Chapter 5. Understand Roles and Authentication
By default, a freshly installed OSE has no roles or user accounts, so you need to create them. You can either create new roles or define a policy that allows anyone to log in (to start you off).
Before you do anything else, log in at least one time with the default system:admin user, on the master:
$ oc login -u system:admin
All commands from now on should be executed on the master, unless otherwise indicated.
By logging in at least one time with this account, you will create the system:admin user’s configuration file, which will allow you to log in subsequently.
There is no password for this system account.
5.1. Change Log In Identity Provider
The default behavior of a freshly installed OSE instance is to deny all logins. To change the authentication method to HTPasswd:
- Open the /etc/origin/master/master-config.yaml file in editing mode.
- Change the value of the name label to htpasswd_auth and add a new line file: /etc/origin/openshift-passwd in the provider section.
HTPasswdPasswordIdentityProvider would look like this:
    identityProviders:
    - challenge: true
      login: true
      name: htpasswd_auth
      provider:
        apiVersion: v1
        file: /etc/origin/openshift-passwd
        kind: HTPasswdPasswordIdentityProvider
- Save the file.
5.2. Create User Accounts
Now that you are using the HTPasswdPasswordIdentityProvider provider, you need to generate these user accounts.
You can use the httpd-tools package to obtain the htpasswd binary that can generate these accounts.
yum -y install httpd-tools
Create a user account:
touch /etc/origin/openshift-passwd
htpasswd -b /etc/origin/openshift-passwd admin redhat
Note that you have created a user with the username of admin and password of
Restart OpenShift before going forward.
systemctl restart atomic-openshift-master
Give this user account cluster-admin privileges (which allows it to do everything):
oadm policy add-cluster-role-to-user cluster-admin admin
Now, you can use this username/password combination to log in via the web console or the command line. To test this:
oc login -u admin
Before going forward, change to the
oc project default
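The following audit script is an added example, not part of the original guide or of OpenShift. It checks an HTPasswd provider file such as the one created above for a group- or world-readable mode (what touch leaves behind under the usual umask 022) and for entries that are not bcrypt hashes. The function name audit_htpasswd, the sample entries, and the assumptions that the master reads the file as its owner and accepts bcrypt entries are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): audit an HTPasswd provider file.
# Prints one finding per line; exit status 0 = clean, 1 = findings, 2 = unreadable.
audit_htpasswd() {
    file=$1
    findings=0
    [ -r "$file" ] || { echo "ERROR cannot read $file"; return 2; }

    # Characters 5-10 of the `ls -l` mode string are the group/other bits.
    # Assumption: only the file's owner (the master process) needs to read it.
    perms=$(ls -ldL "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "PERMS $file: group/other bits are '$perms', expected none (chmod 600)"
        findings=$((findings + 1))
    fi

    # Each entry is user:hash; the hash prefix identifies the scheme htpasswd used.
    while IFS=: read -r user hash rest || [ -n "$user" ]; do
        case $user in ''|\#*) continue ;; esac
        case $hash in
            '$2y$'*|'$2a$'*|'$2b$'*) continue ;;            # bcrypt (htpasswd -B)
            '$apr1$'*) scheme="MD5-based apr1" ;;
            '{SHA}'*)  scheme="unsalted SHA-1" ;;
            *)         scheme="unrecognised (crypt, plaintext or other)" ;;
        esac
        echo "HASH $user: $scheme, re-create with htpasswd -B"
        findings=$((findings + 1))
    done < "$file"

    [ "$findings" -eq 0 ]
}

# Constructed sample input: the hash strings are placeholders, not real digests.
sample=$(mktemp)
cat > "$sample" <<'EOF'
admin:$apr1$CONSTRUCTED$placeholderNotARealHash
dev:{SHA}placeholderNotARealDigest=
ops:$2y$10$placeholderNotARealBcryptHashValue
EOF
chmod 644 "$sample"          # the mode `touch` produces with umask 022
audit_htpasswd "$sample" || true
rm -f "$sample"
```

On the master, run audit_htpasswd /etc/origin/openshift-passwd. Dropping -b from the htpasswd command makes it prompt for the password instead of taking it from the command line.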