Cassandra allows the use of custom authenticators, so I would create a 
CustomPasswordAuthenticator. This would be a copy of the existing 
PasswordAuthenticator. I would add some debugging info, such as: the provided 
username and password, the output of the checkpw function, what CQL statement 
is executed, etc. (any other info that would help me to understand what is being 
executed in the authenticator).

________________________________
From: Thomas Lété <thomas.l...@soprism.com>
Sent: Tuesday, July 17, 2018 5:24:39 PM
To: user@cassandra.apache.org
Subject: Re: System auth empty, how to populate it

Thanks for your reply,

- I have not defined role_manager in the config
- I dropped the users table, it was present in the keyspace
- Cassandra then created a record in the roles table, yay !

But when I do cqlsh -u cassandra -p cassandra

=> Invalid credentials supplied.
Authentication error on host xxxxxx: Provided username cassandra and/or 
password are incorrect

I already repaired system_auth a few times, nothing helps...

On 17 Jul 2018, at 16:47, Sam Tunnicliffe <s...@beobal.com> wrote:

The default superuser is only created at startup if 3 conditions are met:

i) The default role manager is configured. In cassandra.yaml, you should see 
"role_manager: CassandraRoleManager". This is also the default value, so unless 
you're explicitly using a custom role manager it should be good.
ii) The system_auth.users table (legacy, pre-2.2) should not be present. 
Present means present in the schema, not on disk. Unlike most system tables, 
this table is droppable (in fact this is a necessary step in upgrading from 
earlier versions).
iii) There should be no preexisting roles present in the system_auth.roles 
table. This is verified with a regular query, so you must either use CQL to 
delete existing roles, or remove the data directories and commit logs on *all* 
nodes.

Even if these three conditions are met but the default user isn't being 
created, the manual insert that Horia suggested should work. If the 
system_auth.roles table exists and you are able to perform the insert, I'm very 
surprised when you say it's empty after you issue the insert. If you check 
again and it turns out the manual insert is working as expected, you need to 
make sure that the legacy tables have been dropped from schema (assuming you 
upgraded from a pre-3.0 version at some point). If the legacy tables are still 
present, the authenticator will continue to read from them and so would be 
ignoring the new entry in the roles table. (see: 
https://github.com/apache/cassandra/blob/cassandra-3.11.2/NEWS.txt#L619-L640)


On 17 July 2018 at 15:18, Thomas Lété <thomas.l...@soprism.com> wrote:
Yes I did that multiple times, always following the same procedure: stop 
Cassandra on all nodes, remove data, update config, then restart nodes one by 
one…

I really don’t understand what I could have done wrong...

> On 17 Jul 2018, at 16:15, Simon Fontana Oscarsson 
> <simon.fontana.oscars...@ericsson.com> wrote:
>
> This is very strange behavior if Cassandra won't recreate the cassandra user 
> when you delete the folder.
> So just to make sure, you are stopping Cassandra on all nodes and deleting 
> the data directory?
>
> --
> SIMON FONTANA OSCARSSON
> Software Developer
>
> Ericsson
> Ölandsgatan 1
> 37133 Karlskrona, Sweden
> simon.fontana.oscars...@ericsson.com
> www.ericsson.com
>
> On tis, 2018-07-17 at 16:01 +0200, Thomas Lété wrote:
>> It’s empty...
>>
>>>
>>> On 17 Jul 2018, at 15:59, Horia Mocioi <horia.moc...@ericsson.com> wrote:
>>>
>>> Could you also send the output of "select * from system_auth.roles"?
>>> (you will need to change authenticator to AllowAllAuthenticator and
>>> authorizer to AllowAllAuthorizer)
>>>
>>> On tis, 2018-07-17 at 15:43 +0200, Thomas Lété wrote:
>>>>
>>>> Ok I tried that, nothing better (I already tried dropping the entire
>>>> system_auth folder that way, same result)
>>>>
>>>> When I open the log, I found nothing about « Password » and when I
>>>> search for « roles », I only find that :
>>>>
>>>> DEBUG [main] 2018-07-17 15:37:39,420 CompactionStrategyManager.java:380 - Recreating compaction strategy - disk boundaries are out of date for system_auth.roles.
>>>> DEBUG [main] 2018-07-17 15:37:39,420 DiskBoundaryManager.java:53 - Refreshing disk boundary cache for system_auth.roles
>>>> DEBUG [main] 2018-07-17 15:37:39,422 DiskBoundaryManager.java:56 - Updating boundaries from DiskBoundaries{directories=[DataDirectory{location=/home/cassandra/data}], positions=[max(9223372036854775807)], ringVersion=3, directoriesVersion=0} to DiskBoundaries{directories=[DataDirectory{location=/home/cassandra/data}], positions=[max(9223372036854775807)], ringVersion=16, directoriesVersion=0} for system_auth.roles
>>>>
>>>> The configuration I use for Auth is the following :
>>>>
>>>> authorizer: CassandraAuthorizer
>>>> permissions_validity_in_ms: 2000
>>>> permissions_update_interval_in_ms: 2000
>>>> authenticator: PasswordAuthenticator
>>>> credentials_validity_in_ms: 2000
>>>> credentials_update_interval_in_ms: 2000
>>>>
>>>>>
>>>>> On 17 Jul 2018, at 15:26, Simon Fontana Oscarsson
>>>>> <simon.fontana.oscars...@ericsson.com> wrote:
>>>>>
>>>>> Could you try the following steps?
>>>>>
>>>>> Stop Cassandra.
>>>>> Change authenticator in yaml to PasswordAuthenticator if not
>>>>> already done.
>>>>> Remove data directory with `rm -rf data/system_auth/roles-*`
>>>>> Start Cassandra.
>>>>> Login with `cqlsh -u cassandra -p cassandra`
>>>>>
>>>>> Works for me.
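
Added example, not part of the original thread and not Cassandra's own code: a check of the three startup conditions Sam Tunnicliffe lists above, plus the legacy-table condition he mentions for the authenticator, run over constructed sample inputs. The function names and sample values are assumptions; the legacy table names `credentials` and `permissions` come from Cassandra's upgrade notes rather than from this thread.

```python
import re

# Legacy (pre-2.2) auth tables; only "users" is named in the thread, the other
# two are taken from Cassandra's upgrade notes (assumption of this example).
LEGACY_TABLES = {"users", "credentials", "permissions"}

# Constructed sample inputs. On a live 3.x node the table list would come from
#   SELECT table_name FROM system_schema.tables WHERE keyspace_name='system_auth';
# and the role list from: SELECT role FROM system_auth.roles;
SAMPLE_YAML = """\
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
# role_manager: com.example.CustomRoleManager
"""
SAMPLE_TABLES = ["roles", "role_members", "role_permissions", "users"]


def yaml_setting(yaml_text, key, default):
    """Read a top-level scalar from cassandra.yaml text, skipping commented lines."""
    m = re.search(rf"^{re.escape(key)}:[ \t]*([^#\n]*)", yaml_text, re.MULTILINE)
    value = m.group(1).strip().strip("'\"") if m else ""
    return value or default


def superuser_blockers(yaml_text, auth_tables, role_names):
    """Return the reasons the default superuser would not be created at startup."""
    blockers = []
    # i) the default role manager must be configured (an absent key means default)
    manager = yaml_setting(yaml_text, "role_manager", "CassandraRoleManager")
    if manager.rsplit(".", 1)[-1] != "CassandraRoleManager":
        blockers.append(f"role_manager is {manager}, not CassandraRoleManager")
    # ii) the legacy users table must be gone from the schema, not just from disk
    if "users" in auth_tables:
        blockers.append("legacy system_auth.users is still in the schema")
    # iii) system_auth.roles must contain no roles at all
    if role_names:
        blockers.append(f"system_auth.roles already holds {len(role_names)} role(s)")
    return blockers


def legacy_tables_present(auth_tables):
    """Legacy tables that would make the authenticator ignore system_auth.roles."""
    return sorted(LEGACY_TABLES & set(auth_tables))


if __name__ == "__main__":
    print(superuser_blockers(SAMPLE_YAML, SAMPLE_TABLES, []))
    print(legacy_tables_present(SAMPLE_TABLES))
```
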

