Creating an Admin

Several interactions with BOMnipotent require a user with admin rights. One of these is granting a new user admin rights. This means that some kind of bootstrapping mechanism is required.

Step 1: Create User

First, you will need to create a user account :

bomnipotent_client --domain=bomnipotent_server_of_your_choice user request admin@example.com

bomnipotent_client -d bomnipotent_server_of_your_choice user request admin@example.com

[INFO] Generating new key pair
[INFO] Storing secret key to "/root/.config/bomnipotent/secret_key.pem" and public key to "/root/.config/bomnipotent/public_key.pem"
[INFO] User request submitted. A verification email has been sent to your inbox. The verification link expires after 1h.

Once you have verified your email address, it will show up in the logs:

docker logs bomnipotent_server -n 2

[INFO] Received GET request from 172.20.0.4 to /user/verify
[INFO] Email verification successful for admin@example.com

To make things a litle less verbose, let’s store the domain of your server and your email address in a user session :

bomnipotent_client --domain=bomnipotent_server_of_your_choice --user=admin@example.com session login

bomnipotent_client -d bomnipotent_server_of_your_choice -u admin@example.com session login

[INFO] Storing session data in /root/.config/bomnipotent/session.toml

Step 2: Mark User as TMP Admin

Due to security reasons, the user needs to already exist in the database at this point. Otherwise, a malicious actor could anticipate the email address you use for your admin, and make their own request at an opportune time. To prevent this, the tmp admin mechanism blocks all requests to newly add this particular user to the database.

Next, you will become the user manager that was mentioned in the server reply: Log onto your server machine, and in your server configuration file prepend

tmp_admin = "admin@example.com"

It is important to add this line at the beginning of the file, otherwise BOMnipotent might try to interpret this field as part of another section.

Your server logs should now show that the configuration has been reloaded, in addition to the user request you made earlier.

Step 3: Make User a full Admin

The server now treats authenticated requests from that user as if that user was an admin. To become a permanent admin, you first need to approve your user request. Back on the client, call

bomnipotent_client user approve admin@example.com

[INFO] Changed status of admin@example.com to APPROVED

Now you can make yourself a full server admin:

bomnipotent_client user-role add admin@example.com admin

[INFO] Added role to user

Step 4: Remove TMP Admin Mark

The stat of being a temporary admin is intended to be, well, temporary. The server logs a warning whenever you use temporary access rights:

docker logs bomnipotent_server -n 4

[INFO] Received POST request from admin@example.com to /user/admin%40example.com/roles
[WARN] Temporary admin functionality is enabled for admin@example.com
[INFO] User admin@example.com was authenticated as a temporary admin
[INFO] Temporary admin "admin@example.com" has permission USER_MANAGEMENT to perform this action.

But now that you have successfully made yourself a permanent admin, you can and should remove the “tmp_admin” field from the configuration file again.

You are now ready to activate your subscription .