From 35fa3a57679361d00550871a2aff956181ed4b42 Mon Sep 17 00:00:00 2001 From: Bernd Worsch Date: Wed, 25 Mar 2026 02:11:39 +0000 Subject: [PATCH] fix(privacyidea): create pi-admin-all-rights policy in bootstrap-admin.sh Once any admin policy exists, PI enforces it for all admins. Without an explicit policy, pi-admin is locked out of the REST API after trigger-admin-rights is created. Add pi-admin-all-rights (scope=admin, action=*) via pi-manage (in-pod) as step 5, before the REST-based trigger-admin-rights step. Co-Authored-By: Claude Sonnet 4.6
---
 sso-mfa/k8s/privacyidea/bootstrap-admin.sh | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/sso-mfa/k8s/privacyidea/bootstrap-admin.sh b/sso-mfa/k8s/privacyidea/bootstrap-admin.sh
index 12867ef..cd03247 100755
--- a/sso-mfa/k8s/privacyidea/bootstrap-admin.sh
+++ b/sso-mfa/k8s/privacyidea/bootstrap-admin.sh
@@ -86,7 +86,23 @@ kubectl create secret generic privacyidea-trigger-admin \
 echo " Done."
-# ── 5. Create trigger-admin policy via REST API ───────────────────────────────
+# ── 5. Create pi-admin-all-rights policy via pi-manage ───────────────────────
+# Once ANY admin policy exists, privacyIDEA enforces it for all admins.
+# The trigger-admin-rights policy (step 6) restricts trigger-admin to
+# triggerchallenge only — but that restriction also locks out pi-admin from
+# the REST API unless pi-admin has its own explicit policy granting full rights.
+# This policy must be created via pi-manage (in-pod) because there is no REST
+# access before it exists.
+echo ""
+echo "Creating pi-admin-all-rights policy via pi-manage ..."
+if kubectl exec -n "$NAMESPACE" "$PI_POD" -- \
+ pi-manage config policy create pi-admin-all-rights admin "*" 2>&1 | grep -qi "already exist\|exists"; then
+ echo " pi-admin-all-rights already exists — skipping."
+else
+ echo " pi-admin-all-rights created."
+fi
+
+# ── 6. Create trigger-admin policy via REST API ───────────────────────────────
 # This restricts trigger-admin to the triggerchallenge action only.
 # Requires pink.coulomb.social to be reachable.
 echo ""
@@ -132,7 +148,7 @@ else
 fi
 fi
-# ── 6. Summary ────────────────────────────────────────────────────────────────
+# ── 7. Summary ────────────────────────────────────────────────────────────────
 echo ""
 echo "════════════════════════════════════════════════════════════"
 echo " Admin bootstrap complete."
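Review bot: The new step-5 `if kubectl exec … | grep -qi "already exist\|exists"` reports `pi-admin-all-rights created.` whenever grep finds no match, which includes every failure of `kubectl exec`/`pi-manage` (pod not found, exec denied, unknown subcommand), because inside an `if` only grep's status is tested and `2>&1` routes the error text into `grep -q`, where it is discarded. Since step 6 then creates the restrictive trigger-admin-rights policy over REST, a silent failure here produces exactly the pi-admin lockout the commit is meant to prevent, while the script still prints a success message. Capture the output and exit status separately, handle the already-exists case first, and fail loudly otherwise; even if the script header (outside this hunk) sets `set -e`/`pipefail`, neither applies inside an `if` condition. Whether `pi-manage` exits non-zero for an existing policy is not visible here, so the text match stays as the first branch. A smaller point: `\|` alternation is a GNU-grep extension and `already exist` is already covered by `exists`, so `grep -qiE 'already exist|exists'` (or simply `grep -qi exist`) is more portable.
```shell
echo "Creating pi-admin-all-rights policy via pi-manage ..."
pi_rc=0
pi_out=$(kubectl exec -n "$NAMESPACE" "$PI_POD" -- \
    pi-manage config policy create pi-admin-all-rights admin "*" 2>&1) || pi_rc=$?
if grep -qiE 'already exist|exists' <<<"$pi_out"; then
  echo "  pi-admin-all-rights already exists — skipping."
elif (( pi_rc == 0 )); then
  echo "  pi-admin-all-rights created."
else
  printf '%s\n' "$pi_out" >&2
  echo "ERROR: pi-manage failed to create pi-admin-all-rights (exit $pi_rc)." >&2
  exit 1
fi
# … unchanged: step 6 trigger-admin policy via REST API …
```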