We are setting up Apigee OPDK on-premise for the first time and are working on securing our environment. We followed the directions in the operations guide to specify the password authenticator, but when we get to the step to change the cassandra password with cqlsh, the password change fails, basically stating I do not have access.
Has anyone else configured authentication for cassandra? How did you change the cassandra user password? Did you also create a different user or did you stick with the cassandra user? Did you have to run any specific grant statements if you created a new user?
Hi @bryanpfremmer and @Steven Wolfe,
I just tested this on a fresh 4.15.07.03 installation. I was able to recreate the issue, so this might simply be related to the order in which the tasks are being performed.
To resolve, here's what I did:
Update cassandra.yaml:
$ sudo vim /opt/apigee4/conf/cassandra/cassandra.yaml
Change "authenticator: AllowAllAuthenticator" to "authenticator: PasswordAuthenticator".
Restart Cassandra:
$ sudo /opt/apigee4/etc/init.d/apigee-cassandra restart
Then, repeat the steps above:
[vagrant@localhost ~]$ /opt/apigee4/share/apache-cassandra/bin/cqlsh 10.4.15.7 9160 -u cassandra -p cassandra
Connected to Apigee at 10.4.15.7:9160.
[cqlsh 4.1.1 | Cassandra 2.0.15 | CQL spec 3.1.1 | Thrift protocol 19.39.0]
Use HELP for help.
cqlsh> ALTER USER cassandra WITH PASSWORD 'testing123456';
cqlsh> quit
Confirm you get an error when trying the old password:
[vagrant@localhost ~]$ /opt/apigee4/share/apache-cassandra/bin/cqlsh 10.4.15.7 9160 -u cassandra -p cassandra
Traceback (most recent call last):
  File "/opt/apigee4/share/apache-cassandra/bin/cqlsh", line 2097, in <module>
    main(*read_options(sys.argv[1:], os.environ))
  File "/opt/apigee4/share/apache-cassandra/bin/cqlsh", line 2080, in main
    single_statement=options.execute)
  File "/opt/apigee4/share/apache-cassandra/bin/cqlsh", line 492, in __init__
    password=password, cql_version=cqlver, transport=transport)
  File "/opt/apigee4/share/apache-cassandra-2.0.15/bin/../lib/cql-internal-only-1.4.2.zip/cql-1.4.2/cql/connection.py", line 143, in connect
  File "/opt/apigee4/share/apache-cassandra-2.0.15/bin/../lib/cql-internal-only-1.4.2.zip/cql-1.4.2/cql/connection.py", line 59, in __init__
  File "/opt/apigee4/share/apache-cassandra-2.0.15/bin/../lib/cql-internal-only-1.4.2.zip/cql-1.4.2/cql/thrifteries.py", line 157, in establish_connection
  File "/opt/apigee4/share/apache-cassandra-2.0.15/bin/../lib/cql-internal-only-1.4.2.zip/cql-1.4.2/cql/cassandra/Cassandra.py", line 507, in login
  File "/opt/apigee4/share/apache-cassandra-2.0.15/bin/../lib/cql-internal-only-1.4.2.zip/cql-1.4.2/cql/cassandra/Cassandra.py", line 528, in recv_login
cql.cassandra.ttypes.AuthenticationException: AuthenticationException(why='Username and/or password are incorrect')
Confirm you can log in without issue using the new password:
[vagrant@localhost ~]$ /opt/apigee4/share/apache-cassandra/bin/cqlsh 10.4.15.7 9160 -u cassandra -p testing123456
Connected to Apigee at 10.4.15.7:9160.
[cqlsh 4.1.1 | Cassandra 2.0.15 | CQL spec 3.1.1 | Thrift protocol 19.39.0]
Use HELP for help.
cqlsh> quit
Then, as a final step, you must update the Apigee config to use the new password:
[vagrant@localhost ~]$ sudo /opt/apigee4/bin/update-cass-pwd-in-config.sh
Enter cassandra username: cassandra
Enter cassandra password. This must be same as cassandra server password:
Warning: If you proceed further, you will be changing the Cassandra password in configuration files. This should be preceeded by changing the password in Cassandra. If not, the server restart will FAIL!!!.
Are you really sure? y/n (y): y
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Cassandra authentication is enabled. Please restart all servers except UI.
If this is a multi-node installation, run this script on all the nodes and input the same username, password and passphrase.
Once you restart all components, this should work as expected (mine did).
Please respond here if you have any issues getting this set up. Thanks!
The commands we're using are...
Hi - do we need a documentation update? I don't remember reading this in the OPDK guide...
@Benjamin Goldman I think this is already in the OPDK documentation. But I would check again. Like @Alex Toombs pointed out, if you have multiple nodes in your setup, you need to perform these steps on each node. Once you have updated the cassandra.yaml, make sure you bounce the cassandra and then try to log in with the old and new passwords. The former attempt should fail, while the latter would succeed.
yeah - it is more or less the same.. but for some reason this post is so much easier to follow...
This is the same procedure as is in the Ops Guide. There really isn't any doc update needed.
Our issue was that the cassandra.yaml file was being refreshed by your start scripts and was reverted. I don't think the guide is completely clear when it says run the shell script to update the cassandra password on all edge nodes. It would have been helpful if it called out what node types.
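An added example, not part of the thread or of Apigee's own tooling: a shell check that reads the effective authenticator from one or more cassandra.yaml copies, so a file that was reverted to AllowAllAuthenticator after a restart (the problem reported in the reply above) is caught on each node. The function names and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that cassandra.yaml still enforces password auth.

# Print the value of the last uncommented top-level "authenticator:" key.
# Cassandra falls back to AllowAllAuthenticator when the key is absent.
effective_authenticator() {
    value=$(sed -n 's/^authenticator:[[:space:]]*//p' "$1" \
        | sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
              -e "s/^[\"']//" -e "s/[\"']\$//" \
        | tail -n 1)
    printf '%s\n' "${value:-AllowAllAuthenticator}"
}

# Return 0 only if every file given enforces PasswordAuthenticator;
# print one status line per file so a reverted node is easy to spot.
check_auth_enabled() {
    rc=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "UNREADABLE $f"; rc=1; continue
        fi
        a=$(effective_authenticator "$f")
        case "$a" in
            PasswordAuthenticator|org.apache.cassandra.auth.PasswordAuthenticator)
                echo "OK $f ($a)" ;;
            *)
                echo "OPEN $f ($a)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: a yaml that a start script has reverted.
sample=$(mktemp)
printf '%s\n' 'cluster_name: Apigee' \
    '#authenticator: PasswordAuthenticator' \
    'authenticator: AllowAllAuthenticator  # reverted' > "$sample"
check_auth_enabled "$sample" || echo "authentication is NOT enforced"
rm -f "$sample"
```

On a real node the argument would be the path edited in the answer, /opt/apigee4/conf/cassandra/cassandra.yaml, checked again after the Cassandra restart.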