[Main UI] Admin user cannot change password #332

Closed
wborn opened this issue Sep 12, 2020 · 5 comments · Fixed by openhab/openhab-core#1735
Labels
main ui Main UI

Comments

@wborn
Member

wborn commented Sep 12, 2020

It seems the UI does not provide a way to easily change the admin user password. That makes it complicated if your password got compromised, you entered an insecure password for quick access during setup or when you have a good habit of changing it.

@ghys
Member

ghys commented Sep 17, 2020

I think this operation should be handled as a servlet in the core (with a proper HTML form and a CSRF token, similar to the sign in flow), rather than from the UI itself and an API endpoint.

In the meantime, for the record, here's a reminder on how you can change your password from the Karaf console (this involves deleting and re-creating your user in JAAS):

openhab> jaas:realm-manage --realm openhab
openhab> jaas:user-delete <your-user-id>
openhab> jaas:user-add <your-user-id> ####
openhab> jaas:role-add <your-user-id> administrator
openhab> jaas:update

(your password will be masked with # characters while you're typing it)

@ghys ghys added the main ui Main UI label Sep 24, 2020
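
The kind of CSRF check proposed above for a password-change form, as an added example that is not part of the thread and is not openHAB's code. The class name, token lifetime and session ids are assumptions; it uses only the JDK (Java 16 or later) rather than the servlet API.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical helper (not openHAB code): single-use CSRF tokens for a change-password form.
public class ChangePasswordCsrfGuard {
    private record Issued(byte[] token, Instant expires) {}

    private static final Duration TTL = Duration.ofMinutes(10); // assumed form lifetime
    private final SecureRandom random = new SecureRandom();
    private final Map<String, Issued> bySession = new ConcurrentHashMap<>();

    // Called when the form is rendered (GET); the value goes into a hidden <input>.
    public String issue(String sessionId) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        bySession.put(sessionId,
                new Issued(token.getBytes(StandardCharsets.US_ASCII), Instant.now().plus(TTL)));
        return token;
    }

    // Called when the form is submitted (POST), before the stored password is touched.
    public boolean verifyAndConsume(String sessionId, String submitted) {
        Issued issued = bySession.remove(sessionId); // single use: removed even when the check fails
        if (issued == null || submitted == null || Instant.now().isAfter(issued.expires())) {
            return false;
        }
        // Constant-time comparison, so timing does not reveal how many bytes matched.
        return MessageDigest.isEqual(issued.token(), submitted.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        ChangePasswordCsrfGuard guard = new ChangePasswordCsrfGuard();
        String token = guard.issue("session-A"); // constructed session ids
        System.out.println("own form:      " + guard.verifyAndConsume("session-A", token));
        System.out.println("replayed:      " + guard.verifyAndConsume("session-A", token));
        String other = guard.issue("session-B");
        guard.issue("session-A");
        System.out.println("other session: " + guard.verifyAndConsume("session-A", other));
    }
}
```

A request forged from another site carries the victim's session cookie but cannot read the hidden field, so it fails the check before any password change happens.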
@JueBag

JueBag commented Oct 14, 2020

I was trying the commands above, recreated the user admin, however can't get this user to be an admin. Even after granting the role admin.

jaas:userlist gives:

User Name │ Group │ Role
──────────┼───────┼──────
admin     │       │ admin

This looks like the user admin would have the elevated rights, however on the UI I can not get to the things and items and the developer tools anymore.

@ghys
Copy link
Member

ghys commented Oct 14, 2020

Yes the role is actually administrator: see Role.java.

I forgot to add the role originally, I have updated the comment above.

Btw, while it's nice to have the JAAS commands, I'm actually thinking about adding some openHAB-specific Karaf commands to perform these (normally infrequent but sensible) operations, which could look similar to this:

Usage: openhab:users list - lists all users
Usage: openhab:users add <userid> <password> <role> - adds a new user with the specified role
Usage: openhab:users remove <userid> - removes a user
Usage: openhab:users changePassword <userid> <newPassword> - changes the password of a user
Usage: openhab:users clearSessions <userid> - clear the refresh tokens associated with the user (will sign the user out of all sessions)
Usage: openhab:users addApiKey <userid> <keyname> <scope> - add a new API key acting on behalf of the user for the specified scope
Usage: openhab:users removeApiKey <userid> <keyname> - removes the specified API key

@JueBag

JueBag commented Oct 14, 2020

Thanks for the speedy answer, now I'm back into testing.

@kaikreuzer
Member

Btw, while it's nice to have the JAAS commands, I'm actually thinking about adding some openHAB-specific Karaf commands to perform these

I very much like your proposal! Indeed, the JAAS syntax is not straightforward for users and will cause many questions, so having our own commands will be much more user friendly.
