Reset YCQL Password as a Non-Authenticated User

If you try to reset a user password as a non-authenticated user in YCQL, you’ll get an error – even if logged in as a super user!

A user is a non-authenticated user if they logged in when the gFlag use_cassandra_authentication is set to false.

In a previous tip, we learned how to check the current value of a gFlag from the command line.

    [root@localhost ~]# curl -s http://198.xx.xx.xxx:9000/varz?raw | grep "\-\-use_cassandra_authentication"
    --use_cassandra_authentication=false

Since the gFlag use_cassandra_authentication is set to false, if I log in as the super user cassandra, I won’t be able to change the password.

    [root@localhost ~]# ycqlsh $server_ip -u cassandra -p password
    Connected to local cluster at 198.xx.xx.xxx:9042.
    [ycqlsh 5.0.1 | Cassandra 3.9-SNAPSHOT | CQL spec 3.4.2 | Native protocol v4]
    Use HELP for help.

    cassandra@ycqlsh> SELECT role, is_superuser FROM system_auth.roles;

     role      | is_superuser
    -----------+--------------
     cassandra |         True

    (1 rows)

    cassandra@ycqlsh> ALTER ROLE cassandra WITH password = 'new_password';
    Unauthorized: Error from server: code=2100 [Unauthorized] message="Unauthorized. You have to be logged in and not anonymous to perform this request
    ALTER ROLE cassandra WITH password = 'new_password';
    ^^^^^
     (ql error -4)"

To allow a non-authenticated password reset, temporarily set the gFlag ycql_allow_non_authenticated_password_reset to true.

    [root@localhost ~]# yb-ts-cli --server_address=198.xx.xx.xxx:9100 set_flag ycql_allow_non_authenticated_password_reset true

Now I can reset the password.

    [root@localhost ~]# ycqlsh 198.xx.xx.xxx -u cassandra -p password
    Connected to local cluster at 198.xx.xx.xxx:9042.

    [ycqlsh 5.0.1 | Cassandra 3.9-SNAPSHOT | CQL spec 3.4.2 | Native protocol v4]
    Use HELP for help.

    cassandra@ycqlsh> ALTER ROLE cassandra WITH password = 'new_password';

    cassandra@ycqlsh> exit

    [root@localhost ~]# ycqlsh 198.xx.xx.xxx -u cassandra -p new_password
    Connected to local cluster at 198.xx.xx.xxx:9042.
    [ycqlsh 5.0.1 | Cassandra 3.9-SNAPSHOT | CQL spec 3.4.2 | Native protocol v4]
    Use HELP for help.

Don’t forget to return the gFlag ycql_allow_non_authenticated_password_reset back to its default value of false!
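
The whole procedure can be wrapped so that the flag is switched back off even when the ALTER ROLE fails. This is an added example, not part of the original tip; the function names and the YB_TS_CLI / YCQLSH override variables are assumptions of the example, while the commands and ports are the ones shown in the transcripts above.

```shell
#!/bin/sh
# Added example (not from the original tip). Host, role and passwords are
# supplied by the caller; port 9100 follows the tip's yb-ts-cli call.
FLAG=ycql_allow_non_authenticated_password_reset
YB_TS_CLI=${YB_TS_CLI:-yb-ts-cli}   # hypothetical overrides, so stubs can be used
YCQLSH=${YCQLSH:-ycqlsh}

# set_reset_flag <host> <true|false>: the same yb-ts-cli call as in the tip.
set_reset_flag() {
    "$YB_TS_CLI" --server_address="$1:9100" set_flag "$FLAG" "$2"
}

# reset_ycql_password <host> <role> <current_pw> <new_pw>
# Returns 0 on success, 64 for a bad role name, 1 if the flag could not be
# enabled, 2 if the flag could not be reverted (operator action needed),
# otherwise the ycqlsh exit status.
reset_ycql_password() {
    host=$1 role=$2 cur_pw=$3 new_pw=$4 rc=0
    # Accept only plain identifiers as role names, so the value cannot
    # change the shape of the statement.
    case $role in
        ''|*[!A-Za-z0-9_]*) echo "invalid role name" >&2; return 64 ;;
    esac
    # CQL string literals escape a single quote by doubling it.
    esc_pw=$(printf '%s' "$new_pw" | sed "s/'/''/g")

    set_reset_flag "$host" true || return 1
    "$YCQLSH" "$host" -u "$role" -p "$cur_pw" \
        -e "ALTER ROLE $role WITH password = '$esc_pw';" || rc=$?
    # Revert whether or not the ALTER succeeded.
    if ! set_reset_flag "$host" false; then
        echo "WARNING: $FLAG may still be true on $host" >&2
        return 2
    fi
    return "$rc"
}
```

Call it as `reset_ycql_password <host> <role> <current_pw> <new_pw>`; a return value of 2 means the revert itself failed and the flag has to be set back to false by hand.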

Have Fun!
