How do you create the first user in Cassandra DB - cassandra

How does one create the first user in a cassandra database?
I tried:
CREATE USER username WITH PASSWORD "";
and its says:
Bad Request: Only superusers are allowed to perform CREATE USER queries
But I have never created a user before this attempt, so how do you create the first user in a cassandra database?
This seems a little strange because it's like a chicken and egg problem, but people use Cassandra so I am sure there must be a solution somewhere.

Once you have enabled Authentication and Authorization, you can log-in (to your local Cassandra instance) as the default Cassandra admin user like this:
./cqlsh localhost -u cassandra -p cassandra
If you are running Cassandra on a Windows Server, I believe you need to invoke it with Python:
python cqlsh localhost -u cassandra -p cassandra
Once you get in, your first task should be to create another super user account.
CREATE USER dba WITH PASSWORD 'bacon' SUPERUSER;
Next, it is a really good idea to set the current Cassandra super user's password to something else...preferably something long and incomprehensible. With your new super user, you shouldn't need the default Cassandra account again.
ALTER USER cassandra WITH PASSWORD 'dfsso67347mething54747long67a7ndincom4574prehensi562ble';
For more information, check out this DataStax article: A Quick Tour of Internal Authentication and Authorization Security in DataStax Enterprise and Apache Cassandra

Change
authenticator: AllowAllAuthenticator
To
authenticator: PasswordAuthenticator
in cassandra.yamlconfiguration file and restart Cassandra.
This will create a superuser cassandra for you with the restart. Make sure you have Phthon27, thrift-0.91, Cassandra ( datastax community edition 2.0.9 ) etc installed. Now when you login to cassandra, it will let you enter as superuser. You can now create new superuser and change existing superuser's password as well.
python cqlsh localhost -u cassandra -p cassandra
Connected to Test Cluster at localhost:9160.
[cqlsh 4.1.1 | Cassandra 2.0.9 | CQL spec 3.1.1 | Thrift protocol 19.39.0]
Use HELP for help.
cqlsh> create user abc with password 'xyz' superuser;
cqlsh> alter user cassandra with password 'gaurav';
cqlsh> exit

To start to use authentication, the default superuser username/password pair is cassandra/cassandra. This should fix the chicken and egg problem.
Source:
http://www.datastax.com/docs/datastax_enterprise3.0/security/native_authentication

Re: Once you have enabled Authentication and Authorization (from the Mar 6 at 14:41 comment by BryceAtNetwork23)
First, is changing authorization required in order to setup authentication? I'm guessing not.
Second, setting up authorization is not exactly trivial if you have data center style replication setup. I setup authorization using the following steps:
In conf/cassandra.yaml, changed authenticator from AllowAllAuthenticator to PasswordAuthenticator for all nodes
Rebooted all nodes
Changed the default 'cassandra' password as described above and added other superusers
Altered the system_auth keyspace to be redundant (as per instructions in the cassandra.yaml file) by running: "ALTER KEYSPACE system_auth WITH REPLICATION = {'class': 'NetworkTopologyStrategy', 'MY_DATACENTER_NAME':N }"
I set N was set to the number of nodes in my datacenter (ie., fully redundant)
Ran bin/nodetool repair on each node serially
Does this sound reasonable to people who know what they're doing?

Related

Cassandra Authentication Fail: "Unable to perform authentication: Cannot achieve consistency level QUORUM"

I'm configuring a 3 node Cassandra cluster (multi datacenter) and everything works well until I set up the authentication process, setting from AllowAllAuthenticator to PasswordAuthenticator, as defined in Cassandra's doc.
The problem is, once I changed and restart nodes, I cannot access anymore the database, in this case with cassandra superuser, displaying this message:
Connection error: ('Unable to connect to any servers', {'10.0.0.10': AuthenticationFailed('Failed to authenticate to 10.0.0.10: Error from server: code=0100 [Bad credentials] message="Unable to perform authentication: Cannot achieve consistency level QUORUM"',)})
It's important to mention that before to set up the authenticator, I already updated the system_auth to NetworkTopologyStratety, setting up each node.
Also, without authentication all replications work fine, which means the cluster is running fine.
Does anyone have some idea about it? This is really driving me crazy, once I didn't find any reference about it.
All the best!
My guess is that you need to run repair on all of the nodes for the "system_auth", and if you're running DSE, ensure any keyspace that starts with "dse" that has "simple strategy" is updated to Network Topology Strategy with appropriate DC and RF settings - and run repair on each node for those as well.
That should solve your problem. My guess is that you created your users and then updated the keyspaces to use Network Topology. Once done, any new records will be be propagated correctly, but the existing records need repair to "fan them out" as it won't happen on its own.
-Jim

mysql-safe mode in TiDB or something like that

I created a TiDB cluster with Docker, not Docker Compose. When I tested the TiDB account, I changed the root password, and then I had no way to connect to my cluster database.
We all know that there is mysqld-safe mode in MySQL to skip the grant table for passwordless login. Then in the TiDB cluster, what method should be used for the same or similar operations?
Of course, the way I found in the TiDB FAQ is to close the TiDB server and run it with the parameter ‘-skip-grant-table=true’. But unfortunately, this way in the cluster of docker deployment, I can only delete the TiDB container and then run a new container. This way I rerun the TiDB and can't even run.
I don't know how to do it, I look forward to your answer!!
Modify the tidb-server configuration file, add the following parameters, and then restart tidb-server:
[security]
skip-grant-table = true
Please refer to the documentation for modifying the user password:
https://pingcap.com/docs-cn/sql/user-account-management/
After the modification, you need to flush the privileges:
flush privileges

What's the procedure to change password for default cassandra user?

I have a 5 node cassandra cluster with RF=3 (only for application related db) with only 1 data centre. I wish to change password of default cassandra user
My system_auth key space has the following setting
CREATE KEYSPACE system_auth WITH replication = {'class': 'SimpleStrategy', 'replication_factor': '1'} AND durable_writes = true;
Questions
Should the strategy by changed to NetworkTopology ? I thought it
wasn't required as there is only 1 DC
Should the RF be 3 same as for other application related DB ?
When I change the credentials of default cassandra user using ALTER
USER command, should I change it in each of the hosts since currently RF=1 ?
Should the strategy by changed to NetworkTopology ? I thought it
wasn't required as there is only 1 DC
Since its a single data center, simple strategy should work fine. Consider changing to Network Topology strategy when going Multi-DC
Should the RF be 3 same as for other application related DB ?
Its definitely recommended to have system_auth keyspace RF to be more than 1. Having RF=1 entails only one copy of the storing user credentials and hence any particular node loss would cause loss of a portion of authorization data. Increase it to a minimum of 3.
When I change the credentials of default cassandra user using ALTER USER command, should I change it in each of the hosts since currently RF=1 ?
No its not required to change in each node. With RF=1, the user credentials of "Cassandra" would live in only node. Irrespective of which node you pick to change its password, it will act as a coordinator and route the password change to appropriate node storing Cassandra user. Again if you loose that node which stored Cassandra, you potentially lost access to the cluster. So having RF=3, will avoid that.

Apache Cassandra 3.10 : CQL query to check remote application connections in Cassandra DB

I want to know if there is a cqlsh query to check remote application connections in Cassandra DB, just like V$session in oracle, or processlists in mysql.
I don't think there is a cqlsh query to do that, but you can use cassandra java-diver to do a manual pooling. This link: http://docs.datastax.com/en/developer/java-driver/3.0/manual/pooling/#monitoring-and-tuning-the-pool, gives a simple example that will print the number of open connections, active requests, and maximum capacity for each host, every 5 seconds.

Cassandra NetworkTopologyStrategy replication

I installed and started Cassandra on two linux machines in Amazon EC2. I also set cassandra.yaml to use a property file snitch and configured the cassandra-topology.properties file as the following:
<external IP 1>=AWS1:R1
<external IP 2>=AWS2:R1
Then created a keyspace as the following:
create keyspace myks with strategy_options = [{AWS1:1,AWS2:1}] and placement_strategy='NetworkTopologyStrategy';
Then I created a column family and tried inserting one row...However, I'm getting a null back from the CLI when I try to insert. Did I miss something in the configuration?
How can I find out what's going on?
Also -- does Cassandra only read the cassandra-topology at startup?
Thanks
Looks like keyspace creation is not properly done. Its a simple fact, whenever you are getting UnavailableException() while populating, take it for granted that there is an issue in creating the keyspace. In your case you haven't mention the full class path for the desired placement_strategy
CREATE KEYSPACE myks WITH placement_strategy = 'org.apache.cassandra.locator.NetworkTopologyStrategy'
AND strategy_options=[{AWS1:1,AWS2:1}];
Yes Cassandra only read topology at the time creation of the keyspace(startup)

Resources