Rock not updating admin id/secret correctly

Rock allows for administrators to change/update the admin log-in using the ROCK_HOME/conf/application.yml file. Following the steps described in Configuration — Rock documentation, I updated a server’s id/secret as follows:

I then restarted Rock with:

systemctl restart rock.service

When I went to log in from the Opal interface (HTTP through port 8080), the default admin login was no longer functional, mission accomplished. However, I could not log in to Opal with the id/secret you see in the image (notadmin/pwd) either.

Am I wrong in assuming that Rock controls the user log-ins for Opal? Something must have changed because the default admin log-in is now blocked off as I said.

Thanks in advance.

Hi,

You need to give Opal the new credentials to connect to Rock as an administrator.

In any case the Opal server restart is required (it should not be necessary when app credentials are updated, but there is a small issue that prevents updating the registered apps live (it is fixed but not released)).

Regards
Yannick

Ok, before I go and break anything;

If I change the variables from Opal and restart, will that propagate to Rock?

Or do I have to update and restart Opal and Rock separately?

When you change user/pwd in Rock, you restart Rock. Then you change the Opal config and you restart Opal. There is no “propagation”, that’s the idea of requiring Opal to authenticate itself against Rock.

Okay

  1. Update Rock config (security.users[0].id, security.users[0].secret)
  2. Restart Rock
  3. Update Opal config (rock.default.administrator.username, rock.default.administrator.password)
  4. Restart Opal

Still no luck, it’s not recognizing the updated credentials. Is there anything else I may have skipped here?

(bump), is there any other step besides updating rock and opal configs and restarting?

I have now tried setting both opal and rock to the default username/password (administrator, password) and still it won’t work. I’m fairly certain there is a third step here that I am missing. Any ideas?

I cannot reproduce your issue. It is hard to say without more info about your runtime environment.

Y.

First, I am running the components as separate services so no docker here.

I can try sending my files:

  • /usr/share/rock/conf/application.yml uses default values.
...
security:
  users:
    # administrator, can do all
    - id: administrator
      secret: password
      roles: administrator
...
  • /usr/share/opal/conf/opal-config.properties has the additional two lines at the end of the file:
...
rock.default.administrator.username=administrator
rock.default.administrator.password=password

Restarting rock, and then opal causes the default log-in to fail on the web UI.

Additional Info:

  • Ubuntu 20.04
  • Opal Version: 4.6.4
  • Rock Version: 1.0.16
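
The four-step procedure above only works if the two files agree, so here is a check for that, as an added example that is not part of any post in this thread and is not Opal or Rock project code. The function names and sample file contents are constructed for illustration, the reader handles only the `security.users` layout quoted above, and it assumes the Rock secret is stored in plain text as shown in the thread.

```python
DEFAULT_SECRET = "password"  # default secret quoted in the thread
# Constructed samples: Rock already changed, Opal still on the old values.
ROCK_YML = """security:
  users:
    # administrator, can do all
    - id: notadmin
      secret: pwd
      roles: administrator
"""
OPAL_PROPS = """rock.default.administrator.username=administrator
rock.default.administrator.password=password
"""

def rock_users(text):
    """Minimal reader for the security.users layout quoted in the thread."""
    users, base = [], None
    for raw in text.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if not line or line.startswith("#"):
            continue
        if base is None:
            base = indent if line == "users:" else None
            continue
        if indent <= base:
            break  # left the users block
        if line.startswith("- "):  # a new list entry starts
            users.append({})
            line = line[2:].strip()
        key, _, value = line.partition(":")
        if users:
            users[-1][key.strip()] = value.strip()
    return users

def opal_props(text):
    lines = [l for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#")]
    return {k.strip(): v.strip() for k, v in (l.split("=", 1) for l in lines)}

def check(rock_yml, opal_properties):
    """Return findings; secrets are compared but never echoed."""
    users, props = rock_users(rock_yml), opal_props(opal_properties)
    name, pwd = (props.get("rock.default.administrator." + k)
                 for k in ("username", "password"))
    user = next((u for u in users if u.get("id") == name), None)
    findings = [f"Rock user {u.get('id')!r} still has the default secret"
                for u in users if u.get("secret") == DEFAULT_SECRET]
    if user is None:
        findings.append(f"Opal connects as {name!r}, which Rock does not define")
    elif user.get("secret") != pwd:
        findings.append(f"Opal's password for {name!r} differs from Rock's secret")
    return findings
```

To run it against a server, pass the contents of `/usr/share/rock/conf/application.yml` and `/usr/share/opal/conf/opal-config.properties` to `check()`; an empty list means Opal's Rock credentials match a Rock user and no Rock user keeps the default secret.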

I do not understand the statement “opal causes the default log-in to fail on the web UI”

I meant going to address:8080/ui/index.html and attempting to log-in with administrator/password is failing.

Maybe you are aware of that, but this username/password is not for being used in the web interface; it is only for the opal application to be identified by the rock application. In the web interface you use credentials that are assigned to a user.

okay, but I’m saying that the default admin user is no longer able to log in.

This is after manually passing rock.default.administrator.username and rock.default.administrator.password to Opal.

There is absolutely no relationship between the two. Look at the logs to find any meaningful output.

Hmm…

So what file handles the users for Opal? Because I know the latest version of the docker-compose template lets you set the admin user/password? That must be targeting something

The user credentials of the admin are in the shiro.ini file, encrypted. For the other users, it depends on where they are defined…

Thx a lot again, Yannick.

After the conference last week you now know what this question is about :slight_smile:

Once I’m done patching the password variables in for the Ansible project I will be sure to make a proper announcement post on the forum.

Cheers!