Change password for default user (admin/admin) #281

Open
grzanka opened this issue Oct 7, 2022 · 7 comments

grzanka commented Oct 7, 2022

SUMMARY

My request is related to the discussion in the following issue: #142
I was trying to secure a freshly created Grafana instance. Doing this using the web interface is simple: one needs to change the default password for the admin account. At first login, after typing the admin/admin credentials, you are asked to change the password to a secure one.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

I suspect it's the user management module.

ADDITIONAL INFORMATION

I would like to be able to secure a fresh Grafana instance.
There are a couple of ways of doing so.

The first one, which seems not to be working, is to change the password of the default user (admin/admin):

I've tried it using the following playbook:

  - name: Setup grafana instance
    hosts: all_hosts
    remote_user: opc
    collections:
      - community.grafana
    vars:
      - grafana_root_password: "{{ lookup('ansible.builtin.env', 'GRAFANA_ROOT_PASSWORD') }}"
  
    module_defaults:
      group/community.grafana.grafana:
        url: "http://localhost:3000"

    tasks:
      - name: Create new admin (using admin/admin credentials)
        grafana_user:
          url_username: admin
          url_password: admin
          name: "Aministrator"
          email: admin@{{ ansible_hostname }}
          login: root
          password: '{{ grafana_root_password }}'
          is_admin: true
          state: present
        register: result
      - debug:
          msg: "{{ result }}"

      - name: Change password for default admin
        grafana_user:
          url_username: admin
          url_password: admin
          name: "Default aministrator"
          email: admin@{{ ansible_hostname }}
          login: admin
          is_admin: true
          password: '{{ grafana_root_password }}'
          state: present
        register: result
      - debug:
          msg: "{{ result }}"

and running the command:

GRAFANA_ROOT_PASSWORD=xxxx ansible-playbook fast_grafana.yaml -i inventory.oci.yml

but this failed with:

(venv) ubuntu@shieldhitrunner:~/workspace/$ GRAFANA_ROOT_PASSWORD=XXX ansible-playbook fast_grafana.yaml -i inventory.oci.yml 
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details

PLAY [Setup grafana instance] **********************************************************************************************************************************************************************************

TASK [Gathering Facts] *****************************************************************************************************************************************************************************************
[WARNING]: Platform linux on host 130.61.85.231 is using the discovered Python interpreter at /usr/bin/python3.6, but future installation of another Python interpreter could change the meaning of that path.
See https://docs.ansible.com/ansible-core/2.13/reference_appendices/interpreter_discovery.html for more information.
ok: [130.61.85.231]

TASK [Create new admin (using admin/admin credentials)] ********************************************************************************************************************************************************
ok: [130.61.85.231]

TASK [debug] ***************************************************************************************************************************************************************************************************
ok: [130.61.85.231] => {
    "msg": {
        "changed": false,
        "failed": false,
        "user": {
            "authLabels": null,
            "avatarUrl": "",
            "createdAt": "2022-10-07T20:10:00Z",
            "email": "********@th",
            "id": 2,
            "isDisabled": false,
            "isExternal": false,
            "isGrafanaAdmin": true,
            "login": "root",
            "name": "Aministrator",
            "orgId": 1,
            "theme": "",
            "updatedAt": "2022-10-07T20:10:00Z"
        }
    }
}

TASK [Change password for default admin] ***********************************************************************************************************************************************************************
fatal: [130.61.85.231]: FAILED! => {"changed": false, "msg": "Permission Denied"}

grzanka commented Oct 7, 2022

Another option would be to create a new admin and delete the default one (with admin/admin credentials). Unfortunately, newly created admin users do not have rights to add data sources and import dashboards. Their role is 'Viewer' as seen here:

image

This is also consistent with discussion here: #142 (comment)

I would welcome any ideas on how to secure a newly created Grafana instance.


grzanka commented Oct 7, 2022

Currently I ran Grafana as a regular package installed via dnf on RHEL. The only workaround I see is to run Grafana 9 as a Docker container and use the following role to change the admin password:

      - name: Change admin password
        become: yes
        community.docker.docker_container_exec:
          container: grafana
          command: grafana-cli admin reset-admin-password {{ grafana_root_password }}
        register: result
      - debug:
          msg: "{{ result }}"


rrey commented Oct 7, 2022

Ping @pomverte if you have time to look at this


pomverte commented Oct 8, 2022

Could this feature request be answered with PR #242?


rrey commented Oct 8, 2022

@pomverte I don't think that relates.
Checking the integration tests and the code quickly, I don't think we support password updates at all in the module. It is a dedicated endpoint in Grafana and we won't be able to compare current and new value. Some trick will be required to deal with idempotency :/

Also, this looks like a bug. The admin user should be admin and not Viewer.

@grzanka can you provide the exact Grafana version?
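
Added example (not part of the thread and not code from community.grafana): one way to get an idempotent password change outside the module is to probe whether admin/admin is still accepted and call Grafana's dedicated `PUT /api/user/password` endpoint only when it is. It assumes basic auth is enabled on the instance, treats a 401 on the probe as "already rotated", and the variable name `grafana_url` is hypothetical.

```yaml
# Added example: rotate the default admin password only while admin/admin still works.
- name: Rotate the default Grafana admin password (idempotent)
  hosts: all_hosts
  vars:
    grafana_url: "http://localhost:3000"   # hypothetical variable; same URL as in the issue
    grafana_root_password: "{{ lookup('ansible.builtin.env', 'GRAFANA_ROOT_PASSWORD') }}"
  tasks:
    - name: Refuse to run with an empty or default replacement password
      ansible.builtin.assert:
        that:
          - grafana_root_password | length > 0
          - grafana_root_password != 'admin'
        quiet: true

    - name: Probe whether admin/admin is still accepted
      ansible.builtin.uri:
        url: "{{ grafana_url }}/api/user"
        url_username: admin
        url_password: admin
        force_basic_auth: true
        status_code: [200, 401]   # 401 means the default password is already gone
      register: default_login

    - name: Change the password through the dedicated endpoint
      ansible.builtin.uri:
        url: "{{ grafana_url }}/api/user/password"
        method: PUT
        url_username: admin
        url_password: admin
        force_basic_auth: true
        body_format: json
        body:
          oldPassword: admin
          newPassword: "{{ grafana_root_password }}"
        status_code: 200
      when: default_login.status == 200
      changed_when: true
      no_log: true   # keep the new password out of task output

    - name: Confirm the new password is accepted
      ansible.builtin.uri:
        url: "{{ grafana_url }}/api/user"
        url_username: admin
        url_password: "{{ grafana_root_password }}"
        force_basic_auth: true
        status_code: 200
      no_log: true
```

On a second run the probe returns 401, the change task is skipped, and the play reports no change.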


grzanka commented Oct 9, 2022

@rrey it's Grafana v9.1.7 (0cbb79298d), see:
image

I've created a new user using the following role:

    vars:
      - grafana_root_password: "{{ lookup('ansible.builtin.env', 'GRAFANA_ROOT_PASSWORD') }}"
  
    module_defaults:
      group/community.grafana.grafana:
        url: "http://localhost:3000"

    tasks:
      - name: Create new admin (using admin/admin credentials)
        grafana_user:
          url_username: admin
          url_password: admin
          name: "Aministrator"
          email: admin@{{ ansible_hostname }}
          login: root
          password: '{{ grafana_root_password }}'
          is_admin: true
          state: present
        register: result
      - debug:
          msg: "{{ result }}"


zerlok commented Nov 28, 2022

I'm facing the same issue, trying to configure Grafana in a Docker container.

I started a clean Grafana container:

$ docker-compose images grafana
Container           Repository          Tag                 Image Id            Size
srv_grafana_1       grafana/grafana     9.0.3               12a88d8bec9c        290MB

$ docker-compose ps grafana
NAME                COMMAND             SERVICE             STATUS              PORTS
srv_grafana_1       "/run.sh"           grafana             running             0.0.0.0:3000->3000/tcp, :::3000->3000/tcp

Then I'm trying to use the grafana_user module to change the admin default password to my password. The job finishes the work with success:

{
    "changed": true,
    "invocation": {
        "module_args": {
            "client_cert": null,
            "client_key": null,
            "email": "********@bar-tower",
            "grafana_url": "http://127.0.0.1:3000",
            "is_admin": true,
            "login": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "name": "Admin",
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "state": "present",
            "url": "http://127.0.0.1:3000",
            "url_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "url_username": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "use_proxy": true,
            "validate_certs": true
        }
    },
    "user": {
        "authLabels": null,
        "avatarUrl": "",
        "createdAt": "2022-11-28T21:23:10Z",
        "email": "********@bar-tower",
        "id": 1,
        "isDisabled": false,
        "isExternal": false,
        "isGrafanaAdmin": true,
        "login": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
        "name": "Admin",
        "orgId": 1,
        "theme": "",
        "updatedAt": "2022-11-28T21:23:18Z"
    }
}

Then I'm trying to log in with my password as the admin user - Grafana doesn't let me log in and tells me that I'm using the wrong password.

But when I enter the default password admin, it lets me in.

For now I have to use the shell module with the docker-compose run command to run grafana-cli admin reset-admin-password to avoid the issue.

P.S. On the second run the playbook tells me that the admin user update task state is not changed. But in fact, I still have to use the default password.

P.P.S. grafana-cli admin reset-admin-password works only with the --password-from-stdin argument for me. Otherwise the script finishes with OK, but the default admin password and my new password are not accepted by Grafana 🤷
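
Added example (not part of the thread): the container workaround from the earlier comment, reworked to pass the password with `--password-from-stdin` so it never appears in the process arguments, followed by checks that the reset took effect instead of trusting the command's OK. It assumes a container named `grafana` as in that comment and uses the `argv` and `stdin` options of `community.docker.docker_container_exec`; `grafana_url` is a hypothetical variable.

```yaml
# Added example: reset via grafana-cli on stdin, then verify against the HTTP API.
- name: Reset the Grafana admin password in the container and verify it
  hosts: all_hosts
  vars:
    grafana_url: "http://localhost:3000"   # hypothetical variable
    grafana_root_password: "{{ lookup('ansible.builtin.env', 'GRAFANA_ROOT_PASSWORD') }}"
  tasks:
    - name: Reset the admin password, fed on stdin instead of the command line
      become: true
      community.docker.docker_container_exec:
        container: grafana
        argv:
          - grafana-cli
          - admin
          - reset-admin-password
          - --password-from-stdin
        stdin: "{{ grafana_root_password }}"
      no_log: true   # the password is a task argument, keep it out of logs

    - name: Verify that the new password is accepted
      ansible.builtin.uri:
        url: "{{ grafana_url }}/api/user"
        url_username: admin
        url_password: "{{ grafana_root_password }}"
        force_basic_auth: true
        status_code: 200
      no_log: true

    - name: Verify that admin/admin is rejected
      ansible.builtin.uri:
        url: "{{ grafana_url }}/api/user"
        url_username: admin
        url_password: admin
        force_basic_auth: true
        status_code: 401   # a 200 here fails the play: the default still works
```

The exec task reports "changed" on every run, so the two verification tasks are what show whether the instance is actually secured.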
