Add the ability to reset the admin password if the user forgot it #512
@liyaka You can only change the admin password via the UI. What do you mean by option? |
Delete the data folder / volume, probably. |
@deviantony if the user forgot the password, there is no option (in UI at least) to reset the password |
@liyaka no, there is no way to reset the admin password if you forgot it at the moment. We'll track this evolution here. |
Maybe the --admin-password flag could be overloaded. Currently, it skips admin user creation if it exists. What I suggest is to reset the admin password if a user was found. Security wise, a user with access to recreate the container should be given access to reset the password as well. |
I don't think this is the way to go as the admin user can also change his password from within the UI. Meaning that these changes would be overwritten after a restart of the container. That would probably cause troubles. |
You are right. What about creating another flag? It could be run as a one
time command (using docker run with the same data volume or docker exec).
|
How about |
How about --force-create-user in order to be able to recreate the admin user to let you reset the password if administrator exists? In my case I try to automate as much as possible everything, meaning having to change a password through a UI is usually not an option. Also the deletion of the data volume/folder is either an option because you'll end up losing your config, don't you? |
Yeah, deleting the volume causes every stack you have deployed to show up as 'external' and you can't do anything with them. I really don't want to destroy all the stacks in my cluster only to paste them back into portainer to spin them up again. |
The web gui is able to set it. So the node package should just expose a command to run to do the same, with shell access instead of being logged on.
I'm not into node that much, but I've seen this be done somehow like this. |
An older issue here, but we have the need for this as well. Basically wanting to always control the admin password via startup flag(s). Something like an extra --force-* flag seems safe enough, and certainly a better option than losing config and stack control. |
Is there a workaround on this?? Something like resetting the password if someone forgets, not through the gui tho?? |
I forgot my password and would like an option to reset it. I suppose I can start a new Portainer container, but that seems counter-intuitive to me. Thanks for the great work you guys are doing on this project! I can't believe I didn't start using this earlier. |
My temporary solution with boltbrowser Works great - but a flag could be better. |
@gisselmann that worked for me as well after the upgrade to 1.20.0 broke my LDAP logon. For others: remove all users in the bolt db and portainer will ask again for a password. |
Today someone (an attack application) is attacking my portainer, because he guessed my password and got the jwt token and it has not expired; after I changed my simple password, he changed it quickly. How to improve safety? This is a problem. Adding human validation for the change password api is necessary. |
@gisselmann @Duvel both options didn't work for me. I always got: "access denied to resource". |
I have also noticed an attack starting today. The attacker is probably not gaining access to your account. What seems to be happening is that Portainer is blocking authentication after 12 failed attempts. The bot is still trying to guess the password after that and authentication remains locked and since authentication is disabled you can't access Portainer. I would recommend you to block port
|
Yeah, I cannot agree more. I had changed the port of portainer and the password, because of my weak password. This is an attack event; disabling the whole authentication is not the best idea, human validation may be able to resolve it. This attack affected our applications deployed on japan, korea, china servers |
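One way to spot the password-guessing traffic described in the comments above, as an added example that is not part of the thread or of Portainer. It assumes a reverse proxy in front of Portainer writing combined-format access logs and that a failed login shows up as a 4xx response to POST /api/auth; the function names and log lines are constructed.

```shell
#!/bin/sh
# Added example: flag clients with repeated failed Portainer logins.
# Assumptions: combined-format access log from a reverse proxy, and a
# failed login is a 4xx response to POST /api/auth.

THRESHOLD=12   # failed-attempt figure mentioned in the thread

# Read access-log lines on stdin; print "ip count" for every client whose
# failed-login count reaches the threshold, sorted by address.
failed_logins() {
    awk -v limit="$THRESHOLD" '
        # $1 = client ip, $6 = "POST (with leading quote), $7 = path, $9 = status
        $6 == "\"POST" && $7 == "/api/auth" && $9 ~ /^4[0-9][0-9]$/ { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
    ' | sort
}

# Constructed sample log: 13 failures from one address, then one failure
# and one successful login from another.
sample_log() {
    i=0
    while [ "$i" -lt 13 ]; do
        printf '203.0.113.7 - - [08/Nov/2017:17:20:%02d +0000] "POST /api/auth HTTP/1.1" 422 32 "-" "bot"\n' "$i"
        i=$((i + 1))
    done
    printf '198.51.100.4 - - [08/Nov/2017:17:21:00 +0000] "POST /api/auth HTTP/1.1" 422 32 "-" "Mozilla/5.0"\n'
    printf '198.51.100.4 - - [08/Nov/2017:17:21:09 +0000] "POST /api/auth HTTP/1.1" 200 180 "-" "Mozilla/5.0"\n'
}

sample_log | failed_logins
```

Addresses reported here are candidates for a firewall or proxy-level block, which keeps the guessing traffic from reaching the login endpoint at all.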
The same question. |
where is file located |
|
if you add this hash using boltbrowser it will ask to reset password. |
@tasz what is this hash? I couldn't find anything. can you please link to the source/documentation? |
For Open Media Vault (OMV 5+) users, the procedure to reset Portainer password is:
You might need to clear your browser cache or open a new private window before accessing the portainer web interface. Note: portainer interface runs on Port 9000. e.g. http://Server-IP-address:9000 |
Won't this also wipe out your data? |
No, the container data is left intact. Upon reinstalling the portainer, the previous data should be still there. I am about to redo the above procedure again since I forgot my portainer login password again. If you have critical data, I would strongly recommend backing up your data, in case it gets lost or corrupted, before attempting my solution. Update: It worked a second time for me without the container data loss. However, I still strongly recommend backing up critical data before attempting. What works for my environment might not work for you. |
Removing the boltbrowser would be the better way to reset just the password. |
Why adding this feature seems too complicated, as a solution seems common sense; would not expect this solution to be dragging so long. The boltbrowser worked perfectly for me |
Can you please list a step-by-step tutorial for resetting Portainer credentials using BoltBrowser. I googled for instructions but wasn't able to find any. Provide as many details as possible. |
I actually did a blog post on this: https://rjgonza.netlify.app/posts/forgot_portainer_password/ |
Wow very cool. I might turn this into a youtube instructional video as it's often asked..
|
The boltbrowser does the trick:
# unzip is needed to unpack the boltbrowser release
apt install unzip
curl -sSL https://git.bullercodeworks.com/brian/boltbrowser/releases/download/2.0/boltbrowser.linux64.zip -o bolt.zip
unzip bolt.zip
# List the volumes, then inspect the Portainer one to find its mountpoint
docker volume ls
docker volume inspect portainer_data
# Generate a bcrypt hash for a temporary password (prints admin:<hash>)
docker run --rm httpd:2.4-alpine htpasswd -nbB admin 'temporarypassworduntilyoureset'
./boltbrowser.linux64 /path/to/portainer.db
# Go to users and copy paste the password generated from httpd
Thanks @rjgonza |
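A format check for the htpasswd output used in the procedure above, as an added example that is not part of the original comment or of Portainer. It strips the `admin:` prefix that `htpasswd -n` prints and accepts only a bcrypt string, so a hash generated without `-B` is caught before it is pasted into the users entry; the function name and sample lines are constructed.

```shell
#!/bin/sh
# Added example: extract and validate the hash from `htpasswd -nbB` output.
# extract_bcrypt is a hypothetical helper; the sample lines are constructed
# and are not real credentials.

# Print the hash part of a "user:hash" line and return 0 only if it is a
# well-formed bcrypt string: $2a$/$2b$/$2y$, a two-digit cost, then 53
# characters of salt and digest (60 characters in total).
extract_bcrypt() {
    line=$1
    # htpasswd -n prints "user:hash"; keep what follows the first colon.
    case $line in
        *:*) hash=${line#*:} ;;
        *)   hash=$line ;;
    esac
    # Drop stray line endings picked up when copying from a terminal.
    hash=$(printf '%s' "$hash" | tr -d '\r\n')
    if printf '%s' "$hash" | grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'; then
        printf '%s\n' "$hash"
        return 0
    fi
    echo "not a bcrypt hash (was htpasswd run with -B?)" >&2
    return 1
}

# Constructed samples: a bcrypt-shaped line, and the $apr1$ (MD5) form
# that htpasswd emits when -B is omitted.
good='admin:$2y$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234'
bad='admin:$apr1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV'

extract_bcrypt "$good"          # prints the hash without the "admin:" prefix
extract_bcrypt "$bad" || true   # rejected with a message on stderr
```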
Many thanks to @rjgonza and @theArtechnology, his comment is very helpful but there are some little mistakes; also I searched a lot to find out where the portainer.db is before I figured out the container was running and that was the cause of not finding it. So I rewrote some parts to make an easier procedure for noobs like me:
The main part to reset the password (tdnf is the PhotonOS package manager, replace it with yours (apt etc.)):
|
We also released this helper tool recently to help you reset your password: https://github.com/portainer/helper-reset-password |
This doesn't work. Couldn't pull from http repo, citing some need to login? Ended up using this to generate the hash, then used these instructions to insert using boltbrowser. It doesn't work, I cannot login to portainer at this time. Also it seems that this doesn't work on compiled versions of portainer AND compiled versions don't give an option to set the password. When is this issue going to be resolved? It shouldn't be this difficult to reset or set a password. |
I haven't actually checked to see what kind of lift it is, but I won't assume it's simple. There are many considerations when allowing passwords to be overwritten/reset. In any case my example was a specific version of bolt and portainer. Which are you using? |
That is true, I guess I'm just frustrated after a day of trying all things to get it working. Thanks for responding, turned out to be a system issue. I'm using the Arch Linux package found here. I've blown away the /var/lib/portainer folder and re-installed the package. Password set dashboard appeared. |
I hear ya, that can be pretty annoying. Glad you got it working though 👍 |
Closing this issue as we're not gonna bring the ability to reset the admin password from within Portainer. We recommend you to use external authentication or the helper tool we released to help you reset your password via: https://github.com/portainer/helper-reset-password |
@luckydonald I deleted the data volume and it worked for me. |