8.10.2. Accessing the Administration Console

The Administration Console configuration file does not provide access control, and there is no concept of an OpenShift Enterprise administrative role. The current iteration of the Administration Console is informational only, and you must log in to an OpenShift Enterprise host to perform all administrative actions.
When the broker application loads the Administration Console, the standard httpd proxy configuration of the OpenShift Enterprise broker host blocks external access to the URI of the Administration Console. Refusing external access is a security feature to avoid exposing the Administration Console publicly by accident.

Note

The Administration Console's URI is /admin-console by default, but is configurable in /etc/openshift/plugins.d/openshift-origin-admin-console.conf.
To access the Administration Console from a system other than the broker, you can either forward the port for local viewing or modify the proxy configuration. Choose one of the following procedures.

Procedure 8.23. To View the Administration Console Using Port Forwarding:

You can view the Administration Console without exposing it externally by forwarding its port to your local workstation.
  1. On your local workstation, replace user@broker.example.com in the following example with your relevant user name and broker host: 
    $ ssh -f user@broker.example.com -L 8080:localhost:8080 -N
    This command uses a secure shell (SSH) to connect to user@broker.example.com and attaches the local workstation port 8080 (the first number) to the broker host's local port 8080 (the second number), where the broker application listens behind the host proxy.
  2. Browse to http://localhost:8080/admin-console using a web browser to access the Administration Console.

Procedure 8.24. To Enable External Access to the Administration Console:

You can configure the broker host httpd proxy to enable external access through the broker host.
  1. On each broker host, edit the /etc/httpd/conf.d/000002_openshift_origin_broker_proxy.conf configuration file. Inside the <VirtualHost *:443> section, add additional ProxyPass entries for the Administration Console and its static assets after the existing ProxyPass entry for the broker. The completed <VirtualHost *:443> section looks similar to the following:

    Example 8.19. Example <VirtualHost *:443> section

    ProxyPass /broker http://127.0.0.1:8080/broker
ProxyPass /admin-console http://127.0.0.1:8080/admin-console
ProxyPass /assets http://127.0.0.1:8080/assets
ProxyPassReverse / http://127.0.0.1:8080/
  2. Optionally, you can add any httpd access controls you deem necessary to prevent access to the Administration Console. See Section 8.10.3, “Configuring Authentication for the Administration Console” for examples.
  3. Restart the httpd service to load the new configuration: 
    # service httpd restart