Project

General

Profile

Feature #3272

Separate internal admin account from user admin accounts

Added by Dominic Cleal over 5 years ago. Updated 9 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Authentication
Target version:
Difficulty:
Triaged:
Bugzilla link:
Pull request:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Currently we install a default "admin" account which is used both for internal+anonymous actions, and the first user's login. This account can't be deleted as we need it for the former.

This use should be separated by hiding the internal admin account, then have the user either set up a new account for themselves during installation or first access.

We can then permit the user to delete all but one admin accounts (and except our hidden one).


Related issues

Related to Foreman - Feature #3725: Make default root password more explicit and configurable at install timeClosed2013-11-22
Related to Foreman - Bug #2108: Cannot delete or rename admin user via GUIDuplicate2013-01-05
Related to Foreman - Feature #2128: There should be a post-installation screen to setup the initial username and password when login is enabledNew2013-01-15
Related to Foreman - Feature #6586: Allow user-specified password in rake permissions:resetClosed2014-07-11
Related to Foreman - Bug #6606: Can't delete a user if there's only one admin accountClosed2014-07-14
Related to Foreman - Bug #6873: Error during db:seed from 1.4 to 1.6: undefined method `expire_topbar_cache' for nil:NilClassClosed2014-08-01
Related to Foreman - Bug #6953: Fix bad internationalization calls in UserClosed2014-08-06
Blocked by Foreman - Refactor #3752: Move all data addition in DB migrations into a seed scriptClosed2013-11-25

Associated revisions

Revision d6b33a37 (diff)
Added by Dominic Cleal almost 5 years ago

refs #3272 - default password will be going away

Revision b6ed9c8d
Added by Tomas Strachota almost 5 years ago

Merge pull request #117 from domcleal/3272-no-password

refs #3272 - default password will be going away

Revision e07f9a12 (diff)
Added by Dominic Cleal over 4 years ago

fixes #3272 - allow 'admin' account to be removed and replaced

Revision 5534df90 (diff)
Added by Dominic Cleal over 4 years ago

refs #3272 - pass admin user details into db:seed rake task

Revision 0fcebfbf (diff)
Added by Dominic Cleal over 4 years ago

refs #3272 - print new user/password after installation

History

#1 Updated by Dmitri Dolguikh over 5 years ago

  • Target version set to 1.10.0

#2 Updated by Dominic Cleal over 5 years ago

This must include having a user-selected or randomised password for the first admin account.

#3 Updated by Dominic Cleal over 5 years ago

  • Related to Feature #3725: Make default root password more explicit and configurable at install time added

#4 Updated by Dominic Cleal over 5 years ago

  • Status changed from New to Assigned
  • Assignee set to Dominic Cleal

#5 Updated by Dominic Cleal over 5 years ago

  • Blocked by Refactor #3752: Move all data addition in DB migrations into a seed script added

#6 Updated by Dominic Cleal over 5 years ago

  • Target version changed from 1.10.0 to 1.9.3

#7 Updated by Dominic Cleal over 5 years ago

I requested some feedback on foreman-dev to work out how the first user account should be populated:
https://groups.google.com/forum/#!topic/foreman-dev/8v53KusW_gw

The consensus seemed to be:

  • accept the initial admin password as an installer parameter, allowing it to be specified on the command line and answers file
  • randomise the admin password if it's not given, and force the user to reset it on first login
  • print the admin password after install

#8 Updated by Dmitri Dolguikh about 5 years ago

  • Target version deleted (1.9.3)

#9 Updated by Benjamin Papillon about 5 years ago

  • Related to Bug #2108: Cannot delete or rename admin user via GUI added

#10 Updated by Dominic Cleal about 5 years ago

  • Related to Feature #2128: There should be a post-installation screen to setup the initial username and password when login is enabled added

#11 Updated by Dmitri Dolguikh about 5 years ago

  • Target version set to 1.9.0

#12 Updated by Dominic Cleal about 5 years ago

This is in progress on https://github.com/domcleal/foreman/tree/3272-admin-account, and I hope to have it up for review in sprint 22.

The main areas still to work on are: randomising the admin password via the installer and the db:seed script, ensuring admin-enabled user groups interact properly with the changes, and possibly a forced password change when the randomised password is first used.

#13 Updated by Dominic Cleal almost 5 years ago

  • Target version changed from 1.9.0 to 1.8.4

#14 Updated by Dominic Cleal almost 5 years ago

  • Target version changed from 1.8.4 to 1.8.3

#16 Updated by Dominic Cleal almost 5 years ago

  • Status changed from Assigned to Ready For Testing

#17 Updated by Dominic Cleal almost 5 years ago

End to end test with all PRs applied:

[root@foreman foreman]# foreman-installer 
Installing             Done                                               [100%] [..............................................]
  Success!
  * Foreman is running at https://foreman.example.com
      Initial credentials are admin / MBDKVR4FCUEUYbiJ
  * Foreman Proxy is running at https://foreman.example.com:8443
  * Puppetmaster is running at port 8140
  The full log is at /var/log/foreman-installer/foreman-installer.log
[root@foreman foreman]# hammer user list
---|-------|------------|-----------------
ID | LOGIN | NAME       | EMAIL           
---|-------|------------|-----------------
3  | admin | Admin User | root@example.com
---|-------|------------|-----------------
[root@foreman foreman]# curl -k -u admin:MBDKVR4FCUEUYbiJ https://foreman.example.com/api/v2/status; echo
{"result":"ok","status":200,"version":"1.6-develop","api_version":2}

#18 Updated by Dmitri Dolguikh almost 5 years ago

  • Target version changed from 1.8.3 to 1.8.2

#19 Updated by Dmitri Dolguikh almost 5 years ago

  • Target version changed from 1.8.2 to 1.8.1

#20 Updated by Dominic Cleal over 4 years ago

  • Legacy Backlogs Release (now unused) set to 10

#21 Updated by Dominic Cleal over 4 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#22 Updated by Dominic Cleal over 4 years ago

  • Related to Feature #6586: Allow user-specified password in rake permissions:reset added

#23 Updated by Dominic Cleal over 4 years ago

  • Related to Bug #6606: Can't delete a user if there's only one admin account added

#24 Updated by Dominic Cleal over 4 years ago

  • Related to Bug #6873: Error during db:seed from 1.4 to 1.6: undefined method `expire_topbar_cache' for nil:NilClass added

#25 Updated by Dominic Cleal over 4 years ago

  • Related to Bug #6953: Fix bad internationalization calls in User added

Also available in: Atom PDF