Feature #3272

Separate internal admin account from user admin accounts

Added by Dominic Cleal almost 5 years ago. Updated 9 days ago.

Status:Closed
Priority:Normal
Assignee:Dominic Cleal
Category:Authentication
Target version:1.6.0
Difficulty: Team Backlog:
Triaged: Fixed in Releases:
Bugzilla link: Found in Releases:
Pull request:

Description

Currently we install a default "admin" account which is used both for internal+anonymous actions, and the first user's login. This account can't be deleted as we need it for the former.

This use should be separated by hiding the internal admin account, then have the user either set up a new account for themselves during installation or first access.

We can then permit the user to delete all but one admin accounts (and except our hidden one).


Related issues

Related to Foreman - Feature #3725: Make default root password more explicit and configurable... Closed 11/22/2013
Related to Foreman - Bug #2108: Cannot delete or rename admin user via GUI Duplicate 01/05/2013
Related to Foreman - Feature #2128: There should be a post-installation screen to setup the i... New 01/15/2013
Related to Foreman - Feature #6586: Allow user-specified password in rake permissions:reset Closed 07/11/2014
Related to Foreman - Bug #6606: Can't delete a user if there's only one admin account Closed 07/14/2014
Related to Foreman - Bug #6873: Error during db:seed from 1.4 to 1.6: undefined method `e... Closed 08/01/2014
Related to Foreman - Bug #6953: Fix bad internationalization calls in User Closed 08/06/2014
Blocked by Foreman - Refactor #3752: Move all data addition in DB migrations into a seed script Closed 11/25/2013

Associated revisions

Revision d6b33a37
Added by Dominic Cleal about 4 years ago

refs #3272 - default password will be going away

Revision b6ed9c8d
Added by Tomas Strachota about 4 years ago

Merge pull request #117 from domcleal/3272-no-password

refs #3272 - default password will be going away

Revision e07f9a12
Added by Dominic Cleal about 4 years ago

fixes #3272 - allow 'admin' account to be removed and replaced

Revision 5534df90
Added by Dominic Cleal about 4 years ago

refs #3272 - pass admin user details into db:seed rake task

Revision 0fcebfbf
Added by Dominic Cleal about 4 years ago

refs #3272 - print new user/password after installation

History

#1 Updated by Dmitri Dolguikh over 4 years ago

  • Target version set to 1.10.0

#2 Updated by Dominic Cleal over 4 years ago

This must include having a user-selected or randomised password for the first admin account.

#3 Updated by Dominic Cleal over 4 years ago

  • Related to Feature #3725: Make default root password more explicit and configurable at install time added

#4 Updated by Dominic Cleal over 4 years ago

  • Status changed from New to Assigned
  • Assignee set to Dominic Cleal

#5 Updated by Dominic Cleal over 4 years ago

  • Blocked by Refactor #3752: Move all data addition in DB migrations into a seed script added

#6 Updated by Dominic Cleal over 4 years ago

  • Target version changed from 1.10.0 to 1.9.3

#7 Updated by Dominic Cleal over 4 years ago

I requested some feedback on foreman-dev to work out how the first user account should be populated:
https://groups.google.com/forum/#!topic/foreman-dev/8v53KusW_gw

The consensus seemed to be:

  • accept the initial admin password as an installer parameter, allowing it to be specified on the command line and answers file
  • randomise the admin password if it's not given, and force the user to reset it on first login
  • print the admin password after install

#8 Updated by Dmitri Dolguikh over 4 years ago

  • Target version deleted (1.9.3)

#9 Updated by Benjamin Papillon over 4 years ago

  • Related to Bug #2108: Cannot delete or rename admin user via GUI added

#10 Updated by Dominic Cleal over 4 years ago

  • Related to Feature #2128: There should be a post-installation screen to setup the initial username and password when login is enabled added

#11 Updated by Dmitri Dolguikh over 4 years ago

  • Target version set to 1.9.0

#12 Updated by Dominic Cleal over 4 years ago

This is in progress on https://github.com/domcleal/foreman/tree/3272-admin-account, and I hope to have it up for review in sprint 22.

The main areas still to work on are: randomising the admin password via the installer and the db:seed script, ensuring admin-enabled user groups interact properly with the changes, and possibly a forced password change when the randomised password is first used.

#13 Updated by Dominic Cleal over 4 years ago

  • Target version changed from 1.9.0 to 1.8.4

#14 Updated by Dominic Cleal about 4 years ago

  • Target version changed from 1.8.4 to 1.8.3

#16 Updated by Dominic Cleal about 4 years ago

  • Status changed from Assigned to Ready For Testing

#17 Updated by Dominic Cleal about 4 years ago

End to end test with all PRs applied:

[root@foreman foreman]# foreman-installer 
Installing             Done                                               [100%] [..............................................]
  Success!
  * Foreman is running at https://foreman.example.com
      Initial credentials are admin / MBDKVR4FCUEUYbiJ
  * Foreman Proxy is running at https://foreman.example.com:8443
  * Puppetmaster is running at port 8140
  The full log is at /var/log/foreman-installer/foreman-installer.log
[root@foreman foreman]# hammer user list
---|-------|------------|-----------------
ID | LOGIN | NAME       | EMAIL           
---|-------|------------|-----------------
3  | admin | Admin User | root@example.com
---|-------|------------|-----------------
[root@foreman foreman]# curl -k -u admin:MBDKVR4FCUEUYbiJ https://foreman.example.com/api/v2/status; echo
{"result":"ok","status":200,"version":"1.6-develop","api_version":2}

#18 Updated by Dmitri Dolguikh about 4 years ago

  • Target version changed from 1.8.3 to 1.8.2

#19 Updated by Dmitri Dolguikh about 4 years ago

  • Target version changed from 1.8.2 to 1.8.1

#20 Updated by Dominic Cleal about 4 years ago

  • Legacy Backlogs Release (now unused) set to 10

#21 Updated by Dominic Cleal about 4 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#22 Updated by Dominic Cleal almost 4 years ago

  • Related to Feature #6586: Allow user-specified password in rake permissions:reset added

#23 Updated by Dominic Cleal almost 4 years ago

  • Related to Bug #6606: Can't delete a user if there's only one admin account added

#24 Updated by Dominic Cleal almost 4 years ago

  • Related to Bug #6873: Error during db:seed from 1.4 to 1.6: undefined method `expire_topbar_cache' for nil:NilClass added

#25 Updated by Dominic Cleal almost 4 years ago

  • Related to Bug #6953: Fix bad internationalization calls in User added

Also available in: Atom PDF