Skip to content

Change Admin Password

Overview#

There are times when default Gluu admin password need to be changed, for example rotating password for security reason.

Change admin password in oxTrust#

  1. Login to oxTrust UI as admin user (created during installation).
  2. Go to Users > Manage People sidebar menu, search for admin user in the form field. A list of matched users will be presented in a table.
  3. Click the admin UID in the results table.
  4. Scroll down and click Change Password button; a popup will be presented. Click Set password after password has been changed. If password successfully updated, the user will be logged out.

Update Kubernetes secrets#

Info

The following additional steps only applies in cloud-native installation.

Once admin password has been changed via oxTrust UI, the Kubernetes secrets need to be updated as well. See steps below on how to update the secrets:

  1. Change config.adminPass attribute in values.yaml for subsequential installs/upgrades using helm:

    config:
      # use same password that was updated in oxTrust
      adminPass: "newAdminPassword"
    
  2. Create new file update_admin_secrets.py with the following contents:

    from pygluu.containerlib import get_manager
    
    # get the value of `userPassword` attribute from `gluuPerson` table/objectClass/document in persistence
    encoded_oxtrust_admin_password = "<userPassword>"
    
    manager = get_manager()
    manager.secret.set("encoded_oxtrust_admin_password", encoded_oxtrust_admin_password)
    

    Note, the <userPassword> value is taken from userPassword attribute/column of gluuPerson table/document. Consult to persistence (MySQL/PostgreSQL/OpenDJ/Couchbase/Spanner) docs on how to get value of an attribute.

    Warning

    The following experimental update_admin_secrets.py script can be used to get userPassword attribute from persistence and save it into Kubernetes secrets. This may not work in older versions of Gluu cloud-native installation.

    import os
    
    from pygluu.containerlib import get_manager
    from pygluu.containerlib.persistence.couchbase import CouchbaseClient
    from pygluu.containerlib.persistence.couchbase import id_from_dn
    from pygluu.containerlib.persistence.couchbase import get_couchbase_password
    from pygluu.containerlib.persistence.ldap import LdapClient
    from pygluu.containerlib.persistence.spanner import SpannerClient
    from pygluu.containerlib.persistence.sql import SQLClient
    from pygluu.containerlib.persistence.sql import doc_id_from_dn
    from pygluu.containerlib.utils import ldap_encode
    
    encoded_oxtrust_admin_password = ""  # nosec: B105
    
    manager = get_manager()
    
    # get encoded_oxtrust_admin_password from persistence
    admin_inum = manager.config.get("admin_inum")
    dn = f"inum={admin_inum},ou=people,o=gluu"
    
    persistence_type = os.environ.get("GLUU_PERSISTENCE_TYPE", "ldap")
    
    if persistence_type == "sql":
        client = SQLClient()
        entry = client.get("gluuPerson", doc_id_from_dn(dn), column_names=["userPassword"])
        encoded_oxtrust_admin_password = entry["userPassword"]
    
    elif persistence_type == "spanner":
        client = SpannerClient()
        entry = client.get("gluuPerson", doc_id_from_dn(dn), column_names=["userPassword"])
        encoded_oxtrust_admin_password = entry["userPassword"]
    
    elif persistence_type == "couchbase":
        client = CouchbaseClient(
            os.environ["GLUU_COUCHBASE_URL"],
            os.environ["GLUU_COUCHBASE_USER"],
            get_couchbase_password(manager),
        )
        bucket_prefix = os.environ["GLUU_COUCHBASE_BUCKET_PREFIX"]
        bucket = f"{bucket_prefix}_user"
        id_ = id_from_dn(dn)
        req = client.exec_query(
            f"SELECT {bucket}.userPassword FROM {bucket} USE KEYS '{id_}'"  # nosec: B608
        )
        entry = req.json()["results"][0]
        encoded_oxtrust_admin_password = entry["userPassword"]
    
    # fallback to ldap
    else:
        client = LdapClient(manager)
        entry = client.get(dn, attributes=["userPassword"])
        encoded_oxtrust_admin_password = entry["userPassword"].raw_values[0].decode()
    
    # push the new encoded_oxtrust_admin_password value to secrets
    manager.secret.set("encoded_oxtrust_admin_password", encoded_oxtrust_admin_password)
    
  3. Copy the update_admin_secrets.py to a running pod and execute:

    kubectl -n $NAMESPACE cp update_admin_secrets.py $POD:/tmp/update_admin_secrets.py
    

    Run the script to update the secrets:

    kubectl -n $NAMESPACE exec $POD -- python3 /tmp/update_admin_secrets.py
    

    Warning

    To avoid unwanted updates, it's best to delete the update_admin_secrets.py script after password has been changed.

    kubectl -n $NAMESPACE exec $POD -- rm -f /tmp/update_admin_secrets.py