[SOLVED] Option to set initial OpenHAB admin user at install time?

Unattended installation and configuration of OpenHAB - using Ansible for instance - is a nice way to recreate an OpenHAB environment or ‘clone’ a test setup, etc. (I know there are other ways, but that is not the point of my feature suggestion).

A manual step that cannot be skipped right now is the creation of the initial admin user through the UI.
What about a feature where OpenHAB checks for environment variables at first startup to specify the initial user parameters?

This mechanism is used quite commonly, especially when deploying container images. InfluxDB2 is an example where I can specify environment variables to control the one-off initial config, like this:

  env:
    - name: DOCKER_INFLUXDB_INIT_USERNAME
      value: "{{ influxdb_admin_user }}"
    - name: DOCKER_INFLUXDB_INIT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: influxdb-auth
          key: admin-password

or MariaDB:

  env:
    - name: MYSQL_USER
      value: "{{ partkeepr_db_user }}"
    - name: MYSQL_PASSWORD
      value: "{{ partkeepr_db_password }}"

I guess it could also be part of the container image setup script, assuming there is some interface available that can check if it is an initial install and perform its magic. Checking if there is already a users.json would be one option.

And a similar issue exists for the token that can now only be generated in the UI. What about an option to provide OH with a self-generated token?

You can actually run a scripted console command on installation


openhab> openhab:users
Usage: openhab:users list - lists all users
Usage: openhab:users add <userId> <password> <role> - adds a new user with the specified role
Usage: openhab:users remove <userId> - removes the given user
Usage: openhab:users changePassword <userId> <newPassword> - changes the password of a user
Usage: openhab:users listApiTokens - lists the API tokens for all users
Usage: openhab:users addApiToken <userId> <tokenName> <scope> - adds a new API token on behalf of the specified user for the specified scope
Usage: openhab:users rmApiToken <userId> <tokenName> - removes (revokes) the specified API token
Usage: openhab:users clearSessions <userId> - clear the refresh tokens associated with the user (will sign the user out of all sessions)
openhab>
3 Likes

Thanks. I was not aware. Will have a look at how that works.

Thanks again. Works great for user and API token.
I use Ansible to deploy OH fully automated (from zero to operational) with Ansible and this was a missing piece.

Just in case there is another user somewhere on this planet that also uses Ansible:

- name: Add Karaf SSH key
  ansible.builtin.replace:
    dest: "{{ openhab_user_data_dir }}/etc/keys.properties"
    regexp: '(^\#karaf=)(.*)$'
    replace: "openhab={{ karaf_ssh_key }},_g_:admingroup"

# Create initial OpenHAB administrator user
#TODO: Add error checking
- name: Check if OpenHAB admin user already exists
  ansible.builtin.command: ssh karaf openhab:users list
  delegate_to: localhost
  register: current_users
  changed_when: false  # read-only query, never a change
- name: Create OpenHAB admin user if it doesn't exist yet
  ansible.builtin.command: "ssh karaf openhab:users add {{ openhab_user_name }} {{ openhab_user_password }} administrator"
  delegate_to: localhost
  no_log: true  # the command line contains the password
  when: "openhab_user_name not in current_users.stdout"

# Create and save OpenHAB API token
- name: Remove the existing OpenHAB API token
  ansible.builtin.command: "ssh karaf openhab:users rmApiToken {{ openhab_user_name }} RulesToken"
  delegate_to: localhost
- name: Create a new OpenHAB API token
  ansible.builtin.command: "ssh karaf openhab:users addApiToken {{ openhab_user_name }} RulesToken All"
  delegate_to: localhost
  register: token_result
  no_log: true  # stdout is the API token
- name: Create a file to store the API token
  ansible.builtin.file:
    path: "{{ openhab_conf_dir }}/apitoken.txt"
    state: touch
    mode: "0600"  # the file holds a credential
- name: Write the API token to a file for future reference
  ansible.builtin.lineinfile:
    path: "{{ openhab_conf_dir }}/apitoken.txt"
    regexp: '^(.*)RulesToken(.*)$'
    line: '{{ token_result.stdout }}'
- name: Make the API token available to later tasks
  ansible.builtin.set_fact:
    openhab_api_token: "{{ token_result.stdout }}"
3 Likes
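The same provisioning steps as a shell sketch for a first-boot or container setup script; this is an added example, not code from the thread or from the openHAB project. It assumes `OH_CONSOLE` is whatever command reaches the Karaf console (the thread uses `ssh karaf`) and that `openhab:users list` prints one user per line starting with the user id; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: idempotent admin-user and API-token provisioning through
# the openHAB console commands shown earlier in the thread.
# Assumption: OH_CONSOLE reaches the console (default taken from the thread).
OH_CONSOLE=${OH_CONSOLE:-"ssh karaf"}

# $1 = user id. Compares the first field of each line exactly, so a name that
# is only a substring of another user id or of a role name is not treated as
# already present (assumed output format: "<userId> (<roles>)").
oh_user_exists() {
  $OH_CONSOLE openhab:users list |
    awk -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# $1 = user id, $2 = file holding the password (kept out of the environment
# and out of the script itself). Does nothing if the user already exists.
oh_ensure_admin() {
  if oh_user_exists "$1"; then return 0; fi
  $OH_CONSOLE openhab:users add "$1" "$(cat "$2")" administrator >/dev/null
}

# $1 = user id, $2 = token name, $3 = output file.
# Revokes any token of that name, creates a new one and stores it mode 0600.
oh_rotate_token() {
  # A missing token on the first run is not an error.
  $OH_CONSOLE openhab:users rmApiToken "$1" "$2" >/dev/null 2>&1 || true
  oh_token=$($OH_CONSOLE openhab:users addApiToken "$1" "$2" All) || return 1
  # Refuse to store console output that does not contain the token name
  # (the playbook's lineinfile regexp relies on the same property).
  case "$oh_token" in
    *"$2"*) ;;
    *) return 1 ;;
  esac
  rm -f "$3.tmp"
  # Write under a restrictive umask, then rename, so the token is never
  # readable by other users and the file is never left half-written.
  ( umask 077 && printf '%s\n' "$oh_token" > "$3.tmp" ) && mv "$3.tmp" "$3"
}

# Usage (paths are placeholders):
#   oh_ensure_admin admin /path/to/password-file &&
#     oh_rotate_token admin RulesToken /path/to/apitoken.txt
```

When the console is reached over ssh, the arguments are joined into one remote command line, so a password containing whitespace or shell metacharacters needs additional quoting.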