trustgraph/docs/cli/tg-init-pulsar-manager.md

# tg-init-pulsar-manager

Initializes Pulsar Manager with default superuser credentials for TrustGraph.

## Synopsis

```bash
tg-init-pulsar-manager
```

## Description

The `tg-init-pulsar-manager` command is a setup utility that creates a default superuser account in Pulsar Manager. This is typically run once during initial TrustGraph deployment to establish administrative access to the Pulsar message queue management interface.

The command configures a superuser with predefined credentials that can be used to access the Pulsar Manager web interface for monitoring and managing Pulsar topics, namespaces, and tenants.

## Default Configuration

The command creates a superuser with these default credentials:

- **Username**: `admin`
- **Password**: `apachepulsar`
- **Description**: `test`
- **Email**: `username@test.org`

## Prerequisites

### Pulsar Manager Service
Pulsar Manager must be running and accessible at `http://localhost:7750` before running this command.

### Network Connectivity
The command requires network access to the Pulsar Manager API endpoint.

## Examples

### Basic Initialization
```bash
tg-init-pulsar-manager
```

### Verify Initialization
```bash
# Run the initialization
tg-init-pulsar-manager

# Check if Pulsar Manager is accessible
curl -s http://localhost:7750/pulsar-manager/ | grep -q "Pulsar Manager"
echo "Pulsar Manager status: $?"
```

### Integration with Setup Scripts
```bash
#!/bin/bash
# setup-trustgraph.sh

echo "Setting up TrustGraph infrastructure..."

# Wait for Pulsar Manager to be ready
echo "Waiting for Pulsar Manager..."
while ! curl -s http://localhost:7750/pulsar-manager/ > /dev/null; do
  echo "  Waiting for Pulsar Manager to start..."
  sleep 5
done

# Initialize Pulsar Manager
echo "Initializing Pulsar Manager..."
tg-init-pulsar-manager

if [ $? -eq 0 ]; then
  echo "✓ Pulsar Manager initialized successfully"
  echo "  You can access it at: http://localhost:7750/pulsar-manager/"
  echo "  Username: admin"
  echo "  Password: apachepulsar"
else
  echo "✗ Failed to initialize Pulsar Manager"
  exit 1
fi
```

## What It Does

The command performs the following operations:

1. **Retrieves CSRF Token**: Gets a CSRF token from Pulsar Manager for secure API access
2. **Creates Superuser**: Makes an authenticated API call to create the superuser account
3. **Sets Permissions**: Configures the user with administrative privileges

### HTTP Operations
```bash
# Equivalent manual operations:
CSRF_TOKEN=$(curl http://localhost:7750/pulsar-manager/csrf-token)

curl \
    -H "X-XSRF-TOKEN: $CSRF_TOKEN" \
    -H "Cookie: XSRF-TOKEN=$CSRF_TOKEN;" \
    -H 'Content-Type: application/json' \
    -X PUT \
    http://localhost:7750/pulsar-manager/users/superuser \
    -d '{"name": "admin", "password": "apachepulsar", "description": "test", "email": "username@test.org"}'
```

## Use Cases

### Initial Deployment
```bash
# Part of TrustGraph deployment sequence
deploy_trustgraph() {
  echo "Deploying TrustGraph..."
  
  # Start services
  docker-compose up -d pulsar pulsar-manager
  
  # Wait for services
  wait_for_service "http://localhost:7750/pulsar-manager/" "Pulsar Manager"
  wait_for_service "http://localhost:8080/admin/v2/clusters" "Pulsar"
  
  # Initialize Pulsar Manager
  echo "Initializing Pulsar Manager..."
  tg-init-pulsar-manager
  
  # Initialize TrustGraph
  echo "Initializing TrustGraph..."
  tg-init-trustgraph
  
  echo "Deployment complete!"
}
```

### Development Environment Setup
```bash
# Development setup script
setup_dev_environment() {
  echo "Setting up development environment..."
  
  # Start local services
  docker-compose -f docker-compose.dev.yml up -d
  
  # Wait for readiness
  echo "Waiting for services to start..."
  sleep 30
  
  # Initialize components
  tg-init-pulsar-manager
  tg-init-trustgraph
  
  echo "Development environment ready!"
  echo "Pulsar Manager: http://localhost:7750/pulsar-manager/"
  echo "Credentials: admin / apachepulsar"
}
```

### CI/CD Integration
```bash
# Integration testing setup
setup_test_environment() {
  local timeout=300  # 5 minutes
  local elapsed=0
  
  echo "Setting up test environment..."
  
  # Start services
  docker-compose up -d --wait
  
  # Wait for Pulsar Manager
  while ! curl -s http://localhost:7750/pulsar-manager/ > /dev/null; do
    if [ $elapsed -ge $timeout ]; then
      echo "Timeout waiting for Pulsar Manager"
      return 1
    fi
    sleep 5
    elapsed=$((elapsed + 5))
  done
  
  # Initialize
  if tg-init-pulsar-manager; then
    echo "✓ Test environment ready"
  else
    echo "✗ Failed to initialize test environment"
    return 1
  fi
}
```

## Docker Integration

### Docker Compose Setup
```yaml
# docker-compose.yml
version: '3.8'

services:
  pulsar:
    image: apachepulsar/pulsar:latest
    ports:
      - "6650:6650"
      - "8080:8080"
    command: bin/pulsar standalone
    
  pulsar-manager:
    image: apachepulsar/pulsar-manager:latest
    ports:
      - "7750:7750"
    depends_on:
      - pulsar
    environment:
      SPRING_CONFIGURATION_FILE: /pulsar-manager/pulsar-manager/application.properties

  trustgraph-init:
    image: trustgraph/cli:latest
    depends_on:
      - pulsar-manager
    command: >
      sh -c "
        sleep 30 &&
        tg-init-pulsar-manager &&
        tg-init-trustgraph
      "
```

### Kubernetes Setup
```yaml
# k8s-init-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: trustgraph-init
spec:
  template:
    spec:
      containers:
      - name: init
        image: trustgraph/cli:latest
        command:
        - sh
        - -c
        - |
          echo "Waiting for Pulsar Manager..."
          while ! curl -s http://pulsar-manager:7750/pulsar-manager/; do
            sleep 5
          done
          
          echo "Initializing Pulsar Manager..."
          tg-init-pulsar-manager
          
          echo "Initializing TrustGraph..."
          tg-init-trustgraph
        env:
        - name: PULSAR_MANAGER_URL
          value: "http://pulsar-manager:7750"
      restartPolicy: Never
```

## Error Handling

### Connection Refused
```bash
curl: (7) Failed to connect to localhost port 7750: Connection refused
```
**Solution**: Ensure Pulsar Manager is running and accessible on port 7750.

### CSRF Token Issues
```bash
curl: (22) The requested URL returned error: 403 Forbidden
```
**Solution**: The CSRF token mechanism may have changed. Check Pulsar Manager API documentation.

### User Already Exists
```bash
HTTP 409 Conflict - User already exists
```
**Solution**: This is expected on subsequent runs. The superuser is already created.

### Network Issues
```bash
curl: (28) Operation timed out
```
**Solution**: Check network connectivity and firewall settings.

## Security Considerations

### Default Credentials
The command uses default credentials that should be changed in production:

```bash
# After initialization, change the password via Pulsar Manager UI
# Or use the API to update credentials
change_admin_password() {
  local new_password="$1"
  
  # Login to get session
  session=$(curl -s -c cookies.txt \
    -d "username=admin&password=apachepulsar" \
    http://localhost:7750/pulsar-manager/login)
  
  # Update password
  curl -s -b cookies.txt \
    -H "Content-Type: application/json" \
    -X PUT \
    -d "{\"password\": \"$new_password\"}" \
    http://localhost:7750/pulsar-manager/users/admin
  
  rm cookies.txt
}
```

### Access Control
```bash
# Restrict access to Pulsar Manager in production
configure_security() {
  echo "Configuring Pulsar Manager security..."
  
  # Change default password
  change_admin_password "$(openssl rand -base64 32)"
  
  # Configure firewall rules (example)
  # iptables -A INPUT -p tcp --dport 7750 -s 10.0.0.0/8 -j ACCEPT
  # iptables -A INPUT -p tcp --dport 7750 -j DROP
  
  echo "Security configuration complete"
}
```

## Advanced Usage

### Custom Configuration
```bash
# Create custom initialization script
create_custom_init() {
  cat > custom-pulsar-manager-init.sh << 'EOF'
#!/bin/bash

PULSAR_MANAGER_URL=${PULSAR_MANAGER_URL:-http://localhost:7750}
ADMIN_USER=${ADMIN_USER:-admin}
ADMIN_PASS=${ADMIN_PASS:-$(openssl rand -base64 16)}
ADMIN_EMAIL=${ADMIN_EMAIL:-admin@example.com}

echo "Initializing Pulsar Manager at: $PULSAR_MANAGER_URL"

# Get CSRF token
CSRF_TOKEN=$(curl -s "$PULSAR_MANAGER_URL/pulsar-manager/csrf-token")

if [ -z "$CSRF_TOKEN" ]; then
  echo "Failed to get CSRF token"
  exit 1
fi

# Create superuser
response=$(curl -s -w "%{http_code}" \
  -H "X-XSRF-TOKEN: $CSRF_TOKEN" \
  -H "Cookie: XSRF-TOKEN=$CSRF_TOKEN;" \
  -H 'Content-Type: application/json' \
  -X PUT \
  "$PULSAR_MANAGER_URL/pulsar-manager/users/superuser" \
  -d "{\"name\": \"$ADMIN_USER\", \"password\": \"$ADMIN_PASS\", \"description\": \"Admin user\", \"email\": \"$ADMIN_EMAIL\"}")

http_code="${response: -3}"

if [ "$http_code" = "200" ] || [ "$http_code" = "409" ]; then
  echo "Pulsar Manager initialized successfully"
  echo "Username: $ADMIN_USER"
  echo "Password: $ADMIN_PASS"
else
  echo "Failed to initialize Pulsar Manager (HTTP $http_code)"
  exit 1
fi
EOF

  chmod +x custom-pulsar-manager-init.sh
}
```

### Health Checks
```bash
# Health check script
check_pulsar_manager() {
  local max_attempts=30
  local attempt=1
  
  echo "Checking Pulsar Manager health..."
  
  while [ $attempt -le $max_attempts ]; do
    if curl -s http://localhost:7750/pulsar-manager/ > /dev/null; then
      echo "✓ Pulsar Manager is healthy"
      return 0
    fi
    
    echo "Attempt $attempt/$max_attempts - Pulsar Manager not ready"
    sleep 5
    attempt=$((attempt + 1))
  done
  
  echo "✗ Pulsar Manager health check failed"
  return 1
}

# Use in deployment scripts
if check_pulsar_manager; then
  tg-init-pulsar-manager
else
  echo "Cannot initialize Pulsar Manager - service not healthy"
  exit 1
fi
```

## Related Commands

- [`tg-init-trustgraph`](tg-init-trustgraph.md) - Initialize TrustGraph with Pulsar configuration
- [`tg-show-config`](tg-show-config.md) - Display current TrustGraph configuration

## Integration Points

### Pulsar Manager UI
After initialization, access the web interface at:
- **URL**: `http://localhost:7750/pulsar-manager/`
- **Username**: `admin`
- **Password**: `apachepulsar`

### TrustGraph Integration
This command is typically run before `tg-init-trustgraph` as part of the complete TrustGraph setup process.

## Best Practices

1. **Run Once**: Only run during initial setup - subsequent runs are harmless but unnecessary
2. **Change Defaults**: Change default credentials in production environments
3. **Network Security**: Restrict access to Pulsar Manager in production
4. **Health Checks**: Always verify Pulsar Manager is running before initialization
5. **Automation**: Include in deployment automation scripts
6. **Documentation**: Document custom credentials for operations teams

## Troubleshooting

### Service Not Ready
```bash
# Check if Pulsar Manager is running
docker ps | grep pulsar-manager
netstat -tlnp | grep 7750
```

### Port Conflicts
```bash
# Check if port 7750 is in use
lsof -i :7750
```

### Docker Issues
```bash
# Check Pulsar Manager logs
docker logs pulsar-manager

# Restart if needed
docker restart pulsar-manager
```