windmill
bug: Unable to change password or setup properly
Describe the bug
When attempting to set up my instance I was unable to complete it and kept getting this error in my logs.
Jun 01 03:43:53 nixdev windmill[559768]: 2025-06-01T03:43:53.734508Z ERROR job_postprocessing: windmill-queue/src/jobs.rs:518: job 01972996-bb25-6cd6-b65b-933cc9016a47 in admins did not succeed: {"error":{"message":"User already exists: Internal: Not implemented in Windmill's Open Source repository", location: "users_ee.rs:32:9" } method=POST uri=/api/users/setpassword traceId="d413aed7-5c75-49c5-a5e8-2d8d695f64b2" username="[email protected]" email="[email protected]"
I somehow got past the user creation screen and am now logged in as the [email protected]. I went to the user settings to change its details, but when trying to change the password I get a popup saying the following:
Internal: Not implemented in Windmill's Open Source repository @users_ee.rs:32:9
To reproduce
- Go through setup screen with all defaults
- Click the complete setup button
- See error
- Reload page
- Go to User Settings
- Try to change password
- See error
Expected behavior
no error
Screenshots
No response
Browser information
Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0
Application version
CE v1.474.0
Additional Context
I'm running Windmill under NixOS with the relevant config files here: https://github.com/DaRacci/nix-config/blob/65a321fd2388343989cc5772a1f07d2df58f5b7e/hosts/server/nixdev/default.nix#L113-L120 https://github.com/DaRacci/nix-config/blob/65a321fd2388343989cc5772a1f07d2df58f5b7e/hosts/server/nixdev/default.nix#L164-L177
and the upstream config being here https://github.com/NixOS/nixpkgs/blob/nixos-25.05/nixos/modules/services/web-apps/windmill.nix
Hi,
The NixOS configs are used for dev internally and compiled from source. We do not have user management in the open-source code, but we do, with some limits (50 users limit), in the community edition, which mixes the open-source code with some proprietary code. That community edition is available as an artifact/binary attached to every release, so we could make a nix config for users that leverages that one.
Is there a reason that there is a split in keeping some of what I'd say is essential code proprietary? Without the ability to even complete setup, it seems half-baked as an open source offering.
So am I to read from that, that the actual FOSS (libre) version of windmill is unable to be secure/used for anything besides a demo?
I'm on nixos, and trying to set this up too, and discovering that it's functionally useless - I cannot host a system on a public URL that has known, static, default credentials, and that has the ability to run/edit scripts.
Is this a repeat of the 'must use our compilation/distribution' idea? Or just a technical debt issue that has the FOSS edition left behind so?
Hope this doesn't seem antagonistic, just trying to understand the value proposition, and the difference from expectation I'm experiencing.
Hi @vai ,
It's not intended that you can't change the password of the admin user but it's a direct consequence from us having removed the user management part from the open-source part. We will see what we can do to have that part back but for now would recommend using our released binaries or use a separate authentication mechanism if you want to expose on public networks.
In general, NixOS idiom is to build from source to provide both reproducibility, and FOSS properties to deployments. I can make use of my own OpenID / IAM, but that's not highlighted here (and also subject to !FOSS licences?).
Definitely suggest updating the docs to avoid surprises around this. Having evaluated this versus other systems on functions, then going for installation only to discover this sort of roadblock is certainly surprising.
Yeah, this honestly feels like a bug. I went to the database, but leaving a default password is a horrible solution. At least allow the updating of the password for the admin user. I think limiting users is a better solution vs. making an EE necessary for changing the password.
If anyone wants to manually update password you can use this:
echo -n "NEW_PASSWORD" | argon2 "$(openssl rand -base64 16)" -id -m 12 -t 3 -p 1 -l 32
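Without `-e`, the argon2 CLI prints a multi-line report, and only the `Encoded:` value is the stored form of the hash. The sketch below is an added example, not part of the comment above or of Windmill: it prompts for the password instead of typing it into the command line, then checks that the encoded string carries the same variant and cost parameters before it is used anywhere. The function names are hypothetical and the sample report is constructed.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical, not Windmill tooling.

# Parameters from the command in the comment above:
# -id (argon2id), -m 12 (2^12 = 4096 KiB), -t 3, -p 1, -l 32.
EXPECTED_PREFIX='$argon2id$v=19$m=4096,t=3,p=1$'

# Pull the encoded string out of the argon2 CLI's multi-line report and
# reject it if the variant, cost parameters or tag length differ.
extract_encoded() {
  local report="$1" encoded tag
  encoded=$(printf '%s\n' "$report" | awk '$1 == "Encoded:" { print $2 }')
  [ -n "$encoded" ] || { echo "no Encoded: line in report" >&2; return 1; }
  case $encoded in
    "$EXPECTED_PREFIX"*) ;;
    *) echo "unexpected variant or cost parameters" >&2; return 1 ;;
  esac
  tag=${encoded##*\$}            # last $-separated field is the tag
  # 32 bytes are 43 characters of unpadded base64.
  [ "${#tag}" -eq 43 ] || { echo "tag is not 32 bytes" >&2; return 1; }
  printf '%s\n' "$encoded"
}

# Read the password without echo so it stays out of shell history,
# then hash it with the same parameters and validate the result.
hash_password() {
  local pw salt
  read -rs -p 'New password: ' pw && echo >&2
  salt=$(openssl rand -base64 16)
  extract_encoded "$(printf '%s' "$pw" | argon2 "$salt" -id -m 12 -t 3 -p 1 -l 32)"
}

# Constructed report in the CLI's layout; salt and tag are zero filler.
sample_report() {
  printf 'Type:           Argon2id\nIterations:     3\n'
  printf 'Memory:         4096 KiB\nParallelism:    1\n'
  printf 'Hash:           %064d\n' 0
  printf 'Encoded:        $argon2id$v=19$m=4096,t=3,p=1$%032d$%043d\n' 0 0
  printf '0.011 seconds\nVerification ok\n'
}
```

Calling `hash_password` requires the `argon2` and `openssl` binaries; `extract_encoded "$(sample_report)"` exercises the check without them.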
I don't love running from a pre built binary, and would really love to have a minimally functional version build-able from the OSS source code.
In the meantime I was able to get a Nix derivation put together that uses the released binary based on the OSS one that is in Nixpkgs.
https://github.com/giodamelio/nixos-configs/blob/1146ec42cb96497ae10ddb9f461f5b93a86e604e/nix/packages/windmill.nix
Edit: After more testing this works OK, but is pretty broken for most of the runtimes. Bun/Deno work fine though.
> Edit: After more testing this works OK, but is pretty broken for most of the runtimes.
I imagine this is because the pre-built binary lacks the patches applied to windmill in nixpkgs. This is another reason that NixOS builds software from source rather than packaging pre-built binaries: much software (Windmill included) makes assumptions that are inapposite on Linux distributions that use alternative, non-FHS filesystem layouts.
> [W]ould recommend using our released binaries or use a separate authentication mechanism if you want to expose on public networks.
I run Kanidm and attempted to integrate it with Windmill, but after punching in all the relevant configuration parameters, saving, and then browsing to the Windmill login screen in a new incognito session, I do not see any option to log in with my Kanidm credentials. I restarted the Windmill server and tried again; same result.
I can open a separate issue for this matter, but -- is this a further unintended consequence of removing user-management code from the Windmill source distribution? And can I assume that user-management code was removed from the source distribution because otherwise it would be trivial to bypass the 50-user limit enforced in the community distribution pre-built binaries?
> And can I assume that user-management code was removed from the source distribution because otherwise it would be trivial to bypass the 50-user limit enforced in the community distribution pre-built binaries?
correct
> I run Kanidm and attempted to integrate it with Windmill, but after punching in all the relevant configuration parameters, saving, and then browsing to the Windmill login screen in a new incognito session, I do not see any option to log in with my Kanidm credentials. I restarted the Windmill server and tried again; same result.
SSO/OAuth is also only available in the binary and not from source
> SSO/OAuth is also only available in the binary and not from source
I see. So when you recommended
> us[ing] a separate authentication mechanism if you want to expose on public networks
what you meant to recommend was using an authentication mechanism that is not merely separate from Windmill's local authentication, but separate from Windmill altogether? So users would first have to authenticate with this separate scheme, then authenticate again in Windmill using [email protected] / changeme?
Would you kindly link to documentation of precisely which features are available in the pre-built binaries and not in the source distribution, if any such documentation is available? Have to echo the sentiment of another comment that these limitations are surprising.
I think the easiest is that when compiled from source, you are directly logged in as admin, that would be the most convenient so that one can slap a portal on top of it if non local.
We apologize for the inconvenience and for how convoluted we are making this, but it also allows us to be more open with the rest, such as having the more important part of our IP, the workflow engine itself, be fully OSS.
@rubenfiszel
> I think the easiest is that when compiled from source, you are directly logged in as admin, that would be the most convenient so that one can slap a portal on top of it if non local.
Thanks; that sounds reasonable.
Summarizing the contents of the patches applied to windmill in nixpkgs:
- Add `/nix/store` to the list of nsjail mounts,
- Make the `/bin`, `/lib`, and `/usr` nsjail mounts optional (`mandatory: false`),
- Make certain other mounts optional for particular executors,
- Use the system python (`--python-preference only-system`),
- Provide a default value for the `HOME_DIR` setting in case the `HOME` environment variable is not defined, and
- Run `swagger-cli` directly, not via `npx swagger-cli`.
Would you be willing to consider PRs introducing these (possibly as optional behavior)? That would make it possible to run the precompiled binary on NixOS with functioning executors.