sushanta.saha_41353 asked:

New superuser unable to connect after enabling authentication in DSE 6.8.0

Added new superuser. But unable to login with new superuser.

$ cqlsh
Connection error: ('Unable to connect to any servers', {'127.0.0.1:9042': AuthenticationFailed('Remote end requires authentication',)})
$ nodetool status
Datacenter: us-east-1
=====================
Status=Up/Down
|/ State=Normal/Leaving/Joining/Moving/Stopped
-- Address Load Tokens Owns (effective) Host ID Rack
UN 10.119.20.42 298.13 KiB 8 45.3% fba6d230-64e5-4db0-9af8-4a71ccf790a5 us-east-1a
Datacenter: us-west-2
=====================
Status=Up/Down
|/ State=Normal/Leaving/Joining/Moving/Stopped
-- Address Load Tokens Owns (effective) Host ID Rack
UN 10.119.43.25 368.72 KiB 8 54.7% b12df92e-b29b-45dc-9f27-4040060c0f62 us-west-2b
$ cqlsh 10.119.20.42 -u cacsadmin -p dse68admin
Connection error: ('Unable to connect to any servers', {'10.119.20.42:9042': error(111, "Tried connecting to [('10.119.20.42', 9042)]. Last error: Connection refused")})
$ grep "_address:" cassandra.yaml
listen_address: 10.119.20.42
# broadcast_address: 1.2.3.4
# listen_on_broadcast_address: false
native_transport_address: localhost
# native_transport_broadcast_address: 1.2.3.4
$ netstat -l | grep 9042
tcp 0 0 localhost:9042 0.0.0.0:* LISTEN

EDIT:

/home/cacsuser $ nodetool repair --full system_auth
[2020-05-24 17:30:39,693] Skipping anti-entropy repair on tables with NodeSync enabled: [system_auth.role_members, system_auth.role_permissions, system_auth.roles].
[2020-05-24 17:30:39,697] Starting repair command #2 (d06ad9b0-9e05-11ea-8256-cfd5eff2888f), repairing keyspace system_auth with repair options (parallelism: parallel, primary range: false, incremental: false, job threads: 1, ColumnFamilies: {}, dataCenters: {}, hosts: {}, previewKind: NONE, # of ranges: 16, pull repair: false, force repair: false)
[2020-05-24 17:30:39,867] Repair completed successfully
[2020-05-24 17:30:39,867] Repair command #2 finished in 0 seconds
/home/cacsuser $ cqlsh 10.119.20.42 -u cacsadmin -p dse68admin
Connection error: ('Unable to connect to any servers', {'10.119.20.42:9042': error(111, "Tried connecting to [('10.119.20.42', 9042)]. Last error: Connection refused")})

alex.ott commented:

Have you changed the replication factor for the system_auth keyspace and performed the repair?

sushanta.saha_41353 commented, replying to alex.ott:

From *10.42

cqlsh> ALTER KEYSPACE system_auth WITH REPLICATION= {'class' : 'NetworkTopologyStrategy', 'us-east-1' : 1, 'us-west-2' : 1};

Warnings :

After a replication factor increase, data will need to be replicated to achieve the new factor. This will be done automatically by NodeSync, but can be prioritized on specific tables by triggering user validations ('nodesync help validation submit').

cqlsh> ALTER KEYSPACE dse_security WITH REPLICATION= {'class' : 'NetworkTopologyStrategy', 'us-east-1' : 1, 'us-west-2' : 1};

Warnings :

After a replication factor increase, data will need to be replicated to achieve the new factor. This will be done automatically by NodeSync, but can be prioritized on specific tables by triggering user validations ('nodesync help validation submit').

cqlsh> exit

dmngaya commented:

I think you are using DSE. What did you do inside dse.yaml about authentication and authorization?

https://docs.datastax.com/en/security/6.0/security/Auth/secEnableDseAuthenticator.html

sushanta.saha_41353 commented, replying to dmngaya:

Node 1 - Transactional. Node 2 - Analytics with Spark, Graph, Search

On both nodes, dse.yaml changed for authentication:

authentication_options:
    enabled: true
    default_scheme: internal

role_management_options:
    mode: internal

authorization_options:
    enabled: true
    transitional_mode: normal
    allow_row_level_security: true

Thanks for looking into it.

.... Sushanta

Erick Ramirez commented, replying to dmngaya:

A friendly note to let you know I converted your post to a comment since it's not an "answer". Cheers!


1 Answer

Erick Ramirez answered:

@sushanta.saha_41353 This isn't really an authentication issue. It looks like you haven't configured your cluster correctly. Specifically, the problem is that the CQL native transport server is bound to localhost:

native_transport_address: localhost

This means that clients/apps will not be able to connect to the nodes unless those apps are co-located on the same server. Note that cqlsh is just another client connecting to the cluster.

You need to set native_transport_address to either:

  • the node's public IP address (if available)
  • the node's IP address

I have previously explained this in "Which network properties should I configure in cassandra.yaml, private vs public IP?". Cheers!
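
The two errors in the question come from different layers: the plain cqlsh attempt reached the server and was asked for credentials, while the attempt against 10.119.20.42 never reached a listening socket. The script below is an added example, not part of the original answer or of any DataStax tooling; it reads native_transport_address from a cassandra.yaml and reports whether a client dialling a given address can reach the CQL port. The function names and the sample file (built from the question's grep output) are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the sample file are constructed.

# Print the active (uncommented) native_transport_address, or "unset".
native_addr() {
    v=$(sed -n 's/^native_transport_address:[[:space:]]*//p' "$1" | head -n 1)
    v=$(printf '%s' "$v" | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//')
    [ -n "$v" ] && printf '%s\n' "$v" || printf 'unset\n'
}

# Classify an address as loopback, wildcard or specific.
bind_scope() {
    case "$1" in
        localhost|127.*|::1) echo loopback ;;
        0.0.0.0|::)          echo wildcard ;;
        unset|'')            echo unset ;;
        *)                   echo specific ;;
    esac
}

# diagnose <cassandra.yaml> <address the client dialled>
diagnose() {
    addr=$(native_addr "$1"); scope=$(bind_scope "$addr")
    case "$scope" in
        loopback)
            if [ "$(bind_scope "$2")" = loopback ]; then
                echo "reachable: CQL bound to $addr; local clients only"
            else
                echo "refused: CQL bound to $addr, not $2; set native_transport_address to the node's IP"
            fi ;;
        wildcard) echo "reachable: CQL listens on every interface; limit access to port 9042 with a firewall" ;;
        specific)
            if [ "$addr" = "$2" ]; then echo "reachable: CQL bound to $addr"
            else echo "refused: CQL bound to $addr, not $2"; fi ;;
        *) echo "unknown: native_transport_address is not set in $1" ;;
    esac
}

# Constructed sample: the settings shown by grep in the question.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
listen_address: 10.119.20.42
# broadcast_address: 1.2.3.4
native_transport_address: localhost
# native_transport_broadcast_address: 1.2.3.4
EOF
diagnose "$SAMPLE" 127.0.0.1      # plain cqlsh: reaches the server, then needs credentials
diagnose "$SAMPLE" 10.119.20.42   # cqlsh 10.119.20.42: connection refused
```

Once the address is changed and the node restarted, the netstat check from the question should show the node's IP rather than localhost in front of port 9042.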

sushanta.saha_41353 commented:

That worked! So, looks like I need to keep an eye on the DEV guide as well :)

Appreciate the help.

.... Sushanta

Erick Ramirez commented, replying to sushanta.saha_41353:

Not a problem. Cheers!
