lakefs superuser command for adding more admin users (#864)

auth/setup.go

@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"fmt"
 	"time"
 
 	"github.com/treeverse/lakefs/auth/model"
@@ -185,24 +186,39 @@ func SetupBaseGroups(authService Service, ts time.Time) error {
 
 func SetupAdminUser(authService Service, user *model.User) (*model.Credential, error) {
 	now := time.Now()
-	var err error
 
 	// Setup the basic groups and policies
-	err = SetupBaseGroups(authService, now)
+	err := SetupBaseGroups(authService, now)
 	if err != nil {
 		return nil, err
 	}
 
+	return AddAdminUser(authService, user)
+}
+
+func AddAdminUser(authService Service, user *model.User) (*model.Credential, error) {
+	const adminGroupName = "Admins"
+
+	// verify admin group exists
+	_, err := authService.GetGroup(adminGroupName)
+	if err != nil {
+		return nil, fmt.Errorf("admin group - %w", err)
+	}
+
 	// create admin user
 	err = authService.CreateUser(user)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("create user - %w", err)
 	}
-	err = authService.AddUserToGroup(user.Username, "Admins")
+	err = authService.AddUserToGroup(user.Username, adminGroupName)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("add user to group - %w", err)
 	}
 
 	// Generate and return a key pair
-	return authService.CreateCredentials(user.Username)
+	creds, err := authService.CreateCredentials(user.Username)
+	if err != nil {
+		return nil, fmt.Errorf("create credentials for %s %w", user.Username, err)
+	}
+	return creds, nil
 }

cmd/lakefs/cmd/init.go

@@ -19,7 +19,7 @@ import (
 // initCmd represents the init command
 var initCmd = &cobra.Command{
 	Use:   "init",
-	Short: "Initialize a LakeFS instance, and setup an admin credential",
+	Short: "Initialize a LakeFS instance, and setup an admin credentials",
 	Run: func(cmd *cobra.Command, args []string) {
 		ctx := context.Background()
 

cmd/lakefs/cmd/superuser.go

@@ -0,0 +1,64 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/spf13/cobra"
+	"github.com/treeverse/lakefs/auth"
+	"github.com/treeverse/lakefs/auth/crypt"
+	"github.com/treeverse/lakefs/auth/model"
+	"github.com/treeverse/lakefs/config"
+	"github.com/treeverse/lakefs/db"
+	"github.com/treeverse/lakefs/logging"
+	"github.com/treeverse/lakefs/stats"
+)
+
+// superuserCmd represents the init command
+var superuserCmd = &cobra.Command{
+	Use:   "superuser",
+	Short: "Create additional user with admin credentials",
+	Run: func(cmd *cobra.Command, args []string) {
+		dbPool := db.BuildDatabaseConnection(cfg.GetDatabaseParams())
+		defer func() { _ = dbPool.Close() }()
+
+		userName, _ := cmd.Flags().GetString("user-name")
+
+		authService := auth.NewDBAuthService(
+			dbPool,
+			crypt.NewSecretStore(cfg.GetAuthEncryptionSecret()),
+			cfg.GetAuthCacheConfig())
+		authMetadataManager := auth.NewDBMetadataManager(config.Version, dbPool)
+		metadataProvider := stats.BuildMetadataProvider(logging.Default(), cfg)
+		metadata := stats.NewMetadata(logging.Default(), cfg, authMetadataManager, metadataProvider)
+		credentials, err := auth.AddAdminUser(authService, &model.User{
+			CreatedAt: time.Now(),
+			Username:  userName,
+		})
+		if err != nil {
+			fmt.Printf("Failed to setup admin user: %s\n", err)
+			os.Exit(1)
+		}
+
+		ctx, cancelFn := context.WithCancel(context.Background())
+		stats := stats.NewBufferedCollector(metadata.InstallationID, cfg)
+		go stats.Run(ctx)
+		stats.CollectMetadata(metadata)
+		stats.CollectEvent("global", "superuser")
+
+		fmt.Printf("credentials:\n  access_key_id: %s\n  secret_access_key: %s\n",
+			credentials.AccessKeyID, credentials.AccessSecretKey)
+
+		cancelFn()
+		<-stats.Done()
+	},
+}
+
+//nolint:gochecknoinits
+func init() {
+	rootCmd.AddCommand(superuserCmd)
+	superuserCmd.Flags().String("user-name", "", "an identifier for the user (e.g. \"jane.doe\")")
+	_ = superuserCmd.MarkFlagRequired("user-name")
+}