Skip to:

  1. Skip to Jira Navigation
  2. Skip to Side Navigation
  3. Skip to Main Content

Changing admin password after pmm-agent is registered on PMM Server

Description

User impact:

User can get locked out of pmm

Steps to reproduce:

Start PMM docker server
Register pmm-agent

sudo pmm-admin config --server-url=https://admin:admin@IP --server-insecure-tls

Change admin password with change-admin-password

docker exec -t pmm-server change-admin-password newnew1

Log out of PMM and try to login with admin/newnew1

Actual result:

Invalid username or password

Expected result:

Login successful

Workaround:

 

Details:

Also getting "Please check username and password" when trying to change password again and re-registering agent with the new password

How to test

Reproduce steps described above.

How to document

None

Attachments

1
  • 14 Jul 2022, 11:52 AM

causes

Confluence content

mentioned on

Smart Checklist

hide

Activity

Show:

Rishat Ishbulatov January 30, 2023 at 10:49 AM

I would like to mention that in this implementation you can only use api keys, the support of which is implemented in our fork of grafana, but switching api keys to service tokens is not implemented.

Rishat Ishbulatov December 15, 2022 at 3:59 PM

After agreement in the slack, it was decided to implement only 3 point without intermediate transitions.

Rishat Ishbulatov November 30, 2022 at 3:31 PM
Edited

So the solution is:
1. As a temporary solution, turn off brute force in the default grafana config.

# disable protection against brute force login attempts disable_brute_force_login_protection = false

2. Update change-admin-password script with warn users that they will also need to reconfigure agents with stale data.

3. Expand node registering service to send api_key as login and api token as password to store this fields as username and password in vmagent configuration file.

Denys Kondratenko November 22, 2022 at 3:22 PM

is this known issue that user needs to change agents passwords as well, and/or use tokens instead ?

Rishat Ishbulatov November 21, 2022 at 3:37 PM
Edited

About where it happens. We have a grafana client. And here we could add some validation logic regarding outdated or not existent agents data. And we could probably use grafana service tokens for vmagent auth configuration.

Done

Details

Assignee

Reporter

Priority

Labels

Needs QA

Yes

Needs Doc

No

Planned Version/s

Fix versions

Story Points

Affects versions

Smart Checklist Progress

Smart Checklist

Created July 14, 2022 at 11:27 AM
Updated August 8, 2024 at 5:00 AM
Resolved February 27, 2023 at 1:13 PM
Configure

Flag notifications