Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

--ysql_enable_auth unable to authenticate #2465

Closed
kntait opened this issue Sep 30, 2019 · 3 comments
Closed

--ysql_enable_auth unable to authenticate #2465

kntait opened this issue Sep 30, 2019 · 3 comments

Comments

@kntait
Copy link

@kntait kntait commented Sep 30, 2019

Using docker image yugabytedb/yugabyte:2.0.0.0-b16 i am not able to user authenticate with YSQL when using the t-server command option --ysql_enable_auth.

Feedback from mihne.
mihnea (YB) 2 hours ago
There is no password by default which causes issues when creating the cluster with that flag. As a workaround, you can start the cluster without the flag. Then connect and set passwords (and/or add/remove users as needed) with the usual SQL commands. Finally restart the cluster with that flag. I think we should improve the defaults for the auth case soon, so that it works out of the box. (edited)

The above aproach is not practical when automating a deployment of YugabyteDB, when enabling --ysql_enable_auth we should be able to login with default credentials and then create our own accounts and reset the default account password.

@kntait kntait changed the title --ysql_enable_auth causing cluster issus --ysql_enable_auth unable to authenticate Sep 30, 2019
@ddorian

This comment has been minimized.

Copy link
Contributor

@ddorian ddorian commented Sep 30, 2019

Did you try with postgres/postgres and yugabyte/yugabyte as username/password when setting --ysql_enable_auth ?

@kntait

This comment has been minimized.

Copy link
Author

@kntait kntait commented Sep 30, 2019

Hi @ddorian,

The following options all fail with --ysql_enable_auth=true set on all t-servers.

u:postgres p:postgres
u:postgres p:
u:yugabyte p:yugabyte
u:yugabyte p:

As i mentioned above @m-iancu confirmed on the the Yugabyte slack channel that "There is no password by default which causes issues when creating the cluster with that flag". I was then asked to create this issue.

The only thing that does work is to pass the below giving super user access with no password, however this is not practical or secure in a production environment.

--ysql_hba_conf='host all yugabyte 0.0.0.0/0 trust,host all all 0.0.0.0/0 md5,host all yugabyte ::0/0 trust,host all all ::0/0 md5'

m-iancu added a commit that referenced this issue Oct 2, 2019
Summary:
The default YSQL user `yugabyte` now has password `yugabyte` by default.
However, the password is only required if auth is explicitly enabled
(e.g. using the `ysql_enable_auth` flag), since otherwise we use trust all.

Previously `yugabyte` user had default password `null` so it was no possible to connect to it
at all while authentication was enabled.

Test Plan: Jenkins, TestPgConfiguration

Reviewers: neha

Reviewed By: neha

Subscribers: yql

Differential Revision: https://phabricator.dev.yugabyte.com/D7326
@schoudhury

This comment has been minimized.

Copy link
Contributor

@schoudhury schoudhury commented Oct 12, 2019

The latest 2.0.1 release has fixed this issue the following way.

  1. yugabyte user defaults a password yugabyte for all new clusters starting 2.0.1.
  • if the new cluster is started without the ysql_enable_auth flag then this default password will not be used.
  • if the new cluster is started with the ysql_enable_auth flag turned on , then the default password will be used.
  1. clusters that upgrade from 2.0.0 to 2.0.1 will continue to have the yugabyte user without any password.
  • if the new cluster is started without the ysql_enable_auth flag then the passwords for any user do not even come into picture.
  • if the cluster is started with ysql_enable_auth flag turned on, then a password has to be set explicitly for the yugabyte user using the workaround described above (start cluster without flag, set yugabyte user password and then start cluster with flag).

@m-iancu pls close this issue when you have a moment since 2.0.1 release is already available for download along with the necessary doc updates.

@ndeodhar ndeodhar closed this Oct 30, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
6 participants
You can’t perform that action at this time.