Authenticated Guest User
Witboost comes with the ability to access the platform using a fixed set of guest users authenticated with a set of known credentials. These users are intended only as a first way to access the platform, especially in the early stages of the platform lifecycle, when other authentication providers are not yet configured.
The allowed set of authenticated guest users is:
Username | Default RBAC Preset role |
---|---|
guest_admin | ADMINISTRATOR |
guest_developer | DP_OWNER on global scope |
guest_user | READ_ONLY |
Only a subset of these users may be available, depending on the configuration of the source for the credentials.
If none of these users are configured or enabled, this authentication method is disabled.
The Guest User credentials are fetched from the Witboost configuration and/or the license file. The configuration key auth.providers.simple_guest_users.<authenvironment>.users takes priority and is written as shown below. If credentials for one of the users are not provided in the configuration, the platform will try to fetch them (if present) from the license provided with the platform, and they are registered on Witboost. If a user's credentials are provided in neither the configuration file nor the license, the user won't be registered and, if it already exists, will be deleted. Passwords are stored as hashes using scrypt and a random salt.
auth:
  environment: default
  providers:
    simple_guest_users:
      default: # Same as auth.environment
        users:
          - username: guest_admin
            password: A.v3ry.53cur3.p4ssw0rd!
          - username: guest_developer
            password: ...
          ...
      ...
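The credential precedence described above (configuration first, then license, otherwise the user is not registered and an existing one is deleted), together with salted scrypt storage, can be sketched as follows. This is an added example, not Witboost's own code: the function names, the scrypt cost parameters and the sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ALLOWED = ("guest_admin", "guest_developer", "guest_user")  # fixed set from the table above
# scrypt cost parameters are assumptions; the page does not state Witboost's values.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn unless one is given."""
    salt = salt or os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def resolve_guest_users(config_users, license_users, existing):
    """Apply the precedence rule: configuration, then license, else unregister.

    config_users / license_users: {username: password}
    existing: usernames currently registered on the platform.
    Returns (registered, deleted); registered maps username -> (source, salt, digest).
    """
    registered, deleted = {}, []
    for name in ALLOWED:  # names outside the fixed set are ignored
        if config_users.get(name):
            source, password = "config", config_users[name]
        elif license_users.get(name):
            source, password = "license", license_users[name]
        else:
            if name in existing:
                deleted.append(name)  # no credentials anywhere: remove the user
            continue
        registered[name] = (source, *hash_password(password))
    return registered, deleted


# Constructed sample input, not real credentials.
CONFIG = {"guest_admin": "constructed-config-secret"}
LICENSE = {"guest_admin": "constructed-license-secret",
           "guest_developer": "constructed-dev-secret"}
REGISTERED, DELETED = resolve_guest_users(CONFIG, LICENSE, existing={"guest_user"})
```

With this sample input, guest_admin takes its password from the configuration even though the license also carries one, guest_developer falls back to the license, and the previously registered guest_user is deleted.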
If RBAC is active and the RBAC preset is registered, these guest users will be assigned an appropriate role in order to allow the installation team to access the platform, configure it, and test it.
If RBAC role subjects are already configured for other users when installing or updating Witboost, this authentication method will be disabled.
Disabling this authentication method is possible on Witboost by an account with the platform.settings.edit and rbac.role.edit permissions. On the Administration page, open the Roles and Permissions tab, select the context menu to the side of the page title, and click on "Disable Authenticated Guest Users". A confirmation dialog will appear, and upon confirmation and successful disabling, the menu will disappear and any users logged in with guest user credentials will be logged out. We strongly recommend performing this action as soon as other more secure authentication providers have been configured.
In the same fashion, you can re-enable Authenticated Guest Users using the option "Enable Authenticated Guest Users" located in the same context menu.
Disabling can also be done via endpoint by calling POST /api/guest-users-auth/disable using a token from a user with only the rbac.role.edit permission.
Common errors
Error: User not Found
This is usually because there is a misalignment between the enabled users and the User entities present in the catalog. Trigger a manual refresh of the Witboost catalog by calling POST /api/catalog/guest-users/refresh and try again.
Authentication rejected
This means that the user doesn't exist on the platform or is disabled in the database. Ensure that the credentials for said user are correctly configured in the configuration or the license file, and that the user is enabled in the database.