Possible to lock self out of gateway configuration

I have the gateway set up so that only a user with an administrator role can access the config page. Then at some point I had the great idea that “Admin” is much shorter to type than “Administrator” when checking roles, so I changed the role name. Of course, this meant that immediately, there were no users with the Administrator role, and thus I was locked out of the gateway configuration.

The only way I managed to recover from this was to create a vision window in the designer session I (fortunately) already had open, add a user management component to it, test the display, and use the component to add a new Administrator role, and assign it to a user.

Again, total user error on my part, but if I hadn’t had a designer session open this could have been a really big problem.

I’m not sure what the solution to this would be, seeing as obviously it would be a huge security hole to just allow you to break into the configuration without the required role - but perhaps there could be some method of ensuring that you can’t remove/modify a user role if it’s in use in such a critical way?

It is possible to use a SQLite access tool to manipulate the gateway’s internal DB while the service is stopped to fix such problems. Non-trivial.

You can reset this easily with access to the server:

./gwcmd.sh -p

It can also be done through the GCU in earlier versions.

2 Likes

I had thought of this, but as your post implied, there’s no GCU on v8 (yet, at least. Is it planned?)

Although, as I recall, the GCU just allowed you to reset passwords, correct? Would it have helped in this instance where I knew the password, but there were just no passwords with the correct role required to access the gateway configuration? Or, more precisely, because the role required for gateway configuration access didn’t exist?

The GCU as it was in 7.9 won’t come back, the shell and batch scripts have all the same functionality. I think you still needed to do the reset, even though you knew the password.

1 Like

Yes - the reset makes the system go through the commissioning process again, which will both create/reset the password of whatever user your specify, and set it as the system user source/gateway config role.

2 Likes

I’m in the same boat. Does the commissioning process wipe out the gateway config and projects or will they remain in tact?

No, using gwcmd to reset the password (and thus re-initiate commissioning) will not wipe out any other configuration.

1 Like