Posted to dev@guacamole.apache.org by Pablo Escobar Lopez <pa...@unibas.ch> on 2020/06/08 14:14:50 UTC

api endpoint to update password for guacadmin user

Hi,

Some time ago I wrote an ansible module
<https://galaxy.ansible.com/scicore/guacamole> to manage guacamole users
and connections using the guacamole api.

While developing it I realized that "guacamole webui >> settings >> users
>> edit user" uses this api endpoint
<https://github.com/scicore-unibas-ch/ansible-modules-guacamole/blob/master/plugins/modules/guacamole_user.py#L183>
which allows me to modify any of these settings
<https://github.com/scicore-unibas-ch/ansible-modules-guacamole/blob/master/plugins/modules/guacamole_user.py#L215-L231>
for any guacamole user except for the default admin user "guacadmin". When I
try to edit the guacadmin user to update the password I get a 403.

To update the password for guacadmin user I have to go to "webui >>
settings >> preferences >> change password" which uses a different api
endpoint "{url}/api/session/data/postgresql/users/guacadmin/password?token={token}"
which expects a json payload in format
'{"oldPassword":"guacadmin","newPassword":"password"}'

I am going to add support to my ansible module to be able to update the
password for the guacadmin user using this specific api endpoint but before
doing it I thought I would ask here: what's the motivation to have a
different api endpoint to update the password for guacadmin user? Is this
always going to be like this or do you plan to update the api so it also
allows to update the guacadmin user using the same api endpoint as for any
other user?

Thanks in advance for your advice.

regards,
Pablo.

-- 
Pablo Escobar López
Linux/HPC systems engineer
sciCORE, University of Basel
SIB Swiss Institute of Bioinformatics

Re: api endpoint to update password for guacadmin user

Posted by Mike Jumper <mj...@apache.org>.
There is no endpoint specific to the guacadmin user. The guacadmin user is
not a special case and is handled like any other user (based purely on
granted permissions).

The reason permission is denied in the case described is that the user
changing the password is the same as the user whose password is being changed.
If a user is changing their own password, they must do so using the
endpoint which validates that they know their current password. The
endpoint for directly setting the password of a user (without knowledge of
their current password) can only be used for users that are not the current
user.

- Mike


On Mon, Jun 8, 2020, 07:15 Pablo Escobar Lopez <pa...@unibas.ch>
wrote:

> Hi,
>
> Some time ago I wrote an ansible module
> <https://galaxy.ansible.com/scicore/guacamole> to manage guacamole users
> and connections using the guacamole api.
>
> While developing it I realized that "guacamole webui >> settings >> users
> >> edit user" uses this api endpoint
> <https://github.com/scicore-unibas-ch/ansible-modules-guacamole/blob/master/plugins/modules/guacamole_user.py#L183>
> which allows me to modify any of these settings
> <https://github.com/scicore-unibas-ch/ansible-modules-guacamole/blob/master/plugins/modules/guacamole_user.py#L215-L231>
> for any guacamole user except for the default admin user "guacadmin". When I
> try to edit the guacadmin user to update the password I get a 403.
>
> To update the password for guacadmin user I have to go to "webui >>
> settings >> preferences >> change password" which uses a different api
> endpoint
> "{url}/api/session/data/postgresql/users/guacadmin/password?token={token}"
> which expects a json payload in
> format '{"oldPassword":"guacadmin","newPassword":"password"}'
>
> I am going to add support to my ansible module to be able to update the
> password for the guacadmin user using this specific api endpoint but before
> doing it I thought I would ask here: what's the motivation to have a
> different api endpoint to update the password for guacadmin user? Is this
> always going to be like this or do you plan to update the api so it also
> allows to update the guacadmin user using the same api endpoint as for any
> other user?
>
> Thanks in advance for your advice.
>
> regards,
> Pablo.
>
> --
> Pablo Escobar López
> Linux/HPC systems engineer
> sciCORE, University of Basel
> SIB Swiss Institute of Bioinformatics
>
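
The rule Mike describes, as an added example (not code from Guacamole or from the ansible module): a client-side helper that picks the request for a password change depending on whether the target is the logged-in user. The function name, the PUT method, the user-update URL and its payload shape are assumptions; only the `/password` URL and the `oldPassword`/`newPassword` payload appear in the thread.

```python
import json
from urllib.parse import quote, urlencode


def build_password_request(base_url, data_source, token, session_user,
                           target_user, new_password, old_password=None):
    """Return (method, url, json_body) for changing target_user's password.

    session_user is the account that owns `token`. Nothing is sent; the
    caller passes the result to its HTTP client.
    """
    # Percent-encode path segments so a username cannot alter the URL path.
    user_url = "{}/api/session/data/{}/users/{}".format(
        base_url.rstrip("/"),
        quote(data_source, safe=""),
        quote(target_user, safe=""),
    )
    query = "?" + urlencode({"token": token})

    # Assumption: usernames are compared exactly, as the caller supplied them.
    if target_user == session_user:
        # Own password: only the endpoint that checks the current password
        # is accepted; the direct user update answers 403.
        if old_password is None:
            raise ValueError(
                "changing your own password requires the current password")
        body = {"oldPassword": old_password, "newPassword": new_password}
        return "PUT", user_url + "/password" + query, json.dumps(body)

    # Another user's password: direct update, allowed only if the session
    # user holds permission on that user. Payload shape is an assumption.
    body = {"username": target_user, "password": new_password,
            "attributes": {}}
    return "PUT", user_url + query, json.dumps(body)


if __name__ == "__main__":
    # Constructed sample values, not real credentials or hosts.
    for target, old in (("guacadmin", "old-secret"), ("alice", None)):
        print(build_password_request(
            "https://guac.example.org/guacamole", "postgresql", "TOKEN",
            "guacadmin", target, "new-secret", old))
```
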

Re: api endpoint to update password for guacadmin user

Posted by Pablo Escobar <pe...@gmail.com>.
Thank you very much for the clarification Mike. It was convenient to ask
before adding the support in our ansible module.



On Mon, Jun 8, 2020 at 9:53 PM Mike Jumper <mj...@apache.org> wrote:

> There is no endpoint specific to the guacadmin user. The guacadmin user is
> not a special case and is handled like any other user (based purely on
> granted permissions).
>
> The reason permission is denied in the case described is that the user
> changing the password is the same as the user whose password is being changed.
> If a user is changing their own password, they must do so using the
> endpoint which validates that they know their current password. The
> endpoint for directly setting the password of a user (without knowledge of
> their current password) can only be used for users that are not the current
> user.
>
> - Mike
>
>
> On Mon, Jun 8, 2020, 07:15 Pablo Escobar Lopez <
> pablo.escobarlopez@unibas.ch>
> wrote:
>
> > Hi,
> >
> > Some time ago I wrote an ansible module
> > <https://galaxy.ansible.com/scicore/guacamole> to manage guacamole users
> > and connections using the guacamole api.
> >
> > While developing it I realized that "guacamole webui >> settings >> users
> > >> edit user" uses this api endpoint
> > <https://github.com/scicore-unibas-ch/ansible-modules-guacamole/blob/master/plugins/modules/guacamole_user.py#L183>
> > which allows me to modify any of these settings
> > <https://github.com/scicore-unibas-ch/ansible-modules-guacamole/blob/master/plugins/modules/guacamole_user.py#L215-L231>
> > for any guacamole user except for the default admin user "guacadmin". When I
> > try to edit the guacadmin user to update the password I get a 403.
> >
> > To update the password for guacadmin user I have to go to "webui >>
> > settings >> preferences >> change password" which uses a different api
> > endpoint
> > "{url}/api/session/data/postgresql/users/guacadmin/password?token={token}"
> > which expects a json payload in
> > format '{"oldPassword":"guacadmin","newPassword":"password"}'
> >
> > I am going to add support to my ansible module to be able to update the
> > password for the guacadmin user using this specific api endpoint but before
> > doing it I thought I would ask here: what's the motivation to have a
> > different api endpoint to update the password for guacadmin user? Is this
> > always going to be like this or do you plan to update the api so it also
> > allows to update the guacadmin user using the same api endpoint as for any
> > other user?
> >
> > thanks in advance for your advice.
> >
> > regards,
> > Pablo.
> >
> > --
> > Pablo Escobar López
> > Linux/HPC systems engineer
> > sciCORE, University of Basel
> > SIB Swiss Institute of Bioinformatics
> >
>