Cloudera Community

Community Articles

Find and share helpful community-sourced technical articles.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Changing Cloudbreak Password

Labels (1)
avatar
author-rank jwhitmore author-rank
Expert Contributor

Created on ‎02-01-2019 03:52 PM

It's not a simple process, but one that can be easily done by anyone with a little database admin experience. You have to add a user by restarting cbd with new user and password in Profile. Then you go into the database and move the encrypted password from the new user to the old. This will change the password and leave your old user with access to the clusters and resource you've already built.

Overview

  1. Edit the Profile and change both the UAA_DEFAULT_USER_PW to the desired new password and UAA_DEFAULT_USER_EMAIL to a different address.
  2. cbd restart – This will add a 2nd user with the new password to the database
  3. docker exec -ti cbreak_commondb_1 bash – Starts a bash shell in the database container
  4. pg_dump -Fc -U postgres uaadb > uaadb.dump – Makes a backup of the user database
  5. psql -U postgres – Starts a postgres shell
  6. postgres=# \c uaadb; – Connects to the user database in the postgres shell
  7. uaadb=# select * from users; – Shows the two accounts and their encrypted passwords
  8. update users set password='$2a$10$nTd3OV33zfM/lfQTIPKN7OrxL4uCQqRotJXXERqDhzeVB9Dlfmlum' where email = 'admin@example.com'; - Sets the original user’s password to the new user’s password, which you copy from the select output.
  9. Log in with the new password and you’ll see everything is still in place.

Walk-through


postgres=# \l
                                  List of databases
    Name     |  Owner   | Encoding |  Collate   |   Ctype    |   Access privileges
-------------+----------+----------+------------+------------+-----------------------
cbdb        | postgres | UTF8     | en_US.utf8 | en_US.utf8 |
periscopedb | postgres | UTF8     | en_US.utf8 | en_US.utf8 |
postgres    | postgres | UTF8     | en_US.utf8 | en_US.utf8 |
template0   | postgres | UTF8     | en_US.utf8 | en_US.utf8 | =c/postgres          +
             |          |          |            |            | postgres=CTc/postgres
template1   | postgres | UTF8     | en_US.utf8 | en_US.utf8 | =c/postgres          +
             |          |          |            |            | postgres=CTc/postgres
uaadb       | postgres | UTF8     | en_US.utf8 | en_US.utf8 |
(6 rows)

postgres=# \c uaadb;
You are now connected to database "uaadb" as user "postgres".
uaadb=# \d
                 List of relations
Schema |          Name          | Type  |  Owner
--------+------------------------+-------+----------
public | authz_approvals        | table | postgres
public | authz_approvals_old    | table | postgres
public | expiring_code_store    | table | postgres
public | external_group_mapping | table | postgres
public | group_membership       | table | postgres
public | groups                 | table | postgres
public | identity_provider      | table | postgres
public | identity_zone          | table | postgres
public | oauth_client_details   | table | postgres
public | oauth_code             | table | postgres
public | revocable_tokens       | table | postgres
public | schema_version         | table | postgres
public | sec_audit              | table | postgres
public | service_provider       | table | postgres
public | users                  | table | postgres
(15 rows)

uaadb=# select * from users;
                  id                  |         created         |      lastmodified       | version |          username          |                           password                           |           email            | givenname | familyname | active | phonenumber | authorities | verified | origin | external_id | identity_zone_id | salt | passwd_lastmodified | legacy_verification_behavior
--------------------------------------+-------------------------+-------------------------+---------+----------------------------+--------------------------------------------------------------+----------------------------+-----------+------------+--------+-------------+-------------+----------+--------+-------------+------------------+------+---------------------+------------------------------
eb52fb6c-b588-4401-8ad4-97b0e04ffc23 | 2018-06-28 19:55:02.066 | 2018-06-28 19:55:02.066 |       0 | admin@example.com  | $2a$10$TFGoKcaWNs7XWsO4AqvmlOHVe9yBSUcmtvo9tdLsf3AhL2oNUYOHW | admin@example.com  | Joe       | Admin      | t      |             | uaa.user    | t        | uaa    |             | uaa              |      | 2018-06-28 19:55:02 | f

2731b250-7de0-4f88-ae34-0fbd33206c42 | 2018-07-13 16:33:52.737 | 2018-07-13 16:33:52.737 |       0 | admin2@example.com | $2a$10$nTd3OV33zfM/lfQTIPKN7OrxL4uCQqRotJXXERqDhzeVB9Dlfmlum | admin2@example.com | Joe       | Admin      | t      |             | uaa.user    | t        | uaa    |             | uaa              |      | 2018-07-13 16:33:52 | f

(2 rows)
                                                          ^
uaadb=# update users set password='$2a$10$nTd3OV33zfM/lfQTIPKN7OrxL4uCQqRotJXXERqDhzeVB9Dlfmlum' where email = 'admin@example.com';
UPDATE 1
uaadb=# select * from users;
                  id                  |         created         |      lastmodified       | version |          username          |                           password                           |           email            | givenname | familyname | active | phonenumber | authorities | verified | origin | external_id | identity_zone_id | salt | passwd_lastmodified | legacy_verification_behavior
--------------------------------------+-------------------------+-------------------------+---------+----------------------------+--------------------------------------------------------------+----------------------------+-----------+------------+--------+-------------+-------------+----------+--------+-------------+------------------+------+---------------------+------------------------------
2731b250-7de0-4f88-ae34-0fbd33206c42 | 2018-07-13 16:33:52.737 | 2018-07-13 16:33:52.737 |       0 | admin2@example.com | $2a$10$nTd3OV33zfM/lfQTIPKN7OrxL4uCQqRotJXXERqDhzeVB9Dlfmlum | admin2@example.com | Joe       | Admin      | t      |             | uaa.user    | t        | uaa    |             | uaa              |      | 2018-07-13 16:33:52 | f

eb52fb6c-b588-4401-8ad4-97b0e04ffc23 | 2018-06-28 19:55:02.066 | 2018-06-28 19:55:02.066 |       0 | admin@example.com  | $2a$10$nTd3OV33zfM/lfQTIPKN7OrxL4uCQqRotJXXERqDhzeVB9Dlfmlum | admin@example.com  | Joe       | Admin      | t      |             | uaa.user    | t        | uaa    |             | uaa              |      | 2018-06-28 19:55:02 | f

(2 rows)

uaadb=# \q
bash-4.3# exit
[root@jwcbd cloudbreak-deployment]#
1,398 Views
0 Kudos
Comments

Re: Changing Cloudbreak Password

avatar
foldik author-rank
Cloudera Employee

Created on ‎02-15-2021 05:36 AM

There is another way where the user updates the password hash only (with a little help from a python script):

  1. save the password hash from uaadb's user table which looks similar to this: $2a$10$someSaltSomeSaltedHash,
  2. download the gen_password.py and check_password.py (see below this list) to a computer where you have python3 installed,
  3. install the bcrypt python package with pip3 install bcrypt, the script uses this to generate password hash with the Bcrypt algorithm,
  4. run python3 gen_password.py, the script uses useful defaults, so the customer needs to give the password only,
  5. save the generated hash into the uaadb's user table,
  6. try login with the new password.

gen_password.py

import bcrypt

import sys

rounds=int(input("Number of rounds [4..31], higher number gives more security but the genaration and login process will be slower (default 10): ") or 10)
prefix=str(input("Prefix (possible values 2a, 2b, 2y, default 2a): ") or "2a").encode("utf-8")
password=input("Password: ")

print("Generating hash for password: " + password)
password_hash = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt(rounds=rounds,prefix=prefix))
print(password_hash.decode("utf-8"))

check_password.py

import bcrypt

password=input("Password: ")
hashed_password=input("Hashed password: ")

if bcrypt.checkpw(password.encode("utf-8"), hashed_password.encode("utf-8")):
    print("Matches")
else:
    print("Doesn't match")

Example to generate:

$ python3 gen_password.py
Number of rounds [4..31], higher number gives more security but the genaration and login process will be slower (default 10):
Prefix (possible values 2a, 2b, 2y, default 2a):
Password: SomeReallyHardPassword
Generating hash for password: SomeReallyHardPassword
$2a$10$6ch6sgrqxWnQYsxPdgBXLe6HPb02P5CeYHlwRtiCciJ1gDrSvZ1Km

Example to validate:

$ python3 check_password.py 
Password: SomeReallyHardPassword
Hashed password: $2a$10$6ch6sgrqxWnQYsxPdgBXLe6HPb02P5CeYHlwRtiCciJ1gDrSvZ1Km
Matches

Note:

The algorithm is not deterministic so for the same password it will generate different hashes if you execute the script multiple times.

Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements
Version history
Last update:
‎02-01-2019 03:52 PM
Updated by:
Expert Contributor Expert Contributor
Contributors