igor.rmarinho_185445 asked ·

What does "Invalid metadata has been detected for role cassandra" mean?

After I recovered the Cassandra role, after someone changed the super user password, I'm getting this error msg.

Error from server: code=0000 [Server error] message="java.lang.RuntimeException: Invalid metadata has been detected for role cassandra"',)})

Any thoughts on it? I'm a bit lost ...

Thanks

EDIT - I'm using DSE version 6.8. I did:

Step 1 - On all nodes, disable authentication and authorisation by setting the following properties in cassandra.yaml (requires a rolling DSE restart):

authenticator: AllowAllAuthenticator
authorizer: AllowAllAuthorizer

Step 2 - Reset the password:

cqlsh> UPDATE system_auth.roles SET salted_hash = '$2a$10$1gMPBy9zSkDzKxdbU2v/gOslcMRPDcXVqmwQYBmi8MVgYvNdRZw/.' WHERE role = 'cassandra';

Step 3 - Re-enable authentication

Here is the table contents:

cqlsh> SELECT * FROM system_auth.roles WHERE role = 'cassandra';

 role      | can_login | is_superuser | member_of | salted_hash
-----------+-----------+--------------+-----------+--------------------------------------------------------------
 cassandra |      null |         null |      null | $2a$10$1gMPBy9zSkDzKxdbU2v/gOslcMRPDcXVqmwQYBmi8MVgYvNdRZw/.


After I enabled the authentication back.


[cassandra]#
[cassandra]# cqlsh 10.30.50.4 -u cassandra -p cassandra
Connection error: ('Unable to connect to any servers', {'10.30.50.4:9042': error(111, "Tried connecting to [('10.30.50.4', 9042)]. Last error: Connection refused")})
[cassandra]# cqlsh 10.30.50.4 -u cassandra -p cassandra --connect-timeout 30
Connection error: ('Unable to connect to any servers', {'10.30.50.4:9042': AuthenticationFailed('Failed to authenticate to 10.30.50.4:9042: Error from server: code=0000 [Server error] message="java.lang.RuntimeException: Invalid metadata has been detected for role cassandra"',)})



1 Answer

Erick Ramirez answered ·

@igor.rmarinho_185445 The error you posted indicates that one of the column values for the role is invalid and indeed it is.

Whatever you tried to do beforehand, at some point the role was deleted (for whatever reason). When you updated the password, all it did was insert a value for the salted_hash column but the rest of the columns are empty.

When authenticating, Cassandra checks to see (1) if the role is allowed to login and (2) if it is a superuser. For both of these columns, Cassandra expects a boolean value but in your case, both of them are empty.

You will need to update the entry so both columns are set to "True":

cqlsh> UPDATE system_auth.roles SET can_login = true , is_superuser = true WHERE role = 'cassandra';

If successful, the entry should look like:

cqlsh> SELECT * FROM system_auth.roles WHERE role = 'cassandra';
 role      | can_login | is_superuser | member_of | salted_hash
-----------+-----------+--------------+-----------+--------------------------------------------------------------
 cassandra |      True |         True |      null | $2a$10$1gMPBy9zSkDzKxdbU2v/gOslcMRPDcXVqmwQYBmi8MVgYvNdRZw/.

Note that you will need to temporarily disable authentication again to make this change.

I'm going to use this opportunity to remind you that we recommend adding a superuser login as soon as you enable authentication on a cluster. We do not recommend using the default Cassandra superuser since it requires QUORUM consistency level instead of LOCAL_ONE for all other accounts. Cheers!


Thanks Erick!

It worked! I totally missed this step when I was doing the recovery!

Erick Ramirez ♦♦ igor.rmarinho_185445 ·

@igor.rmarinho_185445 Good to hear! Cheers!

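An added example, not part of the original thread and not DataStax code: a small Python check that parses `SELECT * FROM system_auth.roles` output in the cqlsh format shown above and lists roles whose can_login or is_superuser column is null, the condition the answer identifies as the cause of the error. The sample table is constructed; the `app_ro` role and `<bcrypt-hash>` are placeholders.

```python
"""Added example: flag system_auth.roles rows with null login metadata."""

# Columns the answer says must hold a boolean when the role authenticates.
REQUIRED_BOOL = ("can_login", "is_superuser")

# Constructed sample in cqlsh's output format. 'app_ro' is a hypothetical
# role and <bcrypt-hash> is a placeholder, not a real hash.
SAMPLE = """\
 role      | can_login | is_superuser | member_of | salted_hash
-----------+-----------+--------------+-----------+---------------
 cassandra |      null |         null |      null | <bcrypt-hash>
 app_ro    |      True |        False |      null | <bcrypt-hash>

(2 rows)
"""


def parse_cqlsh_table(text):
    """Turn cqlsh's pipe-delimited SELECT output into a list of dicts."""
    header, rows = None, []
    for line in text.splitlines():
        if "|" not in line:
            continue  # blank line, dashed separator or "(N rows)" footer
        cells = [cell.strip() for cell in line.split("|")]
        if header is None:
            header = cells
        elif len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows


def invalid_role_metadata(rows):
    """Map each role to the required boolean columns that are null."""
    findings = {}
    for row in rows:
        absent = [c for c in REQUIRED_BOOL if c not in row]
        if absent:
            raise ValueError(f"SELECT output lacks columns: {absent}")
        nulls = [c for c in REQUIRED_BOOL if row[c] == "null"]
        if nulls:
            findings[row["role"]] = nulls
    return findings


if __name__ == "__main__":
    for role, cols in invalid_role_metadata(parse_cqlsh_table(SAMPLE)).items():
        print(f"role {role!r}: null {', '.join(cols)} (authentication will fail)")
```

Running the same check after any manual write to system_auth.roles catches a row that an UPDATE created with only salted_hash populated.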