[BUG] Security config handling means either API/Dashboard-created Users are deleted or you're stuck with default admin credentials
Opened this issue · 2 comments
dmantas commented
What is the bug?
The way security config is implemented leads to an undesired dilemma in case you want to manage users on the OS platform via OS Dashboards or the API.
The fact that both internal users and security config are in the same secret means that the management of both is interconnected.
The implementation of this PR improved things, but did not solve the issue.
How can one reproduce the bug?
You basically have 2 options:
- In security config `internal_users.yml` you define the `admin` user with a custom password plus your security config under `config.yml`. You then create other users in OS using e.g. OS Dashboards or the OS API. If you need to make a change in `config.yml`, the Operator will detect this and run the security admin job, which will also overwrite your users, because in security config the `internal_users.yml` file is present.
- In security config you only define `config.yml`. This means that the `admin` user will have the default (`admin`) password. You then create other users using Dashboards or the API. If you need to make a change in `config.yml` then, because `internal_users.yml` is not defined in security config, the users you have created will remain in place. But this means that you're stuck with default admin credentials forever, which is a security issue.
What is the expected behavior?
I see there are two options:
- Separate `config.yml` from the users/roles/etc. configuration. Changes in `config.yml` should only trigger this part of the config to be changed and not touch users/roles/etc.
- Create a more complex default password for the `admin` user like requested here. You're again stuck with it (i.e. if you try to change this you will overwrite your users), but at least it will not be `admin`/`admin`.
Thank you in advance.
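As an added example (not code from opensearch-k8s-operator or from the reporter), the following Python sketches the reporter's first expected-behaviour option: diff the old and new security-config Secret file by file and plan one `securityadmin.sh -f <file> -t <type>` run per changed file, so an edit to `config.yml` no longer re-applies `internal_users.yml` and does not wipe users created through the API or Dashboards. It also flags the second half of the dilemma, an `admin` entry that still carries the default `admin` password hash. Assumptions: the Secret is modelled as a plain dict of file name to YAML text (the keys the operator mounts), the per-file `-f`/`-t` invocation of `securityadmin.sh`, the `-t` type names, and the default hash string copied from the upstream `internal_users.yml` (verify it against your distribution). The admin-hash extraction is a line-based regex rather than a YAML parser, to keep the example dependency-free.

```python
"""Plan per-file securityadmin runs for a changed security-config Secret.

Added example, not opensearch-k8s-operator code. Secret contents are a dict
of file name -> YAML text. Only files whose text changed are scheduled, so a
config.yml edit does not re-apply internal_users.yml (the overwrite the issue
describes). Warnings cover the default-admin-hash and API-user-overwrite cases.
"""
import re

# securityadmin.sh -f <file> -t <type>: type name per upstream config file
# (assumption: these are the type names accepted by securityadmin.sh)
SECURITY_FILE_TYPES = {
    "config.yml": "config",
    "internal_users.yml": "internalusers",
    "roles.yml": "roles",
    "roles_mapping.yml": "rolesmapping",
    "action_groups.yml": "actiongroups",
    "tenants.yml": "tenants",
    "nodes_dn.yml": "nodesdn",
    "whitelist.yml": "whitelist",
}

# bcrypt hash of the password "admin" as shipped in the upstream default
# internal_users.yml (assumption: copied from the distribution; verify yours)
DEFAULT_ADMIN_HASH = "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"


def admin_hash(internal_users_yml):
    """Return the `hash:` value of the `admin:` entry, or None if absent.

    Line-based on purpose (no YAML dependency); assumes the usual layout where
    the user name sits at column 0 and its fields are indented beneath it.
    """
    block = re.search(r"^admin:[ \t]*\n((?:[ \t]+.*\n?)*)", internal_users_yml, re.M)
    if not block:
        return None
    h = re.search(r'^[ \t]+hash:[ \t]*"?([^"\s]+)', block.group(1), re.M)
    return h.group(1) if h else None


def plan_securityadmin(old_secret, new_secret):
    """Return (runs, warnings): runs is a list of (file, type) to apply."""
    runs, warnings = [], []
    for name in sorted(new_secret):
        if name not in SECURITY_FILE_TYPES:
            warnings.append(f"{name}: not a known security config file, skipped")
            continue
        if old_secret.get(name) != new_secret[name]:
            runs.append((name, SECURITY_FILE_TYPES[name]))
    for name in sorted(set(old_secret) - set(new_secret)):
        warnings.append(f"{name}: removed from the Secret; its last applied "
                        "version stays in the security index")
    if "internal_users.yml" not in new_secret:
        warnings.append("internal_users.yml absent: admin keeps the hash already in the "
                        "security index (the default 'admin' password on a fresh cluster)")
    else:
        h = admin_hash(new_secret["internal_users.yml"])
        if h is None:
            warnings.append("internal_users.yml: no admin hash found")
        elif h == DEFAULT_ADMIN_HASH:
            warnings.append("internal_users.yml: admin still uses the default 'admin' password hash")
        if ("internal_users.yml", "internalusers") in runs:
            warnings.append("internal_users.yml changed: applying it replaces users "
                            "created via the API/Dashboards")
    return runs, warnings


def demo():
    """Constructed sample: config.yml edited, internal_users.yml unchanged."""
    old = {
        "config.yml": "config:\n  dynamic:\n    http:\n      anonymous_auth_enabled: false\n",
        # constructed placeholder, not a real bcrypt hash
        "internal_users.yml": 'admin:\n  hash: "$2a$12$constructedPlaceholderNotARealHash"\n'
                              "  reserved: true\n",
    }
    new = dict(old)
    new["config.yml"] = old["config.yml"].replace("false", "true")
    return plan_securityadmin(old, new)


if __name__ == "__main__":
    runs, warns = demo()
    for f, t in runs:
        print(f"securityadmin.sh -f {f} -t {t}")
    for w in warns:
        print("WARN", w)
```

With the unchanged `internal_users.yml` carrying a custom hash, `demo()` schedules only `config.yml` and emits no warnings; swap the placeholder for `DEFAULT_ADMIN_HASH` and the default-credentials warning appears, and change the users file and the overwrite warning appears, which is the two-sided trade-off the issue describes.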
prudhvigodithi commented
[Triage]
Adding @saketmht and @swoehrl-mw to please help @dmantas here.
Thank you
@salyh @pchmielnik @jochenkressin
swoehrl-mw commented