How to reset a lost Cassandra admin user's password?

Question

I have full access to the Cassandra installation files and a PasswordAuthenticator configured in cassandra.yaml. What do I have to do to reset admin user's password that has been lost, while keeping the existing databases intact?

Answer 1

Update for Cassandra 4:

1. Change cassandra.yaml as described in the other answers:

Comment out the following lines

authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer

and uncomment

#authenticator: AllowAllAuthenticator
#authorizer: AllowAllAuthorizer

2. Login with cqlsh.
3. The table names and columns have changed. The query now becomes

UPDATE system_auth.roles SET salted_hash = '$2a$10$H46haNkcbxlbamyj0OYZr.v4e5L08WTiQ1scrTs9Q3NYy.6B..x4O' WHERE role='cassandra';

Answer 2

The hash has changed for Cassandra 2.1:

1. Switch to authenticator: AllowAllAuthenticator
2. Restart cassandra
3. UPDATE system_auth.credentials SET salted_hash = '$2a$10$H46haNkcbxlbamyj0OYZr.v4e5L08WTiQ1scrTs9Q3NYy.6B..x4O' WHERE username='cassandra';
4. Switch back to authenticator: PasswordAuthenticator
5. Restart cassandra
6. Login as cassandra/cassandra
7. CREATE USER and ALTER USER to your heart's content.

Answer 3

Solved with the following steps:

1. Change authenticator in cassandra.yaml to AllowAllAuthenticator and restart Cassandra
2. cqlsh
3. update system_auth.credentials set salted_hash='$2a$10$vbfmLdkQdUz3Rmw.fF7Ygu6GuphqHndpJKTvElqAciUJ4SZ3pwquu' where username='cassandra';
4. Exit cqlsh
5. Change authenticator back to PasswordAuthenticator and restart Cassandra

Now you can log in with

cqlsh -u cassandra -p cassandra

and change the password to something else.

Answer 4

As of cassandra 2.0

ALTER USER cassandra WITH PASSWORD 'password';

If you want to add a user.

// CREATE USER uname WITH PASSWORD 'password'; // add new user
// GRANT all ON ALL KEYSPACES to uname;    // grant permissions to new user

Verify your existing users with LIST USERS;

EDIT

Oh boy, this is gona be fun! So, I found one hacktastic way but it requires changing sourcecode.

First a high level overview:

1. Edit source so you can make changes to the system_auth.credentials column family
2. Change the authenticator to AllowAllAuthenticator
3. Start C*
4. Log in with cqlsh without needing a password
5. Update the cassandra user's hash password
6. Undo the source changes and change back to PasswordAuthenticator.

Step 1 - edit source

Open the C* source and go to package org.apache.cassandra.service.ClientState; Find the validateLogin() and ensureNotAnonymous() functions and comment all contained coude out so you end up with:

public void validateLogin() throws UnauthorizedException
{
    // if (user == null)
    //    throw new UnauthorizedException("You have not logged in");
}

public void ensureNotAnonymous() throws UnauthorizedException
{
    validateLogin();
    // if (user.isAnonymous())
    //    throw new UnauthorizedException("You have to be logged in and not anonymous to perform this request");
} 

Step2 - Change to AllowAllAuthenticator in cassandra.yaml Step3 & 4 - Simple! Step 5 - Execute this insert statement from cqlsh:

insert into system_auth.credentials (username, options, salted_hash) 
VALUES ('cassandra', null, '$2a$10$vbfmLdkQdUz3Rmw.fF7Ygu6GuphqHndpJKTvElqAciUJ4SZ3pwquu');

Note* step 5 will work assuming the user named 'cassandra' has already been created. If you have another user created just switch the username you are inserting (this procedure resets a password, it doesn't add a new user).

Step 6 Fix the source by uncommenting validateLogin() and ensureNotAnonymous() and switch back to the PasswordAuthenticator in cassandra.yaml, you should now have access to cqlsh via ./cqlsh -u cassandra -p cassandra