yugabyte / yugabyte-db

YugabyteDB - the cloud native distributed SQL database for mission-critical applications.
https://www.yugabyte.com

[YSQL] Can't set yugabyte password, get "locked out" #12264

Open Extarys opened 2 years ago

Extarys commented 2 years ago

Jira Link: DB-2541

Description

Every time I set the yugabyte password I get locked out. I'm not sure what is happening - probably my fault though, but I can't seem to put my finger on it. (I also prefer to use master/tserver as opposed to yugabyted to avoid any complication down the road if I want to add servers.)

I created a docker compose file with both master and tserver. (Docker compose excerpt down below) I load tserver with the initial config:

--enable_ondisk_compression=true
--compression_type=Snappy
#--ysql_enable_auth=true
--ysql_pg_conf=password_encryption=scram-sha-256
#--ysql_hba_conf_csv=host all all 0.0.0.0/0 scram-sha-256,host all all ::0/0 scram-sha-256
#--use_client_to_server_encryption=true
--certs_dir=/mnt/certs
--certs_for_client_dir=/mnt/certs

Then I restart it and log in and change the yugabyte password: (Where 172.20.0.5 is the IP of the docker container itself, could also try 127.0.0.1)

docker exec -it yb-tserver-n1 /home/yugabyte/bin/ysqlsh --host=172.20.0.5 --echo-queries -U yugabyte

ALTER ROLE yugabyte PASSWORD 'bobisawesome'; -- Not an actual password, but bob is indeed awesome.

\q

After that, I update the tserver configuration to use auth by uncommenting the 3 lines, so it looks like this:

--enable_ondisk_compression=true
--compression_type=Snappy
--ysql_enable_auth=true
--ysql_pg_conf=password_encryption=scram-sha-256
--ysql_hba_conf_csv=host all all 0.0.0.0/0 scram-sha-256,host all all ::0/0 scram-sha-256
--use_client_to_server_encryption=true
--certs_dir=/mnt/certs
--certs_for_client_dir=/mnt/certs

Restart the container to make sure the config file was read, try logging in:

docker exec -it yb-tserver-n1 /home/yugabyte/bin/ysqlsh --host=172.20.0.5 --echo-queries -U yugabyte -W
Enter password: bobisawesome(He really is)
ysqlsh: FATAL: password authentication failed for user "yugabyte"

I noticed it worked if I use the \password command though, but since I'd like to copy/paste the file containing all the commands I need to make the initial users and schemas, it would be easier. I also destroy my installation by playing with different docker and yb configurations (encryption at rest is a good example of how I broke my last install :smile: ), therefore using \password breaks the flow.

tserver docker options as follows:

  yb-master:
      image: yugabytedb/yugabyte:latest
      container_name: yb-master-n1
      volumes:
        - ./yb-data/master:/mnt/master
        - ./yb-conf/master:/mnt/conf
      command: [ "/home/yugabyte/bin/yb-master",
                "--fs_data_dirs=/mnt/master",
                "--master_addresses=yb-master-n1:7100",
                "--rpc_bind_addresses=yb-master-n1:7100",
                "--replication_factor=1"]
      ports:
        - "7000:7000"
      environment:
        SERVICE_7000_NAME: yb-master

  yb-tserver:
      image: yugabytedb/yugabyte:latest
      container_name: yb-tserver-n1
      volumes:
        - "./yb-data/tserver:/mnt/tserver"
        - "./yb-conf/server:/mnt/conf"
        - "./yb-conf/certs:/mnt/certs"

      command: [ "/home/yugabyte/bin/yb-tserver",
                "--flagfile=/mnt/conf/yb-tserver.conf",
                "--fs_data_dirs=/mnt/tserver",
                "--start_pgsql_proxy",
                "--rpc_bind_addresses=yb-tserver-n1:9100",
                "--tserver_master_addrs=yb-master-n1:7100"]
      ports:
        - "9000:9000"
        - "9042:9042"
        - "5433:5433"
      environment:
        SERVICE_5433_NAME: ysql
        SERVICE_9042_NAME: ycql
        SERVICE_6379_NAME: yedis
        SERVICE_9000_NAME: yb-tserver
      depends_on:
        - yb-master

ddorian commented 2 years ago

Please see https://docs.yugabyte.com/preview/secure/authentication/password-authentication/.

My guess is that when you update the password, it's saved in MD5, then you change the config to scram-sha-256, but the password is hashed as MD5, so it doesn't match.
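One way to test the guess above against what is actually stored, as an added example that is not part of the thread or the project's code: it classifies a `rolpassword` value (as read from `pg_authid`) and reports whether a given HBA method can accept it. It assumes YSQL keeps PostgreSQL's verifier formats and HBA matching rules; the function names are hypothetical and the sample values are constructed from the password in the issue.

```python
import base64, hashlib, hmac, os

def md5_verifier(user, password):
    # PostgreSQL md5 format: "md5" + hex(md5(password || username))
    return "md5" + hashlib.md5((password + user).encode()).hexdigest()

def scram_verifier(password, salt=None, iterations=4096):
    # SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>; no SASLprep, ASCII only
    salt = salt or os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    b64 = lambda raw: base64.b64encode(raw).decode()
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"

def verifier_kind(rolpassword):
    # Classify the stored value by its prefix, the way the server tells them apart
    if rolpassword is None:
        return "none"
    if rolpassword.startswith("SCRAM-SHA-256$"):
        return "scram-sha-256"
    if len(rolpassword) == 35 and rolpassword.startswith("md5"):
        return "md5"
    return "unknown"

def password_matches(rolpassword, user, password):
    # Rebuild the verifier from the candidate password and compare
    kind = verifier_kind(rolpassword)
    if kind == "md5":
        return hmac.compare_digest(rolpassword, md5_verifier(user, password))
    if kind == "scram-sha-256":
        params, _keys = rolpassword[len("SCRAM-SHA-256$"):].split("$")
        iterations, salt = params.split(":")
        rebuilt = scram_verifier(password, base64.b64decode(salt), int(iterations))
        return hmac.compare_digest(rolpassword, rebuilt)
    return False

def hba_accepts(rolpassword, hba_method):
    # Only the md5 and scram-sha-256 methods are modelled: scram-sha-256 needs a
    # SCRAM verifier, while md5 also accepts one (the server switches to SCRAM).
    kind = verifier_kind(rolpassword)
    if hba_method == "scram-sha-256":
        return kind == "scram-sha-256"
    return hba_method == "md5" and kind in ("md5", "scram-sha-256")

if __name__ == "__main__":
    stored = md5_verifier("yugabyte", "bobisawesome")  # constructed sample value
    print(verifier_kind(stored), hba_accepts(stored, "scram-sha-256"))
```

A stored value that starts with `md5` while the HBA line says `scram-sha-256` would produce the reported login failure even with the correct password.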

Extarys commented 2 years ago

No, the line --ysql_pg_conf=password_encryption=scram-sha-256 is there as soon as I start the docker container for the first time. I did make that mistake the first time around though! :joy:

The 3 lines I add after I change the password are:

--ysql_enable_auth=true
--ysql_hba_conf_csv=host all all 0.0.0.0/0 scram-sha-256,host all all ::0/0 scram-sha-256
--use_client_to_server_encryption=true

EDIT: Even the docs suggest the default password is yugabyte when auth is enabled, which I cannot get to work. I could start the server with the above flags and it should still work. Ref: https://docs.yugabyte.com/preview/secure/authentication/password-authentication/#yugabytedb-database-passwords


ddorian commented 2 years ago

Can you try just changing the password without enabling encryption? So doing separate steps.