Securing Starter Deployments

The password that is set for the root user during the installation of the ArangoDB package has no effect in case of deployments done with the tool ArangoDB Starter, as this tool creates new database directories and configuration files that are separate from those created by the stand-alone installation.

Assuming you have enabled authentication in your Starter deployment (using --auth.jwt-secret=<secret-file>), by default the root user will be created with an empty password.

In order to the change the password of the root user, you can:

  • Open the ArangoDB web interface and change the password from there. More information.
  • Open an ArangoSH shell and use the function users.replace. More information.

In case you would like to automate the root password change, you might use the --javascript.execute-string option of the arangosh binary, e.g.:

arangosh --server.endpoint your-server-endpoint \
    --server.password "" \
    --javascript.execute-string 'require("org/arangodb/users").update("root", "mypwd");'

where “mypwd” is the new password you want to set.

If your Starter deployment has authentication turned off, it is suggested to turn it on using a JWT secret file. For more information on this topic, please refer to the Starter Option page.

Note that you cannot easily turn authentication on/off once your deployment has started for the first time. It is possible to stop all Starters and then manually modify all the arangod.conf files in yor data directory, but this is not recommended.

❮  Audit logging

© ArangoDB - Graph and Beyond