Provide mechanism for rotating self hosted cloud admin identity password #2068

Open
ddelnano opened this issue Dec 23, 2024 · 1 comment
ddelnano commented Dec 23, 2024

The self-hosted cloud is bootstrapped with a kratos admin identity that uses a password based login. This account uses a static set of credentials and defaults to [email protected]/admin as the username and password pair.

Our docs mention that you can update the ADMIN_IDENTITY environment variable and recreate your Pixie cloud deployment to change the password. That is a heavy hammer for changing the login details for a single account.

The ideal solution would make changing this environment variable modify an existing identity rather than telling users to recreate their cloud.

ddelnano (Member, Author) commented

Here's a workaround that doesn't require recreating the cloud from scratch:

1. Delete the existing identity from kratos:

   ```sh
   # Find existing identity ID (exec with -i only: a TTY from -t would mangle the captured output)
   $ IDENTITY_ID=$(kubectl -n plc exec -i ${KRATOS_POD} -c admin-create-if-not-exists -- sh -c '/usr/bin/curl -k $ADMIN_URL/admin/identities' | jq -r '.[] | select(.traits.email == "[email protected]") | .id' | tr -d ' \n')

   # https://kratos:4434 should match the ADMIN_URL environment variable. This is true for default pixie cloud installs
   $ kubectl -n plc exec -it ${KRATOS_POD} -c admin-create-if-not-exists -- /usr/bin/curl -XDELETE -k https://kratos:4434/admin/identities/${IDENTITY_ID}
   ```

2. Change the kratos Deployment's ADMIN_IDENTITY environment variable and wait for the pod to be recreated.
3. Clear browser cookies for the cloud domain and log into Pixie -- this will trigger a duplicate user error on form submit.
4. Find the latest kratos identity ID:

   ```sh
   $ IDENTITY_ID=$(kubectl -n plc exec -i ${KRATOS_POD} -c admin-create-if-not-exists -- sh -c '/usr/bin/curl -k $ADMIN_URL/admin/identities' | jq -r '.[] | select(.traits.email == "[email protected]") | .id' | tr -d ' \n')
   ```

5. Update the admin user's auth_provider_id in the postgres db:

   ```sh
   # Run psql through a single kubectl exec from your machine, so ${IDENTITY_ID} (set in step 4) expands here;
   # an interactive shell inside the pod would not have it. SQL string literals take single quotes
   # (double quotes are parsed as identifiers), and the whole statement is quoted for the local shell.
   $ kubectl -n plc exec -it ${POSTGRES_POD} -- psql -U pl -c "update users set auth_provider_id='${IDENTITY_ID}' where id in (select id from users where email='[email protected]');"
   ```
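Added helper code (not part of the issue or of the Pixie project) that scripts the risky parts of steps 4 and 5: picking the newest Kratos identity for the admin email when more than one matches, validating that the id is a UUID before it goes into SQL, and building the non-interactive `kubectl exec ... psql` command so the id is expanded on the operator's machine. The identities JSON, the e-mail addresses and the pod name are constructed sample values.

```python
import json
import re
import uuid
from datetime import datetime

# Constructed sample of a GET $ADMIN_URL/admin/identities response, trimmed to the
# fields used here; two identities share an email to show the "pick newest" rule.
SAMPLE_IDENTITIES = json.dumps([
    {"id": "1c9c7d0a-0f1e-4a5b-9a3e-0d2b7c6f5e41", "schema_id": "default",
     "traits": {"email": "admin@example.com"}, "created_at": "2024-12-20T10:00:00.000000Z"},
    {"id": "7f3e2b10-5b4d-4e8c-8e9a-3a1c2d4e5f60", "schema_id": "default",
     "traits": {"email": "admin@example.com"}, "created_at": "2024-12-23T09:30:00.000000Z"},
    {"id": "a2b3c4d5-6e7f-4a1b-8c9d-0e1f2a3b4c5d", "schema_id": "default",
     "traits": {"email": "other@example.com"}, "created_at": "2024-12-21T08:00:00.000000Z"},
])


def newest_identity_id(identities_json, email):
    """Return the id of the most recently created Kratos identity whose traits.email
    matches, so a leftover older identity is never picked up by mistake."""
    matches = [i for i in json.loads(identities_json)
               if i.get("traits", {}).get("email") == email]
    if not matches:
        raise LookupError(f"no kratos identity with email {email!r}")
    newest = max(matches, key=lambda i: datetime.fromisoformat(
        i["created_at"].replace("Z", "+00:00")))
    return str(uuid.UUID(newest["id"]))  # ValueError if the id is not a UUID


def user_update_sql(email, identity_id):
    """Build the users-table update with single-quoted SQL string literals (what the
    psql one-liner needs; double quotes would be parsed as column identifiers)."""
    identity_id = str(uuid.UUID(identity_id))      # reject anything that is not a UUID
    if not re.fullmatch(r"[^'\\\s;]+", email):     # keep the literal free of quote/escape chars
        raise ValueError(f"refusing to interpolate email {email!r}")
    return f"update users set auth_provider_id='{identity_id}' where email='{email}';"


def kubectl_psql_argv(postgres_pod, email, identity_id, namespace="plc", db_user="pl"):
    """argv for one non-interactive exec from the operator's machine: the id is
    substituted locally, not in a shell inside the pod where it would be unset."""
    return ["kubectl", "-n", namespace, "exec", "-i", postgres_pod, "--",
            "psql", "-U", db_user, "-v", "ON_ERROR_STOP=1",
            "-c", user_update_sql(email, identity_id)]
```

Pass the returned argv to `subprocess.run(argv, check=True)` once the identity id has been confirmed.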
