Posted to commits@cassandra.apache.org by "German Eichberger (Jira)" <ji...@apache.org> on 2022/11/15 21:34:00 UTC

[jira] [Comment Edited] (CASSANDRA-12525) When adding new nodes to a cluster which has authentication enabled, we end up losing cassandra user's current credentials and they get reverted back to default cassandra/cassandra credentials

    [ https://issues.apache.org/jira/browse/CASSANDRA-12525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17634535#comment-17634535 ] 

German Eichberger edited comment on CASSANDRA-12525 at 11/15/22 9:33 PM:
-------------------------------------------------------------------------

We were able to reliably reproduce this issue on C* 4.0.5

Our steps:
 # Create DC 1 with say 3 nodes
 # Set a password for the cassandra user
 # Create other users, etc.
 # Add another DC DC2
 ## We observe in, I think, 3.11 cassandra logs (4.0 is similar) for the first node brought up on the new DC:

||source_file    || source_line ||message||
|CassandraRoleManager.java |374  | Created default superuser role 'cassandra'|

 # Then we run a full repair on system_auth so other users propagate from DC1 to DC2
 # Result: cassandra user has original cassandra password

We also have seen this sporadically in C* 3.11.13

I believe there is some race condition where that first node believes it's the only node in the cluster and ignores the other DC. Our expectation is that this code does not run for the second data center and it needs to run. A simple fix might be to fix the write_time to epoch 0 or something so a subsequent repair overwrites it.

 

 


was (Author: JIRAUSER298386):
We were able to reliably reproduce this issue on C* 4.0.5

Our steps:
 # Create DC 1 with say 3 nodes
 # Set a password for the cassandra user
 # Create other users, etc.
 # Add another DC DC2
 ## We observe in cassandra logs for the first node brought up on the new DC:
 ## 
source_file    source_line    message
CassandraRoleManager.java    374    Created default superuser role 'cassandra'
 # Then we run a full repair on system_auth so other users propagate from DC1 to DC2
 # Result: cassandra user has original cassandra password

We also have seen this sporadically in C* 3.11.13

I believe there is some race condition where that first node believes it's the only node in the cluster and ignores the other DC. Our expectation is that this code does not run for the second data center and it needs to run. A simple fix might be to fix the write_time to epoch 0 or something so a subsequent repair overwrites it.

 

 

> When adding new nodes to a cluster which has authentication enabled, we end up losing cassandra user's current credentials and they get reverted back to default cassandra/cassandra credentials
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-12525
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12525
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Local/Config
>            Reporter: Atin Sood
>            Priority: Low
>
> Made the following observation:
> When adding new nodes to an existing C* cluster with authentication enabled we end up losing password information about `cassandra` user.
> Initial Setup
> - Create a 5 node cluster with system_auth having RF=5 and NetworkTopologyStrategy
> - Enable PasswordAuthenticator on this cluster and update the password for 'cassandra' user to say 'password' via the alter query
> - Make sure you run nodetool repair on all the nodes
> Test case
> - Now go ahead and add 5 more nodes to this cluster.
> - Run nodetool repair on all the 10 nodes now
> - Decommission the original 5 nodes such that only the new 5 nodes are in the cluster now
> - Run cqlsh and try to connect to this cluster using old user name and password, cassandra/password
> I was unable to connect to the nodes with the original credentials and was only able to connect using the default cassandra/cassandra credentials
> From the conversation over IIRC
> `beobal: sood: that definitely shouldn't happen. The new nodes should only create the default superuser role if there are 0 roles currently defined (including that default one)`



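The behaviour hypothesised in the comment above, as an added example that is not part of the original message and not Cassandra's code: a simplified model of last-write-wins reconciliation during repair, showing why a default `cassandra` role row written later on a new-DC node replaces the earlier password change, and why writing it with write time 0 does not. All function names, timestamps and hash strings are constructed for illustration.

```python
# Simplified model of last-write-wins reconciliation for system_auth role rows.
# Constructed example: names, timestamps and hash strings are placeholders.
from dataclasses import dataclass
from typing import Dict, Optional

DEFAULT_HASH = "hash(default)"   # stands in for the default password hash
CHANGED_HASH = "hash(changed)"   # stands in for the operator-set password hash


@dataclass(frozen=True)
class Cell:
    salted_hash: str
    write_time: int  # per-cell write timestamp; small integers here


Replica = Dict[str, Cell]  # role name -> stored cell


def create_default_if_no_roles(replica: Replica, now: int, write_time: Optional[int] = None) -> bool:
    """Startup step as modelled here: insert the default role only if no role is visible."""
    if replica:
        return False
    replica["cassandra"] = Cell(DEFAULT_HASH, now if write_time is None else write_time)
    return True


def repair(*replicas: Replica) -> None:
    """Repair as modelled here: every replica keeps the highest-write_time cell per role."""
    merged: Replica = {}
    for rep in replicas:
        for role, cell in rep.items():
            if role not in merged or cell.write_time > merged[role].write_time:
                merged[role] = cell
    for rep in replicas:
        rep.clear()
        rep.update(merged)


def scenario(default_write_time: Optional[int]) -> str:
    """Replay the steps from the comment; return the hash held for 'cassandra' afterwards."""
    dc1: Replica = {}
    create_default_if_no_roles(dc1, now=100)      # DC1 bootstraps
    dc1["cassandra"] = Cell(CHANGED_HASH, 200)    # password changed on DC1
    dc1["alice"] = Cell("hash(alice)", 210)       # other users created
    dc2: Replica = {}                             # first DC2 node sees no roles yet
    create_default_if_no_roles(dc2, now=300, write_time=default_write_time)
    repair(dc1, dc2)                              # full repair on system_auth
    return dc2["cassandra"].salted_hash
```

`scenario(None)` models the reported behaviour (default row stamped at creation time), and `scenario(0)` models the write-time-0 idea from the comment.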