Every user in YTsaurus has a password. The password can be changed by the system administrator or by the user themselves. To change the password, one can use password update page or the set-user-password command in the YTsaurus CLI.

Initially, when the user is just created, no password is set, and it should be set separately by the administrator. For example,

yt create user --attr '{name=oleg}'
yt set-user-password oleg --new-password cone

administrator created the user oleg and sets the password cone for them.

Then, the users can update his password using the set-user-password command:

yt set-user-password oleg --current-password cone --new-password cube

Note that the user is required to enter the current password in order to change it. The administrator does not need to enter users' password when setting it for the first time or updating it later.

Auth tokens

To use YTsaurus though CLI or API, the user should provide an auth token. CLI commands issue-token, revoke-token and list-user-tokens can be used to manage tokens.

Command issue-token is used to issue a new token for the user. Unlike a password, user can have multiple active tokens.

yt issue-token oleg --password cone
"2c5956daecdff8dd45d2561a8679acf5"

Token 2c5956daecdff8dd45d2561a8679acf5 was issued for the user oleg. As with the set-user-password command, the should should specify a password when issuing a token, but the administrator is not required to do so.

List of active tokens for a user can be obtained via the list-user-tokens command.

yt list-user-tokens oleg --password cone
["87a5d9406ccf6a42cca510d86e43b20e2943aa7ade7e9129f4f4f947e1b02574"]

Note, that YTsaurus does not store tokens in plain text. Instead of the actual token, the command list-user-tokens prints a SHA256 of each token.

echo -n '2c5956daecdff8dd45d2561a8679acf5' | sha256sum
87a5d9406ccf6a42cca510d86e43b20e2943aa7ade7e9129f4f4f947e1b02574  -

To revoke user's token command revoke-token can be used. This command accepts either token itself or its sha256 hash. Any tokens of a user can be revoked by taking a result of list-user-tokens and applying the revoke-token command.

yt revoke-token oleg --token-sha256 87a5d9406ccf6a42cca510d86e43b20e2943aa7ade7e9129f4f4f947e1b02574  --password cube
yt revoke-token oleg --token 2c5956daecdff8dd45d2561a8679acf5  --password cube
yt list-user-tokens oleg --password cube
[]

Although token management requires the user's password, changing a user's password does not revoke their tokens. Therefore, tokens are managed independently from the password. In case the user's password is compromised, it is worth not only changing the password, but also revoking all tokens.