Changing admin password in a cluster

[mariocasciaro-d4h]

As part of our security best practices, we regularly have to change the admin password of our couchdb clusters.

Is it as simple as updating admin = <new password> in 10-admins.ini in each node one by one? Is there any risk that this would create issues with data synchronization in the cluster?

[nickva]

That could work as long as the 10-admins.ini file is writable, as on first use it will be update it with the hashed value (admin = -pbkdf2-...`).

But note, if the file is updated outside CouchDB, by some external process (ex: configuration management replaces it on disk), CouchDB won't automatically re-read it from disk. It doesn't automatically poll or monitor config files after the initial read. So, you could either restart the node yourself, or issue a POST to http://adm:$oldpass@$url/_node/[email protected]/_config/_reload that will force a reload.

This shouldn't affect data synchronization in a cluster as that goes over Erlang distribution: https://docs.couchdb.org/en/stable/setup/cluster.html#ports-and-firewalls. But obviously might affect clients which didn't update their admin:pass combination yet.

[mariocasciaro-d4h]

Thank you for the detailed info!

[rnewson]

you also ideally want to set all nodes to the same hashed form, otherwise a session cookie acquired on one node will not be accepted by the others. either 1) generate the hashed form yourself when PUT'ing to config (and remember to set ?raw=true to inhibit couchdb from hashing it again) 2) generate the hashed form, write it to the local.ini's and call _reload, 3) write the password to one node, and copy that hashed form from 10-admins.ini to the others.