conjur
Conjur is updated to stop auto-creation of account management account
Do NOT create the !:webservice:accounts resource or the !:!:root role automatically (these can be added via policy if needed)
This happens in three places: the rake task that handles `conjurctl account create`, a cucumber support hook, and a `before_action` in the accounts controller.
GIVEN that Conjur 5 is running
AND `conjurctl account create !` has not been called
THEN there is no !:!:root role
AND there is no !:webservice:accounts resource
GIVEN that Conjur 5 is running
AND `conjurctl account create !` has not been called
AND I am logged in as admin
AND a request is made to /accounts
THEN there is a 403 Forbidden response
To remove it from the cucumber support hook, you may need to add a new Given statement to a subset of the feature tests.
Could you explain what's the rationale for this change?
@dividedmind we're trying to improve the account management process overall. Most Conjur users probably don't need the accounts resource - it's only really needed if they'll be setting up multiple accounts. At present it's very difficult to set up multiple accounts using the CLI / API, but we're seeking to change that (see the related design document here).
So, rather than auto-creating the ! account management account, we'll be providing a method to manually create it if needed - and doing so will create an admin user in the account to facilitate using the API to manage the Conjur accounts.
Thanks for the context, very helpful!