Bringing together the Apache Cassandra experts from the community and DataStax.

Want to learn? Have a question? Want to share your expertise? You are in the right place!

Not sure where to begin? Getting Started

 

question

sushanta.saha_41353 avatar image
sushanta.saha_41353 asked ·

New superuser unable to connect after enabling authentication in DSE 6.8.0

Added new superuser. But unable to login with new superuser.

$ cqlsh
Connection error: ('Unable to connect to any servers', {'127.0.0.1:9042': AuthenticationFailed('Remote end requires authentication',)})
$ nodetool status
Datacenter: us-east-1
=====================
Status=Up/Down
|/ State=Normal/Leaving/Joining/Moving/Stopped
-- Address Load Tokens Owns (effective) Host ID Rack
UN 10.119.20.42 298.13 KiB 8 45.3% fba6d230-64e5-4db0-9af8-4a71ccf790a5 us-east-1a
Datacenter: us-west-2
=====================
Status=Up/Down
|/ State=Normal/Leaving/Joining/Moving/Stopped
-- Address Load Tokens Owns (effective) Host ID Rack
UN 10.119.43.25 368.72 KiB 8 54.7% b12df92e-b29b-45dc-9f27-4040060c0f62 us-west-2b
$ cqlsh 10.119.20.42 -u cacsadmin -p dse68admin
Connection error: ('Unable to connect to any servers', {'10.119.20.42:9042': error(111, "Tried connecting to [('10.119.20.42', 9042)]. Last error: Connection refused")})
$ grep "_address:" cassandra.yaml
listen_address: 10.119.20.42
# broadcast_address: 1.2.3.4
# listen_on_broadcast_address: false
native_transport_address: localhost
# native_transport_broadcast_address: 1.2.3.4
$ netstat -l | grep 9042
tcp 0 0 localhost:9042 0.0.0.0:* LISTEN

EDIT:

/home/cacsuser $ nodetool repair --full system_auth
[2020-05-24 17:30:39,693] Skipping anti-entropy repair on tables with NodeSync enabled: [system_auth.role_members, system_auth.role_permissions, system_auth.roles].
[2020-05-24 17:30:39,697] Starting repair command #2 (d06ad9b0-9e05-11ea-8256-cfd5eff2888f), repairing keyspace system_auth with repair options (parallelism: parallel, primary range: false, incremental: false, job threads: 1, ColumnFamilies: {}, dataCenters: {}, hosts: {}, previewKind: NONE, # of ranges: 16, pull repair: false, force repair: false)
[2020-05-24 17:30:39,867] Repair completed successfully
[2020-05-24 17:30:39,867] Repair command #2 finished in 0 seconds
/home/cacsuser $ cqlsh 10.119.20.42 -u cacsadmin -p dse68admin
Connection error: ('Unable to connect to any servers', {'10.119.20.42:9042': error(111, "Tried connecting to [('10.119.20.42', 9042)]. Last error: Connection refused")})
cassandradseauthentication
5 comments
10 |1000 characters needed characters left characters exceeded

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

have you changed the replication factor for system_auth keyspace and performed the repair?

0 Likes 0 · ·

From *10.42


cqlsh> ALTER KEYSPACE system_auth WITH REPLICATION= {'class' : 'NetworkTopologyStrategy', 'us-east-1' : 1, 'us-west-2' : 1};


Warnings :

After a replication factor increase, data will need to be replicated to achieve the new factor. This will be done automatically by NodeSync, but can be prioritized on specific tables by triggering user validations ('nodesync help validation submit').


cqlsh> ALTER KEYSPACE dse_security WITH REPLICATION= {'class' : 'NetworkTopologyStrategy', 'us-east-1' : 1, 'us-west-2' : 1};


Warnings :

After a replication factor increase, data will need to be replicated to achieve the new factor. This will be done automatically by NodeSync, but can be prioritized on specific tables by triggering user validations ('nodesync help validation submit').


cqlsh> exit


0 Likes 0 · ·

I think you are using dse, what did you do inside dse.yaml about authentication and authorization ?

https://docs.datastax.com/en/security/6.0/security/Auth/secEnableDseAuthenticator.html

0 Likes 0 · ·

Node 1 - Transactional. Node 2 - Analytics with Spark, Graph, Search

On both nodes, dse.yaml changed for authentication:

authentication_options:

enabled: true

default_scheme: internal

role_management_options:

mode: internal

authorization_options:

enabled: true

transitional_mode: normal

allow_row_level_security: true

Thanks for looking into.

.... Sushanta

0 Likes 0 · ·

A friendly note to let you know I converted your post to a comment since it's not an "answer". Cheers!

0 Likes 0 · ·

1 Answer

Erick Ramirez avatar image
Erick Ramirez answered ·

@sushanta.saha_41353 This isn't really an authentication issue. It looks like you haven't configured your cluster correctly, specifically the problem is that the CQL native transport server is bound to localhost:

native_transport_address: localhost

This means that clients/apps will not be able to connect to the nodes unless those apps are co-located on the same server. Note that cqlsh is just another client connecting to the cluster.

You need to set native_transport_address to either:

  • the node's public IP address (if available)
  • the node's IP address

I have previously explained this in "Which network properties should I configure in cassandra.yaml, private vs public IP?". Cheers!

2 comments Share
10 |1000 characters needed characters left characters exceeded

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

That worked! So, looks like I need to keep an eye on the DEV guide as well :)

Appreciate the help.

.... Sushanta

0 Likes 0 · ·

Not a problem. Cheers!

0 Likes 0 · ·