MrKalzu/kalzu-value-store
1
0
Fork 0
forked from ryyst/kalzu-value-store
Code Pull Requests Activity
Files
32b347f1fd0e07364e295b7b198058ecb56c5272
kalzu-value-store/issues/3.md
ryyst 3aff0ab5ef feat: implement issue #3 - autogenerated root account for initial setup 
- Add HasUsers() method to AuthService to check for existing users
- Add setupRootAccount() logic that only triggers when:
  - No users exist in database AND no seed nodes are configured
  - AuthEnabled is true (respects feature toggle)
- Create root user with UUID, admin group, and comprehensive scopes
- Generate 24-hour JWT token with full administrative permissions
- Display token prominently on console for initial setup
- Prevent duplicate root account creation on subsequent starts
- Skip root account creation in cluster mode (with seed nodes)

Root account includes all administrative scopes:
- admin:users:*, admin:groups:*, admin:tokens:*
- Standard read/write/delete permissions

This resolves the bootstrap problem for authentication-enabled deployments
and provides secure initial access for administrative operations.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-21 00:06:31 +03:00

71 lines
2.4 KiB
Markdown
Raw Blame History

# Issue #3: Implement Autogenerated Root Account for Initial Setup
**Status:****COMPLETED**
**Author:** MrKalzu
**Created:** 2025-09-12 22:17:12 +03:00
**Repository:** https://git.rauhala.info/ryyst/kalzu-value-store/issues/3
## Problem Statement
The KVS server lacks a mechanism to create an initial administrative user when starting with an empty database and no seed nodes. This makes it impossible to interact with authentication-protected endpoints during initial setup.
## Current Challenge
- Empty database + no seed nodes = no way to authenticate
- No existing users means no way to create API tokens
- Authentication-protected endpoints become inaccessible
- Manual database seeding required for initial setup
## Proposed Solution
### 1. Detection Logic
- Detect empty database condition
- Verify no seed nodes are configured
- Only trigger on initial startup with empty state
### 2. Root Account Generation
Create a default "root" user with:
- **Server-generated UUID**
- **Hashed nickname** (e.g., "root")
- **Assigned to default "admin" group**
- **Full administrative privileges**
### 3. API Token Creation
- Generate API token with administrative scopes
- Include all necessary permissions for initial setup
- Set reasonable expiration time
### 4. Secure Token Distribution
- **Securely log the token to console** (one-time display)
- **Persist user and token in BadgerDB**
- **Clear token from memory after logging**
## Implementation Details
### Relevant Code Sections
- `NewServer` function - Add initialization logic
- `User`, `Group`, `APIToken` structs - Use existing data structures
- Hashing and storage key functions - Leverage existing auth system
### Proposed Changes (from MrKalzu's comment)
- **Added `HasUsers() (bool, error)`** to `auth/auth.go`
- **Added "Initial root account setup for empty DB with no seeds"** to `server/server.go`
- **Diff file attached** with implementation details
## Security Considerations
- Token should be displayed only once during startup
- Token should have reasonable expiration
- Root account should be clearly identified in logs
- Consider forcing password change on first use (future enhancement)
## Benefits
- Enables zero-configuration initial setup
- Provides secure bootstrap process
- Eliminates manual database seeding
- Supports automated deployment scenarios
## Dependencies
This issue blocks **Issue #4** (securing administrative endpoints), as it provides the mechanism for initial administrative access.
View Git Blame Copy Permalink