KBEC-00030 - Resetting the admin user's password - even if the current password is not known

Description

You might want to reset the admin password for a number of reasons:

  • After installing ElectricCommander, you want to lock down the system. Changing the admin password is the first task in locking down the system.
  • The admin user password may be lost.
  • An employee who knows the admin password has left the company, and it is a standard security policy to change all admin passwords for all accessible systems.

Solution

There are three scenarios, each with a different solution:

The current admin password is known

  1. Log in as admin
  2. Go to the Administration tab > Users subtab
  3. Edit the admin user
  4. Enter the current and new passwords

A non-admin user has modify privileges on the admin user object

  1. Log in as that user
  2. Go to the Administration tab > Users subtab
  3. Edit the admin user
  4. Enter the logged-in user’s password
  5. Enter the new admin password

The ACL inheritance hierarchy for users is Server -> Directory -> User. Typically, one or more users/groups have the modify privilege on the Server, so those users/groups can modify the admin user.

No user has modify privileges on the admin user

  1. Shut down the ElectricCommander server

  2. Log into the database directly and delete the admin user
    For example, in MySQL (for pre-v6.0 installs):

    mysql -D eflow -u root -pcommander -e "delete from ec_user where name = 'admin'"

    For the built-in MariaDB database (v8.3 or newer) use:

    /opt/electriccloud/electriccommander/mariadb/bin/mysql --socket=/opt/electriccloud/electriccommander/conf/mariadb/mariadb.sock -u root -pchangeme -D eflow -e "delete from ec_user where name = 'admin'"

  3. Restart the ElectricCommander server. The admin user is recreated with the default password ‘changeme’.

1 Comment

    Shaohua Wen

    After deleting the user and then reconnecting the Flow instance, the Flow server may get stuck because the id of the user has changed. For example, if a Release pipeline has an approval gate and "admin" has been assigned in that gate, then when we try to open the Release pipeline after the user has been re-created, the web UI will get stuck, and you will see a lot of DB WARN messages in commander.log like:

    2020-12-16T04:12:39.191 | WARN | pool-001-001 | 9729 | | getReleases tx.cleanupAfterThrowing | LoadContexts | HHH000100: Fail-safe cleanup (collections) : org.hibernate.engine.loading.internal.CollectionLoadContext@241fea3<rs=HikariProxyResultSet@301144572 wrapping com.mysql.jdbc.JDBC42ResultSet@47abbd54>
    2020-12-16T04:12:39.191 | WARN | pool-001-001 | 9729 | | getReleases tx.cleanupAfterThrowing | CollectionLoadContext | HHH000160: On CollectionLoadContext#cleanup, localLoadingCollectionKeys contained [1] entries
    2020-12-16T04:12:39.192 | DEBUG | pool-001-001 | 9729 | | getReleases | TransactionRetryAspectImpl | Retryable ObjectNotFoundException: 'No row with the given identifier exists: [com.electriccloud.domain.UserEntityImpl#56a5a95c-6406-11ea-8608-0242c2f38ffa]'

    The solution is:

    First, we should get the id of the original admin user using the SQL below (MySQL):

    select LOWER(CONCAT_WS('-', SUBSTR(HEX(id), 1, 8), SUBSTR(HEX(id), 9, 4), SUBSTR(HEX(id), 13, 4), SUBSTR(HEX(id), 17, 4), SUBSTR(HEX(id), 21))) as user_id,name from ec_user where name='admin'

    and record the id, for example: 56a5a95c-6406-11ea-8608-0242c2f38ffa, and convert it to a hex string: 0x56a5a95c640611ea86080242c2f38ffa

    Then:

    delete from ec_user where name = 'admin';

    and then reconnect Flow to this DB instance. After the admin user has been re-created, run:

    update ec_user set id=0x56a5a95c640611ea86080242c2f38ffa where name='admin'

    Edited by Shaohua Wen
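
An added example (not part of the article or the comment): a Python script that scans commander.log text for the ObjectNotFoundException records quoted in the comment above and reports each missing user id together with the 0x literal form used in the comment's UPDATE statement. The pipe-delimited field layout is assumed from the quoted lines, the function names are hypothetical, and the sample log is constructed from the excerpt.

```python
import re
import uuid

# Constructed sample: two records copied from the comment's excerpt plus one
# constructed repeat (different thread and timestamp) to show de-duplication.
SAMPLE_LOG = """\
2020-12-16T04:12:39.191 | WARN | pool-001-001 | 9729 | | getReleases tx.cleanupAfterThrowing | CollectionLoadContext | HHH000160: On CollectionLoadContext#cleanup, localLoadingCollectionKeys contained [1] entries
2020-12-16T04:12:39.192 | DEBUG | pool-001-001 | 9729 | | getReleases | TransactionRetryAspectImpl | Retryable ObjectNotFoundException: 'No row with the given identifier exists: [com.electriccloud.domain.UserEntityImpl#56a5a95c-6406-11ea-8608-0242c2f38ffa]'
2020-12-16T04:12:40.002 | DEBUG | pool-001-002 | 9730 | | getReleases | TransactionRetryAspectImpl | Retryable ObjectNotFoundException: 'No row with the given identifier exists: [com.electriccloud.domain.UserEntityImpl#56a5a95c-6406-11ea-8608-0242c2f38ffa]'
"""

# Message text of the record that names a user row that no longer exists.
MISSING_USER = re.compile(
    r"No row with the given identifier exists: "
    r"\[com\.electriccloud\.domain\.UserEntityImpl#([0-9A-Fa-f-]{36})\]"
)


def missing_user_ids(log_text):
    """Map each dangling user id to its count, first timestamp and operation."""
    found = {}
    for line in log_text.splitlines():
        # Assumed layout: time | level | thread | n | | operation | logger | message
        fields = [f.strip() for f in line.split("|", 7)]
        if len(fields) < 8:
            continue  # continuation line or unrelated text
        match = MISSING_USER.search(fields[7])
        if not match:
            continue
        try:
            user_id = str(uuid.UUID(match.group(1)))  # validates and lower-cases
        except ValueError:
            continue
        entry = found.setdefault(
            user_id, {"count": 0, "first_seen": fields[0], "operation": fields[5]}
        )
        entry["count"] += 1
    return found


def to_hex_literal(user_id):
    """Render a UUID as the 0x... form used in the comment's UPDATE statement."""
    return "0x" + uuid.UUID(user_id).hex


if __name__ == "__main__":
    for user_id, info in missing_user_ids(SAMPLE_LOG).items():
        print(user_id, to_hex_literal(user_id), info)
```

Any id it reports is a candidate for the original admin id, not a confirmation; the log only shows that some user row is missing.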