Chapter 5. Understand Roles and Authentication
By default, a freshly installed OSE instance has no roles or user accounts, so you need to create them. You have the option to either create new roles or define a policy that allows anyone to log in (to start you off).
Before you do anything else, log in at least one time with the default system:admin user, on the master:
$ oc login -u system:admin
All commands from now on should be executed on the master, unless otherwise indicated.
By logging in at least one time with this account, you will create the system:admin user’s configuration file, which will allow you to log in subsequently.
There is no password for this system account.
5.1. Change Log In Identity Provider
The default behavior of a freshly installed OSE instance is to prevent any user from logging in. To change the authentication method to HTPasswd:
- Open the /etc/origin/master/master-config.yaml file in editing mode.
- Find the identityProviders section.
- Change DenyAllPasswordIdentityProvider to the HTPasswdPasswordIdentityProvider provider. Change the value of the name label to htpasswd_auth and add a new line file: /etc/origin/openshift-passwd in the provider section.
  An example identityProviders section with HTPasswdPasswordIdentityProvider would look like this:
      identityProviders:
      - challenge: true
        login: true
        name: htpasswd_auth
        provider:
          apiVersion: v1
          file: /etc/origin/openshift-passwd
          kind: HTPasswdPasswordIdentityProvider
- Save the file.
5.2. Create User Accounts
Now that you are using the HTPasswdPasswordIdentityProvider provider, you need to generate user accounts.
You can use the httpd-tools package to obtain the htpasswd binary that can generate these accounts.
yum -y install httpd-tools
Create a user account:
touch /etc/origin/openshift-passwd
htpasswd -b /etc/origin/openshift-passwd admin redhat
Note that you have created a user with the username of admin and password of redhat.
Restart OpenShift before going forward.
systemctl restart atomic-openshift-master
Give this user account cluster-admin privileges (which allows it to do everything):
oadm policy add-cluster-role-to-user cluster-admin admin
Now, you can use this username/password combination to log in via the web console or the command line. To test this:
oc login -u admin
Before going forward, change to the default project.
oc project default
If you need more details on roles and authentication, see the corresponding sections in the OpenShift docs.
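A check an administrator can run against the password file created in section 5.2, added here as an example and not part of the original guide: it reports whether the file is world-readable and which hash scheme each entry uses. The function names and the bcrypt-only pass condition are assumptions of this example, and the sample entries are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical.

# Classify one stored hash by its htpasswd prefix.
hash_scheme() {
    case "$1" in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
        '$apr1$'*)               echo apr1-md5 ;;
        '{SHA}'*)                echo sha1-unsalted ;;
        '')                      echo empty ;;
        *)                       echo other ;;   # crypt(), plaintext, or unrecognised
    esac
}

# Print one finding per line: "perm:world-readable" if the file mode allows
# read access for "other", then "user:<name>:<scheme>" for every entry.
audit_htpasswd() {
    file=$1
    [ -f "$file" ] || { echo "missing:$file"; return 1; }
    # find -perm -004 matches when the "other" read bit is set.
    if [ -n "$(find "$file" -perm -004 -print)" ]; then
        echo "perm:world-readable"
    fi
    while IFS=: read -r user hash _rest || [ -n "$user" ]; do
        [ -n "$user" ] || continue
        echo "user:$user:$(hash_scheme "$hash")"
    done < "$file"
}

# Policy chosen for this example (an assumption): succeed only when the file
# is not world-readable and every entry is bcrypt.
htpasswd_ok() {
    ! audit_htpasswd "$1" | grep -qv '^user:[^:]*:bcrypt$'
}

# Demo on a constructed file; the hash strings are placeholders, not real hashes.
demo=$(mktemp)
chmod 644 "$demo"
printf '%s\n' 'admin:$apr1$constructed$placeholder' \
              'dev:$2y$05$constructedplaceholder' > "$demo"
audit_htpasswd "$demo"
rm -f "$demo"
```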