Updating passwords

Edit online

Update your Grafana, prometheus or mongodb password for IBM Watson® Machine Learning Accelerator.

Updating mongodb passwords

The Watson Machine Learning Accelerator service has two database password settings configured, one for the mongodb database admin (admin), and one for the dlidb database user (dliadmin).

To update your mongodb passwords:
  1. Log in to your Red Hat® OpenShift® cluster as a project administrator:
    oc login OpenShift_URL:port
  2. To update password, switch to Watson Machine Learning Accelerator namespace
    oc project wmla-namespace
  3. Create a backup of the current password:
    oc get secret wmla-mongodb-secret -o yaml
  4. Encode a new password:
    echo -n 'new-admin-password'|base64
echo -n 'new-wmla-user-password'|base64
    where new-admin-password is the new password for the database admin and new-wmla-user-password is the new password for the dlidb database.
  5. Set a new password in wmla-mongodb-secret:
    oc patch secret wmla-mongodb-secret --patch '{"data":{"mongodb-admin-passwd":"encoded-admin-password"}}' --type=merge
oc patch secret wmla-mongodb-secret --patch '{"data":{"mongodb-user-passwd":"encoded-wmla-user-password"}}' --type=merge
    where encoded-admin-password is the encoded password for the admin database and encoded-wmla-user-password is the encoded password of the Watson Machine Learning Accelerator database dlidb.
  6. Update the passwords on the mongodb pod.
    1. Log on one of mongodb pod.
      oc exec -it wmla-mongodb-0 bash -n wmla-ns
    2. Export the Watson Machine Learning Accelerator namespace. 
      export wmla-ns=wmla-ns
      where wmla-ns is the Watson Machine Learning Accelerator namespace.
    3. Run the following commands in the mongodb pod to update the mongodb passwords:
      mongo --tls --tlsCAFile /var/shareDir/mongodb/tls/ca.crt --tlsCertificateKeyFile /tmp/mongodb.pem wmla-mongodb-0.wmla-mongodb.$wmla-ns-ns.svc.cluster.local,wmla-mongodb-1.wmla-mongodb.$wmla-ns.svc.cluster.local,wmla-mongodb-2.wmla-mongodb.$wmla-ns.svc.cluster.local:27017/admin -u admin -p $MONGODB_ADMIN_PASSWORD --quiet --eval "db.getSiblingDB('dlidb').changeUserPassword(\"dliadmin\", \"new-wmla-user-password\")"
mongo --tls --tlsCAFile /var/shareDir/mongodb/tls/ca.crt --tlsCertificateKeyFile /tmp/mongodb.pem wmla-mongodb-0.wmla-mongodb.$wmla-ns.svc.cluster.local,wmla-mongodb-1.wmla-mongodb.$wmla-ns.svc.cluster.local,wmla-mongodb-2.wmla-mongodb.$wmla-ns.svc.cluster.local:27017/admin -u admin -p $MONGODB_ADMIN_PASSWORD --quiet --eval "db.changeUserPassword(\"admin\", \"new-admin-password\")"
      where wmla-ns is the Watson Machine Learning Accelerator namespace, new-admin-password is password of admin database and new-wmla-user-password is the password for the Watson Machine Learning Accelerator dlidb database.
  7. Restart the wmla-dlpd and wmla-logstash pods:
    oc scale --replicas 0 deploy wmla-dlpd
oc scale --replicas 0 deploy wmla-logstash -n wmla-ns

oc scale --replicas 1 deploy wmla-dlpd wmla-logstash
oc scale --replicas 1 deploy wmla-logstash -n wmla-ns
    where wmla-ns is the Watson Machine Learning Accelerator namespace.
  8. Verify that the passwords were changed by submitting a successful training job.

Updating prometheus password

To update your prometheus password:
  1. Use the htpasswd utility to produce the hash for password. For example: 
    htpasswd -n admin
New password:
Re-type new password:
admin:$apr1$u8s2rQzR$kLSIGXXA4G3xdbg2Q6v4r.
    To get the base64 encoded password: 
    echo 'admin:$apr1$u8s2rQzR$kLSIGXXA4G3xdbg2Q6v4r.' | base64 -
  YWRtaW46JGFwcjEkdThzMnJRelIka0xTSUdYWEE0RzN4ZGJnMlE2djRyLgo=
  2. Update the secret using the base64 encoded password. For example:
    oc patch secret/wmla-prometheus-htpasswd -p '{"data":{"htpasswd":"YWRtaW46JGFwcjEkdThzMnJRelIka0xTSUdYWEE0RzN4ZGJnMlE2djRyLgo="}}'
  secret/wmla-prometheus-htpasswd patched
  3. Restart the prometheus pod to pickup updated secret:
    oc delete pod wmla-prometheus-pod
    where wmla-prometheus-pod is the name of the prometheus pod.
  4. Verify that the secret is in configuration file:
    oc exec -it wmla-prometheus-pod -c sidecar -- cat /etc/nginx/auth/htpasswd
admin:$apr1$u8s2rQzR$kLSIGXXA4G3xdbg2Q6v4r.
  5. Verify the new password. 
    oc exec -it wmla-prometheus-pod -c prometheus -- curl -u admin:new-password https://wmla-prometheus:9090 -k
    Where new-password is the new password.
    If successful, the result returns Found:
    <a href="/prometheus/graph">Found</a>.
  6. After updating the password, update your prometheus connection in Grafana. To update the connection: :
    1. Log in to Grafana.
    2. Navigate to Configuration/Data Sources, click on Prometheus.
    3. Under Basic Auth Details, click Reset and enter the password. If successful, the result returns: Data source is working.

Updating Grafana password

To update the Grafana password:
  1. Obtain the Grafana password:
    CRED=`oc get secret wmla-grafana-secret -n wmla-ns -o jsonpath=\"{.data.admin-password}\"`
  2. Decode the password:
    echo $CRED | tr -d '"' | base64 --decode
yryibNyJYqDvYFlgYHVI
  3. Using the admin account and the password obtained, you can change the Grafana password from the Grafana console, see: Manage user preferences.