Netflix / lemur-docker

Docker files for the Lemur certificate orchestration tool

Change user password #66

Open Jonesy22 opened 3 years ago

Jonesy22 commented 3 years ago

I know there is a ResetPassword() function in lemur-build-docker/lemur/lemur/manage.py, and in the main Lemur repo there is a command to run a password reset. But when running Lemur using the Dockerized version with docker-compose up, how can I reset the password for a given user?

(i.e. when Lemur is run WITHOUT Docker, using 'lemur start', I read that I can reset the password by running 'lemur reset_password -u username'. However, when I run 'docker-compose up', I do not know how to execute the same command.) Thanks in advance.

jtschladen commented 3 years ago

Hi @Jonesy22 - I haven't had time to spin up a Docker container today to test this out (nor have I confirmed the required parameters to run it), but I'd expect you could run it using a command similar to the following (using docker exec):

# use correct username/password/DB name; these are the default values
export SQLALCHEMY_DATABASE_URI="postgresql://lemur:12345@postgres:5432/lemur"

/opt/venv/bin/python3 /opt/lemur/lemur/manage.py --config=/home/lemur/.lemur/lemur.conf.py reset_password -u username

I took this from the Docker entrypoint, which uses the same syntax to invoke Lemur's init command.

Let me know how this works for you.

jtschladen commented 3 years ago

Also, in case you're not familiar with docker exec, you'd start with something like:

docker exec -it lemur-docker_lemur_1 bash

Which should get you into a shell on the Docker container in order to execute the command I mentioned above.

Jonesy22 commented 3 years ago

Thank you for your response. So I've exec'd into the container successfully, but when I try running the line in your first comment, it says /opt/venv/bin/python3: not found. I do not have /opt/venv/ in the lemur container, as opt/ only holds lemur/.

jtschladen commented 3 years ago

How did you start the container? It's been a while since I worked on this project but I'm pretty sure /opt/venv is a necessary directory; I wouldn't expect the container to be able to start successfully without it.

Jonesy22 commented 3 years ago

In one terminal I did docker-compose up. And then in a separate terminal I did the exec command, and then tried to run that reset password command.

jtschladen commented 3 years ago

When you run docker ps, does your lemur-docker_lemur_1 container indicate healthy? Are you able to access the UI at https://localhost:447/? I'm a bit baffled how you could be missing /opt/venv; it's used in the Dockerfile as well as in the entrypoint (unless loading from a dump file). If your container really doesn't have /opt/venv, I think that indicates something more fundamentally wrong with the container.

Jonesy22 commented 3 years ago

So after running a make clean and then make, it is rebuilt and I can now access /opt/venv. I executed the activate command in /opt/venv/bin by running source activate from that directory. Then when I tried to run lemur reset_password -u lemur, I got an error saying no such tables: users.

jtschladen commented 3 years ago

Sounds like you haven't initialized the Lemur DB yet. See the Database configuration section under the Configuration header in the README -- you probably want to run your containers in init mode once (but make sure you switch it back to blank after so the data isn't overwritten on the next boot).

Jonesy22 commented 3 years ago

Thank you for all your help. Ideally for my use, users would have accounts created for them by an admin, and then they can change their passwords on their own accounts. But this process doesn't seem to help me in that case. Essentially I want to have functionality in the PUT users/user_id API call to change the user's password, so it can be changed by 1 call. But it looks like this isn't implemented within Lemur unfortunately.

jtschladen commented 3 years ago

You can include the password on the initial user creation (POST /users), but unfortunately I agree that PUT users/user_id doesn't allow you to update the password. I think your original idea of using ResetPassword() would work, but it is obviously less convenient than an API since you have to be in the Lemur container to run it (and it's interactive, not a single call).

Feel free to propose a PR against Lemur if you'd like, though I must admit that I'm not sure if there's an intentional reason this functionality isn't included.
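
The docker exec route discussed in this thread, wrapped as a host-side helper with a check for the missing /opt/venv failure reported above (an added example, not code from lemur-docker or from the commenters). The container name, paths and SQLALCHEMY_DATABASE_URI are the ones quoted in the thread; the function names and the LEMUR_CONTAINER and DOCKER overrides are hypothetical.

```shell
#!/bin/sh
# Added example: run Lemur's reset_password from the host in one docker exec.
# Container name and paths are the values quoted in this thread.
CONTAINER="${LEMUR_CONTAINER:-lemur-docker_lemur_1}"   # hypothetical override
PYTHON=/opt/venv/bin/python3
MANAGE=/opt/lemur/lemur/manage.py
CONFIG=/home/lemur/.lemur/lemur.conf.py
DOCKER="${DOCKER:-docker}"   # hypothetical override, lets the checks run without Docker

# The username lands on a command line: accept a conservative character set
# and reject anything that could be read as an option.
valid_username() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Preflight for the first failure in the thread: a stale image without /opt/venv.
preflight() {
    "$DOCKER" exec "$CONTAINER" test -x "$PYTHON" || {
        echo "missing $PYTHON in $CONTAINER: rebuild the image (make clean; make)" >&2
        return 2
    }
}

reset_password() {
    valid_username "$1" || { echo "refusing username: $1" >&2; return 1; }
    [ -n "${SQLALCHEMY_DATABASE_URI:-}" ] || {
        echo "set SQLALCHEMY_DATABASE_URI first" >&2
        return 1
    }
    export SQLALCHEMY_DATABASE_URI
    preflight || return $?
    # A bare "-e NAME" copies the value from this shell's environment, so the
    # database password is not written into the docker command line.
    # -it is needed because reset_password prompts for the new password.
    "$DOCKER" exec -it -e SQLALCHEMY_DATABASE_URI "$CONTAINER" \
        "$PYTHON" "$MANAGE" --config="$CONFIG" reset_password -u "$1"
}
```

Source the file and call reset_password with the username; a "no such tables: users" error at that point means the database has not been initialized yet, as noted earlier in the thread.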