Create user account without having a user account?

I have a situation where I’m deploying (and redeploying) an InfluxDB instance via a(n Ansible) script, and I want the script to create a known user account. My problem is that if the instance happens to be new, then I can use the default root user with no password to log in to create the user; but if the user has already been created (e.g. on a redeploy), that default access is gone and I have to authenticate as the known user in order to recreate that user. (You might say, why not just do nothing in that case, but it may happen that I actually want to update the user account, e.g. the password may have been manually changed and I want to reset it, or I may have a new password I want to set.)

In my ideal, there would be an out-of-band mechanism I could use to manipulate user accounts without authenticating through the same kinds of user accounts. For example, in my script I have sudo access to the host, so perhaps that could talk to InfluxDB in a trusted way without knowing any password.

Does such a thing exist? Or do people have other tricks they use to solve this problem?

Hello. @ezquat,
Welcome back! Sorry for the delay. I’m not sure what the answer to your question is yet. I’m asking around and I’ll update you as soon as I have info. Thank you.

Hello @ezquat,
Looks like you’ll have to create two users.Your root user will manage your other users.

I don’t think that meets my needs, because the second user isn’t really any easier to manage than the first one.

Let me illustrate my situation with an example. I’ve got an installation of InfluxDB with important data on it. One day in a fit of confusion I accidentally change the root user’s password; later in the day I can’t understand why some scripts are failing. Not remembering my mistake from earlier, I want to simply hit “redeploy” to correct all settings on the InfluxDB instance. I want my “redeploy” script to be able to modify the root user password, as well as all the retention policies and everything else I can configure, but it can’t rely on any known user. It can rely on logging into the machine where influxd runs, since if I have to rebuild that whole thing it’s going to be expensive no matter what.

I have a hacky solution to this now, which is that my script disables authentication, restarts influxd, then connects without a password to set all the settings we care about (including setting up that root user account). Then it reenables authentication and restarts. The problem with this approach is that it is very slow and leads to a big outage (many minutes) while influxd is restarting and it is re-reading its data from disk (without listening for connections).

I can accept there may not be a better way to do this today, so please consider the above scenario as a feature request. Thanks!