How to Solve "unable to authenticate" Issue, Stopping Tamr from Starting Properly?

Problem: When starting Tamr, you run into “Unable to authenticate user ‘system’” error.

Cause: The issue occurs when the password for the “system” user on the UI doesn’t sync with the password stored in the zookeeper. If you forgot the “system” password on the UI, it is not possible to update the “system” password on the UI after restart of Tamr as Tamr doesn’t start properly due to the following error:

    ERROR<> [2021-01-13 00:04:47,944] com.tamr.procurify.api.ProcurifyApp: Failed to ensure the initial install version is set.

    ! com.tamr.common.except.ServiceException: Unable to authenticate user "system"

    ! at com.tamr.common.except.ServiceException.withFormattedMessage(

This leaves the Tamr instance in an unstable state.

Resolution: To resolve this issue, obtain the credentials from another working instance if you have any by using the following commands:

  1. From Postgres:

    SELECT data FROM auth.internal_usercredentials_ns_current
    WHERE data->>'username'='system';
  2. Tamr config:

      ./tamr/utils/ config:get TAMR_SYSTEM_PASSWORD

Once you obtain the credentials, do BOTH of the following in the affected Tamr instance:

  1. From Postgres, update the system password:

    UPDATE  auth.internal_usercredentials_ns_current
    SET data='{"password": "<system_password>", "username": "system"}'
    WHERE data->>'username'='system';
  2. From Tamr config, set the TAMR_SYSTEM_PASSWORD

    ./tamr/utils/ config:set TAMR_SYSTEM_PASSWORD="<encrypted_password>"

To avoid running into this issue in the future, we recommend you use the following steps in the same order:

  1. Edit the “system” password in the UI.
  2. Immediately stop Tamr.
  3. Update the TAMR_SYSTEM_PASSWORD config variable with a hash based on the system password you used in step1. For this, run script located <TAMR_HOME>/tamr/. Look here for detailed instructions.
  4. Start Tamr.