Issue Accessing UI After Enabling Authentication

Hello everyone,

I’m experiencing an issue after enabling authentication in YugabyteDB. Before enabling authentication, the UI was working correctly. However, after activating the following options:

  • --ysql_enable_auth=true for YSQL
  • --use_cassandra_authentication=true for YCQL

The UI can no longer connect and returns errors.

Deployment Details

I deployed YugabyteDB using the following Helm command:

helm upgrade yugabyte yugabytedb/yugabyte \
  --namespace yugabytedb \
  --create-namespace \
  --version 2.25.0 \
  --set image.tag=2.25.0.0-b489 \
  --set service.type=ClusterIP \
  --set storage.master.storageClass=longhorn \
  --set storage.tserver.storageClass=longhorn \
  --set storage.master.size=10Gi \
  --set storage.tserver.size=10Gi \
  --set resource.master.requests.cpu=500m \
  --set resource.master.requests.memory=1000Mi \
  --set resource.tserver.requests.cpu=500m \
  --set resource.tserver.requests.memory=1000Mi \
  --set replicas.master=2 \
  --set replicas.tserver=2 \
  --set ysql.auth.enabled=true \
  --set gflags.tserver.ysql_enable_auth=true \
  --set gflags.tserver.use_cassandra_authentication=true \
  --set ycql.auth.enabled=true \
  --set ycql.auth.username=cassandra \
  --set ycql.auth.password=PasswordWhaoo \
  --set tls.enabled=true \
  --set tls.autoGenerateCerts=true

Issue

  • When authentication is disabled, the UI works fine.
  • After enabling ysql_enable_auth=true and use_cassandra_authentication=true, the UI stops working and does not prompt for login credentials.
  • The UI seems unable to connect to the services.

Questions

  1. How can I properly configure authentication so that the UI can connect successfully?
  2. Does the UI have a built-in authentication option to restrict access? Currently, anyone can access the page, which is a security concern.

I can provide logs from the yugabyted-ui-service if needed.

Thanks in advance for your help!


Hi @zootopie

Yes, please provide the logs.

Hello @dorian_yugabyte

Here are the logs you asked for. Thank you for your help.

yb-master-0_yb-master.log : disk check at: Mon Feb 3 09:24:28 UTC 2025DNS addr resolve: yb-master-0.yb-ma - Pastebin.com

Those don’t look like logs of yugabyted-ui. Looks to me like yb-master/yb-tserver. Can you confirm?

And this yb-master-0_yugabyted-ui.log : 2025-02-03T10:27:13.654Z info server/main.go:100 main.main Logger initialized wi - Pastebin.com

I’ve asked internally about this and will get back to you.

Unrelated to your issue:

Please read Deployment checklist for YugabyteDB clusters | YugabyteDB Docs for valid replication factor values.

I changed it to 3, as the documentation says to use odd numbers, but the problem persists:

  --set replicas.master=3 \
  --set replicas.tserver=3 \

  1. You need to change ycql.auth.username and ycql.auth.password to authCredentials.ycql.user and authCredentials.ycql.password
  2. If the credentials were not already set up before the upgrade, then after the upgrade they need to either trigger the setup-credentials job, or manually set up the credentials

Then the UI should work.

The reason we don’t trigger on upgrade is because credentials could have changed so we don’t have a good way to reset the password.

You should use the K8s operator for this to work; we support dynamic credential update in the CR.

Hello @dorian_yugabyte ,

I have performed the upgrade following your recommendations using the following command:

helm upgrade yugabyte yugabytedb/yugabyte \
  --namespace yugabytedb \
  --create-namespace \
  --version 2.25.0 \
  --set image.tag=2.25.0.0-b489 \
  --set service.type=ClusterIP \
  --set storage.master.storageClass=longhorn \
  --set storage.tserver.storageClass=longhorn \
  --set storage.master.size=10Gi \
  --set storage.tserver.size=10Gi \
  --set resource.master.requests.cpu=500m \
  --set resource.master.requests.memory=1000Mi \
  --set resource.tserver.requests.cpu=500m \
  --set resource.tserver.requests.memory=1000Mi \
  --set replicas.master=3 \
  --set replicas.tserver=3 \
  --set ysql.auth.enabled=true \
  --set gflags.tserver.ysql_enable_auth=true \
  --set gflags.tserver.use_cassandra_authentication=true \
  --set ycql.auth.enabled=true \
  --set authCredentials.ycql.user=admin \
  --set authCredentials.ycql.password=SuperMotDePasse123 \
  --set tls.enabled=true \
  --set tls.autoGenerateCerts=true

I have also created the admin user with superadmin privileges and this password.

However, the issue still persists: logs here.
I see an incorrect password in the errors, even though it’s correct. I’m able to connect with the user and password.

Yet, I can successfully connect to the PostgreSQL database with admin user and using a third-party software on my PC, which means the port is open and functioning properly.

Could you help me understand why the YCQL connection is still not working despite these configurations?

Thanks in advance for your help!

@zootopie can you please provide us the exact steps you performed after running the helm upgrade command?

How did you propagate the YCQL password? Did you run the setup-credentials job or explicitly set the password by logging into YCQL using:

ALTER ROLE admin WITH PASSWORD = 'SuperMotDePasse123';

@nmalladi I did not use setup-credentials, just the command, and then I made this user a superadmin. After doing that and rebooting, I can connect as admin with the password; it works:

ALTER ROLE admin WITH PASSWORD = 'SuperMotDePasse123';
ALTER ROLE admin WITH SUPERUSER;

I am also having a similar issue.

For some reason, the default username/password pair doesn’t work, with the error:

Provided username 'cassandra' and/or password are incorrect

docker-compose.yaml

services:
  db-1:
    image: yugabytedb/yugabyte:2.25.0.0-b489
    restart: always
    command: [
      "bin/yugabyted",
      "start",
      "--listen=db-1",
      "--background=false",
      "--base_dir=/home/yugabyte/yb_data",
      "--ysql_enable_auth=true",
      "--use_cassandra_authentication=true",
      "--tserver_flags=flagfile=/ydb.conf"
    ]
    ports:
      - "5433:5433"
      - "15433:15433"
    volumes:
      - ./data/db-1:/home/yugabyte/yb_data
      - ./ydb.conf:/ydb.conf

/ydb.conf

--ysql_hba_conf_csv=host all all all trust,local all yugabyte trust

yugabyted-ui.err

2025-02-05T03:02:04.264Z	error	server/main.go:142	main.main	Error initializing the gocql session.
2025-02-05T03:02:04.264Z	error	server/main.go:143	main.main	gocql: unable to create session: unable to discover protocol version: Provided username 'cassandra' and/or password are incorrect
using embed mode
2025-02-05T03:02:31.055Z	error	handlers/container.go:76	apiserver/cmd/server/handlers.(*Container).GetSession	Error initializing the gocql session: gocql: unable to create session: unable to discover protocol version: Provided username 'cassandra' and/or password are incorrect
2025-02-05T03:02:31.055Z	error	handlers/api_cluster_info.go:499	apiserver/cmd/server/handlers.(*Container).GetClusterMetric	[GetSession]: gocql: unable to create session: unable to discover protocol version: Provided username 'cassandra' and/or password are incorrect
2025-02-05T03:02:32.452Z	error	handlers/container.go:76	apiserver/cmd/server/handlers.(*Container).GetSession	Error initializing the gocql session: gocql: unable to create session: unable to discover protocol version: Provided username 'cassandra' and/or password are incorrect
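
A triage helper for the yugabyted-ui.err output above, added here as an example and not part of the original post or of YugabyteDB: it extracts which username the UI presented to YCQL and flags it when it differs from the one set as authCredentials.ycql.user. The function name, the configured_user parameter and the sample log (constructed in the layout shown above) are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the yugabyted-ui.err layout shown above:
# tab-separated timestamp, level, caller, function, message.
SAMPLE_LOG = (
    "2025-02-05T03:02:04.264Z\terror\tserver/main.go:143\tmain.main\t"
    "gocql: unable to create session: unable to discover protocol version: "
    "Provided username 'cassandra' and/or password are incorrect\n"
    "using embed mode\n"
    "2025-02-05T03:02:31.055Z\terror\thandlers/container.go:76\t"
    "apiserver/cmd/server/handlers.(*Container).GetSession\t"
    "Error initializing the gocql session: gocql: unable to create session: "
    "unable to discover protocol version: "
    "Provided username 'cassandra' and/or password are incorrect\n"
)

AUTH_FAIL = re.compile(r"Provided username '([^']*)' and/or password are incorrect")


def triage_ycql_auth(log_text, configured_user):
    """Summarise YCQL login rejections seen by the UI.

    configured_user is the value the operator passed as
    authCredentials.ycql.user (supplied by the caller, not read from the cluster).
    """
    rejected = Counter()
    first = last = None
    for line in log_text.splitlines():
        fields = line.split("\t", 4)
        if len(fields) < 5 or fields[1] != "error":
            continue  # banner lines such as "using embed mode"
        match = AUTH_FAIL.search(fields[4])
        if not match:
            continue
        rejected[match.group(1)] += 1
        first = first or fields[0]
        last = fields[0]
    # Usernames the UI presented that differ from the configured one: the UI
    # is not using the credentials the operator believes it is.
    unexpected = sorted(u for u in rejected if u != configured_user)
    return {"rejected": dict(rejected), "first": first, "last": last,
            "unexpected_users": unexpected}


if __name__ == "__main__":
    print(triage_ycql_auth(SAMPLE_LOG, configured_user="admin"))
```

An empty unexpected_users list alongside non-zero rejections means the username matches what was configured and it is the password stored for that role that differs.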

Please try with setup-credentials

How do I use setup-credentials? I don’t see any part of the docs that talks about how to do that. Could you send me the doc that explains how to do this?

It’s defined here: charts/stable/yugabyte/templates/hooks/setup-credentials-job.yaml at 132f70dd12822d2bda99681037d8eea2162c96f4 · yugabyte/charts · GitHub

I don’t think there are docs for it though.

@dorian_yugabyte I’ve just done it, but it hasn’t solved my problem… What’s strange is that I can connect to the database with “admin” and “SuperPassword123”, so I don’t understand why the identifiers I’ve created are invalid. What can I do?

Here’s how it works [SOLUTION]

WARNING /!\ The password must not be too long or contain some special characters; it may not work if the password is too long. I put 50 characters and it works.

Make sure you have uninstalled all YugabyteDB

helm install yugabyte yugabytedb/yugabyte \
  --namespace yugabytedb \
  --create-namespace \
  --version 2.25.0 \
  --set image.tag=2.25.0.0-b489 \
  --set service.type=ClusterIP \
  --set storage.master.storageClass=longhorn \
  --set storage.tserver.storageClass=longhorn \
  --set storage.master.size=10Gi \
  --set storage.tserver.size=10Gi \
  --set resource.master.requests.cpu=500m \
  --set resource.master.requests.memory=1000Mi \
  --set resource.tserver.requests.cpu=500m \
  --set resource.tserver.requests.memory=1000Mi \
  --set replicas.master=3 \
  --set replicas.tserver=3 \
  --set tls.enabled=true \
  --set tls.autoGenerateCerts=true \
  \
  --set ysql.auth.enabled=true \
  --set gflags.tserver.ysql_enable_auth=true \
  \
  --set ycql.auth.enabled=true \
  --set gflags.tserver.use_cassandra_authentication=true \
  \
  --set authCredentials.ycql.user=cassandra \
  --set authCredentials.ycql.password="YOUR_PASSWORD_HERE"

For storage I use LongHorn, if you haven’t used it elsewhere, performance has been limited because it’s a small database.
