Chapter 5. Understand Roles and Authentication

By default, when installed for the first time, there are no roles or user accounts created in OSE, so you need to create them. You have the option to either create new roles or define a policy that allows anyone to log in (to start you off).

Before you do anything else, log in at least one time with the default system:admin user, on the master:

$ oc login -u system:admin
Note

All commands from now on should be executed on the master, unless otherwise indicated.

By logging in at least one time with this account, you will create the system:admin user’s configuration file, which will allow you to log in subsequently.

There is no password for this system account.

5.1. Change Log In Identity Provider

The default behavior of a freshly installed OSE instance is to deny any user from logging in. To change the authentication method to HTPasswd:

  1. Open the /etc/origin/master/master-config.yaml file in editing mode.
  2. Find the identityProviders section.
  3. Change the provider kind from DenyAllPasswordIdentityProvider to HTPasswdPasswordIdentityProvider.
  4. Change the value of the name label to htpasswd_auth and add a new line, file: /etc/origin/openshift-passwd, in the provider section.

    An example identityProviders section with HTPasswdPasswordIdentityProvider would look like this:

    identityProviders:
    - challenge: true
      login: true
      name: htpasswd_auth
      provider:
        apiVersion: v1
        file: /etc/origin/openshift-passwd
        kind: HTPasswdPasswordIdentityProvider
  5. Save the file.

5.2. Create User Accounts

Now that you are using the HTPasswdPasswordIdentityProvider provider, you need to generate these user accounts.

  1. Install the httpd-tools package, which provides the htpasswd binary used to create these accounts.

    yum -y install httpd-tools
  2. Create a user account:

    touch /etc/origin/openshift-passwd
    htpasswd -b /etc/origin/openshift-passwd admin redhat

    Note that you have created a user with the username of admin and password of redhat.

  3. Restart OpenShift before going forward.

    systemctl restart atomic-openshift-master
  4. Give this user account cluster-admin privileges (which allows it to do everything):

    oadm policy add-cluster-role-to-user cluster-admin admin
  5. Now, you can use this username/password combination to log in via the web console or the command line. To test this:

    oc login -u admin
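Because htpasswd stores an MD5-based (apr1) hash unless -B is given, and /etc/origin/openshift-passwd holds the credentials of every cluster user, it is worth auditing the file after creating accounts. The POSIX shell script below is an added example, not part of the OpenShift documentation; the script name audit-htpasswd.sh and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Audit the htpasswd file behind HTPasswdPasswordIdentityProvider.
# Reports each account's hash scheme and the file's permissions; returns 0
# only when every entry uses bcrypt and the file is owner-only readable.

hash_scheme() {
    # Classify an htpasswd hash string by its prefix.
    case "$1" in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
        '$apr1$'*)               echo md5-apr1 ;;
        '{SHA}'*)                echo sha1 ;;
        *)                       echo crypt-or-unknown ;;
    esac
}

audit_htpasswd() {
    file="$1"
    rc=0
    [ -r "$file" ] || { echo "ERROR: cannot read $file"; return 2; }

    # The file holds password hashes for cluster users; group/world bits should be 0.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        *00) echo "OK:   $file mode $mode" ;;
        *)   echo "WEAK: $file mode $mode is group/world accessible (chmod 600)"; rc=1 ;;
    esac

    # htpasswd without -B stores MD5-based (apr1) hashes; bcrypt (-B) is the strong option.
    while IFS=: read -r user hash; do
        [ -n "$user" ] || continue
        scheme=$(hash_scheme "$hash")
        if [ "$scheme" = bcrypt ]; then
            echo "OK:   $user ($scheme)"
        else
            echo "WEAK: $user uses $scheme; rehash with: htpasswd -B $file $user"
            rc=1
        fi
    done < "$file"
    return $rc
}

# Usage (assumed script name): sh audit-htpasswd.sh /etc/origin/openshift-passwd
if [ -n "${1:-}" ]; then
    audit_htpasswd "$1"
fi
```

The admin account created in step 2 with htpasswd -b will be reported as md5-apr1; re-running htpasswd with -B for that user upgrades the stored hash without changing the password.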

Before going forward, change to the default project.

oc project default

If you need more details on roles and authentication, see the corresponding sections in the OpenShift docs.