How-to create a new admin user

In looking through the docs and the forum I found a few 'how do I create a user' posts with no activity and one helpful one by @TheLumberjack. I took the liberty to write it up in a how-to doc. Here is the content of that doc in case anyone is looking for this info.

How-to Create an Admin User

The following how-to will create a user identity and a username and password record. This new user will be able to administrate your Ziti Controller from the terminal and from the Ziti Console. The steps that follow should be executed using the ziti executable.

Assumptions:

  • Our ziti controller hostname and port is ziti.mydomain.com:1280
  • Our ziti admin user's password is ThisIsNotYourPassword
  • Our new ziti admin's username is NewAdmin
  • Our new ziti admin's password is NewPassword
  • Please note that these commands may leave secrets in your terminal history; do not use the -p element if you do not want your password visible in the terminal. Also, please do not use any of these passwords in production; they are not suitable for use.

First, you must authenticate to your ziti controller.

The command to login is below.

Note that the -p ThisIsNotYourPassword argument will enter the password on the terminal. If you don't want the password to be visible, omit the -p ThisIsNotYourPassword element from your command and you will be prompted for your password. Alternatively, you might consider adding the following environment variable to hide commands that start with a space. Our example below will set this variable, or you can omit the line export HISTCONTROL=ignoreboth. All commands displaying passwords in this how-to will use this convention of starting with a single space.

export HISTCONTROL=ignoreboth
 ziti edge login ziti.mydomain.com:1280 -u admin -p ThisIsNotYourPassword

The output should look like this.

Token: 1302d3ca-968d-4419-89c3-e48e701b48c4
Saving identity 'default' to /Users/myuser/.ziti/ziti-cli.json

Make a New Identity that is an Administrator

The following command will create a new identity of the type user with the name NewAdmin with the rights of an administrator, as specified with the -A switch; we will set the enrollment type to updb (Username and Password DataBase) with the --updb switch and the corresponding key of NewAdmin.

ziti edge create identity user NewAdmin -A --updb NewAdmin

If the command is successful, the output will look like the following.

New identity NewAdmin created with id: JsBYmXzZt6

Now We Must Create the Corresponding updb Record

We will create an updb record for the newly created identity called NewAdmin with the actual username of NewAdmin and the password of NewPassword. It is important to note that the name created in the previous step is the name of the identity, and not the username and password. The command below will create the working username and password pair.

 ziti edge create authenticator updb NewAdmin NewAdmin NewPassword

If the command is successful, there will be no output.

Make Sure You Can Login as New Admin User

We will try to log in using the newly created updb keypair. We will, again, try to keep our terminal history clean by using the environment variable mentioned above and starting our command with a single space; alternatively you can omit the -p NewPassword part of the command and be prompted.

 ziti edge login ziti.mydomain.com:1280 -u NewAdmin -p NewPassword

Here is the output of our command.

Using controller url: https://ziti.mydomain.com:1280/edge/management/v1 from identity 'default' in config file: /home/myuser/.config/ziti/ziti-cli.json
Token: 60246137-f92f-4c84-8fe0-7ac05dff5649
Saving identity 'default' to /home/cd/.config/ziti/ziti-cli.json

We Can Now Delete the default admin Identity

Note that before proceeding with deletion of the default admin, please verify that you can log in to your Ziti Controller using your newly created admin account.

We can now delete the default admin account. This will delete the updb record and prevent that identity from logging in either via the Ziti Executable or the Ziti Console.

ziti edge delete authenticator updb "admin"

Troubleshooting

In my testing, I found it safer to delete resources by their ID and not their
name. I would first list all authenticators with the command below, find the
ID and delete it using the ID.

ziti edge list authenticators

In the output, I retrieved the ID for my updb entry.

╭────────────────────────┬────────┬─────────────┬────────────────────┬──────────────────────────────────────────┬───────╮
│ ID                     │ METHOD │ IDENTITY ID │ IDENTITY NAME      │ USERNAME/FINGERPRINT                     │ CA ID │
├────────────────────────┼────────┼─────────────┼────────────────────┼──────────────────────────────────────────┼───────┤
│ 5FgN5Ld6KmTXWJfXMyZ4Js │ updb   │ zes0bIzct   │ NewAdmin           │ NewAdmin                                 │       │
╰────────────────────────┴────────┴─────────────┴────────────────────┴──────────────────────────────────────────┴───────╯

I then deleted the record using its ID, instead.

ziti edge delete authenticator 5FgN5Ld6KmTXWJfXMyZ4Js

The output of the command is below.

delete of authenticator with id 5FgN5Ld6KmTXWJfXMyZ4Js: OK

Conclusion

Congratulations, you have now created a new admin account for your Ziti
Controller and eliminated the default admin account.
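The whole procedure above, wrapped into one script, as an added example that is not part of the original post and not code from the OpenZiti project. It assumes the ziti CLI and the controller address, usernames and table layout shown in the post; the DRY_RUN switch, the NEW_ADMIN_PASSWORD variable and the sample listing (including a constructed row for the default admin with a made-up ID) are the script's own inventions. It never uses -p, so no password reaches shell history; it proves the new admin can log in before anything is deleted; and it deletes the old authenticator by ID rather than by name, as the troubleshooting section recommends.

```sh
#!/bin/sh
# Added example, not from the original post or the OpenZiti project.
# Assumes the ziti CLI; defaults below are the post's values.
set -eu

ZITI_CTRL="${ZITI_CTRL:-ziti.mydomain.com:1280}"
OLD_ADMIN="${OLD_ADMIN:-admin}"
NEW_ADMIN="${NEW_ADMIN:-NewAdmin}"
DRY_RUN="${DRY_RUN:-0}"   # script's own switch: 1 = print commands only

# Run a ziti command, or only print it when DRY_RUN=1 so the flow can be
# reviewed without a controller. No -p flag is ever passed: `ziti edge login`
# prompts for the password when -p is omitted.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'would run: %s\n' "$*"
  else
    "$@"
  fi
}

# Take a secret from the named variable if set, otherwise prompt without echo.
# $1 = variable name, $2 = prompt text. Nothing here touches shell history.
read_secret() {
  eval "val=\${$1:-}"
  if [ -z "$val" ]; then
    printf '%s: ' "$2" >&2
    stty -echo 2>/dev/null || true
    read -r val
    stty echo 2>/dev/null || true
    printf '\n' >&2
  fi
  printf '%s' "$val"
}

# Pull the authenticator ID for one identity name out of the box-drawn table
# that `ziti edge list authenticators` prints (stdin). Only METHOD=updb rows
# count; border rows contain no '│' and are skipped because NF is 1.
extract_updb_id() {
  awk -F '│' -v name="$1" '
    NF >= 5 {
      id = $2; method = $3; ident = $5
      gsub(/^ +| +$/, "", id); gsub(/^ +| +$/, "", method); gsub(/^ +| +$/, "", ident)
      if (method == "updb" && ident == name) { print id; exit }
    }'
}

# Constructed sample of the listing: first row copied from the post, second
# row (the default admin, ID "cnstrctd0AdminAuthId00") made up for this example.
SAMPLE_LIST='╭────────────────────────┬────────┬─────────────┬────────────────────┬──────────────────────────────────────────┬───────╮
│ ID                     │ METHOD │ IDENTITY ID │ IDENTITY NAME      │ USERNAME/FINGERPRINT                     │ CA ID │
├────────────────────────┼────────┼─────────────┼────────────────────┼──────────────────────────────────────────┼───────┤
│ 5FgN5Ld6KmTXWJfXMyZ4Js │ updb   │ zes0bIzct   │ NewAdmin           │ NewAdmin                                 │       │
│ cnstrctd0AdminAuthId00 │ updb   │ ziti0admin  │ admin              │ admin                                    │       │
╰────────────────────────┴────────┴─────────────┴────────────────────┴──────────────────────────────────────────┴───────╯'

main() {
  new_pw="$(read_secret NEW_ADMIN_PASSWORD "Password for $NEW_ADMIN")"

  # 1. Authenticate as the existing admin (password prompted, not on the command line).
  run ziti edge login "$ZITI_CTRL" -u "$OLD_ADMIN"

  # 2. Create the admin identity and its updb username/password record.
  #    The password is still a process argument here, exactly as in the post's
  #    own command; it is just kept out of the interactive shell's history.
  run ziti edge create identity user "$NEW_ADMIN" -A --updb "$NEW_ADMIN"
  run ziti edge create authenticator updb "$NEW_ADMIN" "$NEW_ADMIN" "$new_pw"

  # 3. Prove the new admin works before touching the old account.
  run ziti edge login "$ZITI_CTRL" -u "$NEW_ADMIN"

  # 4. Delete the old admin's updb authenticator by ID, not by name.
  old_id="$(run ziti edge list authenticators | extract_updb_id "$OLD_ADMIN")"
  if [ -z "$old_id" ]; then
    echo "no updb authenticator found for '$OLD_ADMIN'; nothing deleted" >&2
    return 0
  fi
  run ziti edge delete authenticator "$old_id"
}

# Only act when invoked as `sh rotate-admin.sh run`; sourcing the file just
# defines the functions.
case "${1:-}" in run) main ;; esac
```

Run it with DRY_RUN=1 first (sh rotate-admin.sh run) to see the exact commands it would issue; the deletion step is skipped in that mode because there is no real listing to parse. The parser is deliberately strict about the METHOD column so a cert authenticator belonging to the same identity is never deleted by mistake.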

If your goal is to change the default admin's password there's a way to do that not requiring a new identity (link to doc):

ziti edge update authenticator updb --identity admin -p <newPassword>

If your goal is to enable cert authentication for the admin the easiest way is to create a new admin and enroll the identity (get a client cert). You need to say --admin in ziti edge create identity device --admin to grant the admin privilege.


It was more along the lines of creating new user identities. I couldn't find where the relationship between the authenticators and identities were. I personally find I learn more about something by writing an article about it, even if it turns out my hypothesis is wrong.

I hope to add some admins to my console as I go. So adding an additional admin was my success criteria. I added the deletion of an identity/authority to complete the howto.

I haven't even gotten to what cert authentication of a device will do for me yet :wink:

^ the comments here give a partial, illustrative example and description of cert-based authentication and how to create a cert authenticator
