very surprised when you say it's empty
after you issue the insert. If you check again and it turns out
the manual insert is working as expected, you need to make sure
that the legacy tables have been dropped from schema (assuming
you upgraded from a pre-3.0 version at some point). If the legacy
tables are still present, the authenticator will continue to read
from them and so would be ignoring the new entry in the roles
table. (see: https://github.com/apache/cassandra/blob/cassandra-3
.11.2/NEWS.txt#L619-L640)
Yes I did that multiple time, always following the same procedure
: stop Cassandra, on all nodes, remove data, update config then
restart nodes one by one

I really don’t understand when I could have done wrong...
Le 17 juil. 2018 à 16:15, Simon Fontana Oscarsson <simon.fontan
This is very strange behavior if Cassandra won't recreate the
cassandra user when you delete the folder.
So just to make sure, you are stopping Cassandra on all nodes
and deleting the data directory?
--
SIMON FONTANA OSCARSSON
Software Developer
Ericsson
Ölandsgatan 1
37133 Karlskrona, Sweden
www.ericsson.com
It’s empty...
Post by Horia Mocioi
Could you also send the output of "select * from
system_auth.roles"?
Post by Horia Mocioi
(you will need to change authenticator to
AllowAllAuthenticator and
Post by Horia Mocioi
authorizer to AllowAllAuthorizer)
Post by Thomas Lété
Ok I tried that, nothing better (I already tried dropping
the entire
Post by Horia Mocioi
Post by Thomas Lété
system_auth folder that way, same result)
When I open the log, I found nothing about « Password » and
when I
Post by Horia Mocioi
Post by Thomas Lété
DEBUG [main] 2018-07-17 15:37:39,420
CompactionStrategyManager.java:380 - Recreating compaction
strategy -
Post by Horia Mocioi
Post by Thomas Lété
disk boundaries are out of date for system_auth.roles.
DEBUG [main] 2018-07-17 15:37:39,420
DiskBoundaryManager.java:53 -
Post by Horia Mocioi
Post by Thomas Lété
Refreshing disk boundary cache for system_auth.roles
DEBUG [main] 2018-07-17 15:37:39,422
DiskBoundaryManager.java:56 -
Post by Horia Mocioi
Post by Thomas Lété
Updating boundaries from
DiskBoundaries{directories=[DataDirectory{location=/home/cassandr
a/da
Post by Horia Mocioi
Post by Thomas Lété
ta}], positions=[max(9223372036854775807)], ringVersion=3,
directoriesVersion=0} to
DiskBoundaries{directories=[DataDirectory{location=/home/cassandr
a/da
Post by Horia Mocioi
Post by Thomas Lété
ta}], positions=[max(9223372036854775807)], ringVersion=16,
directoriesVersion=0} for system_auth.roles
authorizer: CassandraAuthorizer
permissions_validity_in_ms: 2000
permissions_update_interval_in_ms: 2000
authenticator: PasswordAuthenticator
credentials_validity_in_ms: 2000
credentials_update_interval_in_ms: 2000
Le 17 juil. 2018 à 15:26, Simon Fontana Oscarsson
<simon.fontana.os
Post by Horia Mocioi
Post by Thomas Lété
Could you try the following steps?
Stop Cassandra.
Change authenticator in yaml to PasswordAuthenticator if
not
Post by Horia Mocioi
Post by Thomas Lété
already done.
Remove data directory with `rm -rf data/system_auth/roles-
*`
Post by Horia Mocioi
Post by Thomas Lété
Start Cassandra.
Login with `cqlsh -u cassandra -p cassandra`
Works for me.
---------------------------------------------------------------
------
---------------------------------------------------------------------
---------------------------------------------------------------------
Thomas Lété
2018-07-18 10:06:50 UTC
Permalink
Yes it’s the config I’m using and I’m trying to add the Password Auth to :-)

Here is the content of the roles table :

INSERT INTO roles (role,can_login,is_superuser,member_of,salted_hash) VALUES ('cassandra',true,true,null,'$2a$10$7sXeNr3okw61oisR9pCyHeWEO3wPzx3w8r/LKwtDSW2Tt68f4KFmi’);

It seems correct but I’m not able to authenticate (using cqlsh v5.0.1 or DevCenter 1.6.0)

I’m starting to consider going from scratch and use the default config and check if it works...
With that config you'll be using the default AllowAllAuthenticator, so I assume you are able to connect cqlsh without any credentials? If so, can you verify the contents of the system_auth.roles table? It should contain only the cassandra user.
I’m using the default ones, the commented parts are the one I use when I try the PasswordAuthenticator :) (line 19 to 24)
Post by Horia Mocioi
If this is the file that you are currently using...he first things that
https://github.com/apache/cassandra/blob/1d506f9d09c880ff2b2693e3e27fa5 <https://github.com/apache/cassandra/blob/1d506f9d09c880ff2b2693e3e27fa5>
8c02ecf398/conf/cassandra.yaml#L103
https://github.com/apache/cassandra/blob/1d506f9d09c880ff2b2693e3e27fa5 <https://github.com/apache/cassandra/blob/1d506f9d09c880ff2b2693e3e27fa5>
8c02ecf398/conf/cassandra.yaml#L123
Post by Thomas Lété
Unfortunately, I’m not a java dev so I’m not able to create an
authenticator

I don’t like to do that usually but I share with you a gist of the
config, it was generated by OpsCenter when it was free, I just
https://gist.github.com/bistory/ececc0bef7627f39a21e4e8f0c8d841c <https://gist.github.com/bistory/ececc0bef7627f39a21e4e8f0c8d841c>
Post by Horia Mocioi
Cassandra allows to use custom authenticators so I would create a
CustomPasswordAuthenticator. This would be a copy of the existing
provided username and password, the output of the checkpw function,
what cql statement is executed etc (any other info that would help
me to understand what is being executed in the authenticator).
Sent: Tuesday, July 17, 2018 5:24:39 PM
Subject: Re: System auth empty, how to populate it
Thanks for your reply,
- I have not defined role_manager in the config
- I dropped the users table, it was present in the keyspace
- Cassandra then created a record in the roles table, yay !
But when I do clash -u cassandra -p cassandra
=> Invalid credentials supplied.
Authentication error on host xxxxxx: Provided username cassandra
and/or password are incorrect
I already repaired system_auth a few times, nothing help...
Post by Sam Tunnicliffe
i) The default role manager is configured. In cassandra.yaml, you
should see "role_manager: CassandraRoleManager". This is also the
default value, so unless you're explicitly using a custom role
manager it should be good.
ii) The system_auth.users table (legacy, pre-2.2) should not be
present. Present means present in the schema, not on disk. Unlike
most system tables, this table is droppable (in fact this is a
necessary step in upgrading from earlier versions).
iii) There should be no preexisting roles present in the
system_auth.roles table. This is verified with a regular query,
so you must either use CQL to delete existing roles, or remove
the data directories and commit logs on *all* nodes.
Even if these three conditions are met, but the default user
isn't being created the manual insert that Horia suggested should
work. If system_auth.roles table exists and you are able to
perform the insert, I'm very surprised when you say it's empty
after you issue the insert. If you check again and it turns out
the manual insert is working as expected, you need to make sure
that the legacy tables have been dropped from schema (assuming
you upgraded from a pre-3.0 version at some point). If the legacy
tables are still present, the authenticator will continue to read
from them and so would be ignoring the new entry in the roles
table. (see: https://github.com/apache/cassandra/blob/cassandra-3 <https://github.com/apache/cassandra/blob/cassandra-3>
.11.2/NEWS.txt#L619-L640)
Yes I did that multiple time, always following the same procedure
: stop Cassandra, on all nodes, remove data, update config then
restart nodes one by one

I really don’t understand when I could have done wrong...
Le 17 juil. 2018 à 16:15, Simon Fontana Oscarsson <simon.fontan
This is very strange behavior if Cassandra won't recreate the
cassandra user when you delete the folder.
So just to make sure, you are stopping Cassandra on all nodes
and deleting the data directory?
--
SIMON FONTANA OSCARSSON
Software Developer
Ericsson
Ölandsgatan 1
37133 Karlskrona, Sweden
www.ericsson.com <http://www.ericsson.com/>
It’s empty...
Post by Horia Mocioi
Could you also send the output of "select * from
system_auth.roles"?
Post by Horia Mocioi
(you will need to change authenticator to
AllowAllAuthenticator and
Post by Horia Mocioi
authorizer to AllowAllAuthorizer)
Post by Thomas Lété
Ok I tried that, nothing better (I already tried dropping
the entire
Post by Horia Mocioi
Post by Thomas Lété
system_auth folder that way, same result)
When I open the log, I found nothing about « Password » and
when I
Post by Horia Mocioi
Post by Thomas Lété
DEBUG [main] 2018-07-17 15:37:39,420
CompactionStrategyManager.java:380 - Recreating compaction
strategy -
Post by Horia Mocioi
Post by Thomas Lété
disk boundaries are out of date for system_auth.roles.
DEBUG [main] 2018-07-17 15:37:39,420
DiskBoundaryManager.java:53 -
Post by Horia Mocioi
Post by Thomas Lété
Refreshing disk boundary cache for system_auth.roles
DEBUG [main] 2018-07-17 15:37:39,422
DiskBoundaryManager.java:56 -
Post by Horia Mocioi
Post by Thomas Lété
Updating boundaries from
DiskBoundaries{directories=[DataDirectory{location=/home/cassandr
a/da
Post by Horia Mocioi
Post by Thomas Lété
ta}], positions=[max(9223372036854775807)], ringVersion=3,
directoriesVersion=0} to
DiskBoundaries{directories=[DataDirectory{location=/home/cassandr
a/da
Post by Horia Mocioi
Post by Thomas Lété
ta}], positions=[max(9223372036854775807)], ringVersion=16,
directoriesVersion=0} for system_auth.roles
authorizer: CassandraAuthorizer
permissions_validity_in_ms: 2000
permissions_update_interval_in_ms: 2000
authenticator: PasswordAuthenticator
credentials_validity_in_ms: 2000
credentials_update_interval_in_ms: 2000
Le 17 juil. 2018 à 15:26, Simon Fontana Oscarsson
<simon.fontana.os
Post by Horia Mocioi
Post by Thomas Lété
Could you try the following steps?
Stop Cassandra.
Change authenticator in yaml to PasswordAuthenticator if
not
Post by Horia Mocioi
Post by Thomas Lété
already done.
Remove data directory with `rm -rf data/system_auth/roles-
*`
Post by Horia Mocioi
Post by Thomas Lété
Start Cassandra.
Login with `cqlsh -u cassandra -p cassandra`
Works for me.
---------------------------------------------------------------
------
---------------------------------------------------------------------
---------------------------------------------------------------------
Sam Tunnicliffe
2018-07-18 10:26:47 UTC
Permalink
It may be an artifact of the email client, but that's not a valid INSERT
statement - the closing quote on the password hash is U2019 (right side
quotation mark) but the opening quote is U0027 (apostrophe) - which is what
cqlsh expects. Can you just SELECT * from system_auth.roles and check that
the salted_hash is correct?
Post by Thomas Lété
Yes it’s the config I’m using and I’m trying to add the Password Auth to :-)
INSERT INTO roles (role,can_login,is_superuser,member_of,salted_hash)
VALUES ('cassandra',true,true,null,'$2a$10$7sXeNr3okw61oisR9pCyHeWEO3wPzx
3w8r/LKwtDSW2Tt68f4KFmi’);
It seems correct but I’m not able to authenticate (using cqlsh v5.0.1 or
DevCenter 1.6.0)
I’m starting to consider going from scratch and use the default config and
check if it works...
With that config you'll be using the default AllowAllAuthenticator, so I
assume you are able to connect cqlsh without any credentials? If so, can
you verify the contents of the system_auth.roles table? It should contain
only the cassandra user.
I’m using the default ones, the commented parts are the one I use when I
try the PasswordAuthenticator :) (line 19 to 24)
Post by Horia Mocioi
If this is the file that you are currently using...he first things that
https://github.com/apache/cassandra/blob/1d506f9d09c880ff2b2693e3e27fa5
8c02ecf398/conf/cassandra.yaml#L103
https://github.com/apache/cassandra/blob/1d506f9d09c880ff2b2693e3e27fa5
8c02ecf398/conf/cassandra.yaml#L123
Post by Thomas Lété
Unfortunately, I’m not a java dev so I’m not able to create an
authenticator

I don’t like to do that usually but I share with you a gist of the
config, it was generated by OpsCenter when it was free, I just
https://gist.github.com/bistory/ececc0bef7627f39a21e4e8f0c8d841c
Post by Horia Mocioi
Cassandra allows to use custom authenticators so I would create a
CustomPasswordAuthenticator. This would be a copy of the existing
provided username and password, the output of the checkpw function,
what cql statement is executed etc (any other info that would help
me to understand what is being executed in the authenticator).
Sent: Tuesday, July 17, 2018 5:24:39 PM
Subject: Re: System auth empty, how to populate it
Thanks for your reply,
- I have not defined role_manager in the config
- I dropped the users table, it was present in the keyspace
- Cassandra then created a record in the roles table, yay !
But when I do clash -u cassandra -p cassandra
=> Invalid credentials supplied.
Authentication error on host xxxxxx: Provided username cassandra
and/or password are incorrect
I already repaired system_auth a few times, nothing help...
Post by Sam Tunnicliffe
i) The default role manager is configured. In cassandra.yaml, you
should see "role_manager: CassandraRoleManager". This is also the
default value, so unless you're explicitly using a custom role
manager it should be good.
ii) The system_auth.users table (legacy, pre-2.2) should not be
present. Present means present in the schema, not on disk. Unlike
most system tables, this table is droppable (in fact this is a
necessary step in upgrading from earlier versions).
iii) There should be no preexisting roles present in the
system_auth.roles table. This is verified with a regular query,
so you must either use CQL to delete existing roles, or remove
the data directories and commit logs on *all* nodes.
Even if these three conditions are met, but the default user
isn't being created the manual insert that Horia suggested should
work. If system_auth.roles table exists and you are able to
perform the insert, I'm very surprised when you say it's empty
after you issue the insert. If you check again and it turns out
the manual insert is working as expected, you need to make sure
that the legacy tables have been dropped from schema (assuming
you upgraded from a pre-3.0 version at some point). If the legacy
tables are still present, the authenticator will continue to read
from them and so would be ignoring the new entry in the roles
table. (see: https://github.com/apache/cassandra/blob/cassandra-3
.11.2/NEWS.txt#L619-L640)
Yes I did that multiple time, always following the same procedure
: stop Cassandra, on all nodes, remove data, update config then
restart nodes one by one

I really don’t understand when I could have done wrong...
Le 17 juil. 2018 à 16:15, Simon Fontana Oscarsson <simon.fontan
This is very strange behavior if Cassandra won't recreate the
cassandra user when you delete the folder.
So just to make sure, you are stopping Cassandra on all nodes
and deleting the data directory?
--
SIMON FONTANA OSCARSSON
Software Developer
Ericsson
Ölandsgatan 1
<https://maps.google.com/?q=%C3%96landsgatan+1+%0D%0A+37133+Karlskrona,+Sweden&entry=gmail&source=g>
Post by Horia Mocioi
Post by Thomas Lété
Post by Horia Mocioi
Post by Sam Tunnicliffe
37133 Karlskrona, Sweden
<https://maps.google.com/?q=%C3%96landsgatan+1+%0D%0A+37133+Karlskrona,+Sweden&entry=gmail&source=g>
Post by Horia Mocioi
Post by Thomas Lété
Post by Horia Mocioi
Post by Sam Tunnicliffe
www.ericsson.com
It’s empty...
Post by Horia Mocioi
Could you also send the output of "select * from
system_auth.roles"?
Post by Horia Mocioi
(you will need to change authenticator to
AllowAllAuthenticator and
Post by Horia Mocioi
authorizer to AllowAllAuthorizer)
Post by Thomas Lété
Ok I tried that, nothing better (I already tried dropping
the entire
Post by Horia Mocioi
Post by Thomas Lété
system_auth folder that way, same result)
When I open the log, I found nothing about « Password » and
when I
Post by Horia Mocioi
Post by Thomas Lété
DEBUG [main] 2018-07-17 15:37:39,420
CompactionStrategyManager.java:380 - Recreating compaction
strategy -
Post by Horia Mocioi
Post by Thomas Lété
disk boundaries are out of date for system_auth.roles.
DEBUG [main] 2018-07-17 15:37:39,420
DiskBoundaryManager.java:53 -
Post by Horia Mocioi
Post by Thomas Lété
Refreshing disk boundary cache for system_auth.roles
DEBUG [main] 2018-07-17 15:37:39,422
DiskBoundaryManager.java:56 -
Post by Horia Mocioi
Post by Thomas Lété
Updating boundaries from
DiskBoundaries{directories=[DataDirectory{location=/home/cassandr
a/da
Post by Horia Mocioi
Post by Thomas Lété
ta}], positions=[max(9223372036854775807)], ringVersion=3,
directoriesVersion=0} to
DiskBoundaries{directories=[DataDirectory{location=/home/cassandr
a/da
Post by Horia Mocioi
Post by Thomas Lété
ta}], positions=[max(9223372036854775807)], ringVersion=16,
directoriesVersion=0} for system_auth.roles
authorizer: CassandraAuthorizer
permissions_validity_in_ms: 2000
permissions_update_interval_in_ms: 2000
authenticator: PasswordAuthenticator
credentials_validity_in_ms: 2000
credentials_update_interval_in_ms: 2000
Le 17 juil. 2018 à 15:26, Simon Fontana Oscarsson
<simon.fontana.os
Post by Horia Mocioi
Post by Thomas Lété
Could you try the following steps?
Stop Cassandra.
Change authenticator in yaml to PasswordAuthenticator if
not
Post by Horia Mocioi
Post by Thomas Lété
already done.
Remove data directory with `rm -rf data/system_auth/roles-
*`
Post by Horia Mocioi
Post by Thomas Lété
Start Cassandra.
Login with `cqlsh -u cassandra -p cassandra`
Works for me.
---------------------------------------------------------------
------
---------------------------------------------------------------------
---------------------------------------------------------------------
Thomas Lété
2018-07-18 11:12:53 UTC
Permalink
It’s my mail client that changed the quote mark, I didn’t see it, it’s just an export of the data I get from DevCenter, the salted hash is not the same as I saw in this guide : https://support.datastax.com/hc/en-us/articles/207932926-FAQ-How-to-recover-from-a-lost-superuser-password
But it should be correct as it was generated by Cassandra itself yesterday.

The export :
***@cqlsh> SELECT * from system_auth.roles;

role | can_login | is_superuser | member_of | salted_hash
-----------+-----------+--------------+-----------+--------------------------------------------------------------
cassandra | True | True | null | $2a$10$7sXeNr3okw61oisR9pCyHeWEO3wPzx3w8r/LKwtDSW2Tt68f4KFmi
It may be an artifact of the email client, but that's not a valid INSERT statement - the closing quote on the password hash is U2019 (right side quotation mark) but the opening quote is U0027 (apostrophe) - which is what cqlsh expects. Can you just SELECT * from system_auth.roles and check that the salted_hash is correct?
Yes it’s the config I’m using and I’m trying to add the Password Auth to :-)
INSERT INTO roles (role,can_login,is_superuser,member_of,salted_hash) VALUES ('cassandra',true,true,null,'$2a$10$7sXeNr3okw61oisR9pCyHeWEO3wPzx3w8r/LKwtDSW2Tt68f4KFmi’);
It seems correct but I’m not able to authenticate (using cqlsh v5.0.1 or DevCenter 1.6.0)
I’m starting to consider going from scratch and use the default config and check if it works...
With that config you'll be using the default AllowAllAuthenticator, so I assume you are able to connect cqlsh without any credentials? If so, can you verify the contents of the system_auth.roles table? It should contain only the cassandra user.
I’m using the default ones, the commented parts are the one I use when I try the PasswordAuthenticator :) (line 19 to 24)
Post by Horia Mocioi
If this is the file that you are currently using...he first things that
https://github.com/apache/cassandra/blob/1d506f9d09c880ff2b2693e3e27fa5 <https://github.com/apache/cassandra/blob/1d506f9d09c880ff2b2693e3e27fa5>
8c02ecf398/conf/cassandra.yaml#L103
https://github.com/apache/cassandra/blob/1d506f9d09c880ff2b2693e3e27fa5 <https://github.com/apache/cassandra/blob/1d506f9d09c880ff2b2693e3e27fa5>
8c02ecf398/conf/cassandra.yaml#L123
Post by Thomas Lété
Unfortunately, I’m not a java dev so I’m not able to create an
authenticator

I don’t like to do that usually but I share with you a gist of the
config, it was generated by OpsCenter when it was free, I just
https://gist.github.com/bistory/ececc0bef7627f39a21e4e8f0c8d841c <https://gist.github.com/bistory/ececc0bef7627f39a21e4e8f0c8d841c>
Post by Horia Mocioi
Cassandra allows to use custom authenticators so I would create a
CustomPasswordAuthenticator. This would be a copy of the existing
provided username and password, the output of the checkpw function,
what cql statement is executed etc (any other info that would help
me to understand what is being executed in the authenticator).
Sent: Tuesday, July 17, 2018 5:24:39 PM
Subject: Re: System auth empty, how to populate it
Thanks for your reply,
- I have not defined role_manager in the config
- I dropped the users table, it was present in the keyspace
- Cassandra then created a record in the roles table, yay !
But when I do clash -u cassandra -p cassandra
=> Invalid credentials supplied.
Authentication error on host xxxxxx: Provided username cassandra
and/or password are incorrect
I already repaired system_auth a few times, nothing help...
Post by Sam Tunnicliffe
i) The default role manager is configured. In cassandra.yaml, you
should see "role_manager: CassandraRoleManager". This is also the
default value, so unless you're explicitly using a custom role
manager it should be good.
ii) The system_auth.users table (legacy, pre-2.2) should not be
present. Present means present in the schema, not on disk. Unlike
most system tables, this table is droppable (in fact this is a
necessary step in upgrading from earlier versions).
iii) There should be no preexisting roles present in the
system_auth.roles table. This is verified with a regular query,
so you must either use CQL to delete existing roles, or remove
the data directories and commit logs on *all* nodes.
Even if these three conditions are met, but the default user
isn't being created the manual insert that Horia suggested should
work. If system_auth.roles table exists and you are able to
perform the insert, I'm very surprised when you say it's empty
after you issue the insert. If you check again and it turns out
the manual insert is working as expected, you need to make sure
that the legacy tables have been dropped from schema (assuming
you upgraded from a pre-3.0 version at some point). If the legacy
tables are still present, the authenticator will continue to read
from them and so would be ignoring the new entry in the roles
table. (see: https://github.com/apache/cassandra/blob/cassandra-3 <https://github.com/apache/cassandra/blob/cassandra-3>
.11.2/NEWS.txt#L619-L640)
Yes I did that multiple time, always following the same procedure
: stop Cassandra, on all nodes, remove data, update config then
restart nodes one by one

I really don’t understand when I could have done wrong...
Le 17 juil. 2018 à 16:15, Simon Fontana Oscarsson <simon.fontan
This is very strange behavior if Cassandra won't recreate the
cassandra user when you delete the folder.
So just to make sure, you are stopping Cassandra on all nodes
and deleting the data directory?
--
SIMON FONTANA OSCARSSON
Software Developer
Ericsson
Ölandsgatan 1 <https://maps.google.com/?q=%C3%96landsgatan+1+%0D%0A+37133+Karlskrona,+Sweden&entry=gmail&source=g>
37133 Karlskrona, Sweden <https://maps.google.com/?q=%C3%96landsgatan+1+%0D%0A+37133+Karlskrona,+Sweden&entry=gmail&source=g>
www.ericsson.com <http://www.ericsson.com/>
It’s empty...
Post by Horia Mocioi
Could you also send the output of "select * from
system_auth.roles"?
Post by Horia Mocioi
(you will need to change authenticator to
AllowAllAuthenticator and
Post by Horia Mocioi
authorizer to AllowAllAuthorizer)
Post by Thomas Lété
Ok I tried that, nothing better (I already tried dropping
the entire
Post by Horia Mocioi
Post by Thomas Lété
system_auth folder that way, same result)
When I open the log, I found nothing about « Password » and
when I
Post by Horia Mocioi
Post by Thomas Lété
DEBUG [main] 2018-07-17 15:37:39,420
CompactionStrategyManager.java:380 - Recreating compaction
strategy -
Post by Horia Mocioi
Post by Thomas Lété
disk boundaries are out of date for system_auth.roles.
DEBUG [main] 2018-07-17 15:37:39,420
DiskBoundaryManager.java:53 -
Post by Horia Mocioi
Post by Thomas Lété
Refreshing disk boundary cache for system_auth.roles
DEBUG [main] 2018-07-17 15:37:39,422
DiskBoundaryManager.java:56 -
Post by Horia Mocioi
Post by Thomas Lété
Updating boundaries from
DiskBoundaries{directories=[DataDirectory{location=/home/cassandr
a/da
Post by Horia Mocioi
Post by Thomas Lété
ta}], positions=[max(9223372036854775807)], ringVersion=3,
directoriesVersion=0} to
DiskBoundaries{directories=[DataDirectory{location=/home/cassandr
a/da
Post by Horia Mocioi
Post by Thomas Lété
ta}], positions=[max(9223372036854775807)], ringVersion=16,
directoriesVersion=0} for system_auth.roles
authorizer: CassandraAuthorizer
permissions_validity_in_ms: 2000
permissions_update_interval_in_ms: 2000
authenticator: PasswordAuthenticator
credentials_validity_in_ms: 2000
credentials_update_interval_in_ms: 2000
Le 17 juil. 2018 à 15:26, Simon Fontana Oscarsson
<simon.fontana.os
Post by Horia Mocioi
Post by Thomas Lété
Could you try the following steps?
Stop Cassandra.
Change authenticator in yaml to PasswordAuthenticator if
not
Post by Horia Mocioi
Post by Thomas Lété
already done.
Remove data directory with `rm -rf data/system_auth/roles-
*`
Post by Horia Mocioi
Post by Thomas Lété
Start Cassandra.
Login with `cqlsh -u cassandra -p cassandra`
Works for me.
---------------------------------------------------------------
------
---------------------------------------------------------------------
---------------------------------------------------------------------
Sam Tunnicliffe
2018-07-18 11:33:27 UTC
Permalink
The salted hash being different is fine, the bcrypt library generates a
random 128 bit salt when encrypting a new password. The salt is then
encoded in the hashed string so you'd expect a different salted_hash each
time a given plaintext string is encoded.

I inserted exactly that data into a clean system, then switched it to use
PasswordAuthenticator and I can login using the default credentials without
any issue. Did you also drop the legacy credentials table
(system_auth.credentials) as per the upgrade docs that I linked yesterday
(in NEWS.txt)? If you didn't, the authenticator will continue to read from
the old table (you don't need a restart after dropping, the switch will
happen immediately).
Post by Thomas Lété
It’s my mail client that changed the quote mark, I didn’t see it, it’s
just an export of the data I get from DevCenter, the salted hash is not the
same as I saw in this guide : https://support.datastax.
com/hc/en-us/articles/207932926-FAQ-How-to-recover-
from-a-lost-superuser-password
But it should be correct as it was generated by Cassandra itself yesterday.
role | can_login | is_superuser | member_of | salted_hash
-----------+-----------+--------------+-----------+---------
-----------------------------------------------------
cassandra | True | True | null | $2a$10$
7sXeNr3okw61oisR9pCyHeWEO3wPzx3w8r/LKwtDSW2Tt68f4KFmi
It may be an artifact of the email client, but that's not a valid INSERT
statement - the closing quote on the password hash is U2019 (right side
quotation mark) but the opening quote is U0027 (apostrophe) - which is what
cqlsh expects. Can you just SELECT * from system_auth.roles and check that
the salted_hash is correct?
Post by Thomas Lété
Yes it’s the config I’m using and I’m trying to add the Password Auth to
:-)
INSERT INTO roles (role,can_login,is_superuser,member_of,salted_hash)
VALUES ('cassandra',true,true,null,'$2a$10$7sXeNr3okw61oisR9pCyHeWE
O3wPzx3w8r/LKwtDSW2Tt68f4KFmi’);
It seems correct but I’m not able to authenticate (using cqlsh v5.0.1 or
DevCenter 1.6.0)
I’m starting to consider going from scratch and use the default config
and check if it works...
With that config you'll be using the default AllowAllAuthenticator, so I
assume you are able to connect cqlsh without any credentials? If so, can
you verify the contents of the system_auth.roles table? It should contain
only the cassandra user.
I’m using the default ones, the commented parts are the one I use when I
try the PasswordAuthenticator :) (line 19 to 24)
Post by Horia Mocioi
If this is the file that you are currently using...he first things that
https://github.com/apache/cassandra/blob/1d506f9d09c880ff2b2
693e3e27fa5
Post by Horia Mocioi
8c02ecf398/conf/cassandra.yaml#L103
https://github.com/apache/cassandra/blob/1d506f9d09c880ff2b2
693e3e27fa5
Post by Horia Mocioi
8c02ecf398/conf/cassandra.yaml#L123
Post by Thomas Lété
Unfortunately, I’m not a java dev so I’m not able to create an
authenticator

I don’t like to do that usually but I share with you a gist of the
config, it was generated by OpsCenter when it was free, I just
https://gist.github.com/bistory/ececc0bef7627f39a21e4e8f0c8d841c
Post by Horia Mocioi
Cassandra allows to use custom authenticators so I would create a
CustomPasswordAuthenticator. This would be a copy of the existing
provided username and password, the output of the checkpw function,
what cql statement is executed etc (any other info that would help
me to understand what is being executed in the authenticator).
Sent: Tuesday, July 17, 2018 5:24:39 PM
Subject: Re: System auth empty, how to populate it
Thanks for your reply,
- I have not defined role_manager in the config
- I dropped the users table, it was present in the keyspace
- Cassandra then created a record in the roles table, yay !
But when I do clash -u cassandra -p cassandra
=> Invalid credentials supplied.
Authentication error on host xxxxxx: Provided username cassandra
and/or password are incorrect
I already repaired system_auth a few times, nothing help...
Post by Sam Tunnicliffe
i) The default role manager is configured. In cassandra.yaml, you
should see "role_manager: CassandraRoleManager". This is also the
default value, so unless you're explicitly using a custom role
manager it should be good.
ii) The system_auth.users table (legacy, pre-2.2) should not be
present. Present means present in the schema, not on disk. Unlike
most system tables, this table is droppable (in fact this is a
necessary step in upgrading from earlier versions).
iii) There should be no preexisting roles present in the
system_auth.roles table. This is verified with a regular query,
so you must either use CQL to delete existing roles, or remove
the data directories and commit logs on *all* nodes.
Even if these three conditions are met, but the default user
isn't being created the manual insert that Horia suggested should
work. If system_auth.roles table exists and you are able to
perform the insert, I'm very surprised when you say it's empty
after you issue the insert. If you check again and it turns out
the manual insert is working as expected, you need to make sure
that the legacy tables have been dropped from schema (assuming
you upgraded from a pre-3.0 version at some point). If the legacy
tables are still present, the authenticator will continue to read
from them and so would be ignoring the new entry in the roles
table. (see: https://github.com/apache/cassandra/blob/cassandra-3
.11.2/NEWS.txt#L619-L640)
Yes I did that multiple time, always following the same procedure
: stop Cassandra, on all nodes, remove data, update config then
restart nodes one by one

I really don’t understand when I could have done wrong...
Le 17 juil. 2018 à 16:15, Simon Fontana Oscarsson <simon.fontan
This is very strange behavior if Cassandra won't recreate the
cassandra user when you delete the folder.
So just to make sure, you are stopping Cassandra on all nodes
and deleting the data directory?
--
SIMON FONTANA OSCARSSON
Software Developer
Ericsson
Ölandsgatan 1
<https://maps.google.com/?q=%C3%96landsgatan+1+%0D%0A+37133+Karlskrona,+Sweden&entry=gmail&source=g>
Post by Horia Mocioi
Post by Thomas Lété
Post by Horia Mocioi
Post by Sam Tunnicliffe
37133 Karlskrona, Sweden
<https://maps.google.com/?q=%C3%96landsgatan+1+%0D%0A+37133+Karlskrona,+Sweden&entry=gmail&source=g>
Post by Horia Mocioi
Post by Thomas Lété
Post by Horia Mocioi
Post by Sam Tunnicliffe
www.ericsson.com
It’s empty...
Post by Horia Mocioi
Could you also send the output of "select * from
system_auth.roles"?
Post by Horia Mocioi
(you will need to change authenticator to
AllowAllAuthenticator and
Post by Horia Mocioi
authorizer to AllowAllAuthorizer)
Post by Thomas Lété
Ok I tried that, nothing better (I already tried dropping
the entire
Post by Horia Mocioi
Post by Thomas Lété
system_auth folder that way, same result)
When I open the log, I found nothing about « Password » and
when I
Post by Horia Mocioi
Post by Thomas Lété
DEBUG [main] 2018-07-17 15:37:39,420
CompactionStrategyManager.java:380 - Recreating compaction
strategy -
Post by Horia Mocioi
Post by Thomas Lété
disk boundaries are out of date for system_auth.roles.
DEBUG [main] 2018-07-17 15:37:39,420
DiskBoundaryManager.java:53 -
Post by Horia Mocioi
Post by Thomas Lété
Refreshing disk boundary cache for system_auth.roles
DEBUG [main] 2018-07-17 15:37:39,422
DiskBoundaryManager.java:56 -
Post by Horia Mocioi
Post by Thomas Lété
Updating boundaries from
DiskBoundaries{directories=[DataDirectory{location=/home/cassandr
a/da
Post by Horia Mocioi
Post by Thomas Lété
ta}], positions=[max(9223372036854775807)], ringVersion=3,
directoriesVersion=0} to
DiskBoundaries{directories=[DataDirectory{location=/home/cassandr
a/da
Post by Horia Mocioi
Post by Thomas Lété
ta}], positions=[max(9223372036854775807)], ringVersion=16,
directoriesVersion=0} for system_auth.roles
authorizer: CassandraAuthorizer
permissions_validity_in_ms: 2000
permissions_update_interval_in_ms: 2000
authenticator: PasswordAuthenticator
credentials_validity_in_ms: 2000
credentials_update_interval_in_ms: 2000
Le 17 juil. 2018 à 15:26, Simon Fontana Oscarsson
<simon.fontana.os
Post by Horia Mocioi
Post by Thomas Lété
Could you try the following steps?
Stop Cassandra.
Change authenticator in yaml to PasswordAuthenticator if
not
Post by Horia Mocioi
Post by Thomas Lété
already done.
Remove data directory with `rm -rf data/system_auth/roles-
*`
Post by Horia Mocioi
Post by Thomas Lété
Start Cassandra.
Login with `cqlsh -u cassandra -p cassandra`
Works for me.
---------------------------------------------------------------
------
---------------------------------------------------------------------
---------------------------------------------------------------------
Thomas Lété
2018-07-18 11:50:10 UTC
Permalink
Oh man you just saved me ^^

I missed your link, I had just removed the users table, not the others
 Now they are gone and the password auth is working great !

Thanks a lot everyone for your help !!! :-)
The salted hash being different is fine, the bcrypt library generates a random 128 bit salt when encrypting a new password. The salt is then encoded in the hashed string so you'd expect a different salted_hash each time a given plaintext string is encoded.
I inserted exactly that data into a clean system, then switched it to use PasswordAuthenticator and I can login using the default credentials without any issue. Did you also drop the legacy credentials table (system_auth.credentials) as per the upgrade docs that I linked yesterday (in NEWS.txt)? If you didn't, the authenticator will continue to read from the old table (you don't need a restart after dropping, the switch will happen immediately).
It’s my mail client that changed the quote mark, I didn’t see it, it’s just an export of the data I get from DevCenter, the salted hash is not the same as I saw in this guide : https://support.datastax.com/hc/en-us/articles/207932926-FAQ-How-to-recover-from-a-lost-superuser-password <https://support.datastax.com/hc/en-us/articles/207932926-FAQ-How-to-recover-from-a-lost-superuser-password>
But it should be correct as it was generated by Cassandra itself yesterday.
role | can_login | is_superuser | member_of | salted_hash
-----------+-----------+--------------+-----------+--------------------------------------------------------------
cassandra | True | True | null | $2a$10$7sXeNr3okw61oisR9pCyHeWEO3wPzx3w8r/LKwtDSW2Tt68f4KFmi
It may be an artifact of the email client, but that's not a valid INSERT statement - the closing quote on the password hash is U2019 (right side quotation mark) but the opening quote is U0027 (apostrophe) - which is what cqlsh expects. Can you just SELECT * from system_auth.roles and check that the salted_hash is correct?
Yes it’s the config I’m using and I’m trying to add the Password Auth to :-)
INSERT INTO roles (role,can_login,is_superuser,member_of,salted_hash) VALUES ('cassandra',true,true,null,'$2a$10$7sXeNr3okw61oisR9pCyHeWEO3wPzx3w8r/LKwtDSW2Tt68f4KFmi’);
It seems correct but I’m not able to authenticate (using cqlsh v5.0.1 or DevCenter 1.6.0)
I’m starting to consider going from scratch and use the default config and check if it works...
With that config you'll be using the default AllowAllAuthenticator, so I assume you are able to connect cqlsh without any credentials? If so, can you verify the contents of the system_auth.roles table? It should contain only the cassandra user.
I’m using the default ones, the commented parts are the one I use when I try the PasswordAuthenticator :) (line 19 to 24)
Post by Horia Mocioi
If this is the file that you are currently using...he first things that
https://github.com/apache/cassandra/blob/1d506f9d09c880ff2b2693e3e27fa5 <https://github.com/apache/cassandra/blob/1d506f9d09c880ff2b2693e3e27fa5>
8c02ecf398/conf/cassandra.yaml#L103
https://github.com/apache/cassandra/blob/1d506f9d09c880ff2b2693e3e27fa5 <https://github.com/apache/cassandra/blob/1d506f9d09c880ff2b2693e3e27fa5>
8c02ecf398/conf/cassandra.yaml#L123
Post by Thomas Lété
Unfortunately, I’m not a java dev so I’m not able to create an
authenticator

I don’t like to do that usually but I share with you a gist of the
config, it was generated by OpsCenter when it was free, I just
https://gist.github.com/bistory/ececc0bef7627f39a21e4e8f0c8d841c <https://gist.github.com/bistory/ececc0bef7627f39a21e4e8f0c8d841c>
Post by Horia Mocioi
Cassandra allows to use custom authenticators so I would create a
CustomPasswordAuthenticator. This would be a copy of the existing
provided username and password, the output of the checkpw function,
what cql statement is executed etc (any other info that would help
me to understand what is being executed in the authenticator).
Sent: Tuesday, July 17, 2018 5:24:39 PM
Subject: Re: System auth empty, how to populate it
Thanks for your reply,
- I have not defined role_manager in the config
- I dropped the users table, it was present in the keyspace
- Cassandra then created a record in the roles table, yay !
But when I do clash -u cassandra -p cassandra
=> Invalid credentials supplied.
Authentication error on host xxxxxx: Provided username cassandra
and/or password are incorrect
I already repaired system_auth a few times, nothing help...
Post by Sam Tunnicliffe
i) The default role manager is configured. In cassandra.yaml, you
should see "role_manager: CassandraRoleManager". This is also the
default value, so unless you're explicitly using a custom role
manager it should be good.
ii) The system_auth.users table (legacy, pre-2.2) should not be
present. Present means present in the schema, not on disk. Unlike
most system tables, this table is droppable (in fact this is a
necessary step in upgrading from earlier versions).
iii) There should be no preexisting roles present in the
system_auth.roles table. This is verified with a regular query,
so you must either use CQL to delete existing roles, or remove
the data directories and commit logs on *all* nodes.
Even if these three conditions are met, but the default user
isn't being created the manual insert that Horia suggested should
work. If system_auth.roles table exists and you are able to
perform the insert, I'm very surprised when you say it's empty
after you issue the insert. If you check again and it turns out
the manual insert is working as expected, you need to make sure
that the legacy tables have been dropped from schema (assuming
you upgraded from a pre-3.0 version at some point). If the legacy
tables are still present, the authenticator will continue to read
from them and so would be ignoring the new entry in the roles
table. (see: https://github.com/apache/cassandra/blob/cassandra-3 <https://github.com/apache/cassandra/blob/cassandra-3>
.11.2/NEWS.txt#L619-L640)
Yes I did that multiple time, always following the same procedure
: stop Cassandra, on all nodes, remove data, update config then
restart nodes one by one

I really don’t understand when I could have done wrong...
Le 17 juil. 2018 à 16:15, Simon Fontana Oscarsson <simon.fontan
This is very strange behavior if Cassandra won't recreate the
cassandra user when you delete the folder.
So just to make sure, you are stopping Cassandra on all nodes
and deleting the data directory?
--
SIMON FONTANA OSCARSSON
Software Developer
Ericsson
Ölandsgatan 1 <https://maps.google.com/?q=%C3%96landsgatan+1+%0D%0A+37133+Karlskrona,+Sweden&entry=gmail&source=g>
37133 Karlskrona, Sweden <https://maps.google.com/?q=%C3%96landsgatan+1+%0D%0A+37133+Karlskrona,+Sweden&entry=gmail&source=g>
www.ericsson.com <http://www.ericsson.com/>
It’s empty...
Post by Horia Mocioi
Could you also send the output of "select * from
system_auth.roles"?
Post by Horia Mocioi
(you will need to change authenticator to
AllowAllAuthenticator and
Post by Horia Mocioi
authorizer to AllowAllAuthorizer)
Post by Thomas Lété
Ok I tried that, nothing better (I already tried dropping
the entire
Post by Horia Mocioi
Post by Thomas Lété
system_auth folder that way, same result)
When I open the log, I found nothing about « Password » and
when I
Post by Horia Mocioi
Post by Thomas Lété
DEBUG [main] 2018-07-17 15:37:39,420
CompactionStrategyManager.java:380 - Recreating compaction
strategy -
Post by Horia Mocioi
Post by Thomas Lété
disk boundaries are out of date for system_auth.roles.
DEBUG [main] 2018-07-17 15:37:39,420
DiskBoundaryManager.java:53 -
Post by Horia Mocioi
Post by Thomas Lété
Refreshing disk boundary cache for system_auth.roles
DEBUG [main] 2018-07-17 15:37:39,422
DiskBoundaryManager.java:56 -
Post by Horia Mocioi
Post by Thomas Lété
Updating boundaries from
DiskBoundaries{directories=[DataDirectory{location=/home/cassandr
a/da
Post by Horia Mocioi
Post by Thomas Lété
ta}], positions=[max(9223372036854775807)], ringVersion=3,
directoriesVersion=0} to
DiskBoundaries{directories=[DataDirectory{location=/home/cassandr
a/da
Post by Horia Mocioi
Post by Thomas Lété
ta}], positions=[max(9223372036854775807)], ringVersion=16,
directoriesVersion=0} for system_auth.roles
authorizer: CassandraAuthorizer
permissions_validity_in_ms: 2000
permissions_update_interval_in_ms: 2000
authenticator: PasswordAuthenticator
credentials_validity_in_ms: 2000
credentials_update_interval_in_ms: 2000
Le 17 juil. 2018 à 15:26, Simon Fontana Oscarsson
<simon.fontana.os
Post by Horia Mocioi
Post by Thomas Lété
Could you try the following steps?
Stop Cassandra.
Change authenticator in yaml to PasswordAuthenticator if
not
Post by Horia Mocioi
Post by Thomas Lété
already done.
Remove data directory with `rm -rf data/system_auth/roles-
*`
Post by Horia Mocioi
Post by Thomas Lété
Start Cassandra.
Login with `cqlsh -u cassandra -p cassandra`
Works for me.
---------------------------------------------------------------
------
---------------------------------------------------------------------
---------------------------------------------------------------------
Simon Fontana Oscarsson
2018-07-17 14:56:50 UTC
Permalink
Very strange. CassandraRoleManager will create cassandra user if it doesn't already exist (look in the setupDefaultRole method).
Perhaps this is an issue with consistency. After starting Cassandra, could you try do a nodetool repair on system_auth keyspace on all nodes.
I'm starting to run out of ideas :(
--
SIMON FONTANA OSCARSSON
Software Developer

Ericsson
Ölandsgatan 1
37133 Karlskrona, Sweden
***@ericsson.com
www.ericsson.com
Yes I did that multiple time, always following the same procedure : stop Cassandra, on all nodes, remove data, update config then restart nodes one by one

I really don’t understand when I could have done wrong...
Post by Simon Fontana Oscarsson
This is very strange behavior if Cassandra won't recreate the cassandra user when you delete the folder.
So just to make sure, you are stopping Cassandra on all nodes and deleting the data directory?
Loading...