[Devtools] CDK 3.x system:admin login

Burr Sutter bsutter at redhat.com
Wed Mar 29 14:48:49 UTC 2017


On Wed, Mar 29, 2017 at 10:35 AM, Marian Labuda <mlabuda at redhat.com> wrote:

> Well, you can't use it in console like that, because the "system:admin" is
> authenticated using a client certificate and it is accessible only for 'oc'
> binary, not for web console.
>

> But regarding templates, you can still create them as a user in a
> specific user project (namespace). It does not necessarily have to be a
> cluster-wide-visible namespace to have a template accessible by a specific
> user.
> Ad. seeing default project, it is all about setting proper policy for the
> project to be seen by a user developer.
>
> To have admin-like experience OOTB for CDK, it would require additional
> configuration on CDK side - set up user(s) with admin privileges.
>


Exactly my point!!!

I need an OOTB solution :-)


> In the old CDK we had an admin user
==> default: Configured users are (<username>/<password>):
==> default: openshift-dev/devel
==> default: admin/admin

>
> On Wed, Mar 29, 2017 at 3:40 PM, Burr Sutter <bsutter at redhat.com> wrote:
>
>> I am not sure why this is so hard....here is what our end-user sees
>>
>> https://screencast.com/t/YxEIldeXNa
>>
>>
>>
>> On Wed, Mar 29, 2017 at 1:02 AM, Praveen Kumar <prkumar at redhat.com>
>> wrote:
>>
>>> On Wed, Mar 29, 2017 at 2:19 AM, Burr Sutter <bsutter at redhat.com> wrote:
>>> >
>>> >
>>> > On Tue, Mar 28, 2017 at 4:47 PM, Hardy Ferentschik <
>>> hferents at redhat.com>
>>> > wrote:
>>> >>
>>> >> Hi,
>>> >>
>>> >> > OK, but when I login into the console as 'developer' and
>>> 'developer', I
>>> >> > do
>>> >> > not see the OpenShift namespace/project like a "administrator"
>>> would.
>>> >>
>>> >> and you want to see this why?
>>> >
>>> >
>>> > I am adding templates and image streams in order to use the FIS
>>> capabilities
>>> > we offer
>>>
>>> So to achieve that I think you should login as 'system:admin' first and
>>> add the required template to the defined namespace and make additional
>>> changes (which might only be possible as administrator), or you can use
>>> developer as sudo and use '--as system:admin' when adding the
>>> templates to a defined namespace which a normal developer user doesn't
>>> have access to.
>>>
>>> >
>>> >
>>> >>
>>> >>
>>> >> > The ultimate goal is to let the human (end-user) log in to the
>>> console
>>> >> > as
>>> >> > the Admin so he/she can see their work.
>>> >>
>>> >> This part I don't get. A user should not create application (their
>>> work)
>>> >> in the default/openshift namespace. They are reserved namespaces.
>>> >> Your work is in 'myproject' or any other namespace you are going to
>>> >> create.
>>> >
>>> >
>>> > I said "see" not "create" :-)
>>> >
>>> >>
>>> >>
>>> >> > Right now, I would say our current approach of system:admin with no
>>> >> > password is a bug
>>> >>
>>> >> AFAIU, there is even no other way than to use certificate based
>>> >> authentication for system:admin. This account is special. You
>>> >> literally cannot login any other way. This is different to the
>>> >> 'admin' user in CDK. In CDK we had an 'admin' user (on top of the
>>> >> openshift-dev user) which got assigned the cluster admin role -
>>> >> https://github.com/projectatomic/adb-utils/blob/master/services/openshift/scripts/openshift_provision#L196
>>> >>
>>> >> So one can add the same role to the developer user in Minishift,
>>> either
>>> >> per default or via an addon (something we are working on right now) or
>>> >> one creates another admin user as per CDK. Addon might be the best
>>> way to
>>> >> go.
>>> >
>>> >
>>> > I do not care if the user is "foomanchew" and the password is
>>> "haveaniceday"
>>> > but I do need access to web console as the "super user"/"cluster
>>> admin" of
>>> > the openshift instance.
>>> >
>>> > It is my personal openshift instance, why can't I be the administrator?
>>>
>>> You are the administrator of your instance; it's just that the way `oc
>>> cluster up` sets up users doesn't create a separate admin user with a
>>> password but has system:admin, which can be used to gain
>>> administrator privileges for your instance and then add any user as
>>> admin with a password. Now, as per the thread, you need an experience
>>> similar to what we had for CDK-2.x, and that is something we can
>>> do once addon features are in place, which will be soon.
>>>
>>>
>>> --
>>> Praveen Kumar
>>> https://fedoraproject.org/wiki/User:Kumarpraveen
>>>
>>
>>
>>
>>
>