-
-
Notifications
You must be signed in to change notification settings - Fork 658
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: allow defining initial admin user as env variable #4927
feat: allow defining initial admin user as env variable #4927
Conversation
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
@jonasws is attempting to deploy a commit to the unleash-team Team on Vercel. A member of the Team first needs to authorize it. |
src/lib/services/user-service.ts
Outdated
@@ -128,12 +128,15 @@ class UserService { | |||
if (userCount === 0) { | |||
// create default admin user | |||
try { | |||
const pwd = 'unleash4all'; | |||
const username = | |||
process.env.UNLEASH_DEFAULT_ADMIN_USERNAME ?? 'admin'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would like to move this to the config object used for all config resolutions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It should probably be seperate fields on the authentication options, with current values as default:
https://github.com/Unleash/unleash/blob/main/src/lib/types/option.ts#L56
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the pointer. I'll look into moving these fields there instead.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does the update of how this is defined/read in 1012c34 make more sense?
dab926c
to
9f07d56
Compare
9f07d56
to
82c1451
Compare
@@ -57,7 +57,10 @@ export interface IAuthOption { | |||
enableApiToken: boolean; | |||
type: IAuthType; | |||
customAuthHandler?: Function; | |||
createAdminUser: boolean; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unfortunately, removing this option would be considered a breaking change. We would need to keep the option, and can then use it to set the default values for the initial user. If you want to configure the user yourself you can do that via the new initalAdminUser option.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, I did not realize at first. I wanted to simplify what would happen, so that one can't define a pair of options that doesn't "make sense".
src/lib/types/option.ts
Outdated
@@ -57,7 +57,10 @@ export interface IAuthOption { | |||
enableApiToken: boolean; | |||
type: IAuthType; | |||
customAuthHandler?: Function; | |||
createAdminUser: boolean; | |||
initialAdminUser: { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This new option makes sense to me. If you set both this and createAdminUser
at the same time the values in this option should dictate the result.
The only edge case I can think of is if you set createAdminUser=false
and defines values for initialAdminUser
. I this case my suggestion would be that we will not try to create the admin user.
What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As stated in the other comment I'm guessing createAdminUser === false
should take precedence, but ideally one shouldn't define both. Perhaps adding a runtime check to warn/throw if createAdminUser: false
and initialAdminUser: 'non-null'
are both explicitly passed? Also, I think if the env variables for username and passwords are present, this should force createAdminUser
to be true. If people pass both a custom object AND use the env variables, I think we'd be wise to consider throwing an error, unless we can reliably resolve these and make the precedence clear in the docs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for adding this. Unfortunately, as Ivar said, we can't remove the createAdminUser field without it being a breaking change.
Would you be willing to update the PR to keep it?
I think the behaviour you discussed seems reasonable, at least throwing a warn if createAdminUser is false and you've sent in an initialAdminUser.
- createAdminUser is true, no initialAdminUser - same behaviour as we had before your patch (admin/unleash4all)
- createAdminUser is true and you've sent in an initialAdminUser we should use the initialAdminUser to create the adminUser,
- createAdminUser is unset, but an initialAdminUser is passed in, we should create the initialAdminUser.
- createAdminUser is unset and no initialAdminUser - do nothing
Thanks for mapping out the different "logical branches" here. I'm already working on this, so I'll try to update this PR later today. |
82c1451
to
7f41ad3
Compare
@jonasws - Thank you for the update. Yes, this matches my expectation. Great that you're adding unit tests. Once those are in place and running green I'll give you a 👍 on this. |
Great. Now to the "bad" news: I've run into some real hickups as to how one would actually test the fact that My hunch is that someone faced the same challenge in the past, and decided it wasn't worth the effort. Do we think that still applies here? |
7f41ad3
to
ccb75c2
Compare
Hmm. my gut reaction is to move the logic for what to do into the initAdminUser function. So making initAdminUser something we can call with the config settings. That way you can test the logic without worrying about the |
That has crossed my mind as well, and also aligns better with how the current test suite is implemented. Thanks for the input. UPDATE: Refactored the handling and updated/added new unit test cases accordingly in c75a3c4. Seems like it works now, but the logs are a bit flooded during the test run. Should we check "twice" whether we create the user? Both before calling |
ccb75c2
to
59b999f
Compare
59b999f
to
4be64d6
Compare
4be64d6
to
aeb41e3
Compare
aeb41e3
to
97f2882
Compare
97f2882
to
25d6ac2
Compare
Looks like I was able to finally address the snapshot update. Not sure about the other CI checks, but I feel like we're closing in here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice. You just saved us some work this quarter.
The other CI checks are on us. I've updated my review. Will squash and merge Thank you! |
About the changes
This PR adds a way of defining the username and password for the "default admin user" via environment variables. It defaults to using
admin
andunleash4all
, so it should be completely backwards compatible.Closes #4560