Item4204: Document how you become an admin user with new temporary admin login (sudo)

With ApacheLogin it is impossible to register and become an admin user.

• First it starts with configure. There is no hint from there about how to take the next step to become an admin user. So people will still come by IRC and ask that question. It should have been implemented in configure as I suggested.

• OK we play by the rules and try and add ourselves to TWikiAdminGroup.
• First thing we notice is that we cannot login
• The help text says something about SUDO login. Who other than Unix admins knows what sudo is? Not even a normal non-root Linux user knows what sudo is. That text needs to be changed to simple Administrator.
  • docco is hard
• So I hit the button and I get to a screen with a User name and a password. From the TWikiAdminGroup I know that I have to use the password from configure. But it is a big secret which user name I should use. I try and fail with my normal user name that I have registered.
  • yeah, I'm still figuring out the best way here - atm, its nastly dependant on AllowLoginName - I was planning on just removing the input
• After a while I guess that it must be TWikiAdminGroup that is the user name. Noone will ever guess that unless they are TWiki developers.
• So I authenticate as TWikiAdminGroup and use my configure password.
• And then I end up at Main.WebHome. And now what will a normal new user ask??!!
  • they will correctly consider this a bug
• So I navigate back to TWikiAdminGroup. And I hit Edit. And I am asked by the Apache server to authenticate. If I try with the TWikiAdminGroup / configure password I am rejected. As expected! Because Apache authentication means that it is Apache and not TWiki that authenticate me so I am NEVER EVER ABLE TO AUTHENTICATE. Just like I have claimed from the beginning in the proposal topic behind this change!!!
  • Docco bug. this is why its called Sudo at the moment. you have to BE logged in to sudo to admin
• And if I try with my KennethLavrsen / normal password I am rejected because I am not in the TWikiAdminGroup.
• Only way to become an admin is to hack the text file.

This just does not work! And it was obviously never tested with ApacheLogin.

• • it has been tested in apache login

• The whole use case - the whole first time experience is non-intuitive. It has become even more difficult to become an admin user than it was before.
• And it does not work with Apache authentication - like I predicted.

The right way is to define the user name who becomes the initial administrator in Configure so when you register and login with that name you are already an admin and will always be an admin and member of TWikiAdminGroup. And then you can add more by adding them to the GROUP statement in TWikiAdminGroup. That would be simple to understand and simple to implement. That will work with Template, Apache, LDAP anything.

-- TWiki:Main/KennethLavrsen - 03 Jun 2007

This HAS been tested with apachelogin, i'm sorry to tell you, but if you don't know what to do, screaming is obviously your only option. Thanks to reminding me that I still need to do what I wrote up the top of the TODO's that I need to do.

I think you've come across an ACL problem i've been struggling with the last few days, but sudo worked when I was using it mid last week.

-- TWiki:Main.SvenDowideit - 04 Jun 2007

nothing to be done, this bug report is mostly based on reporter ignorance, and a simple bug that was in the code base for only very few days

i also find it odd that the reporter has 'confirmed' their own bug - kinda makes a mockery of the process.

-- SvenDowideit - 13 Jun 2007

I am not happy how this report has been treated.

First I am AGAIN being insulted by Sven Dowideit. I will no longer put up with this behavior.

And I still end up in WebHome when I SUDO login.

And I still have to manually go back to TWikiAdminGroup.

And I still cannot edit the TWikiAdminGroup topic with Apache authentication because Apache will want to authenticate me against the htpasswd file.

As described in the documentation for TWiki, in both the example twiki_httpd_conf.txt as well as the bin/.htaccess.txt and the TWiki:ApacheConfigGenerator an ApacheLogin authenticated TWiki must have this to protect the bin scripts.

<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|.*auth).*">
   require valid-user
</FilesMatch>

When you have authenticated with SUDO login you are indeed TWikiAdminGroup, but the minute you hit an Edit button the edit bin script gets authenticated by Apache and you are denied edit access because TWikiAdminGroup is not in the .htaccess file.

This is a confirmed very serious bug item that blocks release.

-- TWiki:Main.KennethLavrsen - 13 Jun 2007

By "accident" I discovered that if you login first as a normal user. And then does the SUDO login with TWikiAdminGroup as user name configure password as password then you can edit the TWikiAdminGroup topic.

And then I tried with a fresh browser to do the SUDO login first. And then login as KennethLavrsen normal user. And then I can also edit.

So the secret is that you need to SUDO authenticate with TWikiAdminGroup/configure password and Apache authenticate with a valid user from .htpasswd to gain access.

This is not at all obvious. But it changes this bug report from impossible to difficult

If I as a very experienced user cannot figure it out then many others will have the same problem so we have to do something about it.

These are the minimal steps needed.

• - From configure we need a clear path how to get registered and how to become an admin user.
• - The documentation in the TWikiAdminGroup topic must be updated to clear say that you should be registered first with a user name and logged in as this user name.
• The SUDO login must return to TWikiAdminGroup topic and not to Main as I also described in the original bug item text.
• - The SUDO word is Unix geek language that only few Unix/Linux admins know. The description used in docs should use a more commonly understood word. Administrator login. It is OK to use sudo in the url. It is just the link text that should be changed.

We have had so many questions in the Support web and in the IRC from people asking how to become an admin. And it has not become easier with this. So it is important that we get the documentation and the behavior (return to TWikiAdminGroup after login) right.

We need a natural flow from configure complete through first registration and ending with being added to TWikiAdminGroup.

-- TWiki:Main.KennethLavrsen - 13 Jun 2007

Doc stuff done. All left to do to close this now is that the sudo should return to TWikiAdminGroup.

-- TWiki:Main.KennethLavrsen - 14 Jun 2007

Kenneth, you don't seem to realise how insulting you have been over this feature the entire time. Infact, attempting to read your summary, its just as insulting as all your posts on it, and most of what you're talking about, is to limit the options for TWiki users, only because I've not completed this work.

As you have summaried this time, this bug is about documentation, and one small redirect issue (that should really be in a seperate bug).

-- TWiki:Main.SvenDowideit - 14 Jun 2007

Changed the headline to reflect what needs to be done here. This documentation requires at least a first pass from Sven, and is a release blocker.

See TWiki:Codev.SimplifiedUserMappingCodeInterface for work in progress on the implementation doc

User doc is not started, AFAIK

CC

Note that this bug also included fixing the redirect after sudo login.

KJL

Setting to waiting for release and instead tracing the sudo redirect problem in Item4327

KJL

Cleaned "WaitingFor" field.

-- TWiki:Main.GilmarSantosJr - 10 Aug 2008