Community Articles

Find and share helpful community-sourced technical articles.
Labels (1)
avatar
Expert Contributor

It's not a simple process, but one that can be easily done by anyone with a little database admin experience. You have to add a user by restarting cbd with new user and password in Profile. Then you go into the database and move the encrypted password from the new user to the old. This will change the password and leave your old user with access to the clusters and resource you've already built.

Overview

  1. Edit the Profile and change both the UAA_DEFAULT_USER_PW to the desired new password and UAA_DEFAULT_USER_EMAIL to a different address.
  2. cbd restart – This will add a 2nd user with the new password to the database
  3. docker exec -ti cbreak_commondb_1 bash – Starts a bash shell in the database container
  4. pg_dump -Fc -U postgres uaadb > uaadb.dump – Makes a backup of the user database
  5. psql -U postgres – Starts a postgres shell
  6. postgres=# \c uaadb; – Connects to the user database in the postgres shell
  7. uaadb=# select * from users; – Shows the two accounts and their encrypted passwords
  8. update users set password='$2a$10$nTd3OV33zfM/lfQTIPKN7OrxL4uCQqRotJXXERqDhzeVB9Dlfmlum' where email = 'admin@example.com'; - Sets the original user’s password to the new user’s password, which you copy from the select output.
  9. Log in with the new password and you’ll see everything is still in place.

Walk-through


postgres=# \l
                                  List of databases
    Name     |  Owner   | Encoding |  Collate   |   Ctype    |   Access privileges
-------------+----------+----------+------------+------------+-----------------------
cbdb        | postgres | UTF8     | en_US.utf8 | en_US.utf8 |
periscopedb | postgres | UTF8     | en_US.utf8 | en_US.utf8 |
postgres    | postgres | UTF8     | en_US.utf8 | en_US.utf8 |
template0   | postgres | UTF8     | en_US.utf8 | en_US.utf8 | =c/postgres          +
             |          |          |            |            | postgres=CTc/postgres
template1   | postgres | UTF8     | en_US.utf8 | en_US.utf8 | =c/postgres          +
             |          |          |            |            | postgres=CTc/postgres
uaadb       | postgres | UTF8     | en_US.utf8 | en_US.utf8 |
(6 rows)

postgres=# \c uaadb;
You are now connected to database "uaadb" as user "postgres".
uaadb=# \d
                 List of relations
Schema |          Name          | Type  |  Owner
--------+------------------------+-------+----------
public | authz_approvals        | table | postgres
public | authz_approvals_old    | table | postgres
public | expiring_code_store    | table | postgres
public | external_group_mapping | table | postgres
public | group_membership       | table | postgres
public | groups                 | table | postgres
public | identity_provider      | table | postgres
public | identity_zone          | table | postgres
public | oauth_client_details   | table | postgres
public | oauth_code             | table | postgres
public | revocable_tokens       | table | postgres
public | schema_version         | table | postgres
public | sec_audit              | table | postgres
public | service_provider       | table | postgres
public | users                  | table | postgres
(15 rows)

uaadb=# select * from users;
                  id                  |         created         |      lastmodified       | version |          username          |                           password                           |           email            | givenname | familyname | active | phonenumber | authorities | verified | origin | external_id | identity_zone_id | salt | passwd_lastmodified | legacy_verification_behavior
--------------------------------------+-------------------------+-------------------------+---------+----------------------------+--------------------------------------------------------------+----------------------------+-----------+------------+--------+-------------+-------------+----------+--------+-------------+------------------+------+---------------------+------------------------------
eb52fb6c-b588-4401-8ad4-97b0e04ffc23 | 2018-06-28 19:55:02.066 | 2018-06-28 19:55:02.066 |       0 | admin@example.com  | $2a$10$TFGoKcaWNs7XWsO4AqvmlOHVe9yBSUcmtvo9tdLsf3AhL2oNUYOHW | admin@example.com  | Joe       | Admin      | t      |             | uaa.user    | t        | uaa    |             | uaa              |      | 2018-06-28 19:55:02 | f

2731b250-7de0-4f88-ae34-0fbd33206c42 | 2018-07-13 16:33:52.737 | 2018-07-13 16:33:52.737 |       0 | admin2@example.com | $2a$10$nTd3OV33zfM/lfQTIPKN7OrxL4uCQqRotJXXERqDhzeVB9Dlfmlum | admin2@example.com | Joe       | Admin      | t      |             | uaa.user    | t        | uaa    |             | uaa              |      | 2018-07-13 16:33:52 | f

(2 rows)
                                                          ^
uaadb=# update users set password='$2a$10$nTd3OV33zfM/lfQTIPKN7OrxL4uCQqRotJXXERqDhzeVB9Dlfmlum' where email = 'admin@example.com';
UPDATE 1
uaadb=# select * from users;
                  id                  |         created         |      lastmodified       | version |          username          |                           password                           |           email            | givenname | familyname | active | phonenumber | authorities | verified | origin | external_id | identity_zone_id | salt | passwd_lastmodified | legacy_verification_behavior
--------------------------------------+-------------------------+-------------------------+---------+----------------------------+--------------------------------------------------------------+----------------------------+-----------+------------+--------+-------------+-------------+----------+--------+-------------+------------------+------+---------------------+------------------------------
2731b250-7de0-4f88-ae34-0fbd33206c42 | 2018-07-13 16:33:52.737 | 2018-07-13 16:33:52.737 |       0 | admin2@example.com | $2a$10$nTd3OV33zfM/lfQTIPKN7OrxL4uCQqRotJXXERqDhzeVB9Dlfmlum | admin2@example.com | Joe       | Admin      | t      |             | uaa.user    | t        | uaa    |             | uaa              |      | 2018-07-13 16:33:52 | f

eb52fb6c-b588-4401-8ad4-97b0e04ffc23 | 2018-06-28 19:55:02.066 | 2018-06-28 19:55:02.066 |       0 | admin@example.com  | $2a$10$nTd3OV33zfM/lfQTIPKN7OrxL4uCQqRotJXXERqDhzeVB9Dlfmlum | admin@example.com  | Joe       | Admin      | t      |             | uaa.user    | t        | uaa    |             | uaa              |      | 2018-06-28 19:55:02 | f

(2 rows)

uaadb=# \q
bash-4.3# exit
[root@jwcbd cloudbreak-deployment]#

1,400 Views
0 Kudos
Comments
avatar
Cloudera Employee

There is another way where the user updates the password hash only (with a little help from a python script):

  1. save the password hash from uaadb's user table which looks similar to this: $2a$10$someSaltSomeSaltedHash,
  2. download the gen_password.py and check_password.py (see below this list) to a computer where you have python3 installed,
  3. install the bcrypt python package with pip3 install bcrypt, the script uses this to generate password hash with the Bcrypt algorithm,
  4. run python3 gen_password.py, the script uses useful defaults, so the customer needs to give the password only,
  5. save the generated hash into the uaadb's user table,
  6. try login with the new password.

gen_password.py

import bcrypt

import sys

rounds=int(input("Number of rounds [4..31], higher number gives more security but the genaration and login process will be slower (default 10): ") or 10)
prefix=str(input("Prefix (possible values 2a, 2b, 2y, default 2a): ") or "2a").encode("utf-8")
password=input("Password: ")

print("Generating hash for password: " + password)
password_hash = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt(rounds=rounds,prefix=prefix))
print(password_hash.decode("utf-8"))

check_password.py

import bcrypt

password=input("Password: ")
hashed_password=input("Hashed password: ")

if bcrypt.checkpw(password.encode("utf-8"), hashed_password.encode("utf-8")):
    print("Matches")
else:
    print("Doesn't match")

Example to generate:

$ python3 gen_password.py
Number of rounds [4..31], higher number gives more security but the genaration and login process will be slower (default 10):
Prefix (possible values 2a, 2b, 2y, default 2a):
Password: SomeReallyHardPassword
Generating hash for password: SomeReallyHardPassword
$2a$10$6ch6sgrqxWnQYsxPdgBXLe6HPb02P5CeYHlwRtiCciJ1gDrSvZ1Km

Example to validate:

$ python3 check_password.py 
Password: SomeReallyHardPassword
Hashed password: $2a$10$6ch6sgrqxWnQYsxPdgBXLe6HPb02P5CeYHlwRtiCciJ1gDrSvZ1Km
Matches

Note:

The algorithm is not deterministic so for the same password it will generate different hashes if you execute the script multiple times.