Creating an Admin
Several interactions with BOMnipotent require a user with admin rights. One of these is granting a new user admin rights. This means that some kind of bootstrapping mechanism is required.
Step 1: Create User
First, you will need to create a user account (the command is shown first with the long option, then with the short one):
bomnipotent_client --domain=bomnipotent_server_of_your_choice user request admin@example.com
bomnipotent_client -d bomnipotent_server_of_your_choice user request admin@example.com
[INFO] Generating new key pair
[INFO] Storing secret key to "/root/.config/bomnipotent/secret_key.pem" and public key to "/root/.config/bomnipotent/public_key.pem"
[INFO] User request submitted. A verification email has been sent to your inbox. The verification link expires after 1h.
Once you have verified your email address, it will show up in the logs:
docker logs bomnipotent_server -n 2
[INFO] Received GET request from 172.20.0.4 to /user/verify
[INFO] Email verification successful for admin@example.com
To make things a little less verbose, let’s store the domain of your server and your email address in a user session (again shown with long, then short options):
bomnipotent_client --domain=bomnipotent_server_of_your_choice --user=admin@example.com session login
bomnipotent_client -d bomnipotent_server_of_your_choice -u admin@example.com session login
[INFO] Storing session data in /root/.config/bomnipotent/session.toml
Step 2: Mark User as TMP Admin
For security reasons, the user needs to already exist in the database at this point. Otherwise, a malicious actor could anticipate the email address you use for your admin, and make their own request at an opportune time. To prevent this, the tmp admin mechanism blocks all requests to newly add this particular user to the database.
Next, you will become the user manager that was mentioned in the server reply: log on to your server machine, and in your server configuration file prepend
tmp_admin = "admin@example.com"
It is important to add this line at the beginning of the file, otherwise BOMnipotent might try to interpret this field as part of another section.
Your server logs should now show that the configuration has been reloaded, in addition to the user request you made earlier.
Step 3: Make User a full Admin
The server now treats authenticated requests from that user as if that user were an admin. To become a permanent admin, you first need to approve your user request. Back on the client, call
bomnipotent_client user approve admin@example.com
[INFO] Changed status of admin@example.com to APPROVED
Now you can make yourself a full server admin:
bomnipotent_client user-role add admin@example.com admin
[INFO] Added role to user
Step 4: Remove TMP Admin Mark
The status of being a temporary admin is intended to be, well, temporary. The server logs a warning whenever you use temporary access rights:
docker logs bomnipotent_server -n 4
[INFO] Received POST request from admin@example.com to /user/admin%40example.com/roles
[WARN] Temporary admin functionality is enabled for admin@example.com
[INFO] User admin@example.com was authenticated as a temporary admin
[INFO] Temporary admin "admin@example.com" has permission USER_MANAGEMENT to perform this action.
But now that you have successfully made yourself a permanent admin, you can and should remove the “tmp_admin” field from the configuration file again.
You are now ready to activate your subscription.