Sign inTry Free

Recovering from Loss of Root Credentials

Warning

SingleStore 9.0 gives you the opportunity to preview, evaluate, and provide feedback on new and upcoming features prior to their general availability. In the interim, SingleStore 8.9 is recommended for production workloads, which can later be upgraded to SingleStore 9.0.

On this page

If the affected node is using Tools for managing the cluster you may be able to reset a root password using the the sdb-admin change-root-password command .

If the root credential is lost on only the master aggregator and there are existing child aggregators in the cluster, then a child aggregator can be promoted to master aggregator. The old master aggregator can be deleted after a child aggregator is deployed in its place.. See Tools: Aggregator Failures.

If all else fails, the insecure_accept_any_password_for_all_users option can be set to true at startup. For example:

sudo /ebs/memsql/master-3306-MI63dd6b39/memsqld --defaults-file=/ebs/memsql/master-3306-MI63dd6b39/memsql.cnf \
--pid-file=/ebs/memsql/master-3306-MI63dd6b39/data/memsqld.pid --user=memsql --insecure_accept_any_password_for_all_users=true
----------------------------------------------------------------------------------------
2019-12-07 01:52:09.822   WARN: MemSQL is running with option "insecure_accept_any_password_for_all_users". Please fix your user account and turn off this mode.
2019-12-07 01:52:09.822   INFO: Successfully became user 'memsql' (uid 999, gid 999)
2019-12-07 01:52:10.059   INFO: Entering command loop
2019-12-07 01:52:11.545   INFO: Initializing OpenSSL
2019-12-07 01:52:11.546   INFO: MemSQL version hash: e973c625ae6d372c2d41d39b19612202c244fd7a (Sun Oct 20 22:22:04 2019 -0400)
2019-12-07 01:52:11.630   INFO: ./memsqld: ready for connections.
2019-12-07 01:52:11.630   INFO: Version:  '6.8.11'  Socket:  '/ebs/memsql/master-3306-MI63dd6b39/data/memsql.sock'  Port:  '3306'
2019-12-07 01:52:11.723   INFO: Replaying snapshots/memsql_snapshot_0: started replaying from offset 0
2019-12-07 01:52:11.724   INFO: Replaying snapshots/memsql_snapshot_0: Log record expected at offset 89.
2019-12-07 01:52:11.724   INFO: Replaying snapshots/memsql_snapshot_0: completed replaying at offset 89

A node started with the --insecure_accept_any_password_for_all_users=true option will allow a user to log in without a password only once. Subsequent login attempts will fail.

The following warning will be logged in the memsql.log file:

WARN: Thread 99996: AuthenticateUser: User logged in using "insecure_accept_any_password_for_all_users" mode. Please restart the server without this option after fixing your accounts.

Distributed User

The distributed user is an internal user that has all privileges in the system. You can sign in with this internal user only if the non-sync global variable, insecure_accept_any_password_for_all_users=true. This variable can be set only at startup. It is not available in the single-box mode.

The distributed user can be used to log in if you have dropped the root user.

memsql> show users;
Empty set (0.000 sec)

memsql> select current_user();
+-----------------------+
| current_user()        |
+-----------------------+
| distributed@localhost |
+-----------------------+
1 row in set (0.000 sec)

memsql> create user root@'%';
Query OK, 0 rows affected (0.009 sec)

memsql> grant all on *.* to root@'%';
Query OK, 0 rows affected (0.009 sec)

memsql> show grants for root;
+-------------------------------------------+
| Grants for root@%                         |
+-------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' |
+-------------------------------------------+
1 row in set (0.000 sec)

Last modified: July 27, 2023

Was this article helpful?

On this page

Was this article helpful?

Verification instructions

Note: You must install cosign to verify the authenticity of the SingleStore file.

Use the following steps to verify the authenticity of singlestoredb-server, singlestoredb-toolbox, singlestoredb-studio, and singlestore-client SingleStore files that have been downloaded.

You may perform the following steps on any computer that can run cosign, such as the main deployment host of the cluster.

  1. (Optional) Run the following command to view the associated signature files.

    curl undefined

  2. Download the signature file from the SingleStore release server.

    • Option 1: Click the Download Signature button next to the SingleStore file.

    • Option 2: Copy and paste the following URL into the address bar of your browser and save the signature file.

    • Option 3: Run the following command to download the signature file.

      curl -O undefined

  3. After the signature file has been downloaded, run the following command to verify the authenticity of the SingleStore file.

    echo -n undefined |
        cosign verify-blob --certificate-oidc-issuer https://oidc.eks.us-east-1.amazonaws.com/id/CCDCDBA1379A5596AB5B2E46DCA385BC \
          --certificate-identity https://kubernetes.io/namespaces/freya-production/serviceaccounts/job-worker \
          --bundle undefined \
          --new-bundle-format -
    Verified OK