How to change admin user password

Hi @Rich,

Thanks for all your help. I’ve just discovered an issue, although, I’m not sure if it’s my installation or not. Probably

It seems as though if I try to change the password for admin, everything breaks. Also there are some strange behaviours when I attempt to create accounts too. For the admin password issue, the following error seems to be generated. Please can you tell help?

Rgds,

Mark

2021-05-03 14:04:27.972 INFO [WebService task-5 ] emote.container.web.OAuthFilter.PROTOCOL : OAuth token refresh failed, trying a full authentication
2021-05-03 14:04:28.275 WARNING [WebService task-5 ] emote.container.web.OAuthFilter.PROTOCOL : OAuth server response error: 401
2021-05-03 14:04:28.283 INFO [WebService task-5 ] security.ManagerKeycloakIdentityProvider : Failed to get tenant for realm: master
javax.ws.rs.ProcessingException: java.lang.RuntimeException: OAuth server response error: 401
at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.filterRequest(ClientInvocation.java:596)
at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:444)
at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invokeSync(ClientInvoker.java:152)
at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:115)
at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
at com.sun.proxy.$Proxy116.toRepresentation(Unknown Source)
at org.openremote.manager.security.ManagerKeycloakIdentityProvider.getTenant(ManagerKeycloakIdentityProvider.java:437)
at org.openremote.manager.web.ManagerWebResource.getRequestTenant(ManagerWebResource.java:46)
at org.openremote.manager.asset.console.ConsoleResourceImpl.register(ConsoleResourceImpl.java:84)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:138)
at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:546)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:435)
at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:396)
at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:398)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:365)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:338)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:440)
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229)
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135)
at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:245)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:61)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.keycloak.adapters.undertow.UndertowAuthenticatedActionsHandler.handleRequest(UndertowAuthenticatedActionsHandler.java:66)
at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
at io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:387)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:841)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:2019)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1558)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1449)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.RuntimeException: OAuth server response error: 401
at org.openremote.container.web.OAuthFilter.updateToken(OAuthFilter.java:105)
at org.openremote.container.web.OAuthFilter.updateToken(OAuthFilter.java:93)
at org.openremote.container.web.OAuthFilter.getAccessToken(OAuthFilter.java:74)
at org.openremote.container.web.OAuthFilter.getAuthHeader(OAuthFilter.java:60)
at org.openremote.container.web.OAuthFilter.filter(OAuthFilter.java:143)
at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.filterRequest(ClientInvocation.java:583)

Hi,

Internally the OpenRemote Manager uses the admin user credentials to communicate directly with Keycloak; there is an environment variable called SETUP_ADMIN_PASSWORD which the Manager uses to authenticate with Keycloak so if you change the admin password you will need to update this environment variable and recreate the containers.

You’ll need to make sure this environment variable is defined in your docker compose profile by adding this to the manager:environment section:

SETUP_ADMIN_PASSWORD: ${SETUP_ADMIN_PASSWORD:-secret}

You’ll then have to recreate the containers and specify the password you have set for the admin user:

docker-compose down
SETUP_ADMIN_PASSWORD=... docker-compose up

Provided you don’t delete the postgresql-data volume you won’t lose any data. We need to look at a way of making it easier to alter the super user credentials.

Thanks @Rich. I’ll give that a go, and see if that resolves my user creation issue too. I think I changed the admin password, then tried to create new accounts, and that’s when it all went pear shaped

@Rich what about creating a separate unknown account specifically for keycloak admin, which is unknown to the user and not accessible, and perhaps generated on first time running and setting up the environment, then been the gui and other logins separate from that? Maybe that’s too simplistic?

This is very much along the lines of what I was thinking

Doesn’t protect against a user logging into Keycloak admin UI and breaking things but would allow changing admin user credentials just like any other user.

Hi @Rich,
So I’ve failed miserably to get this working.

Any chance you could provide some more detailed instructions please?

Rgds,

Mark

Hi @Rich - sorry to chase, but is it possible to have more detailed steps as I cannot get it working.
Thanks in advance.

Hi,

I’ve looked into this and made an update to the demo docker-compose.yml file in the repo:

https://github.com/openremote/openremote/blob/master/docker-compose.yml

To run a fresh install with a custom admin password is just a matter of:

SETUP_ADMIN_PASSWORD=newsecret docker-compose -p openremote up -d

Until the changes discussed earlier in this thread are implemented, If you really want to change the admin password of a running system then as well as changing it in the Manager UI do the following:

docker-compose -p openremote stop
SETUP_ADMIN_PASSWORD=newsecret docker-compose -p openremote up -d

This will recreate the manager container with the new environment variable value whilst preserving the postgresql container and associated anonymous volume (which is where persisted data resides).

Thanks @Rich all working now.

It is now possible to change the admin user password in the Manager UI without breaking your instance.

Hi everyone. I experienced this exact issue after changing admin password from the web interface.
Is it still possible to do? Once changed, cannot add realms or users etc. Changed it back and all went well.