ronivay / XenOrchestraInstallerUpdater

Xen Orchestra install/update script
GNU General Public License v3.0

Default admin user and password are available again after the update #54

Closed toni-1 closed 3 years ago

toni-1 commented 3 years ago

It would be nice if this behavior could be switched off via the config file.

ronivay commented 3 years ago

Hi,

This shouldn’t happen as long as previous data (/var/lib/xo-server and redis data) is available. Can you explain your environment and the steps that lead you to this situation? And are you able to reproduce it?

toni-1 commented 3 years ago

Hi, system environment is Debian 10. Fresh installation with system tools and ssh.

I use your installation script with ./xo-install.sh --install

Then I create a user, assign the password and delete the default user admin@admin.net

After updating to a newer version with ./xo-install.sh --update the user admin@admin.net is available again.

Perhaps I shouldn't delete the user admin@admin.net, but rather assign a different password. I haven't tested that yet.

ronivay commented 3 years ago

Thanks. I’ll look into this.

toni-1 commented 3 years ago

Hi, I just tested it. If the default user admin@admin.net is still available and you set a password, then everything is ok. If the default user admin@admin.net has been deleted, it is available again after an update with the default password.

ronivay commented 3 years ago

I can't seem to reproduce this. Took one of the older branches from xen orchestra sources as base and ran fresh installation with it. Created additional admin user and deleted the default admin@admin.net. I then switched the branch to master and ran the update with xo-install.sh. Ended up with a new build and admin@admin.net wasn't recreated.

According to the Xen Orchestra source code, and specifically the dist/xo-mixins/subjects.js file, it shouldn't create the default user as long as the userdb exists:

      if (!(await usersDb.exists())) {
        const {
          email = 'admin@admin.net',
          password = 'admin'
        } = await XenStore.read('vm-data/admin-account').then(JSON.parse).catch(() => ({}));
        await this.createUser({
          email,
          password,
          permission: 'admin'
        });
        log.info(`Default user created: ${email} with password ${password}`);
      }

So this backs up the information I stated in the first response that as long as the /var/lib/xo-server/data exists and there are existing users, it should never be created.
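
An added example, not part of the thread or of either project's code: because the quoted snippet logs `Default user created: ...` only when the user database does not exist, that log message is a reliable marker that an account was seeded, and it also shows the password is written to the log in clear text. The helper name `findDefaultUserSeeding` is hypothetical, and the sample log lines (timestamps, logger names, second account) are constructed; only the message text comes from the snippet above.

```javascript
// Message text taken from the log.info() call quoted above. Whatever prefix
// the logger adds (timestamp, namespace, level) is ignored, not assumed.
const SEED_RE = /Default user created: (\S+) with password (.*)$/;

// Fallback values from the destructuring defaults in the quoted snippet.
const BUILTIN = { email: 'admin@admin.net', password: 'admin' };

// Hypothetical helper: scan xo-server log text for first-run user seeding.
function findDefaultUserSeeding(logText) {
  const findings = [];
  logText.split(/\r?\n/).forEach((line, i) => {
    const m = SEED_RE.exec(line);
    if (!m) return;
    const [, email, password] = m;
    findings.push({
      lineNumber: i + 1,
      email,
      // true: the well-known fallback pair was created and must be changed or
      // removed. false: values came from XenStore vm-data/admin-account, but
      // the password was still written to the log.
      builtinCredentials:
        email === BUILTIN.email && password === BUILTIN.password,
      // Copy of the line that is safe to forward to a ticket or alert.
      redacted: line.replace(
        SEED_RE,
        'Default user created: $1 with password [REDACTED]'
      ),
    });
  });
  return findings;
}

// Constructed sample log: prefixes and the second account are made up.
const SAMPLE_LOG = [
  '2021-01-10T08:00:01Z xo:main INFO Configuration loaded.',
  '2021-01-10T08:00:02Z xo:subjects INFO Default user created: admin@admin.net with password admin',
  '2021-01-10T08:00:03Z xo:main INFO Web server listening on port 80',
  '2021-02-01T09:30:00Z xo:subjects INFO Default user created: ops@example.test with password constructed-secret',
].join('\n');

for (const f of findDefaultUserSeeding(SAMPLE_LOG)) {
  const kind = f.builtinCredentials ? 'BUILT-IN DEFAULTS' : 'custom account';
  console.log(`line ${f.lineNumber}: ${kind}: ${f.redacted}`);
}
```

A hit after an update means the user database was missing at start-up, which is the condition described in the comment above, and the static installer banner alone does not indicate this.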

dsiminiuk commented 3 years ago

My installation still had the admin user provisioned but I had changed the password. When the build script runs you get this...

[info] Starting xo-server...
        WebUI started in port 80. Make sure you have firewall rules in place to allow access.
        Default username: admin@admin.net password: admin

and that's OK, except that the password is not the default.

So now I've deleted my admin user and I'll see what happens on the next build (cron.daily) and report.

ronivay commented 3 years ago

Okay. This explains it a bit more. Install and update tasks are essentially the same, so that output is static; it doesn’t mean that the admin user with the default password is there if you’ve run the update and have edited the default user. If it’s just the output, I can adjust it to be different when the update is run.

dsiminiuk commented 3 years ago

@ronivay Yes, that would be less ambiguous.

toni-1 commented 3 years ago

Hello, I have currently tested it again. Updated my version from yesterday and it didn't happen again. Maybe it was a mistake of mine and I would like to apologize for it. Please close the case.

ronivay commented 3 years ago

Okay, good to hear that it works as expected.

There is now different output if an update is being run, and no mention of the default username/password in that case.