Show Table of Contents
8.10.2. Accessing the Administration Console
The Administration Console configuration file does not provide access control, and there is no concept of an OpenShift Enterprise administrative role. The current iteration of the Administration Console is informational only, and you must log in to an OpenShift Enterprise host to perform all administrative actions.
When the broker application loads the Administration Console, the standard
httpd proxy configuration of the OpenShift Enterprise broker host blocks external access to the URI of the Administration Console. Refusing external access is a security feature to avoid exposing the Administration Console publicly by accident.
Note
The Administration Console's URI is
/admin-console by default, but is configurable in /etc/openshift/plugins.d/openshift-origin-admin-console.conf.
To access the Administration Console from a system other than the broker, you can either forward the port for local viewing or modify the proxy configuration. Choose one of the following procedures.
Procedure 8.23. To View the Administration Console Using Port Forwarding:
You can view the Administration Console without exposing it externally by forwarding its port to your local workstation.
- On your local workstation, replace user@broker.example.com in the following example with your relevant user name and broker host:
$
ssh -f user@broker.example.com -L 8080:localhost:8080 -NThis command uses a secure shell (SSH) to connect to user@broker.example.com and attaches the local workstation port8080(the first number) to the broker host's local port8080(the second number), where the broker application listens behind the host proxy. - Browse to
http://localhost:8080/admin-consoleusing a web browser to access the Administration Console.
Procedure 8.24. To Enable External Access to the Administration Console:
You can configure the broker host
httpd proxy to enable external access through the broker host.
- On each broker host, edit the
/etc/httpd/conf.d/000002_openshift_origin_broker_proxy.confconfiguration file. Inside the<VirtualHost *:443>section, add additionalProxyPassentries for the Administration Console and its static assets after the existingProxyPassentry for the broker. The completed<VirtualHost *:443>section looks similar to the following:Example 8.19. Example
<VirtualHost *:443>sectionProxyPass /broker http://127.0.0.1:8080/broker ProxyPass /admin-console http://127.0.0.1:8080/admin-console ProxyPass /assets http://127.0.0.1:8080/assets ProxyPassReverse / http://127.0.0.1:8080/
- Optionally, you can add any
httpdaccess controls you deem necessary to prevent access to the Administration Console. See Section 8.10.3, “Configuring Authentication for the Administration Console” for examples. - Restart the
httpdservice to load the new configuration:#
service httpd restart
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.