This repository has been archived by the owner. It is now read-only.

Adding MongoDB admin account recovery instructions #16

Open
wants to merge 1 commit into
base: master
from

Conversation

theunknownartisthour commented Mar 1, 2016

Adding steps the application owner may take to manage admin accounts, through the rockmongo cartridge available on openshift.

Nisthar commented on README.markdown in 27d6a55 Mar 1, 2016

Rockmongo doesn't work with scalable OpenShift apps. It would be nice if you could try with port-forwarding and mongodump the data and restore it in a new OpenShift app.

ahwayakchih (Owner) commented Mar 2, 2016

@theunknownartisthour Thanks! That may be useful for MongoDB users, but I have some questions/objections I'd like to discuss first (sorry):

  1. It uses "Step X" instead of just "X" like the rest of the README.
  2. It's database specific and this guide supports both MongoDB and Redis. If we go with it, we should also find a way for Redis users.
  3. Changing stuff directly in the database is kinda dangerous. Users already tend to omit/forget to run installation commands; if they omit a step while changing data in the DB, it could have much worse consequences.
  4. It does seem to change only part of the data that NodeBB changes. Please check https://github.com/NodeBB/NodeBB/blob/master/src/groups/membership.js#L17-L18 - it increments the group counter. In the next lines it also updates stuff for administrators and the hidden count, and then fires an event, which means that some plugins may also need to do stuff we do not know about.

Wouldn't it be better to call NodeBB functionality instead?
Yesterday I wrote a small test script, based on what NodeBB does while "resetting" an account, i.e., I made it generate a reset code and output a URL to the NodeBB page that allows changing the password :).
It's still not ideal, because it has to call some NodeBB functions directly, which may break whenever NodeBB changes its API, but it should be much safer for users; it works for both MongoDB and Redis, and users would have to run only one command :).

What do you think?

theunknownartisthour (Author) commented Mar 2, 2016

I wrote this up because I actually didn't notice the admin password was handed off when the quick start finished, and went right into the database. Resetting the default admin account with NodeBB won't help because OpenShift doesn't handle emails (or if they do, it's definitely not on by default), and similarly other users might have their custom domains not set up with email support. Mongo was what I was using, so that's what I picked up; there would be similar instructions for Redis, I would think. @ahwayakchih if your code bypasses that and lets you hop right to the page to edit someone's password, that'd be perfect.

The way I went about it didn't appear to break any of NodeBB. Although I could definitely add in that next step to modify the count, I suspect the count's not being used in the query to check if the user is a valid admin, and I'm not sure what the calls to the plugins are up to; my wild guess is it's probably meant to keep track of how many comments or thread counts there are in the forum.

As for the format, I did copy yours, so feel free to style it however you'd like; as for other NodeBB solutions... all the more welcome in my book. I liked this approach because I could remove admin permissions from the default account. As for the application scaling @Nisthar ... wasn't thinking about that at all. If the application scales, however, there should be a way to send requests to modify the database (otherwise admins would never be able to modify a scaled site). It might not be as nice as with rockmongo or the Redis equivalent, but it definitely can be done.

ahwayakchih (Owner) commented Mar 4, 2016

@theunknownartisthour your solution does seem to work, but i'm afraid some plugins or future changes in NodeBB may break it.

I added a "commands-experiment" branch: https://github.com/ahwayakchih/openshift-nodebb/tree/commands-experiment. You can pull from it into your current test installation, or use it for a new install. Just change the command:

git pull --no-edit -s recursive -X theirs openshift master

to:

git pull --no-edit -s recursive -X theirs openshift commands-experiment

After that, you can use this command to "reset" a user's password:

rhc ssh -a nodebb 'source ${OPENSHIFT_REPO_DIR}.openshift/lib/onbb_utils.sh && onbb_exec_command resetPassword nodebb@nodebb-youropenshiftusername.rhcloud.com'

Or show available commands and arguments they need:

rhc ssh -a nodebb 'source ${OPENSHIFT_REPO_DIR}.openshift/lib/onbb_utils.sh && onbb_exec_command help'

It is just an experiment. I think that it would be better to either:

  1. have such commands in default NodeBB
  2. add commands support as NodeBB plugin

@Nisthar currently NodeBB on OpenShift is not really scalable. It stores files locally, and since OpenShift does not mirror the data directory automatically, files wouldn't be available to other instances of NodeBB.

It probably could work with some plugin that makes NodeBB store files in the database or on some file server. In that case, it would have to make sure that any plugin that writes to the file system would write to "the cloud" instead.

Nisthar commented Mar 5, 2016

@ahwayakchih I am not an expert at openshift. But my app is currently in scalable mode. So will it break anything when it scales with web traffic needs?

theunknownartisthour (Author) commented Mar 5, 2016

If the app/quickstart isn't designed to spin up and down instances of the app and properly interact with a single database, then yes, in some ways it will. For example, if the app was designed to store data locally, each instance of the app will do the same... but files uploaded to that instance will be lost when the app spins down and the instance is destroyed.
In cases where a database is properly set up, you may still have apps using a local file store for images and other resources, so when new apps spin up, your users will not be able to see the graphics which you uploaded.
NodeBB is its own app, so scaling is on the cartridge/quickstart developer.

Nisthar commented Mar 5, 2016

@theunknownartisthour Oh. Anyway, can I disable the scalability then?

I don't think they destroy the local files when scaling. Then that would break all the apps in their servers.

theunknownartisthour (Author) commented Mar 5, 2016

@Nisthar Unfortunately no, because what OpenShift does to scale your app is an entirely different approach from an "unscaled" app. Basically they put your app behind a load balancer, which they can't turn off or reconfigure, because otherwise your app will definitely not work. However, there's a command somewhere in the docs to lower the upper limit of "gears" your app will scale to. I don't remember if they allow you to set that limit to "1" though.

You may of course migrate your app to an unscaled version; if your website hasn't been up long, that shouldn't bother your users...

Nisthar commented Mar 5, 2016

@theunknownartisthour My website is up and has got a lot of users atm. More users are joining day by day. I can't turn off my app to back it up (using the rhc save snapshot command) now. I saw in the NodeBB docs that I can mongodump to back up the db. But I am not sure if it backs up my users' data. Does it back it up?

I am asking this because I think this would help me if i want to transfer my app from openshift to any other cloud hosting

theunknownartisthour (Author) commented Mar 5, 2016

@Nisthar I don't know Mongo well enough to say that mongodump is the way to export/backup the database, but if you do export MongoDB's database, you will be backing up your users and everything forum related... except for anything in local storage like images, potentially... and plugins. You'll need to move those over as well; if you don't, NodeBB may complain that it can't access plugins that were previously installed.

Nisthar commented Mar 5, 2016

@theunknownartisthour Yes. I am sure the NodeBB doc said to back up MongoDB before upgrading, here https://docs.nodebb.org/en/latest/upgrading/index.html. But I am still not sure that I can back up my users' data if I back up my db. I tried connecting to my MongoDB by port-forwarding my OpenShift app. But I wasn't able to see users' data. Maybe it's restricted. But will I be able to restore it if it's restricted?

Sorry for my bad english. You can see my question here if you want https://community.nodebb.org/topic/8089/how-can-i-restore-my-mongodb-from-mongodump

ahwayakchih (Owner) commented Mar 5, 2016

@Nisthar the default installation in this guide has scaling disabled (at least on the free account I tested it with). When you create the application, you can mark it as scalable, and only then will OpenShift run multiple copies of it and load balance traffic between them.

You can read more about scaling at: https://developers.openshift.com/en/managing-scaling.html

theunknownartisthour (Author) commented Mar 5, 2016

@Nisthar Your users' info is inside MongoDB. It appears as though mongodump is the command to make a backup and mongorestore is the command to import the backup back in. You may have found the answer to your problem.

To migrate to another platform you're going to need to get the file mongodump generates onto your own computer, you may do this through sftp (you can use filezilla to do this).

As for accessing the database...you don't need to port forward. Use rhc ssh -a (your app) and find the relevant mongodb cartridge commands.

Edit: this may help https://blog.openshift.com/getting-started-with-mongodb-shell-on-openshift/

Edit2: this may help with filezilla https://blog.openshift.com/using-filezilla-and-sftp-on-windows-with-openshift/

ahwayakchih (Owner) commented Mar 5, 2016

@Nisthar they don't delete files from the base gear, especially when they are saved in the data directory they provide (and they are with this guide). The problem is only that when the application is scaled, the data directory is not automatically copied between gears. So, for example, sometimes you will see your uploaded avatar and sometimes you won't, depending on which gear your request is routed to.

You can try adding a plugin, like the one for Amazon storage. I did not test it, but as long as all files are saved through it, scaling will be safe.

Nisthar commented Mar 5, 2016

@theunknownartisthour @ahwayakchih Thanks. Good to know that I can transfer my app with mongodump and mongorestore. I'll try to transfer it and will post the result here if I can.
I am using imgur for all my uploaded pictures. So i am thinking there will not be such a problem when the app scales as there are no regular file uploading in my nodebb.

ahwayakchih (Owner) commented Mar 5, 2016

@Nisthar if there are no uploads, and you install any themes, plugins, etc. following this guide, i.e., by adding them as a dependency and committing to the repo, it should be fine. Any "local" files left will be those autogenerated, like compiled CSS, and that will be done on every "mirror" gear separately.

theunknownartisthour (Author) commented Mar 5, 2016

@ahwayakchih BTW just confirmed your script works wonders :)
And also, I had to use it because this time the application crashed near the end, so I never got to see the admin password, but who cares! Awesome script.

Although I'll mention the default admin email format is appname@appname-appdomain.rhcloud.com

ahwayakchih (Owner) commented Mar 5, 2016

@theunknownartisthour Thanks!

Did it crash on the OpenShift side, or did rhc time out or lose the connection? If it crashed, can you write when and how? I tried to implement scripts to catch crashes and return a nice error message, but maybe there's some bug there too.

Timeout is still a problem to work around. I thought about saving credentials to a temporary file, but that's like breaking basic rules of security. On the other hand, it's a temporary password anyway, so maybe it would be ok.

> Although I'll mention the default admin email format is appname@appname-appdomain.rhcloud.com

I use nodebb in all examples, to keep commands ready to copy & paste. You are right about appdomain, I'll fix that. Thanks.

ahwayakchih (Owner) commented Mar 5, 2016

@theunknownartisthour isn't the OpenShift "domain" an account name? I can't find anything regarding multiple domains on the same account. I'm trying to avoid using the word "domain", because it may be mistaken for "domain name" as in the full domain name used in a URL.

ahwayakchih added a commit that referenced this pull request Mar 5, 2016
Default domain name is based on the OpenShift "domain". It seems to be the same as the OpenShift "application domain" (not to be confused with the "domain name" used in URLs).
As pointed out by @theunknownartisthour at #16 (comment), it is not exactly an account name.
ahwayakchih (Owner) commented Mar 5, 2016

@theunknownartisthour OK, I see that rhc account shows the number of domains allowed, so I guess it is possible to have multiple application domains on paid plans.

theunknownartisthour (Author) commented Mar 5, 2016

@ahwayakchih yes, the paid plans allow accounts to select their own OpenShift sub-domains to deploy their apps to. Although you're right, it is confusing, because it's not really a subdomain. OpenShift seems to not care too much about that. It's mainly for organizing applications and the teams that work on them. It's also why the environment variable which describes the app's URL is called OPENSHIFT_APP_DNS, although, to be fair, it doesn't make too much sense calling it a DNS because it's not a dynamic name service; I agree it's more of a URL. If we're going by what the specifications of subdomains are, it would include the app's name and what they consider the "sub-domain", with the dash part in between. I'm not sure why they went about it this way; that's what I got out of reading all of their docs. I think they should probably rename the environment variable OPENSHIFT_APP_FQDN, because that's a bit more on the nose.

Back to the main task at hand:
So for example to prototype the email it should be...
OPENSHIFT_APP_NAME@OPENSHIFT_APP_DNS
like so...

rhc ssh -a nodebb 'source ${OPENSHIFT_REPO_DIR}.openshift/lib/onbb_utils.sh && onbb_exec_command resetPassword ${OPENSHIFT_APP_NAME}@${OPENSHIFT_APP_DNS}'

ahwayakchih (Owner) commented Mar 5, 2016

@theunknownartisthour that is a good idea, but what if someone changed that default e-mail in the meantime? Do you think that it's easier to notice that nodebb@nodebb-yourappnamespace.rhcloud.com should be changed, or ${OPENSHIFT_APP_NAME}@${OPENSHIFT_APP_DNS}? I think that the first one is more readable as an e-mail address.

I'm also thinking about setting up the e-mail before installation. Right now the scripts already try to read the user e-mail from the environment ($OPENSHIFT_LOGIN), but it looks like it is not available to the deploy script when it's run automatically by OpenShift (which kinda makes sense, as no user is logged in at that moment).

That means that the user would have to either:

  • run NodeBB setup through ssh, separately from deployment
  • set up an additional environment variable with the e-mail address, so the deployment script would use it for setup

before running NodeBB setup, i.e., before git push origin master.

Separating setup from deployment may give us a workaround for timeouts and the option to run just an upgrade instead of running setup every time, but it will complicate the whole process and require additional steps to follow.

Setting up something like NODEBB_ADMIN_EMAIL would be much simpler, could be done with the first command (the one that creates the application) and could be used for other things too (like sending an e-mail after installation is done? although I'm not sure it would work; I've read that mails from S2/OpenShift are blacklisted by mail providers).

theunknownartisthour (Author) commented Mar 5, 2016

I like the NODEBB_ADMIN_EMAIL approach (although I'd certainly include NODEBB_ADMIN_PASSWORD for full configurability beforehand).

I'd include the script in the readme and make it clear that the last parameter is the email of the user you want to change passwords for. I'd include that ${OPENSHIFT_APP_NAME}@${OPENSHIFT_APP_DNS} will select the default admin user created for NodeBB (if none is specified by the user with a new environment variable) or ${NODEBB_ADMIN_EMAIL} would select your custom admin. Since the user could change the admin's username and password without environment variables, I would leave it at that.

Lastly I'd overload (if possible) your script so that the default email selected matches the pattern of the first admin created (either of the patterns above); that might help with the consistency of the setup. I'm on the fence about this: if they don't know the email, I don't think someone should be able to reset the password for an account... but since only the app admin should be able to do this... who better to trust to know how this works?

Setting up email is a dead end because OpenShift (like you've read) doesn't handle it at all. If anything, the install for NodeBB gets away with it because the original NodeBB install pattern made the first user admin, so the account usually would be verified by the registration process. However, by directly adding the admin to the database it clearly skipped over that part, so even email addresses like the ones from .rhcloud.com are good to go, even though they'd normally flat out reject emails.

This is the reason I got a bit stuck when I didn't catch the password, because the default email isn't accessible, so I'd never have found a password reset link. So I went digging a bit into the database for a more hands on approach.

I like this because technically a hacker can't go about a normal route to verify password changes ;) by stealing your email...because there isn't any. However you clearly worked around that problem and made it much more secure because a hacker must then have rhc access to the app. Props.

ahwayakchih (Owner) commented Mar 7, 2016

@theunknownartisthour thanks.

You're right about e-mail not really working. It's indeed just to make setup work.

I added some changes and now there is an additional step to set up the NODEBB_ADMIN_EMAIL variable while installing.

I was also considering adding a command to list users and their e-mails from a specific group, e.g., from administrators. Would that be useful?

theunknownartisthour (Author) commented Mar 11, 2016

That could be useful for people who don't want to dig through the database to get user emails. This is pretty decent as is for account recovery purposes.
