Adding users in Red Hat OpenShift API Management
Making open source more inclusive
Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.
Chapter 1. Adding users in OpenShift API Management
1.1. Roles in OpenShift API Management
OpenShift API Management includes administrator and developer roles. These roles determine the actions a user can perform.
All OpenShift API Management users belong to the rhoam-developers group. Additionally, administrators are members of the dedicated-admins group and are granted the dedicated-admin role in OpenShift Dedicated. Administrators are managed using the dedicated-admins group in the OpenShift Dedicated cluster and have elevated privileges in OpenShift API Management.
Administrator role
An administrator has rights to view and modify resources in OpenShift API Management and can assign cluster roles to control who has various access levels and permissions in OpenShift API Management, Red Hat 3scale API Management, and Red Hat Single Sign-On. Administrators in OpenShift API Management manage users and the API gateway, APIcast, which is the interface that handles calls to an API. The onboarding process creates an administrator with the highest level of access in OpenShift API Management and with admin privileges in 3scale.
As an administrator, you can perform the following tasks:
- Manage users and permissions in the master realm.
- Create realms.
- Administer user-created realms.
- Elevate permissions of developers to an administrator level.
- Edit routes.
- View pod logs in the 3scale namespace.
- Create a product in the 3scale console.
Developer role
Developers have access to the services in OpenShift API Management. With the developer role, you can use the Red Hat Single Sign-On instance to secure your applications and you have basic member access in 3scale. Developers, which are referred to as API providers in 3scale, make APIs accessible by adding them to OpenShift API Management, configuring their use, and publishing them.
As a developer, you can perform the following tasks:
- Access the console.
- Create realms.
- Access the 3scale Admin Portal.
- Access the 3scale Developer Portal.
An OpenShift API Management administrator can grant 3scale admin privileges to developers.
1.2. Granting 3scale administrator privileges to developers
As an administrator in OpenShift API Management, you also have admin privileges in 3scale. However, the developer role in OpenShift API Management only has member privileges in 3scale and limited access to 3scale features.
An administrator must explicitly grant 3scale admin permissions to OpenShift API Management developers.
Prerequisites
- You are an administrator in OpenShift API Management.
- You have a developer you want to grant admin privileges to in 3scale.
Procedure
- Log in to the Red Hat 3scale API Management console Admin Portal.
- Click Dashboard.
- In the Dashboard drop-down menu, click Accounts Settings.
- In the menu, click Users > Listing. The Users page is displayed.
- Choose a user.
- Click Edit for the user whose permission you would like to modify. The Edit User page opens.
- In the ADMINISTRATIVE section of the Edit User page, choose Admin (full access) to grant admin privileges to the selected user.
- Click Update User.
Verification
- Navigate to the Users page. In the menu, click Users > Listing.
- On the Users page, find the user whose permissions you modified.
- In the Role column, ensure admin is displayed in the row of the chosen user.
1.3. Removing a user from OpenShift API Management from your cluster
To completely remove a user from Red Hat OpenShift API Management, you must remove them from the allowed group in your OpenShift identity provider (IDP) and then delete the user custom resource (CR).
Prerequisites
- You have added an identity provider (IDP) to your cluster.
- You have the IDP user name for the user whose privileges you are revoking.
- You are logged in to the OpenShift Cluster Manager console using the OpenShift Cluster Manager account that you used to create the cluster or the administrator user.
Procedure
- Delete the desired user from the configured IDP.
- Delete the user CR.
  - You can enter the following command to identify all users:
    oc get users
  - Enter the following command to delete a specific user:
    oc delete user <username>
- In OpenShift Cluster Manager, delete references to the user in the Access Control section. Ensure the user is removed from both the Cluster Roles and Access and the Roles and Access section.
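The following added example (not part of the Red Hat documentation) checks that a removed user has left nothing behind in the cluster, by scanning the JSON list that `oc get users,identities,groups -o json` returns. Looking at Identity objects and at membership of the rhoam-developers and dedicated-admins groups goes beyond the steps above. It assumes the standard user.openshift.io object layout, and the user names and the corp-idp provider in the sample are constructed.

```python
import json

# Groups named on this page; membership in them is what grants RHOAM access.
WATCHED_GROUPS = ("rhoam-developers", "dedicated-admins")

# Constructed sample of `oc get users,identities,groups -o json` output.
# Here the User CR for "bob" was deleted, but other objects still name him.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "User", "metadata": {"name": "alice"}, "identities": ["corp-idp:alice"]},
    {"kind": "Identity", "metadata": {"name": "corp-idp:alice"}, "user": {"name": "alice"}},
    {"kind": "Identity", "metadata": {"name": "corp-idp:bob"}, "user": {"name": "bob"}},
    {"kind": "Group", "metadata": {"name": "rhoam-developers"}, "users": ["alice", "bob"]},
    {"kind": "Group", "metadata": {"name": "dedicated-admins"}, "users": ["bob"]},
    {"kind": "Group", "metadata": {"name": "qa"}, "users": None},
]})


def residual_references(oc_json, username):
    """Return sorted 'Kind/name' strings for objects that still reference username."""
    found = set()
    for item in json.loads(oc_json).get("items", []):
        kind = item.get("kind")
        name = item.get("metadata", {}).get("name", "")
        if kind == "User" and name == username:
            found.add(f"User/{name}")
        elif kind == "Identity" and (item.get("user") or {}).get("name") == username:
            found.add(f"Identity/{name}")
        elif kind == "Group" and username in (item.get("users") or []):
            # An empty group serializes "users" as null, hence the `or []`.
            found.add(f"Group/{name}")
    return sorted(found)


def privileged_leftovers(refs):
    """Subset of references that are memberships in the groups named on this page."""
    prefix = "Group/"
    return [r for r in refs if r.startswith(prefix) and r[len(prefix):] in WATCHED_GROUPS]


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        refs = residual_references(SAMPLE, user)
        status = "clean" if not refs else "still referenced by " + ", ".join(refs)
        print(f"{user}: {status}")
```

Against a live cluster, pass the captured output of the `oc get` command to `residual_references` in place of `SAMPLE`; an empty result means no User, Identity or Group object still names the user.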