[chectl] generate passwords for initial users #14082

Closed
sleshchenko opened this issue Jul 31, 2019 · 9 comments
Labels: area/chectl (Issues related to chectl, the CLI of Che); kind/enhancement (A feature request - must adhere to the feature request template.); severity/P1 (Has a major impact to usage or development of the system.)

@sleshchenko
Member

Is your enhancement related to a problem? Please describe.

Currently, there are default users admin with password admin (different admins for Che and Keycloak, stored in different realms).
After the first login to Che, a user is asked to change the default password.
For Keycloak, there is no tip that the password should be updated at all.

But chectl does not even say that there is such a default user and that the password should be updated.
So, there is some period when everyone is able to log in as admin to Che and Keycloak on a fresh installation if the URLs are known.

Describe the solution you'd like

It would be safer if chectl generated a password for the initial admin users, to prevent logging in as admin knowing only the Che and Keycloak URLs.

@sleshchenko sleshchenko added the kind/enhancement A feature request - must adhere to the feature request template. label Jul 31, 2019
@sleshchenko
Member Author

cc @slemeur @l0rd

@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Jul 31, 2019
@l0rd
Contributor

l0rd commented Jul 31, 2019

Good point @sleshchenko. And that's critical. That should rather be done on the helm and operator side, not in chectl. Otherwise we would only solve the problem partially (when installing via the OperatorHub the password would not be changed, for instance). As of today we may print a warning message when installing via chectl. I don't know if we can show a warning message easily on the OperatorHub side as well (cc @davidfestal)

@davidfestal
Contributor

AFAIK the operator already generates random admin passwords by default (at least for Keycloak).

@slemeur slemeur added area/chectl Issues related to chectl, the CLI of Che area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator labels Jul 31, 2019
@slemeur slemeur added this to the 7.2.0 milestone Jul 31, 2019
@nickboldt nickboldt removed the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Jul 31, 2019
@nickboldt
Contributor

@slemeur if you think this needs to be in 7.2, then it's been triaged. removing the status/need-triage label

@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Aug 1, 2019
@benoitf benoitf added status/open-for-dev An issue has had its specification reviewed and confirmed. Waiting for an engineer to take it. and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Aug 1, 2019
@gazarenkov gazarenkov removed this from the 7.2.0 milestone Oct 2, 2019
@tolusha tolusha added team/deploy severity/P2 Has a minor but important impact to the usage or development of the system. labels Feb 17, 2020
@tolusha tolusha removed area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator status/open-for-dev An issue has had its specification reviewed and confirmed. Waiting for an engineer to take it. team/deploy labels Mar 21, 2020
@tolusha tolusha added this to the Backlog - Deploy milestone Apr 12, 2020
@tolusha tolusha changed the title chectl: generate passwords for initial users [chectl] generate passwords for initial users Apr 15, 2020
@tolusha tolusha added severity/P1 Has a major impact to usage or development of the system. and removed severity/P2 Has a minor but important impact to the usage or development of the system. labels Apr 16, 2020
@tolusha tolusha mentioned this issue Apr 16, 2020
50 tasks
@tolusha
Contributor

tolusha commented Apr 30, 2020

The default Keycloak password in the helm chart is admin
https://github.com/eclipse/che/blob/master/deploy/kubernetes/helm/che/custom-charts/che-keycloak/templates/deployment.yaml#L57-L58

On the operator side it is autogenerated

@tolusha
Contributor

tolusha commented Apr 30, 2020

@tolusha
Contributor

tolusha commented May 4, 2020

To force the user to update its password we have to specify

spec:
  auth:
    updateAdminPassword: true

@mmorhun
Contributor

mmorhun commented May 5, 2020

In terms of this issue we make sure that the Keycloak admin password is autogenerated. If a user uses chectl, the password will be printed to the terminal.
Also, we applied a requirement to change the Che admin password after first login. We don't use an autogenerated password there because, in case of using the operator installer without chectl, the password cannot be delivered to the user easily.
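
The gap discussed in this thread (a literal `admin` password in a deployment, closed by generating one) can be audited in a rendered manifest before install. This is an added example, not code from chectl, the Helm chart or the operator; the sample manifest, its env-var and secret names, and the list of default values are constructed for illustration.

```python
import re
import secrets
import string

# Constructed sample of a rendered Deployment env section (not the real Che chart).
SAMPLE_MANIFEST = """\
containers:
- name: keycloak
  env:
  - name: KEYCLOAK_USER
    value: admin
  - name: KEYCLOAK_PASSWORD
    value: admin
  - name: POSTGRES_PASSWORD
    valueFrom:
      secretKeyRef:
        name: che-postgres
        key: password
"""

KNOWN_DEFAULTS = {"admin", "password", "changeme"}  # assumed list, extend as needed
ENV_NAME = re.compile(r"^\s*-\s*name:\s*(\S+)\s*$")
ENV_VALUE = re.compile(r"^\s*value:\s*[\"']?([^\"'\s]*)[\"']?\s*$")


def find_default_passwords(manifest):
    """Return names of password-like env vars that carry a literal known default."""
    hits, current = [], None
    for line in manifest.splitlines():
        name = ENV_NAME.match(line)
        if name:
            current = name.group(1)
            continue
        value = ENV_VALUE.match(line)  # 'valueFrom:' (secret reference) does not match
        if value and current and "PASSWORD" in current.upper():
            if value.group(1).lower() in KNOWN_DEFAULTS:
                hits.append(current)
    return hits


def generate_admin_password(length=24):
    """Generate an initial admin password from the OS CSPRNG with mixed character classes."""
    alphabet = string.ascii_letters + string.digits
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if any(c.islower() for c in pw) and any(c.isupper() for c in pw) \
                and any(c.isdigit() for c in pw):
            return pw
```

Values supplied through `valueFrom` are not flagged, since the literal is not in the manifest; those secrets need their own check.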

@mmorhun
Contributor

mmorhun commented May 13, 2020

Done

@mmorhun mmorhun closed this as completed May 13, 2020
@tolusha tolusha modified the milestones: Backlog - Deploy, 7.13 May 13, 2020