When the system first initializes it creates a system service account (invisible to users) and an administrator account (admin) with a single administrator user (admin). The password for this user is set at bootstrap using a default value or an override available in the config.yaml on the catalog service (which is what initializes the db). There are two top-level keys in the config.yaml that control this bootstrap:
default_admin_password - Sets the initial password (it can be updated via the API once the system is bootstrapped). Defaults to foobar if omitted or unset.
default_admin_email - Sets the initial admin account email on bootstrap. Defaults to [email protected] if unset.
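Because the bootstrap falls back to the documented default password when the key is omitted, it is worth checking the catalog service's config.yaml before the database is first initialized. The following is an added example, not part of the Anchore documentation: a POSIX shell check that reads the top-level default_admin_password key and fails if it is missing or still "foobar". The three sample config files it writes are constructed for the example; the admin email values in them are placeholders.

```shell
#!/bin/sh
# Added example (not from the Anchore documentation): pre-flight check of the
# catalog service's config.yaml so the admin user is never bootstrapped with
# the documented default password "foobar". The sample files below are
# constructed; point the function at your real config.yaml instead.

# Return 0 if default_admin_password is set to something other than "foobar",
# return 1 (with the reason on stderr) otherwise.
check_bootstrap_password() {
  cfg="$1"
  # Only the top-level key counts (column 0); a nested key of the same name
  # would be indented. Surrounding quotes, if any, are stripped.
  pw=$(sed -n 's/^default_admin_password:[[:space:]]*//p' "$cfg" \
        | head -n 1 | sed "s/^['\"]//; s/['\"]$//")
  if [ -z "$pw" ]; then
    echo "$cfg: default_admin_password unset or empty; bootstrap would use 'foobar'" >&2
    return 1
  fi
  if [ "$pw" = "foobar" ]; then
    echo "$cfg: default_admin_password is the documented default 'foobar'" >&2
    return 1
  fi
  return 0
}

# Constructed sample configs covering the three cases.
tmp=${TMPDIR:-/tmp}
cat > "$tmp/anchore_cfg_unset.yaml" <<'EOF'
# key omitted entirely: the system falls back to the default password
default_admin_email: admin@example.invalid
EOF

cat > "$tmp/anchore_cfg_default.yaml" <<'EOF'
default_admin_password: "foobar"
default_admin_email: admin@example.invalid
EOF

cat > "$tmp/anchore_cfg_ok.yaml" <<'EOF'
default_admin_password: 'Xk7!pLq9-mW2-constructed'
default_admin_email: admin@example.invalid
EOF

# Report each file's status without aborting on the first failure.
for f in unset default ok; do
  if check_bootstrap_password "$tmp/anchore_cfg_$f.yaml"; then
    echo "$f: OK"
  else
    echo "$f: FIX BEFORE BOOTSTRAP"
  fi
done
```

Run the function against the catalog service's config.yaml as part of your deployment pipeline; a non-zero exit means the admin password must be overridden (in the file, or through whatever mechanism your deployment uses to fill that key) before the service initializes the database.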
These operations must be executed by a user in the admin account. These examples are executed from within the engine-api container if using the quickstart guide:
Exec into the engine-api container if using the quickstart docker-compose. For other deployment types (e.g. a helm chart into kubernetes), execute these commands anywhere you have the Anchore CLI installed that can reach the external API endpoint for your deployment.
docker-compose exec engine-api /bin/bash
anchore-cli account whoami
Username: admin
AccountName: admin
AccountEmail: [email protected]
AccountType: admin
This shows the username and enclosing account of the requester. In this case, the admin user of the admin account.
anchore-cli account add account1 --email [email protected]
Name: account1
Email: [email protected]
Type: user
State: enabled
Created: 2018-11-05T23:23:55Z
Note that the email address is optional and can be omitted.
At this point the account exists but contains no users. To create a user with a password, see below in the Managing Users section.
Disabling an account prevents any of that account's users from performing any actions in the system. It also disables all asynchronous updates on resources in that account, effectively freezing the state of the account and all of its resources. Disabling an account is idempotent: if it is already disabled the operation has no effect. Accounts may be re-enabled after being disabled.
anchore-cli account disable account1
Success
To restore a disabled account so that user operations and resource updates are allowed again, simply enable it. This is idempotent: enabling an already enabled account has no effect.
anchore-cli account enable account1
Success
Note: Deleting an account is irreversible and will delete all of its resources (images, policies, evaluations, etc).
Deleting an account will synchronously delete all users and credentials for the account and transition the account to the deleting state. At this point the system will begin reaping all resources for the account. Once that reaping process is complete, the account record itself is deleted. An account must be in a disabled state prior to deletion. Failure to be in this state results in an error:
anchore-cli account del account1
This operation is irreversible. Really delete account account1 along with *all* users and resources associated with this account? (y/N)y
Error: Invalid account state change requested. Cannot go from state enabled to state deleting
HTTP Code: 400
NOTE: accounts must be disabled (anchore-cli account disable <account>) in order to be deleted
So, first you must disable the account, as shown above. Once disabled:
anchore-cli account del account1
This operation is irreversible. Really delete account account1 along with *all* users and resources associated with this account? (y/N)y
Success

[email protected]:~# anchore-cli account list
Name        Email                 Type    State      Created
admin       [email protected]     admin   enabled    2018-11-03T18:35:42Z
account1    [email protected]     user    deleting   2018-11-05T23:23:55Z
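The enabled -> disabled -> deleting lifecycle above is easy to script around, since the account's current state is visible in the State column of anchore-cli account list. The following is an added example, not part of the Anchore documentation: POSIX shell helpers that read that table, report whether an account may be deleted yet, and (against a live CLI) poll until reaping has removed the account record. The table in SAMPLE_LIST is constructed to match the format shown above, including an account created without the optional email, which leaves its Email column empty; the wait_for_reaped helper assumes anchore-cli is on PATH with credentials configured as elsewhere on this page.

```shell
#!/bin/sh
# Added example (not from the Anchore documentation): helpers around the
# "anchore-cli account list" table, for checking an account's state before
# attempting deletion and for watching the "deleting" state until reaping
# finishes. SAMPLE_LIST is constructed, not captured from a live system.

SAMPLE_LIST='Name        Email                 Type    State      Created
admin       admin@example.invalid admin   enabled    2018-11-03T18:35:42Z
account1    a1@example.invalid    user    deleting   2018-11-05T23:23:55Z
account2                          user    disabled   2018-11-06T10:00:00Z
account3    a3@example.invalid    user    enabled    2018-11-06T11:00:00Z'

# Print the State column for the named account, reading the table on stdin.
# Email is optional, so its column may be empty: count fields from the right
# (Created is always last, State second-to-last) rather than from the left.
account_state() {
  awk -v n="$1" 'NR > 1 && $1 == n { print $(NF-1) }'
}

# Print the names of all accounts currently in the given state (stdin = table).
accounts_in_state() {
  awk -v s="$1" 'NR > 1 && $(NF-1) == s { print $1 }'
}

# Decide whether "anchore-cli account del" may be attempted (stdin = table):
# the API refuses the transition from enabled to deleting, so the account must
# be disabled first; an account already in deleting needs no further action.
deletion_readiness() {
  case "$(account_state "$1")" in
    disabled) echo "ready: account is disabled, deletion can proceed" ;;
    enabled)  echo "not ready: run 'anchore-cli account disable $1' first" ;;
    deleting) echo "in progress: resources are being reaped" ;;
    "")       echo "unknown: account not found (already reaped, or never existed)" ;;
    *)        echo "unexpected state, inspect manually" ;;
  esac
}

# Poll the live CLI until the account no longer appears in the list, i.e.
# reaping is complete and the account record itself has been deleted.
# Assumes anchore-cli is on PATH and can reach the API; not run in this demo.
wait_for_reaped() {
  name="$1"
  tries="${2:-30}"
  while [ "$tries" -gt 0 ]; do
    st=$(anchore-cli account list | account_state "$name")
    if [ -z "$st" ]; then
      echo "$name: reaped"
      return 0
    fi
    echo "$name: still $st"
    sleep 5
    tries=$((tries - 1))
  done
  echo "$name: gave up waiting" >&2
  return 1
}

# Demo against the constructed table.
for a in admin account1 account2 account3 nosuch; do
  echo "$a: $(printf '%s\n' "$SAMPLE_LIST" | deletion_readiness "$a")"
done
echo "still being reaped: $(printf '%s\n' "$SAMPLE_LIST" | accounts_in_state deleting)"
```

In a deployment script the natural sequence is: disable the account, confirm deletion_readiness reports "ready", issue the delete, then call wait_for_reaped before reusing the account name or tearing down anything the reaper still needs to reach.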
Users exist within accounts, but usernames themselves are globally unique since they are used for authenticating API requests. User management can be performed by any user in the admin account in the default Anchore Engine configuration using the native authorizer. For more information on configuring other authorization plugins see: Authorization Plugins and Configuration.
anchore-cli account user add --account account1 user1 password123
Name: user1
Created: 2018-11-05T23:38:11Z

[email protected]:~# anchore-cli account user list --account account1
Name     Created
user1    2018-11-05T23:38:11Z
That user may now use the API:
anchore-cli --u user1 --p password123 account whoami
Username: user1
AccountName: account1
AccountEmail: [email protected]
AccountType: user

anchore-cli account user add admin2 password123
Name: admin2
Created: 2018-11-05T23:41:24Z

[email protected]:~# anchore-cli --u admin2 --p password123 account whoami
Username: admin2
AccountName: admin
AccountEmail: [email protected]
AccountType: admin

anchore-cli account user del admin2
Success
Note that only system admins can execute this for a different user/account.
As an admin, to reset another user's credentials:
anchore-cli account user setpassword --account account1 --username user1 password456
Password (re)set success
NOTE: Be sure to change the password you're using for this client if you have reset your own password
To update your own password:
anchore-cli --u user1 --p password456 account user setpassword password123_456
Password (re)set success
NOTE: Be sure to change the password you're using for this client if you have reset your own password

[email protected]:~# anchore-cli --u user1 --p password456 account whoami
Error: Unauthorized
HTTP Code: 401

[email protected]:~# anchore-cli --u user1 --p password123_456 account whoami
Username: user1
AccountName: account1
AccountEmail: [email protected]
AccountType: user