diff --git a/docs/security/access-control-lists.md b/docs/security/access-control-lists.md index 71156726ee2..34532175a58 100644 --- a/docs/security/access-control-lists.md +++ b/docs/security/access-control-lists.md @@ -25,6 +25,34 @@ Existing lakeFS installations that have a single user and a single set of creden Installations that have more than one user / credentials will require to run a command and choose which set of user + credentials to migrate (more details [here](#migration-of-existing-user)) +### Credentials Replacement + +In a single user setup, replacing credentials can be done as follows: +1. Delete the existing user: + ```shell + lakectl auth users delete --id + ``` +2. Shut down the lakeFS server - Required for invalidating the old credentials on the server +3. Create a new user, with the same name and new credentials: + ```shell + lakefs superuser --user-name + ``` + This will generate a new set of credentials, and will print it out to the screen: + ``` + credentials: + access_key_id: *** (omitted) + secret_access_key: *** (omitted) + ``` +4. Re-run lakeFS server + +{: .note .warning} +> Calling the `superuser` command with pre-defined `--access-key-id` and `--secret-access-key` is possible, +> but should be done with caution. Make sure that `--secret-access-key` is **not empty**, +> as providing an access key without a secret key will trigger an ACL import flow +> (see [Migration of existing user](#migration-of-existing-user)). +> In case you already deleted the user by following step (1), this import operation will **fail** and result in an +> **unrecoverable** state, from which a clean installation is the only way out. + ## ACLs ACL server was moved out of core lakeFS and into a new package under `contrib/auth/acl`. 
@@ -74,4 +102,4 @@ For example, if you have a user with username `` and credential key lakefs superuser --user-name --access-key-id ``` -After running the command you will be able to access the installation using the user's access key id and its respective secret access key. \ No newline at end of file +After running the command you will be able to access the installation using the user's access key id and its respective secret access key.
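Review bot: In the new "Credentials Replacement" section (first hunk), the warning about an empty `--secret-access-key` sits after step 4, but the failure it describes is triggered at step 3, after the user has already been deleted in step 1. Move the warning above the numbered list, or directly under step 3, so a reader sees it before running `lakectl auth users delete`, and say up front that the procedure is destructive. Step 2 reads as if the old credentials stay valid until the server is shut down ("Required for invalidating the old credentials on the server"); state that explicitly, since someone replacing leaked keys needs to know the old key may still be accepted between steps 1 and 2. Step 3 prints the new `secret_access_key` to the screen, so it is worth adding a line that the output should be stored securely and kept out of shared terminal or CI logs.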