
Provide mechanism for rotating self hosted cloud admin identity password

Open ddelnano opened this issue 1 year ago • 1 comment

The self-hosted cloud is bootstrapped with a kratos admin identity that uses a password based login. This account uses a static set of credentials and defaults to [email protected]/admin as the username and password pair.

Our docs mention that you can update the ADMIN_IDENTITY environment variable and recreate your Pixie cloud deployment to change the password. That is a heavy hammer for changing the login details for a single account.

The ideal solution would make changing this environment variable modify an existing identity rather than telling users to recreate their cloud.

ddelnano avatar Dec 23 '24 12:12 ddelnano

Here's a workaround that doesn't require recreating the cloud from scratch:

1. Delete the existing identity from kratos:

   ```sh
   # Find existing identity ID
   $ IDENTITY_ID=$(kubectl -n plc exec -it ${KRATOS_POD} -c admin-create-if-not-exists -- sh -c '/usr/bin/curl -k $ADMIN_URL/admin/identities' | jq -r '.[] | select(.traits.email == "[email protected]") | .id' | tr -d ' ' | tr -d '\n')

   # https://kratos:4434 should match the ADMIN_URL environment variable. This is true for default pixie cloud installs
   $ kubectl -n plc exec -it ${KRATOS_POD} -c admin-create-if-not-exists -- /usr/bin/curl -XDELETE -k https://kratos:4434/admin/identities/${IDENTITY_ID}
   ```

2. Change the kratos Deployment's ADMIN_IDENTITY environment variable and wait for the pod to be recreated.
3. Clear browser cookies for the cloud domain and log into Pixie -- this will trigger a duplicate user error on form submit.
4. Find the latest kratos identity ID:

   ```sh
   $ IDENTITY_ID=$(kubectl -n plc exec -it ${KRATOS_POD} -c admin-create-if-not-exists -- sh -c '/usr/bin/curl -k $ADMIN_URL/admin/identities' | jq -r '.[] | select(.traits.email == "[email protected]") | .id' | tr -d ' ' | tr -d '\n')
   ```

5. Update the admin user's auth_provider_id in the postgres db:

   ```sh
   # Run psql through kubectl exec from the host shell so that ${IDENTITY_ID} (set above) expands;
   # inside the postgres pod's own shell the variable would be empty.
   # The value is a SQL string literal, so it is single-quoted (double quotes would name an identifier in postgres).
   $ kubectl -n plc exec -it ${POSTGRES_POD} -- psql -U pl -c "update users set auth_provider_id='${IDENTITY_ID}' where id in (select id from users where email='[email protected]');"
   ```

ddelnano avatar Dec 23 '24 16:12 ddelnano
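As an added example that is not part of ddelnano's workaround or the Pixie project, the two fragile spots in the procedure can be checked in code: selecting the identity ID from the Kratos `/admin/identities` response while refusing ambiguous results (the duplicate-user state in step 3), and building the `auth_provider_id` UPDATE with validated, properly quoted values, since `psql -c` takes no bind parameters. The e-mail address and identity IDs are constructed placeholders, and the assumption that Kratos identity IDs are canonical UUIDs is mine, not from the issue.

```python
import json
import re

# Placeholder for the admin e-mail, which is redacted on the issue page.
ADMIN_EMAIL = "admin@example.com"

# Constructed sample of a Kratos /admin/identities response (not a real capture).
SAMPLE_RESPONSE = json.dumps([
    {"id": "5b1c2d3e-4f50-4617-8a9b-0c1d2e3f4a5b",
     "traits": {"email": "someone@example.com"}},
    {"id": "9e8d7c6b-5a49-4837-9261-50f4e3d2c1b0",
     "traits": {"email": ADMIN_EMAIL}},
])

# Assumption: Kratos identity IDs are canonical lower-case hyphenated UUIDs.
UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def select_identity_id(identities_json: str, email: str) -> str:
    """Return the identity ID whose traits.email equals `email`.

    Same selection as the jq filter in the workaround, but it refuses to pick
    one of several matches: after ADMIN_IDENTITY is changed, Kratos can hold
    both the stale and the new identity for the same e-mail, and updating
    users.auth_provider_id with the wrong one locks the admin out.
    """
    identities = json.loads(identities_json)
    matches = [i["id"] for i in identities
               if i.get("traits", {}).get("email") == email]
    if not matches:
        raise LookupError(f"no kratos identity with email {email!r}")
    if len(matches) > 1:
        raise LookupError(f"{len(matches)} identities share {email!r}; "
                          "delete the stale one before updating postgres")
    return matches[0]


def build_update_sql(identity_id: str, email: str) -> str:
    """Build the users.auth_provider_id UPDATE as a single SQL statement.

    psql -c cannot bind parameters, so both values are validated before they
    are embedded as single-quoted string literals.
    """
    if not UUID_RE.fullmatch(identity_id):
        raise ValueError(f"identity id {identity_id!r} is not a UUID")
    if "'" in email or "\\" in email:
        raise ValueError("refusing to embed an e-mail containing quote characters")
    return (f"update users set auth_provider_id='{identity_id}' "
            f"where id in (select id from users where email='{email}');")
```

The returned statement is what step 5 passes to `psql -c`, so the checks run before anything touches the database.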