[Devtools] CDK 3.x system:admin login

Marian Labuda mlabuda at redhat.com
Wed Mar 29 14:35:21 UTC 2017


Well, you can't use it in the console like that, because "system:admin" is
authenticated using a client certificate and it is accessible only to the 'oc'
binary, not to the web console.

But regarding templates, you can still create them as a user in a specific
user project (namespace). It does not necessarily have to be a
cluster-wide-visible namespace to have a template accessible by a specific
user.
Regarding seeing the default project, it is all about setting the proper policy
for the project to be seen by the user developer.

To have an admin-like experience OOTB for CDK, it would require additional
configuration on the CDK side - setting up user(s) with admin privileges.

On Wed, Mar 29, 2017 at 3:40 PM, Burr Sutter <bsutter at redhat.com> wrote:

> I am not sure why this is so hard....here is what our end-user sees
>
> https://screencast.com/t/YxEIldeXNa
>
>
>
> On Wed, Mar 29, 2017 at 1:02 AM, Praveen Kumar <prkumar at redhat.com> wrote:
>
>> On Wed, Mar 29, 2017 at 2:19 AM, Burr Sutter <bsutter at redhat.com> wrote:
>> >
>> >
>> > On Tue, Mar 28, 2017 at 4:47 PM, Hardy Ferentschik <hferents at redhat.com>
>> > wrote:
>> >>
>> >> Hi,
>> >>
>> >> > OK, but when I log in to the console as 'developer' and 'developer', I do
>> >> > not see the OpenShift namespace/project like an "administrator" would.
>> >>
>> >> and you want to see this why?
>> >
>> >
>> > I am adding templates and image streams in order to use the FIS capabilities
>> > we offer
>>
>> So to achieve that I think you should log in as 'system:admin' first and
>> add the required template to the defined namespace and make additional changes
>> (which might only be possible as administrator), or you can use
>> developer as sudo and use '--as system:admin' when adding the
>> templates to the defined namespace, which a normal developer user doesn't
>> have access to.
>>
>> >
>> >
>> >>
>> >>
>> >> > The ultimate goal is to let the human (end-user) log in to the console as
>> >> > the Admin so he/she can see their work.
>> >>
>> >> This part I don't get. A user should not create applications (their work)
>> >> in the default/openshift namespace. They are reserved namespaces.
>> >> Your work is in 'myproject' or any other namespace you are going to
>> >> create.
>> >
>> >
>> > I said "see" not "create" :-)
>> >
>> >>
>> >>
>> >> > Right now, I would say our current approach of system:admin with no
>> >> > password is a bug
>> >>
>> >> AFAIU, there is even no other way than to use certificate based
>> >> authentication
>> >> for system:admin. This account is special. You literally cannot log in any
>> >> other way. This is different to the 'admin' user in CDK. In CDK we had an
>> >> 'admin' user (on top of the openshift-dev user) which got assigned the
>> >> cluster admin role -
>> >> https://github.com/projectatomic/adb-utils/blob/master/services/openshift/scripts/openshift_provision#L196
>> >>
>> >> So one can add the same role to the developer user in Minishift, either
>> >> per default or via an addon (something we are working on right now) or
>> >> one creates another admin user as per CDK. Addon might be the best way to
>> >> go.
>> >
>> >
>> > I do not care if the user is "foomanchew" and the password is "haveaniceday"
>> > but I do need access to web console as the "super user"/"cluster admin" of
>> > the openshift instance.
>> >
>> > It is my personal openshift instance, why can't I be the administrator?
>>
>> You are the administrator of your instance; it's just that the way `oc
>> cluster up` sets up users doesn't create a separate admin user
>> with a password, but has system:admin, which can be used to gain
>> administrator privileges for your instance and then add any user as
>> admin with a password. Now, as per the thread, you need a similar
>> experience for the user like we had for CDK-2.x, and that is something we can
>> do once addon features are in place, which will be soon.
>>
>>
>> --
>> Praveen Kumar
>> https://fedoraproject.org/wiki/User:Kumarpraveen
>>