change-root-password
Description
Change the root password for a node on the local host.
Note: The change-root-password command can only be run against nodes in a running process state.
The root password is stored in the following places:
- In the cluster metadata, which is used by the cluster to verify incoming connections.
- In the nodeMetadataFile (run memsqlctl env to display the path to the file), which is used by memsqlctl to connect to a node.
The change-root-password command can be used in the following cases:
- If the nodeMetadataFile is in sync with the cluster metadata, the command will update the password in both the cluster metadata and the nodeMetadataFile by calling SET PASSWORD FOR 'root'@<host> = PASSWORD(<new password>).
- If the nodeMetadataFile is no longer in sync with the cluster and the nodes have become inaccessible (such as when the password is changed without using memsqlctl), the command will update the password only in the nodeMetadataFile and only if the provided password matches the password in the cluster metadata.
The memsqlctl command supports pre-encrypted passwords passed as command line arguments.
memsqlctl change-root-password --fix-secure-key
After running this command, the user must also set the root password for each node on the local host, as the nodeMetadataFile will be out of sync with the cluster metadata.
Usage
Usage:
  memsqlctl change-root-password [flags]

Flags:
  -a, --all                 Change the password of all nodes on the host
      --fix-secure-key      Reset the secure key
      --force               Force password update on stopped nodes
  -h, --help                Help for change-root-password
      --memsql-id strings   The node ID
      --password STRING     The new database root password for the node

Global Flags:
  -c, --config FILE_PATH                     Path to the memsqctl config file
      --default-install-dir DIRECTORY_PATH   Path to the default install directory
      --insecure-ssl                         Fall back to insecure SSL connections to local nodes if memsqlctl is unable to otherwise establish a connection (ADVANCED)
  -j, --json                                 Print output in JSON format
      --node-metadata-file FILE_PATH         Path to the node metadata file
      --parallelism POSITIVE_INTEGER         Maximum amount of operations to be run in parallel
      --ssl-ca FILE_PATH                     The path to the CA certificate file (in PEM format) to authenticate the database certificate
      --timeout duration                     Maximum time for operation to complete (e.g., 30s, 10m, 1.5h)
      --verbose-json                         Print output in JSON format, include some warnings and user messages
  -v, --verbosity count                      Increase logging verbosity
  -y, --yes                                  Enable non-interactive mode and assume the user would like to move forward with the proposed actions by default
Remarks
- When running this command, memsqlctl will attempt to connect to a running node using the root user and existing root password for the node that is already stored in nodes.hcl. If the existing root password does not work, then the nodes.hcl file has become out of sync with the current state of the node. This can be caused by either a manual password change by the user without using memsqlctl, or the root password was encrypted with an older encryption key. To fix this issue, memsqlctl will try to connect to the node with the new password and, if it works, memsqlctl will update nodes.hcl with the new password encrypted with the current encryption key. This behavior allows change-root-password to be used to update memsqlctl when there is state drift.
- --password is a required flag that specifies the new SingleStore root password to be configured. Wrap the value of password in single quotes to avoid having the shell try to interpret any special characters included in the string.
- The new password can also be specified through the environment variable MEMSQL_PASSWORD instead of as a command-line argument.
- Once connected, memsqlctl will run GRANT… SQL commands on the node to change the password to the new password and then update nodes.hcl.
- This command is interactive unless you use either the --yes or --json flag to override interactive behavior.
- The memsqlctl change-root-password command is equivalent to the sdb-admin change-root-password command.
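Added example, not part of the SingleStore documentation: a wrapper that supplies the new password through MEMSQL_PASSWORD, as the remarks above allow, so the value never appears in argv (where it can show up in shell history or the process list) and needs no shell quoting. The function names read_secret and change_root_password are hypothetical, and the script assumes it runs as a user that can invoke memsqlctl directly.

```sh
#!/bin/sh
# Added example (not from the SingleStore docs): change the root password
# without putting it on the command line or in shell history.
# Assumption: run as a user that may invoke memsqlctl directly. sudo resets
# the environment by default, so "sudo memsqlctl" would not see MEMSQL_PASSWORD.

# read_secret PROMPT: read one line from stdin, echo disabled on a terminal.
read_secret() {
    secret=''
    if [ -t 0 ]; then
        printf '%s' "$1" >&2
        stty -echo
        IFS= read -r secret || true
        stty echo
        printf '\n' >&2
    else
        IFS= read -r secret || true   # piped input, e.g. from a secrets manager
    fi
    printf '%s' "$secret"
}

# change_root_password: read the password twice, then update every node on
# this host. --yes is used because stdin has been consumed by the prompts.
change_root_password() {
    new_pw=$(read_secret 'New root password: ')
    confirm=$(read_secret 'Repeat new root password: ')
    if [ -z "$new_pw" ]; then
        echo 'error: empty password' >&2
        return 2
    fi
    if [ "$new_pw" != "$confirm" ]; then
        echo 'error: passwords do not match' >&2
        return 3
    fi
    # The prefix assignment exports MEMSQL_PASSWORD to this one process only.
    # No quoting is needed: the value never passes through shell parsing.
    MEMSQL_PASSWORD=$new_pw memsqlctl change-root-password --all --yes
    ret=$?
    unset new_pw confirm
    return "$ret"
}
```

Source the file and call change_root_password from a terminal, or feed it two identical lines on stdin from a secrets tool.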
Output
The following is the standard output for the change-root-password
command.
sudo memsqlctl change-root-password --password "NewSecurePass"
+-------+------------+------------+------+---------------+---------+
| Index | MemSQL ID  | Role       | Port | Process State | Version |
+-------+------------+------------+------+---------------+---------+
| 1     | 01FA0ABD58 | Aggregator | 3306 | Running       | 6.5.10  |
| 2     | 994274A024 | Leaf       | 3307 | Running       | 6.5.10  |
| 3     | All Nodes  |            |      |               |         |
+-------+------------+------------+------+---------------+---------+
Select an option: 2
memsqlctl will perform the following actions
· On SingleStore node with ID 994274A024996ADAD6B1B780352C0EDBC0E7328F:
- Run `SET PASSWORD FOR 'root'@'%' = PASSWORD(***)`
Would you like to continue? [y/N]: y
✓ Set new password for node with MemSQL ID 994274A024996ADAD6B1B780352C0EDBC0E7328F
Last modified: April 22, 2024