diff --git a/changelog.d/4-docs/WPB-4556-internal-user-creation b/changelog.d/4-docs/WPB-4556-internal-user-creation new file mode 100644 index 0000000000..399ec6b8b8 --- /dev/null +++ b/changelog.d/4-docs/WPB-4556-internal-user-creation @@ -0,0 +1 @@ +Elaborate on internal user creation in prod \ No newline at end of file diff --git a/docs/src/understand/block-user-creation.md b/docs/src/understand/block-user-creation.md index 5c1e563aab..a2657014da 100644 --- a/docs/src/understand/block-user-creation.md +++ b/docs/src/understand/block-user-creation.md @@ -13,7 +13,7 @@ optSettings: If `setRestrictUserCreation` is `true`, creating new personal users or new teams on your instance from outside your backend installation is impossible. (If you want to be more technical: requests to `/register` that create a new personal account or a new team are answered with `403 forbidden`.) -On instances with restricted user creation, the site operator with access to the internal REST API can still circumvent the restriction: just log into a brig service pod via ssh and follow the steps in `hack/bin/create_test_team_admins.sh.` +On instances with restricted user creation, the site operator with access to the internal REST API can still circumvent the restriction: just log into a brig service pod and run the curl commands like `hack/bin/create_test_team_admins.sh` does it. (Running the script is also an option: this will give you a team with a random admin account, and you can use that account to give yourself access under the desired credentials.) ```{note} Once the creation of new users and teams has been disabled, it will still be possible to use the [team creation process](https://support.wire.com/hc/en-us/articles/115003858905-Create-a-team) (enter the new team name, email, password, etc), but it will fail/refuse creation late in the creation process (after the «Create team» button is clicked). 
@@ -30,5 +30,3 @@ FEATURE_ENABLE_ACCOUNT_REGISTRATION: "false" ```{note} If you only disable the creation of users in the webapp, but do not do so in Brig/the backend, a malicious user would be able to use the API to create users, so make sure to disable both. ``` - - diff --git a/hack/bin/create_test_team_admins.sh b/hack/bin/create_test_team_admins.sh index e6af495131..625da458b1 100755 --- a/hack/bin/create_test_team_admins.sh +++ b/hack/bin/create_test_team_admins.sh @@ -12,6 +12,9 @@ USAGE=" This bash script can be used to create active team admin users and their teams. +This is the way to create teams if you have set +'setRestrictUserCreation' to 'true' in your 'values.yaml'. + Note that this uses an internal brig endpoint. It is not exposed over nginz and can only be used if you have direct access to brig.
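Review bot: In the `docs/src/understand/block-user-creation.md` hunk, the new parenthetical says running the script "will give you a team with a random admin account", but it never says what should happen to that account once the operator has access "under the desired credentials". On a production instance with restricted user creation, a leftover admin with generated credentials is an account nobody owns. Please add a sentence stating whether it should be removed or demoted afterwards and how its credentials are to be handled in the meantime. Separately, "run the curl commands like `hack/bin/create_test_team_admins.sh` does it" is hard to parse; "run the same curl commands that `hack/bin/create_test_team_admins.sh` runs" reads more clearly. Since "via ssh" was dropped, it would also help to say how the operator is expected to get into the brig pod.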
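Review bot: In the USAGE text of `hack/bin/create_test_team_admins.sh`, "This is the way to create teams" contradicts the documentation change in the same patch, which presents running the curl commands by hand as the main route and the script as "also an option". Suggest "This is one way to create teams if you have set 'setRestrictUserCreation' to 'true'", with a pointer to `docs/src/understand/block-user-creation.md`. The script name still says "test" while this text now sends production operators to it, so the usage text should also state that the admin account it creates is randomly generated, as the doc hunk describes, so that operators know they are expected to follow up on it.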