
Chapter 7. Revoking access to a ROSA cluster

An identity provider (IDP) controls authentication to a Red Hat OpenShift Service on AWS (ROSA) cluster. To revoke a user's access to the cluster entirely, you must remove or disable that user in the IDP that was configured for the cluster. The procedures in this chapter remove only a user's administrator privileges; the user keeps ordinary, non-administrator access.

7.1. Revoking administrator access using the rosa CLI

You can revoke a user's administrator access so that the user can still access the cluster, but without administrator privileges. To do so, revoke the user's dedicated-admin or cluster-admin privileges, using either the rosa command-line utility or the OpenShift Cluster Manager console.

7.1.1. Revoking dedicated-admin access using the rosa CLI

You can revoke dedicated-admin access if you are the user who created the cluster, an organization administrator, or a super administrator.

Prerequisites

  • You have added an Identity Provider (IDP) to your cluster.
  • You have the IDP user name for the user whose privileges you are revoking.
  • You are logged in to the cluster.

Procedure

  1. Enter the following command to revoke the dedicated-admin access of a user:

    $ rosa revoke user dedicated-admin --user=<idp_user_name> --cluster=<cluster_name>
  2. Enter the following command to verify that the user no longer has dedicated-admin access. The revoked user must no longer appear in the USERS column of the output.

    $ oc get groups dedicated-admins

7.1.2. Revoking cluster-admin access using the rosa CLI

Only the user who created the cluster can revoke access for cluster-admin users.

Prerequisites

  • You have added an Identity Provider (IDP) to your cluster.
  • You have the IDP user name for the user whose privileges you are revoking.
  • You are logged in to the cluster.

Procedure

  1. Enter the following command to revoke the cluster-admin access of a user:

    $ rosa revoke user cluster-admins --user=<idp_user_name> --cluster=<cluster_name>
  2. Enter the following command to verify that the user no longer has cluster-admin access. The revoked user must no longer appear in the USERS column of the output.

    $ oc get groups cluster-admins
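The two procedures above (7.1.1 and 7.1.2) are the same revoke-then-verify sequence with a different role and group name. The script below is an added example, not part of the original page or of the rosa project: it maps the role given to `rosa revoke user` to the OpenShift group that holds it, runs the revocation, and then polls `oc get group <group>` until the user is gone. The membership check compares whole names rather than using a substring match, because a plain `grep alice` over the group's user list would report success while `alice2` is still a member and would also fail to notice that `alice` is still present alongside it. It assumes `rosa` and `oc` are installed and logged in to the cluster; the function names, the ten-attempt polling loop and the three-second interval are choices made for this example.

```shell
#!/bin/sh
# Added example: revoke dedicated-admin or cluster-admin access with rosa,
# then confirm the user has been removed from the matching OpenShift group.
# Assumes `rosa` and `oc` are installed and logged in to the target cluster.

# Map the role name accepted by `rosa revoke user` to the group that holds it.
# Both the singular and plural spellings are mapped, since the docs use both.
group_for_role() {
  case "$1" in
    dedicated-admin|dedicated-admins) echo "dedicated-admins" ;;
    cluster-admin|cluster-admins)     echo "cluster-admins" ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# Exact-match membership test over a whitespace-separated user list, which is
# the shape that `oc get group <name> -o jsonpath='{.users[*]}'` prints.
# Returns 0 if the user is present, 1 if absent.
user_in_list() {
  list=$1
  wanted=$2
  for u in $list; do
    if [ "$u" = "$wanted" ]; then
      return 0
    fi
  done
  return 1
}

# Revoke the role, then poll the group (up to 10 times, 3 s apart) until the
# user no longer appears. Exits non-zero if the user is still a member.
revoke_and_verify() {
  user=$1
  cluster=$2
  role=${3:-dedicated-admin}
  group=$(group_for_role "$role") || return 1

  rosa revoke user "$role" --user="$user" --cluster="$cluster" || return 1

  attempt=0
  while [ "$attempt" -lt 10 ]; do
    members=$(oc get group "$group" -o jsonpath='{.users[*]}') || return 1
    if ! user_in_list "$members" "$user"; then
      echo "$user is no longer a member of $group"
      return 0
    fi
    attempt=$((attempt + 1))
    sleep 3
  done

  echo "ERROR: $user is still a member of $group after revocation" >&2
  return 1
}

# Only run when invoked as a script with arguments:
#   ./revoke-admin.sh <idp_user_name> <cluster_name> [dedicated-admin|cluster-admin]
if [ "$#" -ge 2 ]; then
  revoke_and_verify "$@"
fi
```

`rosa revoke user` may prompt for confirmation, exactly as it does when you run it by hand; the script does not suppress that prompt. If the user still appears after the polling window, check that the IDP user name you passed is the one OpenShift shows in the group's USERS column, since the group lists the name as seen through the IDP, not an e-mail address or display name.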

7.2. Revoking administrator access using OpenShift Cluster Manager console

You can revoke the dedicated-admin or cluster-admin access of a user through the OpenShift Cluster Manager console. The user can still access the cluster, but without administrator privileges.

Prerequisites

  • You have added an Identity Provider (IDP) to your cluster.
  • You have the IDP user name for the user whose privileges you are revoking.
  • You are logged in to the OpenShift Cluster Manager console using the OpenShift Cluster Manager account that created the cluster, an organization administrator account, or a super administrator account.

Procedure

  1. On the Clusters tab of OpenShift Cluster Manager, select the name of your cluster to view the cluster details.
  2. Select Access control > Cluster Roles and Access.
  3. For the user that you want to remove, click the Options menu (kebab) to the right of the user and group combination, then click Delete.