Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 335699

Summary: [admin] Need to create an admin account in the user storage
Product: [ECD] Orion Reporter: Szymon Brandys <Szymon.Brandys>
Component: ClientAssignee: Szymon Brandys <Szymon.Brandys>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: P3 CC: john.arthorne
Version: 0.2   
Target Milestone: 0.2   
Hardware: PC   
OS: Windows XP   
Whiteboard:

Description Szymon Brandys CLA 2011-01-28 10:59:44 EST 
We may configure Orion to let only admins to create new accounts. It means we need to have the admin account created when Orion starts the first time.

So, if Orion starts the first time, 'admin' account is created with password passed with a system property 'orion.storage.admin.default.password'. If the property is not used, the password is set to 'admin'. Since the user storage is not aware of user access rights, we need to edit Users.prefs manually and add rights to use '/users/*' URLs.

During M6, 'admin' account will have Admin role set and roles will be respected in our Authorization service.
Comment 1 Szymon Brandys CLA 2011-01-28 11:15:00 EST 
On second thought I decided to create the 'admin' account ONLY IF the property 'orion.storage.admin.default.password' is set. If it is not set, the 'admin' account is not created.
Comment 2 Szymon Brandys CLA 2011-01-28 11:20:56 EST 
Fixed.
Comment 3 John Arthorne CLA 2011-01-28 11:30:38 EST 
(In reply to comment #1)
> On second thought I decided to create the 'admin' account ONLY IF the property
> 'orion.storage.admin.default.password' is set. If it is not set, the 'admin'
> account is not created.

+1
Comment 4 John Arthorne CLA 2011-01-28 14:14:02 EST 
There seems to be a missing piece here. If I set the system property, the admin account gets created but it doesn't have permission to manage users. I had to add the following when creating the admin user:

				AuthorizationService.addUserRight(ADMIN_LOGIN_VALUE, UserServlet.USERS_URI);
				AuthorizationService.addUserRight(ADMIN_LOGIN_VALUE, UserServlet.USERS_URI+"/*"); //$NON-NLS-1$

Once I make this change, the administrator is allowed to visit:

http://localhost:8080/manage-users.html

And from here can see all users, delete users, etc.
Comment 5 John Arthorne CLA 2011-01-28 15:11:19 EST 
I have pushed this change for M5. Unless I am missing something, the administrator can't do anything without this change.
Comment 6 Szymon Brandys CLA 2011-01-28 18:59:20 EST 
(In reply to comment #5)
> I have pushed this change for M5. Unless I am missing something, the
> administrator can't do anything without this change.

As wrote in comment 0:
"Since the user storage is not aware of user access rights, we need to edit Users.prefs manually and add rights to use '/users/*' URLs.
During M6, 'admin' account will have Admin role set and roles will be respected in our Authorization service."

So your change is good for M5, but will be reverted during M6 and Admin role will be added instead to newly created admin account.