Part of #24, follow-up to #27 (Unit 3 restore).
Summary
docs/migrate/halos-restore.sh restores InfluxDB keeping the source admin username (only the org is renamed to marine) and updates INFLUXDB_ADMIN_TOKEN in the app env, but never writes INFLUXDB_ADMIN_USER. The marine InfluxDB app then assumes the user is admin, which no longer matches the restored database.
Consequence
The app env misrepresents the admin username. Combined with the InfluxDB password sync (halos-org/halos-marine-containers#189), a later app-config password change targets a nonexistent admin user and takes InfluxDB offline.
Fix
Where the restore updates the env (near the INFLUXDB_ADMIN_TOKEN write, ~halos-restore.sh:379), also persist the restored username:
INFLUXDB_ADMIN_USER=<source user>
The source user ($user) is already known at halos-restore.sh:359. This keeps the env truthful and lets the password sync target the correct account.
Relationship to #189
Defense-in-depth. The primary fix is hardening the sync to derive the username itself (halos-org/halos-marine-containers#189); doing both is ideal — this one makes the env accurate regardless of how the sync behaves.
Verified
Reproduced on halosdev.local (restored data, user boatadmin, org marine): the env had only INFLUXDB_ADMIN_TOKEN, no INFLUXDB_ADMIN_USER, so the app defaulted to admin while the DB user was boatadmin.
Part of #24, follow-up to #27 (Unit 3 restore).
Summary
docs/migrate/halos-restore.shrestores InfluxDB keeping the source admin username (only the org is renamed tomarine) and updatesINFLUXDB_ADMIN_TOKENin the app env, but never writesINFLUXDB_ADMIN_USER. The marine InfluxDB app then assumes the user isadmin, which no longer matches the restored database.Consequence
The app env misrepresents the admin username. Combined with the InfluxDB password sync (halos-org/halos-marine-containers#189), a later app-config password change targets a nonexistent
adminuser and takes InfluxDB offline.Fix
Where the restore updates the env (near the
INFLUXDB_ADMIN_TOKENwrite, ~halos-restore.sh:379), also persist the restored username:The source user (
$user) is already known athalos-restore.sh:359. This keeps the env truthful and lets the password sync target the correct account.Relationship to #189
Defense-in-depth. The primary fix is hardening the sync to derive the username itself (halos-org/halos-marine-containers#189); doing both is ideal — this one makes the env accurate regardless of how the sync behaves.
Verified
Reproduced on halosdev.local (restored data, user
boatadmin, orgmarine): the env had onlyINFLUXDB_ADMIN_TOKEN, noINFLUXDB_ADMIN_USER, so the app defaulted toadminwhile the DB user wasboatadmin.