ALLOW_EMPTY_PASSWORD option is broken due to YAML syntax error #76691

Open
dlenskiSB opened this issue Jan 28, 2025 · 2 comments
Labels
cassandra tech-issues The user has a technical issue about an application triage Triage is needed

@dlenskiSB

Name and Version

bitnami/cassandra:5.0.2-debian-12-r3

What architecture are you using?

amd64

What steps will reproduce the bug?

The documentation for this container says that it's possible to set the environment variable ALLOW_EMPTY_PASSWORD=yes in order to allow connecting to the Cassandra CQL server without any credentials (e.g. cqlsh should work without -u/-p).

However, this option does not work.

Reproducing

$ docker run --name cassandra --env ALLOW_EMPTY_PASSWORD=yes --rm -it bitnami/cassandra:5.0.2-debian-12-r3
(fails after ~10 min)

Finding the root cause

Inspecting the logs in another terminal shows that there are parsing errors in the cassandra.yaml config file:

...
$ docker exec cassandra tail -n80 /opt/bitnami/cassandra/logs/cassandra_first_boot.log
INFO  [main] 2025-01-28 01:22:58,337 YamlConfigurationLoader.java:101 - Configuration location: file:/opt/bitnami/cassandra/conf/cassandra.yaml
Exception (org.apache.cassandra.exceptions.ConfigurationException) encountered during startup: Invalid yaml: file:/opt/bitnami/cassandra/conf/cassandra.yaml
org.apache.cassandra.exceptions.ConfigurationException: Invalid yaml: file:/opt/bitnami/cassandra/conf/cassandra.yaml
        at org.apache.cassandra.config.YamlConfigurationLoader.loadConfig(YamlConfigurationLoader.java:146)
        at org.apache.cassandra.config.YamlConfigurationLoader.loadConfig(YamlConfigurationLoader.java:114)
        at org.apache.cassandra.config.DatabaseDescriptor.loadConfig(DatabaseDescriptor.java:396)
        at org.apache.cassandra.config.DatabaseDescriptor.daemonInitialization(DatabaseDescriptor.java:258)
        at org.apache.cassandra.config.DatabaseDescriptor.daemonInitialization(DatabaseDescriptor.java:243)
        at org.apache.cassandra.service.CassandraDaemon.applyConfig(CassandraDaemon.java:780)
        at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:723)
        at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:865)
...

⚠ There's a YAML syntax mistake in the config file: class_name : AllowAllAuthenticator has an extra space in it before the :

$ docker exec -t cassandra grep -C3 AllowAllAuthenticator /opt/bitnami/cassandra/conf.default/cassandra.yaml
...
# - AllowAllAuthenticator performs no checks - set it to disable authentication.
# - PasswordAuthenticator relies on username/password pairs to authenticate
#   users. It keeps usernames and hashed passwords in system_auth.roles table.
#   Please increase system_auth keyspace replication factor if you use this authenticator.
#   If using PasswordAuthenticator, CassandraRoleManager must also be used (see below)
authenticator:
  class_name : AllowAllAuthenticator
# MutualTlsAuthenticator can be configured using the following configuration. One can add their own validator
# which implements MutualTlsCertificateValidator class and provide logic for extracting identity out of certificates
# and validating certificates.
...

In the case where ALLOW_EMPTY_PASSWORD is not specified, this line gets replaced with the correct syntax class_name: PasswordAuthenticator.

What is the expected behavior?

Cassandra container starts up without any required credentials.

What do you see instead?

Cassandra container fails to start and aborts after ~10 minutes.

Additional information

No response

@dlenskiSB dlenskiSB added the tech-issues The user has a technical issue about an application label Jan 28, 2025
@github-actions github-actions bot added the triage Triage is needed label Jan 28, 2025
@dlenskiSB
Author

Thankfully, there is a straightforward workaround for this issue, once we understand the root cause:

Use --env CASSANDRA_AUTHORIZER=AllowAllAuthorizer --env CASSANDRA_AUTHENTICATOR=AllowAllAuthenticator instead of ALLOW_EMPTY_PASSWORD=true

(docs)
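
A way to confirm which authenticator and authorizer a rendered cassandra.yaml actually selects, for example after applying the workaround above (added example, not part of the original comments and not Bitnami or Cassandra code). It reads the nested class_name form shown in the issue, with or without a space before the colon; the one-line `key: Class` form and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: report the class a cassandra.yaml sets for a top-level key
# such as "authenticator" or "authorizer". Function names are hypothetical.

# effective_class KEY FILE -> prints the configured class, or nothing if unset.
effective_class() {
    awk -v key="$1" '
        function value(line) {
            sub(/^[^:]*:[ \t]*/, "", line)   # drop "key:" or "key :"
            sub(/[ \t]+#.*$/, "", line)      # drop a trailing comment
            sub(/[ \t]+$/, "", line)         # drop trailing whitespace
            return line
        }
        /^[ \t]*#/ { next }                  # comment lines never count
        /^[^ \t#]/ {                         # unindented line: a top-level key
            inblock = 0
            if ($0 ~ "^" key "[ \t]*:") {
                v = value($0)
                if (v != "") { print v; exit }   # one-line form (assumed)
                inblock = 1                      # nested form: class_name follows
            }
            next
        }
        inblock && /^[ \t]+class_name[ \t]*:/ { print value($0); exit }
    ' "$2"
}

# auth_is_open FILE -> exit status 0 when authentication or authorization
# is switched off by an AllowAll* class.
auth_is_open() {
    [ "$(effective_class authenticator "$1")" = "AllowAllAuthenticator" ] ||
    [ "$(effective_class authorizer "$1")" = "AllowAllAuthorizer" ]
}

# When run with a path argument, audit that file.
if [ "$#" -gt 0 ]; then
    if auth_is_open "$1"; then
        echo "AllowAll* class set in $1: credentials are not required"
    else
        echo "no AllowAll* class set in $1"
    fi
fi
```

The file to check can be copied out of the running container from /opt/bitnami/cassandra/conf/cassandra.yaml, the path reported in the log above.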

dlenskiSB added a commit to dlenskiSB/cassandra that referenced this issue Jan 28, 2025
The presence of an extra space before the `:` in `key: value` pairs
makes the default `conf/cassandra.yaml` file included in
this repository unparseable and non-functional.

Among other downstream consequences of this bug:

- bitnami/containers#76691
  (where I identify the root cause)
- bitnami/containers#75745
dlenskiSB referenced this issue in apache/cassandra Jan 28, 2025
Patch by Jyothsna Konisa & Dinesh Joshi; reviewed by Yifan Cai, Jon Meredith,
Yuki Morishita & Dinesh Joshi for CASSANDRA-18554

Co-Authored-By: Dinesh Joshi <[email protected]>
@dlenskiSB
Author

dlenskiSB commented Jan 28, 2025

I discovered the (upstream) source.

Turns out that this is a syntax mistake in the cassandra.yaml file distributed upstream by apache/cassandra 🤕. This bug was introduced a year and a half ago in apache/cassandra@f078c02#diff-77707d0908c31940828b6425dcb09a7409827db99b48c371f71c63294dfe1562L153-R154

The fix is here: apache/cassandra#3837
