Feature #3272: Separate internal admin account from user admin accounts - Foreman

Actions

Copy link

Feature #3272

closed

Separate internal admin account from user admin accounts

Added by Dominic Cleal over 10 years ago. Updated almost 6 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Dominic Cleal

Category:

Authentication

Target version:

1.6.0

Difficulty:

Triaged:

Bugzilla link:

Pull request:

Fixed in Releases:

Found in Releases:

Red Hat JIRA:

Description

Currently we install a default "admin" account which is used both for internal+anonymous actions, and the first user's login. This account can't be deleted as we need it for the former.

This use should be separated by hiding the internal admin account, then have the user either set up a new account for themselves during installation or first access.

We can then permit the user to delete all but one admin accounts (and except our hidden one).

Related issues 8 (1 open — 7 closed)

Related to Foreman - Feature #3725: Make default root password more explicit and configurable at install time	Closed	Stephen Benjamin	11/22/2013	Actions
Related to Foreman - Bug #2108: Cannot delete or rename admin user via GUI	Duplicate		01/05/2013	Actions
Related to Foreman - Feature #2128: There should be a post-installation screen to setup the initial username and password when login is enabled	New		01/15/2013	Actions
Related to Foreman - Feature #6586: Allow user-specified password in rake permissions:reset	Closed	Stephen Benjamin	07/11/2014	Actions
Related to Foreman - Bug #6606: Can't delete a user if there's only one admin account	Closed	David Davis	07/14/2014	Actions
Related to Foreman - Bug #6873: Error during db:seed from 1.4 to 1.6: undefined method `expire_topbar_cache' for nil:NilClass	Closed	Dominic Cleal	08/01/2014	Actions
Related to Foreman - Bug #6953: Fix bad internationalization calls in User	Closed	David Davis	08/06/2014	Actions
Blocked by Foreman - Refactor #3752: Move all data addition in DB migrations into a seed script	Closed	Dominic Cleal	11/25/2013	Actions

Actions

Copy link

Updated by Anonymous over 10 years ago

Target version set to 1.10.0

Actions

Copy link

Updated by Dominic Cleal over 10 years ago

This must include having a user-selected or randomised password for the first admin account.

Actions

Copy link

Updated by Dominic Cleal over 10 years ago

Related to Feature #3725: Make default root password more explicit and configurable at install time added

Actions

Copy link

Updated by Dominic Cleal over 10 years ago

Status changed from New to Assigned
Assignee set to Dominic Cleal

Actions

Copy link

Updated by Dominic Cleal over 10 years ago

Blocked by Refactor #3752: Move all data addition in DB migrations into a seed script added

Actions

Copy link

Updated by Dominic Cleal over 10 years ago

Target version changed from 1.10.0 to 1.9.3

Actions

Copy link

Updated by Dominic Cleal over 10 years ago

I requested some feedback on foreman-dev to work out how the first user account should be populated:
https://groups.google.com/forum/#!topic/foreman-dev/8v53KusW_gw

The consensus seemed to be:

accept the initial admin password as an installer parameter, allowing it to be specified on the command line and answers file
randomise the admin password if it's not given, and force the user to reset it on first login
print the admin password after install

Actions

Copy link

Updated by Anonymous over 10 years ago

Target version deleted (~~1.9.3~~)

Actions

Copy link

Updated by Benjamin Papillon about 10 years ago

Related to Bug #2108: Cannot delete or rename admin user via GUI added

Actions

Copy link

#10

Updated by Dominic Cleal about 10 years ago

Related to Feature #2128: There should be a post-installation screen to setup the initial username and password when login is enabled added

Actions

Copy link

#11

Updated by Anonymous about 10 years ago

Target version set to 1.9.0

Actions

Copy link

#12

Updated by Dominic Cleal about 10 years ago

This is in progress on https://github.com/domcleal/foreman/tree/3272-admin-account, and I hope to have it up for review in sprint 22.

The main areas still to work on are: randomising the admin password via the installer and the db:seed script, ensuring admin-enabled user groups interact properly with the changes, and possibly a forced password change when the randomised password is first used.

Actions

Copy link

#13

Updated by Dominic Cleal about 10 years ago

Target version changed from 1.9.0 to 1.8.4

Actions

Copy link

#14

Updated by Dominic Cleal about 10 years ago

Target version changed from 1.8.4 to 1.8.3

Actions

Copy link

#15

Updated by Dominic Cleal almost 10 years ago

Please merge in the following order.

Hammer related PRs to support change of default password:

Core PR:

https://github.com/theforeman/foreman/pull/1445

Installer PRs for seeding:

Actions

Copy link

#16

Updated by Dominic Cleal almost 10 years ago

Status changed from Assigned to Ready For Testing

Actions

Copy link

#17

Updated by Dominic Cleal almost 10 years ago

End to end test with all PRs applied:

[root@foreman foreman]# foreman-installer 
Installing             Done                                               [100%] [..............................................]
  Success!
  * Foreman is running at https://foreman.example.com
      Initial credentials are admin / MBDKVR4FCUEUYbiJ
  * Foreman Proxy is running at https://foreman.example.com:8443
  * Puppetmaster is running at port 8140
  The full log is at /var/log/foreman-installer/foreman-installer.log
[root@foreman foreman]# hammer user list
---|-------|------------|-----------------
ID | LOGIN | NAME       | EMAIL           
---|-------|------------|-----------------
3  | admin | Admin User | root@example.com
---|-------|------------|-----------------
[root@foreman foreman]# curl -k -u admin:MBDKVR4FCUEUYbiJ https://foreman.example.com/api/v2/status; echo
{"result":"ok","status":200,"version":"1.6-develop","api_version":2}

Actions

Copy link

#18