Overview
This article provides instructions on how to reset the default superuser password for administrators who are locked out of Cassandra.
Background
If you are in a situation where you have lost the password for the cassandra
superuser account, follow the workaround provided below to reset the password back to the default value.
Note that this article only applies to internal Cassandra authentication but can be adapted to enable access back to into the database.
Procedure
Follow these steps to reset the superuser password back to the default "cassandra".
Step 1 - On all nodes, disable authentication and authorisation by setting the following properties in cassandra.yaml
(requires a rolling DSE restart):
authenticator: AllowAllAuthenticator authorizer: AllowAllAuthorizer
Step 2 - Manually reset the password via cqlsh
:
cqlsh> UPDATE system_auth.credentials SET salted_hash = '$2a$10$1gMPBy9zSkDzKxdbU2v/gOslcMRPDcXVqmwQYBmi8MVgYvNdRZw/.' WHERE username = 'cassandra';
NOTE - The hash encrypted value above is for the default password "cassandra".
WARNING - Step 2 above applies to DSE 4.x. For DSE 5.x, authentication was updated to use role-based access so update the system_auth.roles
table instead:
cqlsh> UPDATE system_auth.roles SET salted_hash = '$2a$10$1gMPBy9zSkDzKxdbU2v/gOslcMRPDcXVqmwQYBmi8MVgYvNdRZw/.' WHERE role = 'cassandra';
Step 3 - Re-enable authentication and confirm that the password "cassandra" works:
$ bin/cqlsh -u cassandra -p cassandra cqlsh> SELECT * FROM system_auth.credentials; username | options | salted_hash -----------+---------+-------------------------------------------------------------- cassandra | null | $2a$10$1gMPBy9zSkDzKxdbU2v/gOslcMRPDcXVqmwQYBmi8MVgYvNdRZw/.
Step 4 - Use this opportunity to create another superuser as recommended in the documentation.
See also
DSE doc - Configuring authentication
DSE doc - CQL CREATE USER