Skip to content

docs(deployment): document admin init crash on legacy internal_id mismatch (#16410)#16773

Open
YAMRAJ13y wants to merge 1 commit into
OpenCTI-Platform:masterfrom
YAMRAJ13y:docs/16410-admin-init-internal-id
Open

docs(deployment): document admin init crash on legacy internal_id mismatch (#16410)#16773
YAMRAJ13y wants to merge 1 commit into
OpenCTI-Platform:masterfrom
YAMRAJ13y:docs/16410-admin-init-internal-id

Conversation

@YAMRAJ13y

@YAMRAJ13y YAMRAJ13y commented Jun 23, 2026

Copy link
Copy Markdown

Proposed changes

Adds a Known issues section to the upgrade guide documenting the User already exists crash loop that can occur when upgrading an older platform to 7.x, as requested in #16410.

When a legacy admin account's stored internal_id does not match the hardcoded OPENCTI_ADMIN_UUID (88ec0c6a-13ce-5e39-b486-354fe4a7084f), initAdmin() takes the create path, collides on user_email, and aborts boot with FunctionalError: User already exists.

The entry covers:

  • Symptom — the error and crash loop on boot.
  • Cause — legacy internal_idOPENCTI_ADMIN_UUID.
  • How to confirm — compare the admin account's internal_id against the constant.
  • Remediation — reconcile the existing admin's identity (with a backup / community guidance) rather than changing APP__ADMIN__EMAIL, which orphans the legacy admin.
  • APP__ADMIN__EXTERNALLY_MANAGED — documents that it forces the admin account_status to Locked on each boot.

All claims verified against opencti-platform/opencti-graphql/src/domain/user.js (initAdmin() at L2044, User already exists throw at L733) and schema/general.js (OPENCTI_ADMIN_UUID).

The reporter also flagged a latent product angle (a clearer error message or a migration that repoints the legacy internal_id). This PR is documentation only; happy to split that into a separate engineering issue if maintainers want.

Related issues

Closes #16410

How to test

Review the rendered Deployment → Upgrade page: the new Known issues section appears with correctly formatted admonitions.

@YAMRAJ13y
docs(deployment): document admin init crash on legacy internal_id mis…
8dae70e 
…match (OpenCTI-Platform#16410)

Add a Known issues entry to the upgrade guide for the 'User already exists'
crash loop that occurs when a legacy admin account's internal_id does not match
the hardcoded OPENCTI_ADMIN_UUID. Covers the symptom, cause, how to confirm,
remediation guidance, and the APP__ADMIN__EXTERNALLY_MANAGED behavior.

Closes OpenCTI-Platform#16410
Copilot AI review requested due to automatic review settings June 23, 2026 15:15
Copilot AI reviewed Jun 23, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds operational upgrade guidance to the deployment docs by documenting a specific 7.x upgrade failure mode where legacy admin accounts can trigger a fatal FunctionalError: User already exists crash loop during admin initialization.

Changes:

  • Adds a new Known issues section to the upgrade guide describing the legacy admin internal_id mismatch scenario and the resulting crash loop.
  • Documents confirmation steps and remediation guidance (including avoiding the “change admin email” workaround).
  • Notes APP__ADMIN__EXTERNALLY_MANAGED behavior (admin account_status forced to Locked on boot).

Comment thread docs/docs/deployment/upgrade.md
FunctionalError: User already exists
```

**Cause**
Comment thread docs/docs/deployment/upgrade.md

This can affect any deployment carrying a sufficiently old admin account forward across the 7.x upgrade.

**How to confirm**
Comment thread docs/docs/deployment/upgrade.md

Look up the admin account by the email configured in `APP__ADMIN__EMAIL` and compare its stored `internal_id` with `OPENCTI_ADMIN_UUID` (`88ec0c6a-13ce-5e39-b486-354fe4a7084f`). If they differ, you are hitting this issue.

**Remediation**
Comment thread docs/docs/deployment/upgrade.md

**Cause**

On boot, the platform resolves the admin account by its hardcoded identifier `OPENCTI_ADMIN_UUID` (`88ec0c6a-13ce-5e39-b486-354fe4a7084f`). On deployments where the admin account was created before this identifier became deterministic, the stored admin document has a **random** `internal_id` that does not match `OPENCTI_ADMIN_UUID`. As a result the admin lookup returns nothing, initialization falls into the *create* path, and creating the account collides with the existing admin on `user_email` — which raises `User already exists` and aborts startup.
@aHenryJard aHenryJard added the community Contribution from the community. label Jun 24, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

community Contribution from the community.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

docs: document admin init failure on upgrade when legacy admin internal_id ≠ OPENCTI_ADMIN_UUID

3 participants

@YAMRAJ13y @aHenryJard