[FOLIO-1336] bootstrap necessary user data in order to use the API
Created: 11/Jul/18 | Updated: 12/Nov/18 | Resolved: 31/Aug/18

| Status: | Closed |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | New Feature |
| Priority: | P2 |
| Reporter: | Jakub Skoczen |
| Assignee: | Wayne Schneider |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | ci, core, sprint42, sprint43, sprint44, sprint45 |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Issue links: | |
| Sprint: | |
| Tester Assignee: | David Crossley |

| Description |
|
https://github.com/folio-org/folio-install/blob/master/single-server.md#create-a-folio-superuser The section on setting up the initial user and password needs to be modified so it does not refer to building mod-login. We may need additional functionality in mod-login and mod-permissions to bootstrap a user. |
| Comments |
| Comment by Heikki Levanto [ 11/Jul/18 ] |
|
Probably the document should also say something about securing the supertenant of the installation. We have already seen random users deleting and disabling modules from our test boxes... |
| Comment by Heikki Levanto [ 11/Jul/18 ] |
|
The document should use the pull method to find a list of all available modules |
| Comment by Jakub Skoczen [ 24/Jul/18 ] |
|
Wayne Schneider we discussed that one way to do it is to disable the authtoken module right after "install", bootstrap the user using the API and re-enable it. |
| Comment by Wayne Schneider [ 25/Jul/18 ] |
|
Here's the procedure... I could certainly code this in folio-ansible and update the install document, unless it seems too crazy. I tested the following procedure on the Vagrant box folio/snapshot:
[
{
"id": "mod-authtoken",
"action": "disable"
}
]
You get back specific versions of mod-authtoken and anything else in the dependency chain, which can be used later to re-enable, e.g.:
[
{
"id": "folio_organization-2.2.100093",
"action": "disable"
},
{
"id": "mod-login-saml-1.1.0-SNAPSHOT.23",
"action": "disable"
},
{
"id": "folio_stripes-core-2.10.3000311",
"action": "disable"
},
{
"id": "mod-authtoken-1.5.0-SNAPSHOT.22",
"action": "disable"
}
]
2. Create the user account using the API by POSTing to /users (a fairly minimal record). Set the X-Okapi-Tenant header in your request. id is a required field; use a generated UUID:
{
"id": "4337fe58-bb0e-44d8-be95-54f4fbdfc8ea",
"username": "superuser",
"active": "true",
"personal": {
"lastName": "Administrator",
"email": "admin@example.org"
}
}
3. Create the login user record by POSTing to /authn/credentials. Set the X-Okapi-Tenant header in your request. userId is the same UUID as above.
{
"userId": "4337fe58-bb0e-44d8-be95-54f4fbdfc8ea",
"password": "admin"
}
4. Create the permissions user record by POSTing to /perms/users. Set the X-Okapi-Tenant header in your request. userId is the same UUID as above.
{
"userId": "4337fe58-bb0e-44d8-be95-54f4fbdfc8ea",
"permissions": [
"perms.all"
]
}
5. Re-enable the disabled modules for the tenant by POSTing to /_/proxy/tenants/<tenantId>/install
[
{
"id": "folio_organization-2.2.100093",
"action": "enable"
},
{
"id": "mod-login-saml-1.1.0-SNAPSHOT.23",
"action": "enable"
},
{
"id": "folio_stripes-core-2.10.3000311",
"action": "enable"
},
{
"id": "mod-authtoken-1.5.0-SNAPSHOT.22",
"action": "enable"
}
]
6. Grant all permissions to your new user. There is a sample script for doing this at https://github.com/folio-org/folio-install/blob/master/load-permissions.pl:
wget https://raw.githubusercontent.com/folio-org/folio-install/master/load-permissions.pl
perl load-permissions.pl --user superuser --password admin
|
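The five steps above as one script, added here as an example (it is not folio-install's bootstrap-superuser.pl). It assumes Okapi at OKAPI_URL, a tenant that already has mod-users, mod-login and mod-permissions enabled, and that mod-users accepts active as a JSON boolean; it re-enables mod-authtoken in a finally block so the tenant is not left without auth if one of the POSTs fails.

```python
# Added example, not folio-install's bootstrap-superuser.pl. Assumes Okapi at
# OKAPI_URL and a tenant with mod-users, mod-login and mod-permissions enabled.
import json
import uuid
import urllib.request

OKAPI_URL = "http://localhost:9130"  # assumption: the Vagrant box's Okapi


def okapi(method, path, body, tenant):
    """Send one JSON request to Okapi with the X-Okapi-Tenant header set."""
    req = urllib.request.Request(
        OKAPI_URL + path, method=method, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Accept": "application/json", "X-Okapi-Tenant": tenant})
    with urllib.request.urlopen(req) as resp:
        data = resp.read()
        return json.loads(data) if data else None


def user_records(username, password, user_id=None):
    """Steps 2-4: three records that must share one UUID (generated if absent)."""
    user_id = user_id or str(uuid.uuid4())
    user = {"id": user_id, "username": username, "active": True,
            "personal": {"lastName": "Administrator",
                         "email": "admin@example.org"}}
    creds = {"userId": user_id, "password": password}
    perms = {"userId": user_id, "permissions": ["perms.all"]}
    return user, creds, perms


def reenable_actions(disable_response):
    """Step 5: flip the exact versions Okapi reported as disabled to 'enable'."""
    return [{"id": m["id"], "action": "enable"}
            for m in disable_response if m.get("action") == "disable"]


def bootstrap(tenant, username, password):
    """Steps 1-5 end to end; auth is re-enabled even if a POST fails."""
    install = f"/_/proxy/tenants/{tenant}/install"
    disabled = okapi("POST", install,
                     [{"id": "mod-authtoken", "action": "disable"}], tenant)
    user, creds, perms = user_records(username, password)
    try:
        okapi("POST", "/users", user, tenant)
        okapi("POST", "/authn/credentials", creds, tenant)
        okapi("POST", "/perms/users", perms, tenant)
    finally:
        okapi("POST", install, reenable_actions(disabled), tenant)
    return user["id"]
```

Run bootstrap("diku", "superuser", "<password>") against a live Okapi; step 6 (load-permissions.pl) still follows separately.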
| Comment by Kurt Nordstrom [ 25/Jul/18 ] |
|
I imagine we could automate all of this into one script, couldn't we? bootstrap.py --okapihost localhost --okapiport 9130 --user superuser --password superuserpass (Or bootstrap.pl if we must.) The alternative is to have mod-users, mod-login and mod-perms come with a configurable superuser that mod-perms automatically grants all permissions to. |
| Comment by Wayne Schneider [ 26/Jul/18 ] |
|
https://github.com/folio-org/folio-install/blob/FOLIO-1336-admin-bootstrap/bootstrap-superuser.pl
Kurt and I chatted about this. It feels like a script like this is a short-term solution, maybe long-term we do want to have some kind of configurable bootstrap user created for the tenant on module initialization. I'll check in with the SysOps SIG tomorrow to see if they have any expectations. |
| Comment by Wayne Schneider [ 27/Jul/18 ] |
|
Feedback from the SysOps SIG: So I would suggest that we look at providing simple steps (and a script) for securing the Okapi supertenant (based on Heikki's guide at https://github.com/folio-org/okapi/blob/master/doc/securing.md). The full set of steps might look like: 1. Enable mod-users, mod-login, mod-permissions for the supertenant |
| Comment by Wayne Schneider [ 27/Jul/18 ] |
|
Related issue –
|
| Comment by Jakub Skoczen [ 08/Aug/18 ] |
|
Wayne Schneider did you include those steps in folio-install? |
| Comment by Heikki Levanto [ 09/Aug/18 ] |
|
It would be practical to be able to create the superuser for a tenant automatically, when enabling mod-users the first time. I understand they don't want to do that in a production system, but it could be implemented so that it does not normally happen, but setting an environment variable would trigger the creation of the superuser. That would make things easier in development scripts etc. |
| Comment by Wayne Schneider [ 13/Aug/18 ] |
|
Heikki Levanto – the user actually needs to be created in 3 places (mod-users, mod-login, mod-permissions), and the UUID of the user in mod-users needs to line up with userId property of the records in mod-login and mod-permissions...so I'm not sure how practical that is. Jakub Skoczen – I have written a script that accomplishes some of the procedure on a branch of folio-install (https://github.com/folio-org/folio-install/blob/136016fed15840a5c8a0f07771a6e31c8e384691/bootstrap-superuser.pl), but I need to test and script the full procedure and update the documentation. |
| Comment by Jakub Skoczen [ 15/Aug/18 ] |
|
@wayne Okay, thanks. |
| Comment by Wayne Schneider [ 29/Aug/18 ] |
|
This is done, except for securing Okapi. That feels like a slightly separate issue. I've asked David Crossley for a PR review, I'm sure he'll clean up anything else I've missed (or at least gently point it out to me). I will comment on
|