FAQ - How to recover from a lost superuser password

Overview

This article provides instructions on how to reset the default superuser password for administrators who are locked out of Cassandra.

Background

If you are in a situation where you have lost the password for the cassandra superuser account, follow the workaround provided below to reset the password back to the default value.

Note that this article only applies to internal Cassandra authentication but can be adapted to enable access back to into the database.

Procedure

Follow these steps to reset the superuser password back to the default "cassandra".

Step 1 - On all nodes, disable authentication and authorisation by setting the following properties in cassandra.yaml (requires a rolling DSE restart):

authenticator: AllowAllAuthenticator
authorizer: AllowAllAuthorizer

Step 2 - Manually reset the password via cqlsh:

cqlsh> UPDATE system_auth.credentials SET salted_hash = '$2a$10$1gMPBy9zSkDzKxdbU2v/gOslcMRPDcXVqmwQYBmi8MVgYvNdRZw/.' WHERE username = 'cassandra';

NOTE - The hash encrypted value above is for the default password "cassandra".

WARNING - Step 2 above applies to DSE 4.x. For DSE 5.x, authentication was updated to use role-based access so update the system_auth.roles table instead:

cqlsh> UPDATE system_auth.roles SET salted_hash = '$2a$10$1gMPBy9zSkDzKxdbU2v/gOslcMRPDcXVqmwQYBmi8MVgYvNdRZw/.' WHERE role = 'cassandra';

Step 3 - Re-enable authentication and confirm that the password "cassandra" works:

$ bin/cqlsh -u cassandra -p cassandra

cqlsh> SELECT * FROM system_auth.credentials;

 username  | options | salted_hash
-----------+---------+--------------------------------------------------------------
 cassandra |    null | $2a$10$1gMPBy9zSkDzKxdbU2v/gOslcMRPDcXVqmwQYBmi8MVgYvNdRZw/.

Step 4 - Use this opportunity to create another superuser as recommended in the documentation.

See also

DSE doc -  Configuring authentication

DSE doc -  CQL CREATE USER