
What is the purpose of creating an admin account?
Closed, Wontfix (Public)

Authored By
ostraaten
May 21 2015, 9:39 AM
Referenced Files
F1680176: Screen Shot 2016-06-08 at 6.38.44 AM.png
Jun 8 2016, 1:40 PM
F412509: setup2.png
May 21 2015, 2:37 PM
F412506: setup1.png
May 21 2015, 2:37 PM
F412512: setup3.png
May 21 2015, 2:37 PM

Description

I have installed Phabricator and created an admin account using the web GUI.

After logout I cannot log on anymore. The message is:
Authentication Failure
This Phabricator install is not configured with any enabled authentication providers which can be used to log in. If you have accidentally locked yourself out by disabling all providers, you can use phabricator/bin/auth recover <username> to recover access to an administrative account.

Why did I create an admin account with a password and so on?

It seems that this account does not allow access to Phabricator after logout, so what is the purpose of it?

Event Timeline

ostraaten raised the priority of this task from to Needs Triage.
ostraaten updated the task description.
ostraaten added a project: Phabricator.
ostraaten added a subscriber: ostraaten.

Not a maintainer, but maybe I can help; I had the same issue.

After installation you can create and sign in to your admin account, and will have access to Phabricator to perform initial setup. However, to be able to log in after that, you'll need to have enabled at least one authentication provider in the Auth app. This can be an OAuth system (Google, GitHub, ...) or a simple username/password login.

What you should do is:

  1. Recover your admin account with ./bin/auth recover <username> (from the command line of your Phabricator server)
  2. Log in to Phabricator.
  3. Open the Auth app and add at least one authentication provider.
  4. If you select a username/password provider you're done. You can log in with your admin credentials from now on.
  5. If you select an OAuth provider, make sure to actually link the OAuth credentials to your admin account, otherwise you'll still be locked out after signing out.

Hope this helps.
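
The lock-out conditions behind steps 3 to 5 above, as an added example (not part of the original comment and not Phabricator code): a small Python model that reports whether an admin can log back in after signing out. The Provider and Admin classes and their fields are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field

RECOVERY_HINT = "./bin/auth recover <username>"  # command quoted on this page

@dataclass
class Provider:            # hypothetical model, not Phabricator's schema
    key: str               # constructed label, e.g. "password", "oauth:google"
    kind: str              # "password" or "oauth"
    enabled: bool = True

@dataclass
class Admin:               # hypothetical model of the first admin account
    username: str
    has_password: bool = True
    linked: set = field(default_factory=set)  # provider keys linked to the account

def login_paths(admin, providers):
    """Provider keys the admin could still log in with after signing out."""
    paths = []
    for p in providers:
        if not p.enabled:
            continue
        if p.kind == "password" and admin.has_password:
            paths.append(p.key)          # step 4: password provider, done
        elif p.kind == "oauth" and p.key in admin.linked:
            paths.append(p.key)          # step 5: OAuth only counts once linked
    return paths

def logout_verdict(admin, providers):
    """Return (status, detail); status is 'safe' or 'locked-out'."""
    paths = login_paths(admin, providers)
    if paths:
        return "safe", paths
    if not any(p.enabled for p in providers):
        return "locked-out", ["no enabled authentication providers"]
    return "locked-out", ["enabled providers exist, but none is linked to " + admin.username]

if __name__ == "__main__":
    admin = Admin("admin")               # constructed sample data
    cases = {
        "fresh install": [],
        "password provider": [Provider("password", "password")],
        "OAuth, not linked": [Provider("oauth:google", "oauth")],
        "provider disabled": [Provider("password", "password", enabled=False)],
    }
    for name, providers in cases.items():
        status, detail = logout_verdict(admin, providers)
        hint = "" if status == "safe" else "  -> " + RECOVERY_HINT
        print(f"{name:18} {status:10} {detail}{hint}")
```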

@ostraaten: This looks like a support question, not like a valid bug report or enhancement request to me?
Or do you want to see the aspect more stressed in documentation / dialogs that the admin is supposed to sort out authentication in their first login? If so, feel free to rephrase the task summary.

Here is the expected workflow when you log in with your newly created administrative account. First, you'll see the home screen like this (note the red callout about unresolved setup issues):

setup1.png (661×1 px, 101 KB)

When you click that, you'll see a list of remaining setup steps, like this. The setup step "No Authentication Providers Configured" should be near or at the top:

setup2.png (661×1 px, 121 KB)

Clicking this will lead you to the Auth application, where you can configure providers:

setup3.png (661×1 px, 116 KB)

How far in this process did you get? What did you do differently which didn't lead you down this path?

IMHO one should always be able to log in using the admin account that was created. This is not the case. Is it a bug? I think it is but at the least it is not good design.

If a user creates an admin account it does not make sense that the user can only use this account 'after' also selecting a un/pw auth provider for that.

If that user fails to fix that setup issue first - as I did, I was working on other setup issues first - the user locks himself out of the application.

Another side note is that I think one should 'always' be able to log in using the admin account created at setup. This should not depend on auth provider.

epriestley claimed this task.

> IMHO one should always be able to log in using the admin account that was created. This is not the case. Is it a bug?

No.

> I think it is but at the least it is not good design.

I'm sorry you found this frustrating.

> If a user creates an admin account it does not make sense that the user can only use this account 'after' also selecting a un/pw auth provider for that.

They can configure another provider instead (like Google OAuth) and link their account to that provider, and it is common to do so.

> If that user fails to fix that setup issue first - as I did, I was working on other setup issues first - the user locks himself out of the application.

That setup issue is called out as particularly important, and sessions do not expire unless users log out, so my expectation is that this should be rare.

> Another side note is that I think one should 'always' be able to log in using the admin account created at setup. This should not depend on auth provider.

You can always use bin/auth recover to regain access to an administrative account, as the message you encountered instructed.


We have a redesign for the first-time administrator experience mostly built (see T5317) that will improve this once it launches, although there's no ETA on that.

I faced the same issue too. As a user, after setting up a web UI why go back to terminal and type

./bin/auth recover <username>

and then come back to web UI to log in? Once the setup is completed, a user would feel that the job is done and now he can log in in peace.

Also the command recover seems misleading as the user is simply trying to log in. He doesn't want to recover anything as he did not lose his admin creds.

Overall it's a bad design, from auth setup to documentation: https://secure.phabricator.com/book/phabricator/article/configuring_accounts_and_registration/

The recover command is a must if you want to proceed. So at least it should be documented appropriately.

I've never needed to recover an account. Can you give us details about how you ended up in a place where you felt that was necessary?

bin/auth recover is a general-purpose flow not specific to this case.

As has already been covered (see beautiful screenshots up above), there is a large banner at the top of the screen right after account creation, which when you click that then has a large box saying "Important" that instructs you to configure an auth provider. If you follow those instructions before manually logging out, you never need to touch bin/auth recover - and if you do, it tells you exactly what command to run to recover and continue (and hopefully this time read what's on the screen).

Hi,
Thanks for responding. I was evaluating Phabricator on my Ubuntu machine. I was certain the UI user registration won't work because email won't be sent out. So I went to terminal and used ./accountadmin to create an admin user.

Since my user is created, I was hoping now I would be able to log in via web UI. Unable to log in via web UI or enable auth providers via command line, I used the recover command as a last resort.

Was there any indication that the form wasn't working / wouldn't have worked?

The "registration" form presented on first install is specific to first-time setup for creating the initial admin account (as detailed in the blue information box presented at the top of the form). Could this have been clearer?

Specifically, you saw this page, and decided that you were not in the right place?

Screen Shot 2016-06-08 at 6.38.44 AM.png (935×1 px, 136 KB)

And then ran bin/accountadmin and got this warning, but continued anyway?

$ ./bin/accountadmin 
WARNING

You're about to create the first account on this install. Normally, you should use the web interface to create the first account, not this script.

If you use the web interface, it will drop you into a nice UI workflow which gives you more help setting up your install. If you create an account with this script instead, you will skip the setup help and you will not be able to access it later.

    Skip easy setup and create account? [y/N]