feat: add environment variable for default admin initial password (#5487

)
Arize-ai · Nov 21, 2024 · 748556e · 748556e
1 parent 91d94a1
commit 748556e
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 2 deletions.
diff --git a/src/phoenix/config.py b/src/phoenix/config.py
@@ -97,6 +97,13 @@
 ENV_PHOENIX_ENABLE_AUTH = "PHOENIX_ENABLE_AUTH"
 ENV_PHOENIX_DISABLE_RATE_LIMIT = "PHOENIX_DISABLE_RATE_LIMIT"
 ENV_PHOENIX_SECRET = "PHOENIX_SECRET"
+ENV_PHOENIX_DEFAULT_ADMIN_INITIAL_PASSWORD = "PHOENIX_DEFAULT_ADMIN_INITIAL_PASSWORD"
+"""
+The initial password for the default admin account, which defaults to ‘admin’ if not
+explicitly set. Note that changing this value will have no effect if the default admin
+record already exists in the database. In such cases, the default admin password must
+be updated manually in the application.
+"""
 ENV_PHOENIX_API_KEY = "PHOENIX_API_KEY"
 ENV_PHOENIX_USE_SECURE_COOKIES = "PHOENIX_USE_SECURE_COOKIES"
 ENV_PHOENIX_ACCESS_TOKEN_EXPIRY_MINUTES = "PHOENIX_ACCESS_TOKEN_EXPIRY_MINUTES"
@@ -274,6 +281,12 @@ def get_env_phoenix_secret() -> Optional[str]:
     return phoenix_secret
 
 
+def get_env_default_admin_initial_password() -> str:
+    from phoenix.auth import DEFAULT_ADMIN_PASSWORD
+
+    return os.environ.get(ENV_PHOENIX_DEFAULT_ADMIN_INITIAL_PASSWORD) or DEFAULT_ADMIN_PASSWORD
+
+
 def get_env_phoenix_use_secure_cookies() -> bool:
     return _bool_val(ENV_PHOENIX_USE_SECURE_COOKIES, False)
 

diff --git a/src/phoenix/db/facilitator.py b/src/phoenix/db/facilitator.py
@@ -13,13 +13,13 @@
 
 from phoenix.auth import (
     DEFAULT_ADMIN_EMAIL,
-    DEFAULT_ADMIN_PASSWORD,
     DEFAULT_ADMIN_USERNAME,
     DEFAULT_SECRET_LENGTH,
     DEFAULT_SYSTEM_EMAIL,
     DEFAULT_SYSTEM_USERNAME,
     compute_password_hash,
 )
+from phoenix.config import get_env_default_admin_initial_password
 from phoenix.db import models
 from phoenix.db.enums import COLUMN_ENUMS, UserRole
 from phoenix.server.types import DbSessionFactory
@@ -97,7 +97,8 @@ async def _ensure_user_roles(session: AsyncSession) -> None:
         admin_role_id := role_ids.get(admin_role)
     ) is not None:
         salt = secrets.token_bytes(DEFAULT_SECRET_LENGTH)
-        compute = partial(compute_password_hash, password=DEFAULT_ADMIN_PASSWORD, salt=salt)
+        password = get_env_default_admin_initial_password()
+        compute = partial(compute_password_hash, password=password, salt=salt)
         loop = asyncio.get_running_loop()
         hash_ = await loop.run_in_executor(None, compute)
         admin_user = models.User(