User @markamind wonders if it’s possible to make a new/different default user. Can the default “admin” username be changed? If so what are the steps to change it?
I have found the -A attribute along with the --updb <name> flags but now I need to figure out how to assign / reset the password.
I was able to make a new admin using:
ziti edge create identity user Admin3 -A --updb thirdadmin
However, setting the password indicates it should work - and didn't.
ziti edge update authenticator updb --identity thirdadmin -n newadminpassword
error: no identities found with id or name thirdadmin
ziti edge update authenticator updb --identity Admin3 -p newadminpassword
error: incorrect number of results, expected 1, got 0
The identity definitely exists:
ziti edge list identities
...
..
id: rR4ERZuEJd name: Admin3 type: User role attributes: {}
...
There is only 1 default admin in the system and it cannot be deleted, but it can be edited via PUT/PATCH (including changing its name).
Other admins can be created, however.
An example CLI command would be:
ziti edge update identity -name "new name"
An example patch request through the API would be:
PATCH /edge/v1/management/identities/<id>
{
"name": "NewName!"
}
How can I change / set the password for the new users? It was unclear how I might log in with the new admin user I created.
The username isn't the same as identity name.
You were on the right track w/ ziti edge update authenticator updb. idOrName doesn't allow the usage of username.
As for the error you got on the second one, it is because you didn’t go through updb enrollment and you are trying to update a record that doesn’t exist.
Check out: ziti edge create authenticator updb -h
As shown above (and here), that’s why I tried it both ways to set the password and couldn’t… first one fails with ‘no identity found’, second one fails with incorrect results…
The only admin identity I’m allowed to update is the default admin.
ziti edge create identity user Admin3 -A --updb thirdadmin
New identity Admin3 created with id: 63nUC9a6HX
# try the id that **just** got created - failure
ziti edge update authenticator updb --identity 63nUC9a6HX -p newadminpassword
error: incorrect number of results, expected 1, got 0
# try the id by "updb" name passed - failure
ziti edge update authenticator updb --identity thirdadmin -p newadminpassword
error: no identities found with id or name thirdadmin
# try the id by "name" passed - failure
ziti edge update authenticator updb --identity Admin3 -p newadminpassword
error: incorrect number of results, expected 1, got 0
From what I can tell this is a bug. I AM able to update the “Default Admin” password this way - which I find very odd…
ziti edge update authenticator updb --identity 'Default Admin' -p this_is_totally_a_bug
GAH - I see you did a 'create' - I did an 'update'… That wasn't obvious at all but I think I get it now…
@markamind here’s the flow…
make a new identity that is an administrator
ziti edge create identity user NewAdmin -A --updb adminUserNameHere
create a ‘updb’ record for NewAdmin/adminUserNameHere
ziti edge create authenticator updb NewAdmin adminUserNameHere adminPasswordHere
make sure you can login as new admin user
ziti edge login -u adminUserNameHere
Using controller url: https://ec2-18-188-201-183.us-east-2.compute.amazonaws.com:8441/edge/management/v1 from identity 'default' in config file: /home/cd/.config/ziti/ziti-cli.json
Enter password:
Token: 60246137-f92f-4c84-8fe0-7ac05dff5649
Saving identity 'default' to /home/cd/.config/ziti/ziti-cli.json
delete the default admin updb - and prevent the ‘default admin’ from being able to login with user/pwd
ziti edge delete authenticator updb "admin"
@andrew.martinez - does this flow seem like the way it was intended? Any nuance or modifications necessary to that flow?
No additions - seems pretty sound.
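The flow above, wrapped in a script so it can be repeated safely. This is an added example, not code from the thread or from the OpenZiti project. It uses only the commands shown in the flow, plus the assumption that ziti edge login accepts -p for the password alongside -u; the identity name, updb username and "admin" (the default admin's updb username, as in the flow) are placeholders. The one thing it adds to the flow is an ordering guard: the default admin's updb authenticator is only deleted after a login as the new admin has actually succeeded, so a typo in the new password cannot lock every password login out of the controller.

```shell
#!/bin/sh
# Added example: rotate away from the built-in "Default Admin" with the ziti CLI.
# Assumes the ziti CLI is installed and already logged in as an admin.
# Names below are placeholders; the password is read from the environment so it
# does not end up in shell history (it is still an argument to ziti, as in the
# thread's own commands, so it is visible in the process table while ziti runs).
set -eu

# Step 1 of the flow: a new identity that is an administrator, with a updb username.
create_admin_identity() {
    # $1 = identity name, $2 = updb username
    ziti edge create identity user "$1" -A --updb "$2"
}

# Step 2: the updb record (username + password) for that identity.
create_admin_password() {
    # $1 = identity name, $2 = updb username, $3 = password
    ziti edge create authenticator updb "$1" "$2" "$3"
}

# Step 3: prove the new credentials work. Returns ziti's exit status.
# (-p is assumed; the thread only shows -u and an interactive prompt.)
verify_login() {
    # $1 = updb username, $2 = password
    ziti edge login -u "$1" -p "$2" >/dev/null 2>&1
}

# Step 4, guarded: only remove the default admin's updb authenticator once the
# new admin login has been verified; otherwise leave the default admin alone.
rotate_default_admin() {
    # $1 = identity name, $2 = updb username, $3 = password
    create_admin_identity "$1" "$2"
    create_admin_password "$1" "$2" "$3"
    if verify_login "$2" "$3"; then
        ziti edge delete authenticator updb "admin"
        echo "rotated: default admin updb removed; log in as $2 from now on"
        return 0
    fi
    echo "login as $2 failed; default admin left untouched" >&2
    return 1
}

# Only run the rotation when explicitly asked, so sourcing this file is harmless.
if [ "${ZITI_ROTATE_RUN:-0}" = "1" ]; then
    : "${ZITI_NEW_ADMIN_PASSWORD:?set ZITI_NEW_ADMIN_PASSWORD in the environment}"
    rotate_default_admin "NewAdmin" "adminUserNameHere" "$ZITI_NEW_ADMIN_PASSWORD"
fi
```

Run it with ZITI_NEW_ADMIN_PASSWORD set and ZITI_ROTATE_RUN=1. Because the login step switches the CLI's saved 'default' identity to the new admin (the thread's login output shows that save), the final delete is itself executed as the new admin, which is one more check that the new account really has admin rights.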
@jeremy.tellier - is the authenticator stuff to change/set a new user’s password in ZAC? I didn’t see it, but maybe I’m missing it?
Thanks @TheLumberjack and @andrew.martinez for the details.. very helpful.
In relation to the following approach... using the API instead of the command line..
PATCH /edge/v1/management/identities/
{
"name": "NewName!"
}
I noticed that there is a REST API for ZAC...
https://openziti.github.io/api/rest/index.html
I will also try using this approach.. something new to learn
When you use this REST API.. I am assuming you use Python to run and configure it .. I think I saw some doco somewhere.. but cannot seem to find it
Can you send through the link?
The URL you're referencing above is from the management API. That's the controller's API - not ZAC. ZAC is a node app that uses the controller's APIs.
You can use whatever language you’re comfortable with to explore the API. There’s no python doc for it. No doc at all other than the doc you’ll find at
FWIW I think there might be a bug where both links currently point to the same API reference. That’ll be fixed in an upcoming release if so
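The PATCH rename quoted above, sent with curl from a shell, as an added example that is not part of the thread. It assumes the controller base URL (the controller port, not ZAC's) in ZITI_CTRL, a CA bundle for the controller in ZITI_CA_CERT, and an API session token in ZITI_TOKEN sent in the zt-session header; the header name and the /edge/management/v1 base path (the one the docs URL above lives under) come from the management API as I know it, not from the thread. The identity id is a placeholder.

```shell
#!/bin/sh
# Added example: rename an identity via the controller's management API with curl.
# Assumed environment: ZITI_CTRL (e.g. https://controller.example:8441),
# ZITI_CA_CERT (controller CA bundle, so we can verify TLS instead of using -k),
# ZITI_TOKEN (API session token, sent as the zt-session header).
set -eu

# Build the PATCH body. Only the field being changed is sent; quotes and
# backslashes in the new name are escaped so the JSON stays valid.
patch_body() {
    # $1 = new identity name
    esc=$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf '{"name":"%s"}' "$esc"
}

# PATCH /edge/management/v1/identities/<id> with the new name.
rename_identity() {
    # $1 = identity id, $2 = new name
    curl --silent --show-error --fail \
        --cacert "$ZITI_CA_CERT" \
        -X PATCH "$ZITI_CTRL/edge/management/v1/identities/$1" \
        -H "zt-session: $ZITI_TOKEN" \
        -H 'Content-Type: application/json' \
        --data "$(patch_body "$2")"
}

# Example invocation, guarded so the file can be sourced without side effects:
#   ZITI_RENAME_RUN=1 sh rename.sh <identity-id> "NewName!"
if [ "${ZITI_RENAME_RUN:-0}" = "1" ]; then
    rename_identity "$1" "$2"
fi
```

Pinning the controller CA with --cacert rather than passing -k is the one choice worth calling out: the session token in zt-session is a bearer credential for an admin session, so the request should not be sent over an unverified TLS connection.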
Ahh.. got it now...
Interesting.. as it allows you to automate a lot of tasks at scale.
I am assuming you would then link this into an Ansible installation..
is this something you could do in an Open Ziti TV session?
We could get @andrew.martinez back again and tour the API sure (he’s usually the person I think of when asking questions about the edge APIs). Realistically it’s probably a lot bigger than a single ZitiTV but - sure. I could see that being a topic some day
PS… I tried to download the API specs… but was not successful
Cannot GET /edge/client/v1/docs
Cannot GET /edge/management/v1/docs
I needed to log into ZAC to authenticate first before I could open the URL
bizarre! hit mine for now… i wonder if it's due to the ip address / lack of dns… odd…
https://ec2-18-188-201-183.us-east-2.compute.amazonaws.com:8441/edge/client/v1/docs
https://ec2-18-188-201-183.us-east-2.compute.amazonaws.com:8441/edge/management/v1/docs
you’ll see that second one points back to ‘client’
Yeah. My OCI instance doesn’t work either… Well - another interesting bug to fix
BWAHAHAHAHAH… I figured it out… it’s not the ZAC port you use… It’s the controller port…
https://168.138.12.254:8441/edge/client/v1/docs
https://168.138.12.254:8441/edge/management/v1/docs [fixed a typo]
You can set a password in ZAC under your profile settings > Manage profile.