add notes to create an emergency user

[1letter]

i created a subdirectory for users and groups and add a file with a short description to create an emergency user in a pip and buildout based installation of Plone.

Closes #948
Closes #1702

• https://plone6--1703.org.readthedocs.build/admin-guide/index.html
• https://plone6--1703.org.readthedocs.build/admin-guide/add-emergency-user.html

---

📚 Documentation preview 📚: https://plone6--1703.org.readthedocs.build/

[1letter]

@stevepiercy can you check wording and spelling please?

[stevepiercy]

I merged content from Plone 5 documentation, and added an introduction for each scenario.

There was one sentence remaining that confuses me. Please see my review comment. Thank you!

[stevepiercy]

What would someone do in a Production environment? Are they out of luck?

[1letter]

Of course, you can do this operations in a production env, but you should not do this. ;-)

[stevepiercy]

What should someone do in production instead? We can't say "don't do this", then in the next section say "do this". It's very confusing.

Perhaps you can include what are the consequences and risks of doing this in production, aside from the obvious, specifically that the site will be down while adding the emergency user.

[stevepiercy]

@1letter can you answer the following questions? I want to move this PR forward.

1. What should someone do in production instead?
2. If someone does this in production, what are the risks?
3. In which environments is it OK to do this?

[ale-rt]

I think I addressed these issues with #1854

I decided to talk about "Zope Manager Users", which IMO it is more appropriate than "Emergency users"
I added a note about taking in to account the security implication of adding a Zope manager user.

[acsr]

@ale-rt @stevepiercy I like the change to extend the scope to "Zope Manager Users" and mention the "Emergency user", but the traditional term "Emergency user" should be highlighted in the text to reflect the purpose in production!

I added this here, because of the context of the suggestion by @stevepiercy in my discussions with him and seperately with @jensens.

But it needs to be seen also in context of the current preview:
https://plone6--1703.org.readthedocs.build/admin-guide/add-emergency-user.html

I would also enhance two things:

1. Do not tag admin:admin "as usual":

It is OK to use that for an instance fired up for testing and to be destroyed at once or soon or later before going to production. But it should be mentioned and made clear that for instances installed ending in production the password should be changed before anything goes into persistence. The consequences might be not obvious, but even behind a proxy the ZMI root may be reachable (like with Volto) and can lead to a permanent backdoor not easy to discover even not using admin:admin.

Imagine a different user:password than admin/admin and the sysadmin / integrator changes and the httpauth in the ZMI backend is not changed or restored from a backup. Then an in fact unauthorízed person can try to gain access with these hardcoded credentials.

2. Prominent warning to immediately change default credentials

There should be a prominent warning

• to immediately change these credentials and
• pack the database before going into production.

Further considerations

3. @1letter completely denied to use this in production.

I am contrary because the emergency user purpose is still valid for emergency use cases like changed admins or lost credentials. The Challenge in production is, that the user is persistent in the database and therefore also in backups. So old backups are still accessible with the old credentials when restored without proper awareness and documentation of changes in access credentials including point in time.

4. Revamp random password as default

In the past there was an approach that the installers created a random password and wrote it into the filesystem when the initial password was not specified during install.

When you removed the file, took a note in your password manager and changed the password at once no traces were left. Today these ways are deeply buried in e.g. docker containers and not easy to handle.

Maybe this is a trap in automated deployments

ongoing work on this

I am working on writing this up for cookieplone based docker deployments, but it is too early and would block the release of this PR. This can be added later.

[stevepiercy]

Here are direct links to the RTD pull request preview:

• https://plone6--1703.org.readthedocs.build/backend/users-groups/index.html
• https://plone6--1703.org.readthedocs.build/backend/users-groups/emergency-user.html

[stevepiercy]

The failing linkcheck for Docker Linux install can be ignored, as I fixed it in #1704.

@robgietema for https://nickcms.org, can you check its status? linkcheck says it is not responding. Alternatively, should I use https://docs.nickcms.org/ or https://github.com/robgietema/nick? Please advise.

[davisagli]

This assumes that Plone was installed into a Python virtualenv in the venv directory. That may or may not be the case.

It also assumes there is a script named instance, which is not usually the case when Plone was installed using pip.

[ale-rt]

I added a note about that

[davisagli]

This assumes the buildout includes a plone.recipe.zope2instance section named instance. That may or may not be the case.

[ale-rt]

I added a note about that

[stevepiercy]

@1letter would you please respond to @davisagli's suggestions?

Let's get this finished and published!

[davisagli]

This should now go in docs/admin-guide and be linked under the "Operate" heading of https://6.docs.plone.org/admin-guide/index.html

[ale-rt]

By mistake, I added #1851.
I did not realize there was this one already open.
I will try to merge my changes here.

[ale-rt]

I closed #1851 and merged it with this one by taking care of @davisagli notes. I would consider this one to be ready for another review cycle.

[ale-rt]

Here are direct links to the RTD pull request preview:

• https://plone6--1703.org.readthedocs.build/backend/users-groups/index.html
• https://plone6--1703.org.readthedocs.build/backend/users-groups/emergency-user.html

Those are now:

• https://plone6--1703.org.readthedocs.build/admin-guide/index.html
• https://plone6--1703.org.readthedocs.build/admin-guide/add-emergency-user.html

[acsr]

@stevepiercy I dump this here until final decision where to put this

[[Draft]] Emergency User Creation in dockerized setup

I can confirm that the following procedure works for me on a running docker swarm instance for the full featured docker based Plone Volto deployment created by current Cookieplone project template including postgres, traefik, varnish:

How to create a new Zope Manager User with a non existing user-ID

1. Enter the host via ssh as root
2. list the running containers: docker ps
3. enter a shell in the first backend container listed: docker exec -it [[4-digitPartOfID]] bash
4. run command in the app folder: ./docker-entrypoint.sh bin/addzopeuser -c /app/etc/relstorage.conf admin3 plone
5. Response: User admin3 created

The user is now available in the ZMI root at at /acl_users/users/manage_users

• In Volto use the url /ClassicUI/aq_parent/acl_users/users/manage_users

What I did not test now

• Execute the command in an entrypoint / overlay container with or without running backend / database
  Advice is maybe available via @jensens

Notes on permissions

• Check permissions in the ZMI root at /acl_users/manage_access and search for admin3
• In Volto use the url /ClassicUI/aq_parent/acl_users/manage_access
• The new user has Manager role, but not Owner role and no Take ownership permission
• You can add the Owner role in the ZMI root manually, but only as the original admin user

Remark on httpauth challenges

The original cookieplone-template project mentioned in my README.md as Cookieplone (0.8.2) and cookiecutter-plone (d9b5293) included a traefik middleware mw-backend-auth in the docker-compose.yaml service backend Labels section. This httpauth may override the ZMI httpauth. This needs further investigation. A hint how to take this part temporarily out by @jensens is not fully tested. This does not have impact on the Plone Volto login. The new user works there!