Unable to set Cassandra password in v4.15.07.03

Not applicable

We setting up Apigee OPDK on-premise for the first time and are working on securing our environment. We followed the directions in the operations guide, to specify the password authenticator, but when we get to the step to change the cassandra password with cqlsh the password change fails basically stating I do not have access.

Has anyone else configured authentication for cassandra? How did you change the cassandra user password? DId you also create a different user or did you stick with the cassanra user? Did you have to run any specific grant statements if you created a new user?

Solved Solved
1 9 1,313
1 ACCEPTED SOLUTION

Hi @bryanpfremmer and @Steven Wolfe,

I just tested this on a fresh 4.15.07.03 installation. I was able to recreate the issue, so this might simply be related to the order in which the tasks are being performed.

To resolve, here's what I did:

Update cassandra.yaml:

$ sudo vim /opt/apigee4/conf/cassandra/cassandra.yaml

Change "authenticator: AllowAllAuthenticator" to "authenticator: PasswordAuthenticator".

Restart Cassandra:

$ sudo /opt/apigee4/etc/init.d/apigee-cassandra restart

Then, repeat the steps above:

[vagrant@localhost ~]$ /opt/apigee4/share/apache-cassandra/bin/cqlsh 10.4.15.7 9160 -u cassandra -p cassandra

Connected to Apigee at 10.4.15.7:9160.

[cqlsh 4.1.1 | Cassandra 2.0.15 | CQL spec 3.1.1 | Thrift protocol 19.39.0]

Use HELP for help.

cqlsh> ALTER USER cassandra WITH PASSWORD 'testing123456';

cqlsh> quit

Confirm you get an error when trying the old password:

[vagrant@localhost ~]$ /opt/apigee4/share/apache-cassandra/bin/cqlsh 10.4.15.7 9160 -u cassandra -p cassandra

Traceback (most recent call last):

  File "/opt/apigee4/share/apache-cassandra/bin/cqlsh", line 2097, in <module>

    main(*read_options(sys.argv[1:], os.environ))

  File "/opt/apigee4/share/apache-cassandra/bin/cqlsh", line 2080, in main

    single_statement=options.execute)

  File "/opt/apigee4/share/apache-cassandra/bin/cqlsh", line 492, in __init__

    password=password, cql_version=cqlver, transport=transport)

  File "/opt/apigee4/share/apache-cassandra-2.0.15/bin/../lib/cql-internal-only-1.4.2.zip/cql-1.4.2/cql/connection.py", line 143, in connect

  File "/opt/apigee4/share/apache-cassandra-2.0.15/bin/../lib/cql-internal-only-1.4.2.zip/cql-1.4.2/cql/connection.py", line 59, in __init__

  File "/opt/apigee4/share/apache-cassandra-2.0.15/bin/../lib/cql-internal-only-1.4.2.zip/cql-1.4.2/cql/thrifteries.py", line 157, in establish_connection

  File "/opt/apigee4/share/apache-cassandra-2.0.15/bin/../lib/cql-internal-only-1.4.2.zip/cql-1.4.2/cql/cassandra/Cassandra.py", line 507, in login

  File "/opt/apigee4/share/apache-cassandra-2.0.15/bin/../lib/cql-internal-only-1.4.2.zip/cql-1.4.2/cql/cassandra/Cassandra.py", line 528, in recv_login

cql.cassandra.ttypes.AuthenticationException: AuthenticationException(why='Username and/or password are incorrect')

Confirm you can login without issue using the new password:

[vagrant@localhost ~]$ /opt/apigee4/share/apache-cassandra/bin/cqlsh 10.4.15.7 9160 -u cassandra -p testing123456

Connected to Apigee at 10.4.15.7:9160.

[cqlsh 4.1.1 | Cassandra 2.0.15 | CQL spec 3.1.1 | Thrift protocol 19.39.0]

Use HELP for help.

cqlsh> quit

Then, as a final step, you must update the Apigee config to use the new password:

[vagrant@localhost ~]$ sudo /opt/apigee4/bin/update-cass-pwd-in-config.sh

Enter cassandra username: cassandra




Enter cassandra password. This must be same as cassandra server password: 




Warning: If you proceed further, you will be changing the Cassandra password in configuration files.

This should be preceeded by changing the password in Cassandra. If not, the server restart will FAIL!!!.

Are you really sure? y/n (y): y







= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Cassandra authentication is enabled. Please restart all servers except UI.

If this is a multi-node installation, run this script on all the nodes and input the same username, password and passphrase.

Once you restart all components, this should work as expected (mine did).

Please respond here if you have any issues getting this setup. Thanks!

View solution in original post

9 REPLIES 9

Not applicable

The commands we're using are...

  1. /<inst-root>/apigee4/share/apache-cassandra/bin/cqlsh cassIP cassPort -u cassandra -p cassandra
  2. cqlsh> ALTER USER cassandra WITH PASSWORD 'NEW_PASSWORD';

Hi @bryanpfremmer and @Steven Wolfe,

I just tested this on a fresh 4.15.07.03 installation. I was able to recreate the issue, so this might simply be related to the order in which the tasks are being performed.

To resolve, here's what I did:

Update cassandra.yaml:

$ sudo vim /opt/apigee4/conf/cassandra/cassandra.yaml

Change "authenticator: AllowAllAuthenticator" to "authenticator: PasswordAuthenticator".

Restart Cassandra:

$ sudo /opt/apigee4/etc/init.d/apigee-cassandra restart

Then, repeat the steps above:

[vagrant@localhost ~]$ /opt/apigee4/share/apache-cassandra/bin/cqlsh 10.4.15.7 9160 -u cassandra -p cassandra

Connected to Apigee at 10.4.15.7:9160.

[cqlsh 4.1.1 | Cassandra 2.0.15 | CQL spec 3.1.1 | Thrift protocol 19.39.0]

Use HELP for help.

cqlsh> ALTER USER cassandra WITH PASSWORD 'testing123456';

cqlsh> quit

Confirm you get an error when trying the old password:

[vagrant@localhost ~]$ /opt/apigee4/share/apache-cassandra/bin/cqlsh 10.4.15.7 9160 -u cassandra -p cassandra

Traceback (most recent call last):

  File "/opt/apigee4/share/apache-cassandra/bin/cqlsh", line 2097, in <module>

    main(*read_options(sys.argv[1:], os.environ))

  File "/opt/apigee4/share/apache-cassandra/bin/cqlsh", line 2080, in main

    single_statement=options.execute)

  File "/opt/apigee4/share/apache-cassandra/bin/cqlsh", line 492, in __init__

    password=password, cql_version=cqlver, transport=transport)

  File "/opt/apigee4/share/apache-cassandra-2.0.15/bin/../lib/cql-internal-only-1.4.2.zip/cql-1.4.2/cql/connection.py", line 143, in connect

  File "/opt/apigee4/share/apache-cassandra-2.0.15/bin/../lib/cql-internal-only-1.4.2.zip/cql-1.4.2/cql/connection.py", line 59, in __init__

  File "/opt/apigee4/share/apache-cassandra-2.0.15/bin/../lib/cql-internal-only-1.4.2.zip/cql-1.4.2/cql/thrifteries.py", line 157, in establish_connection

  File "/opt/apigee4/share/apache-cassandra-2.0.15/bin/../lib/cql-internal-only-1.4.2.zip/cql-1.4.2/cql/cassandra/Cassandra.py", line 507, in login

  File "/opt/apigee4/share/apache-cassandra-2.0.15/bin/../lib/cql-internal-only-1.4.2.zip/cql-1.4.2/cql/cassandra/Cassandra.py", line 528, in recv_login

cql.cassandra.ttypes.AuthenticationException: AuthenticationException(why='Username and/or password are incorrect')

Confirm you can login without issue using the new password:

[vagrant@localhost ~]$ /opt/apigee4/share/apache-cassandra/bin/cqlsh 10.4.15.7 9160 -u cassandra -p testing123456

Connected to Apigee at 10.4.15.7:9160.

[cqlsh 4.1.1 | Cassandra 2.0.15 | CQL spec 3.1.1 | Thrift protocol 19.39.0]

Use HELP for help.

cqlsh> quit

Then, as a final step, you must update the Apigee config to use the new password:

[vagrant@localhost ~]$ sudo /opt/apigee4/bin/update-cass-pwd-in-config.sh

Enter cassandra username: cassandra




Enter cassandra password. This must be same as cassandra server password: 




Warning: If you proceed further, you will be changing the Cassandra password in configuration files.

This should be preceeded by changing the password in Cassandra. If not, the server restart will FAIL!!!.

Are you really sure? y/n (y): y







= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Cassandra authentication is enabled. Please restart all servers except UI.

If this is a multi-node installation, run this script on all the nodes and input the same username, password and passphrase.

Once you restart all components, this should work as expected (mine did).

Please respond here if you have any issues getting this setup. Thanks!

Hi - do we need a documentation update? I dont remember reading this in the OPDK guide...

@Benjamin Goldman I think this is already in the OPDK documentation. But I would check again. Like @Alex Toombs pointed out, if you have multiple nodes, in your setup you need to perform these steps on each node. Once you have updated the cassandra.yaml make sure you bounce the cassandra and then try to login with the old and new passwords. The former attempt should fail, while the latter would succeed.

yeah - it is more or less the same.. but for some reason this post is so much easier to follow...

This is the same procedure as is in the Ops Guide. There really isn't any doc update needed.

Not applicable

Our issue was the cassandra.yaml file was being refreshed by your start scripts was reverted. I don't think the guide is completely clear when it says run the shell script to update the cassandra password on all edge nodes. It would have been helpful if it called out what node types.