Changing the cpadmin user to admin

When you integrate IBM Cloud Pak for Data with the IBM Cloud Pak foundational services Identity Management Service, the name of the default administrator is cpadmin.

Who needs to complete this task?

Instance administrator: An instance administrator can complete this task.

When do you need to complete this task?
Complete this task if either of the following statements is true:
  • You enabled the Identity Management Service on the instance after you installed services on top of the Cloud Pak for Data control plane.
  • You enabled the Identity Management Service after you upgraded the instance to Cloud Pak for Data Version 4.7.

You can skip this task if you enabled the Identity Management Service on the instance before you installed any services.

The following table indicates which environments can use the cpadmin user and which environments require the admin user.

Your environment | Install or upgrade services before the Identity Management Service is enabled | Install or upgrade services after the Identity Management Service is enabled
Installing Cloud Pak for Data Version 4.7 | admin | cpadmin
Upgrading to Cloud Pak for Data Version 4.7 | admin | admin

Before you begin

Best practice: You can run the commands in this task exactly as written if you set up environment variables. For instructions, see Setting up installation environment variables.

Ensure that you source the environment variables before you run the commands in this task.

The workstation from which you run the commands must be set up as a client workstation with the following command-line tools:
  • OpenShift® CLI (oc)
  • jq

About this task

Several Cloud Pak for Data services use the default administrator to create objects on the platform. By default, Cloud Pak for Data creates a user called admin. However, when you enable the Identity Management Service, the user is called cpadmin.

If you enable the Identity Management Service after the services are installed, you must convert the cpadmin user to the admin user to enable the services to access and manage the objects that they created.

Procedure

  1. Log in to Red Hat® OpenShift Container Platform as a user with sufficient permissions to complete the task.
    oc login ${OCP_URL}
  2. Get the password of the cpadmin user:
    oc get secret ibm-iam-bindinfo-platform-auth-idp-credentials \
    -n ${PROJECT_CPD_INST_OPERANDS} \
    -o jsonpath='{.data.admin_password}' | base64 --decode;
  3. Change to the project where the Cloud Pak for Data control plane is installed:
    oc project ${PROJECT_CPD_INST_OPERANDS}
  4. Set the following environment variables:
    1. Set the ADMIN_USERNAME environment variable to the current username in the ibm-iam-bindinfo-platform-auth-idp-credentials secret:
      ADMIN_USERNAME=$(oc get secret ibm-iam-bindinfo-platform-auth-idp-credentials -o json | jq -r '.data.admin_username' | base64 -d)
    2. Set the ADMIN_PASSWORD environment variable to the current password in the ibm-iam-bindinfo-platform-auth-idp-credentials secret:
      ADMIN_PASSWORD=$(oc get secret ibm-iam-bindinfo-platform-auth-idp-credentials -o json | jq -r '.data.admin_password' | base64 -d)
    3. Set the CP_CONSOLE_ROUTE environment variable to the route of the IBM Cloud Pak foundational services console:
      CP_CONSOLE_ROUTE=$(oc get route cp-console | tr -s ' ' | grep cp-console | cut -d' ' -f2)
    4. Set the CLIENT_ID environment variable to the OIDC client ID that is used for this instance of Cloud Pak for Data:
      CLIENT_ID=$(oc get secret cpd-oidcclient-secret -o json | jq -r '.data.CLIENT_ID' | base64 -d)
    5. Set the CLIENT_SECRET environment variable to the OIDC client secret that is used for this instance of Cloud Pak for Data:
      CLIENT_SECRET=$(oc get secret cpd-oidcclient-secret -o json | jq -r '.data.CLIENT_SECRET' | base64 -d)
    6. Set the ACCESS_TOKEN environment variable to the access token for the user in ADMIN_USERNAME:
      ACCESS_TOKEN=$(curl -X POST \
      -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
      -d "grant_type=password&client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}&username=${ADMIN_USERNAME}&password=${ADMIN_PASSWORD}&scope=openid" \
      https://${CP_CONSOLE_ROUTE}/idprovider/v1/auth/identitytoken \
      --insecure 2> /dev/null | jq -r '.access_token')
  5. Replace the cpadmin user with the admin user:
    curl "https://${CP_CONSOLE_ROUTE}/idmgmt/identity/api/v1/users/defaultAdmin" \
    -X PUT \
    --header 'Content-Type: application/json' \
    --header 'Accept: application/json' \
    --header "Authorization: Bearer ${ACCESS_TOKEN}" \
    --data "{\"username\": \"admin\"}" \
    --insecure
  6. Restart the following pods:
    1. Restart the platform-auth-service pods:
      oc delete pods -n=${PROJECT_CPD_INST_OPERANDS} -l=component=platform-auth-service
    2. Restart the platform-identity-management pods:
      oc delete pods -n=${PROJECT_CPD_INST_OPERANDS} -l=component=platform-identity-management
    3. Restart the platform-identity-provider pods:
      oc delete pods -n=${PROJECT_CPD_INST_OPERANDS} -l=component=platform-identity-provider
  7. Verify that you can log in to the Cloud Pak for Data web client as the admin user. Use the password that you obtained in step 2.
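
Added example (not part of the original IBM procedure): a variant of the token request in step 4 that percent-encodes each credential so that characters such as & or + cannot corrupt the form body, passes the body to curl on standard input so that the secrets do not appear in the process argument list, verifies the server certificate instead of using --insecure, and rejects the literal null that jq -r prints when no token is returned. CA_BUNDLE and the function names are assumptions introduced for this example; the other variables are the ones set in step 4.

```sh
# Added example, not IBM's code. Assumes the step 4 variables are set and
# CA_BUNDLE (hypothetical) is the path to a PEM file with the CA that signed
# the cp-console route certificate.

# Percent-encode one value for an application/x-www-form-urlencoded body.
# Runs in a subshell so LC_ALL and the scratch variables stay local.
urlencode() (
  LC_ALL=C
  s=$1
  out=
  while [ -n "$s" ]; do
    rest=${s#?}          # everything after the first character
    c=${s%"$rest"}       # the first character
    s=$rest
    case $c in
      [a-zA-Z0-9.~_-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
)

# Build the form body. printf is a shell builtin, so the secrets are never
# placed in the argument list of a separate process.
token_request_body() {
  printf 'grant_type=password&client_id=%s&client_secret=%s&username=%s&password=%s&scope=openid' \
    "$(urlencode "$CLIENT_ID")" "$(urlencode "$CLIENT_SECRET")" \
    "$(urlencode "$ADMIN_USERNAME")" "$(urlencode "$ADMIN_PASSWORD")"
}

# jq -r prints the string "null" when .access_token is missing from the reply.
valid_token() {
  case $1 in
    '' | null) return 1 ;;
    *) return 0 ;;
  esac
}

# Send the body on stdin (--data @-) and verify TLS against CA_BUNDLE.
request_token() {
  token_request_body |
    curl --silent --show-error --fail --cacert "$CA_BUNDLE" \
      -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
      --data @- "https://${CP_CONSOLE_ROUTE}/idprovider/v1/auth/identitytoken" |
    jq -r '.access_token'
}

# Usage, in place of step 4.6:
#   ACCESS_TOKEN=$(request_token)
#   valid_token "$ACCESS_TOKEN" || { echo "token request failed" >&2; exit 1; }
```

After step 5 completes, running unset ADMIN_PASSWORD CLIENT_SECRET ACCESS_TOKEN removes the secrets from the current shell session.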