mirror of
https://github.com/Ed1s0nZ/CyberStrikeAI.git
synced 2026-07-18 18:07:32 +02:00
Add files via upload
This commit is contained in:
+4
-1
@@ -360,6 +360,10 @@ Inspect the scope for that specific permission, not only the overall display sco
|
||||
|
||||
Role changes revoke sessions. Sign in again. Robots resolve again on the next message.
|
||||
|
||||
### The built-in `admin` password is lost
|
||||
|
||||
Prefer resetting it from another administrator account with `rbac:write`. If no administrator session is available, follow the [administrator password recovery procedure](troubleshooting.md#recover-a-forgotten-admin-password) on the server.
|
||||
|
||||
### A global mutation is denied despite `write`
|
||||
|
||||
Process-global definitions require the corresponding permission with `all` scope. Create a dedicated global administration role instead of widening unrelated permissions.
|
||||
@@ -371,4 +375,3 @@ Process-global definitions require the corresponding permission with `all` scope
|
||||
### External MCP requires global scope
|
||||
|
||||
The user needs `mcp:external:execute`, and that permission's scope must be `all`.
|
||||
|
||||
|
||||
@@ -42,6 +42,18 @@ Login fails:
|
||||
- stale cookie;
|
||||
- audit throttling repeated failures.
|
||||
|
||||
### Recover a forgotten `admin` password
|
||||
|
||||
If another administrator with `rbac:write` is available, reset the password under **Platform permissions → User management**.
|
||||
|
||||
If no administrator session is available, the built-in `admin` account can be recovered on the server. Stop CyberStrikeAI, back up the database, change to the project root, and run the command below. Enter and confirm the new password when prompted:
|
||||
|
||||
```bash
|
||||
HASH=$(htpasswd -nBC 10 '' | cut -d: -f2 | tr -d '\n') && sqlite3 data/conversations.db "UPDATE rbac_users SET password_hash='$HASH', updated_at=CURRENT_TIMESTAMP WHERE id='admin' AND username='admin' AND is_builtin=1; SELECT changes();"
|
||||
```
|
||||
|
||||
Output `1` means that the row was updated. The command requires `sqlite3` and `htpasswd`. If `database.path` in `config.yaml` is not the default, replace `data/conversations.db`. Password input is hidden, is not written to shell history, and is stored as a bcrypt hash. Restart the service afterward to invalidate existing login sessions.
|
||||
|
||||
Model fails:
|
||||
|
||||
- wrong `base_url` path;
|
||||
|
||||
+4
-1
@@ -372,6 +372,10 @@ curl -X POST http://localhost:8080/api/rbac/resource-assignments \
|
||||
|
||||
角色变更会撤销会话。让用户重新登录;机器人下一条消息会重新解析权限。
|
||||
|
||||
### 忘记了内置 `admin` 密码
|
||||
|
||||
优先使用其他具备 `rbac:write` 权限的管理员账号重置。若没有可用的管理员会话,请按[排错指南中的管理员密码恢复流程](troubleshooting.md#忘记-admin-密码)在服务器上紧急重置。
|
||||
|
||||
### `write` 权限存在但全局配置仍被拒绝
|
||||
|
||||
全局对象写操作要求对应权限的 Scope 为 `all`。创建一个 `all` Scope 的专用管理角色,而不是扩大无关权限。
|
||||
@@ -383,4 +387,3 @@ curl -X POST http://localhost:8080/api/rbac/resource-assignments \
|
||||
### 外部 MCP 提示需要 global scope
|
||||
|
||||
除 `mcp:external:execute` 外,该权限的 Scope 还必须为 `all`。外部 MCP 的数据边界不由本地资源授权自动保护。
|
||||
|
||||
|
||||
@@ -28,7 +28,17 @@ https://127.0.0.1:8080/
|
||||
- 浏览器 Cookie 是否异常,可尝试无痕窗口。
|
||||
- 审计日志中是否有登录失败节流。
|
||||
|
||||
生产环境忘记密码时,需在服务器上通过 RBAC 用户管理重置,或直接更新数据库中的用户密码哈希。
|
||||
### 忘记 `admin` 密码
|
||||
|
||||
如果仍有其他具备 `rbac:write` 权限的管理员账号,优先在 **平台权限 → 用户管理** 中重置密码。
|
||||
|
||||
如果没有可用的管理员会话,可在服务器上紧急重置内置 `admin` 账号。先停止 CyberStrikeAI 服务并备份数据库,然后在项目根目录执行以下命令,按提示输入并确认新密码:
|
||||
|
||||
```bash
|
||||
HASH=$(htpasswd -nBC 10 '' | cut -d: -f2 | tr -d '\n') && sqlite3 data/conversations.db "UPDATE rbac_users SET password_hash='$HASH', updated_at=CURRENT_TIMESTAMP WHERE id='admin' AND username='admin' AND is_builtin=1; SELECT changes();"
|
||||
```
|
||||
|
||||
输出 `1` 表示修改成功。该命令需要 `sqlite3` 和 `htpasswd`;如果 `config.yaml` 中的 `database.path` 不是默认值,请替换 `data/conversations.db`。密码输入不会显示,也不会写入 Shell 历史,并以 bcrypt 哈希保存。完成后重新启动服务,使原有登录会话失效。
|
||||
|
||||
## 模型无响应
|
||||
|
||||
|
||||
Reference in New Issue
Block a user