Project

General

Profile

Actions

Feature #3272

closed

Separate internal admin account from user admin accounts

Added by Dominic Cleal almost 11 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Authentication
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Currently we install a default "admin" account which is used both for internal+anonymous actions, and the first user's login. This account can't be deleted as we need it for the former.

This use should be separated by hiding the internal admin account, then have the user either set up a new account for themselves during installation or first access.

We can then permit the user to delete all but one admin accounts (and except our hidden one).


Related issues 8 (1 open7 closed)

Related to Foreman - Feature #3725: Make default root password more explicit and configurable at install timeClosedStephen Benjamin11/22/2013Actions
Related to Foreman - Bug #2108: Cannot delete or rename admin user via GUIDuplicate01/05/2013Actions
Related to Foreman - Feature #2128: There should be a post-installation screen to setup the initial username and password when login is enabledNew01/15/2013Actions
Related to Foreman - Feature #6586: Allow user-specified password in rake permissions:resetClosedStephen Benjamin07/11/2014Actions
Related to Foreman - Bug #6606: Can't delete a user if there's only one admin accountClosedDavid Davis07/14/2014Actions
Related to Foreman - Bug #6873: Error during db:seed from 1.4 to 1.6: undefined method `expire_topbar_cache' for nil:NilClassClosedDominic Cleal08/01/2014Actions
Related to Foreman - Bug #6953: Fix bad internationalization calls in UserClosedDavid Davis08/06/2014Actions
Blocked by Foreman - Refactor #3752: Move all data addition in DB migrations into a seed scriptClosedDominic Cleal11/25/2013Actions
Actions #1

Updated by Anonymous over 10 years ago

  • Target version set to 1.10.0
Actions #2

Updated by Dominic Cleal over 10 years ago

This must include having a user-selected or randomised password for the first admin account.

Actions #3

Updated by Dominic Cleal over 10 years ago

  • Related to Feature #3725: Make default root password more explicit and configurable at install time added
Actions #4

Updated by Dominic Cleal over 10 years ago

  • Status changed from New to Assigned
  • Assignee set to Dominic Cleal
Actions #5

Updated by Dominic Cleal over 10 years ago

  • Blocked by Refactor #3752: Move all data addition in DB migrations into a seed script added
Actions #6

Updated by Dominic Cleal over 10 years ago

  • Target version changed from 1.10.0 to 1.9.3
Actions #7

Updated by Dominic Cleal over 10 years ago

I requested some feedback on foreman-dev to work out how the first user account should be populated:
https://groups.google.com/forum/#!topic/foreman-dev/8v53KusW_gw

The consensus seemed to be:

  • accept the initial admin password as an installer parameter, allowing it to be specified on the command line and answers file
  • randomise the admin password if it's not given, and force the user to reset it on first login
  • print the admin password after install
Actions #8

Updated by Anonymous over 10 years ago

  • Target version deleted (1.9.3)
Actions #9

Updated by Benjamin Papillon over 10 years ago

  • Related to Bug #2108: Cannot delete or rename admin user via GUI added
Actions #10

Updated by Dominic Cleal over 10 years ago

  • Related to Feature #2128: There should be a post-installation screen to setup the initial username and password when login is enabled added
Actions #11

Updated by Anonymous over 10 years ago

  • Target version set to 1.9.0
Actions #12

Updated by Dominic Cleal over 10 years ago

This is in progress on https://github.com/domcleal/foreman/tree/3272-admin-account, and I hope to have it up for review in sprint 22.

The main areas still to work on are: randomising the admin password via the installer and the db:seed script, ensuring admin-enabled user groups interact properly with the changes, and possibly a forced password change when the randomised password is first used.

Actions #13

Updated by Dominic Cleal over 10 years ago

  • Target version changed from 1.9.0 to 1.8.4
Actions #14

Updated by Dominic Cleal over 10 years ago

  • Target version changed from 1.8.4 to 1.8.3
Actions #16

Updated by Dominic Cleal about 10 years ago

  • Status changed from Assigned to Ready For Testing
Actions #17

Updated by Dominic Cleal about 10 years ago

End to end test with all PRs applied:

[root@foreman foreman]# foreman-installer 
Installing             Done                                               [100%] [..............................................]
  Success!
  * Foreman is running at https://foreman.example.com
      Initial credentials are admin / MBDKVR4FCUEUYbiJ
  * Foreman Proxy is running at https://foreman.example.com:8443
  * Puppetmaster is running at port 8140
  The full log is at /var/log/foreman-installer/foreman-installer.log
[root@foreman foreman]# hammer user list
---|-------|------------|-----------------
ID | LOGIN | NAME       | EMAIL           
---|-------|------------|-----------------
3  | admin | Admin User | root@example.com
---|-------|------------|-----------------
[root@foreman foreman]# curl -k -u admin:MBDKVR4FCUEUYbiJ https://foreman.example.com/api/v2/status; echo
{"result":"ok","status":200,"version":"1.6-develop","api_version":2}
Actions #18

Updated by Anonymous about 10 years ago

  • Target version changed from 1.8.3 to 1.8.2
Actions #19

Updated by Anonymous about 10 years ago

  • Target version changed from 1.8.2 to 1.8.1
Actions #20

Updated by Dominic Cleal about 10 years ago

  • Translation missing: en.field_release set to 10
Actions #21

Updated by Dominic Cleal about 10 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions #22

Updated by Dominic Cleal about 10 years ago

  • Related to Feature #6586: Allow user-specified password in rake permissions:reset added
Actions #23

Updated by Dominic Cleal about 10 years ago

  • Related to Bug #6606: Can't delete a user if there's only one admin account added
Actions #24

Updated by Dominic Cleal almost 10 years ago

  • Related to Bug #6873: Error during db:seed from 1.4 to 1.6: undefined method `expire_topbar_cache' for nil:NilClass added
Actions #25

Updated by Dominic Cleal almost 10 years ago

  • Related to Bug #6953: Fix bad internationalization calls in User added
Actions

Also available in: Atom PDF