STING Admin User Setup Guide

This guide covers how to create and manage admin users in STING.

Quick Setup

Step 1: Set Up Custom Domain (Optional but Recommended)

For a consistent development experience, set up a custom domain:

# Default setup with queen.hive domain
sudo ./setup_custom_domain.sh

# Or set up with your own domain
sudo CUSTOM_DOMAIN=mysting.local ./setup_custom_domain.sh

This will configure your system to access STING at:

Main App: https://queen.hive:8443 (or your custom domain)
Auth Service: https://auth.queen.hive:4433
API: https://api.queen.hive:5050

Step 2: Create First Admin User

Option 1: Automated First Admin Setup (Recommended)

# Run the setup script for first admin with temporary password
./setup_first_admin.sh

Option 2: Manual Admin Creation

# Create admin with temporary password
python3 create_admin.py --email admin@yourcompany.com --temp-password

# Create admin with custom password
python3 create_admin.py --email admin@yourcompany.com

Option 3: First User Auto-Promotion

Simply register the first user through the UI
They will automatically be promoted to super admin

Verification

Check Admin Status

# Check current admin users
python3 check_admin.py

Browser Console Debugging

Open browser developer tools and check console for role loading messages:

Loading user role...
User is super admin or User is admin

Admin Features

What Admins Can Access

LLM Settings Tab - Appears in Settings page for admins only
Model Management - Change, restart, and monitor LLM models
Progress Tracking - Real-time model loading with terminal output
User Management - Promote other users (super admin only)

LLM Settings Location

Path: Settings → LLM Settings tab
URL: https://localhost:8443/dashboard/settings
Features: Model selection, service restart, progress tracking

Security Features

Automatic Protections

First user is auto-promoted to super admin
Admin tabs only visible to admin users
API endpoints require admin authentication
Temporary passwords force change on first login

Manual Security Steps

Change temporary passwords immediately
Use strong passwords for admin accounts
Regularly review admin user list
Monitor admin activities in logs

Troubleshooting

Admin Tab Not Visible

Check user role in browser console:

// In browser console
localStorage.getItem('user-role') // Check stored role

Verify admin status:
```
python3 check_admin.py
```

Check backend user data:

# In browser console, check network tab for /api/users/me response

User Not Auto-Promoted

Ensure they’re the first user: python3 check_admin.py
Check Flask logs for promotion messages
Manually promote: python3 create_admin.py --email user@email.com

API Endpoints Not Working

Verify user is authenticated (check browser session)
Check Flask blueprint registration
Ensure user endpoints are enabled

Admin Management

Promote Existing User

# Via Python script (future enhancement)
from app.services.user_service import UserService
UserService.promote_user_to_admin(user_id, admin_user_id)

Demote Admin User

# Via database/Python (future enhancement)
user.demote_from_admin()

API Endpoints

User Role Endpoints

GET /api/users/me - Get current user info with admin flags
GET /api/users/stats - Admin user statistics
POST /api/users/<id>/promote - Promote user to admin

LLM Management (Admin Only)

POST /api/llm/load - Start model loading with progress tracking
GET /api/llm/progress/<id> - Get loading progress
POST /api/llm/restart - Restart LLM service

Files Created/Modified

New Scripts

create_admin.py - Programmatic admin creation
setup_first_admin.sh - Quick setup script
check_admin.py - Admin status verification

Enhanced Components

UserSettings.jsx - Added admin-only LLM Settings tab
RoleContext.jsx - Fixed for Kratos authentication
User model - Added admin promotion methods
user_routes.py - Added /api/users/me endpoint

Progress Tracking

BeeSettings.jsx - Enhanced with progress modal
ProgressBar.jsx - Visual progress component
TerminalOutput.jsx - Live terminal component
llm_routes.py - Async loading with progress

Custom Domain and Network Access

Default Development Domain

STING can be configured with a custom domain for consistent development experience. The recommended default is queen.hive:

# Set up default queen.hive domain
sudo ./setup_custom_domain.sh

# Access STING at:
# https://queen.hive:8443

Network Access from Other Devices

To allow access from other devices on your network:

Find your local IP address:

# macOS
ifconfig | grep 'inet ' | grep -v 127.0.0.1

# Linux
ip addr show | grep 'inet ' | grep -v 127.0.0.1

Configure STING for network access:

# Update config.yml to use your IP
sed -i 's/localhost/YOUR_LOCAL_IP/g' conf/config.yml

# Regenerate environment files
./manage_sting.sh regenerate-env

# Restart services
./manage_sting.sh restart

Share access URL:
- Share: https://YOUR_LOCAL_IP:8443
- Users must accept the self-signed certificate warning

Production Domain Setup

For production deployments:

Use a real domain with proper SSL certificates
Update conf/config.yml with production domain
Configure proper SSL certificates (not self-signed)
Set up reverse proxy (nginx/traefik) for clean URLs

Best Practices

Always use programmatic admin creation for production
Generate temporary passwords for initial admin setup
Force password changes on first login
Monitor admin activities through logs
Regularly audit admin user list
Use principle of least privilege - don’t give everyone admin
Use custom domains for consistent experience across environments

Example Workflow

Fresh Installation:

./install_sting.sh install
./setup_first_admin.sh  # Creates admin with temp password

Admin logs in and changes password
Admin accesses LLM settings:
- Go to Settings → LLM Settings
- Select different model
- Watch progress tracking
- Use terminal output for debugging

Admin creates additional admins:

python3 create_admin.py --email newadmin@company.com --temp-password

This provides a robust, secure admin system for your STING MVP.

Last updated: October 20, 2025