When you integrate IBM Cloud Pak for Data with the IBM Cloud Pak foundational services Identity Management Service, the name of the default administrator is cpadmin.
- Who needs to complete this task?
  Instance administrator. An instance administrator can complete this task.
- When do you need to complete this task?
  Complete this task if either of the following statements is true:
  - You enabled the Identity Management Service on the instance after you installed services on top of the Cloud Pak for Data control plane.
  - You enabled the Identity Management Service after you upgraded the instance to Cloud Pak for Data Version 4.7.
  You can skip this task if you enabled the Identity Management Service on the instance before you installed any services.
The following table indicates which environments can use the cpadmin user and which environments require the admin user.

| Your environment | Install or upgrade services before the Identity Management Service is enabled | Install or upgrade services after the Identity Management Service is enabled |
| --- | --- | --- |
| Installing Cloud Pak for Data Version 4.7 | admin | cpadmin |
| Upgrading to Cloud Pak for Data Version 4.7 | admin | admin |
Before you begin
Best practice: You can run the commands in this task exactly as written if you set up environment variables. For instructions, see Setting up installation environment variables.
Ensure that you source the environment variables before you run the commands in this task.
The workstation from which you run the commands must be set up as a client workstation with the following command-line tools:
About this task
Several Cloud Pak for Data services use the default administrator to create objects on the platform. By default, Cloud Pak for Data creates a user called admin. However, when you enable the Identity Management Service, the user is called cpadmin.
If you enable the Identity Management Service after the services are installed, you must convert the cpadmin user to the admin user to enable the services to access and manage the objects that they created.
Procedure
- Log in to Red Hat® OpenShift Container Platform as a user with sufficient permissions to complete the task.
- Get the password of the cpadmin user:
oc get secret ibm-iam-bindinfo-platform-auth-idp-credentials \
  -n ${PROJECT_CPD_INST_OPERANDS} \
  -o jsonpath='{.data.admin_password}' | base64 --decode;
- Change to the project where the Cloud Pak for Data control plane is installed:
oc project ${PROJECT_CPD_INST_OPERANDS}
- Set the following environment variables:
  - Set the ADMIN_USERNAME environment variable to the current username in the ibm-iam-bindinfo-platform-auth-idp-credentials secret:
    ADMIN_USERNAME=$(oc get secret ibm-iam-bindinfo-platform-auth-idp-credentials -o json | jq -r '.data.admin_username' | base64 -d)
  - Set the ADMIN_PASSWORD environment variable to the current password in the ibm-iam-bindinfo-platform-auth-idp-credentials secret:
    ADMIN_PASSWORD=$(oc get secret ibm-iam-bindinfo-platform-auth-idp-credentials -o json | jq -r '.data.admin_password' | base64 -d)
  - Set the CP_CONSOLE_ROUTE environment variable to the route of the IBM Cloud Pak foundational services console:
    CP_CONSOLE_ROUTE=$(oc get route cp-console | tr -s ' ' | grep cp-console | cut -d' ' -f2)
  - Set the CLIENT_ID environment variable to the OIDC ID that is used for this instance of Cloud Pak for Data:
    CLIENT_ID=$(oc get secret cpd-oidcclient-secret -o json | jq -r '.data.CLIENT_ID' | base64 -d)
  - Set the CLIENT_SECRET environment variable to the OIDC client secret that is used for this instance of Cloud Pak for Data:
    CLIENT_SECRET=$(oc get secret cpd-oidcclient-secret -o json | jq -r '.data.CLIENT_SECRET' | base64 -d)
  - Set the ACCESS_TOKEN environment variable to the access token for the user in ADMIN_USERNAME:
    ACCESS_TOKEN=$(curl -X POST \
      -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
      -d "grant_type=password&client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}&username=${ADMIN_USERNAME}&password=${ADMIN_PASSWORD}&scope=openid" \
      https://${CP_CONSOLE_ROUTE}/idprovider/v1/auth/identitytoken \
      --insecure 2> /dev/null | jq -r '.access_token')
- Replace the cpadmin user with the admin user:
curl "https://${CP_CONSOLE_ROUTE}/idmgmt/identity/api/v1/users/defaultAdmin" \
-X PUT \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header "Authorization: Bearer ${ACCESS_TOKEN}" \
--data "{\"username\": \"admin\"}" \
--insecure
- Restart the following pods:
  - Restart the platform-auth-service pods:
    oc delete pods -n=${PROJECT_CPD_INST_OPERANDS} -l=component=platform-auth-service
  - Restart the platform-identity-management pods:
    oc delete pods -n=${PROJECT_CPD_INST_OPERANDS} -l=component=platform-identity-management
  - Restart the platform-identity-provider pods:
    oc delete pods -n=${PROJECT_CPD_INST_OPERANDS} -l=component=platform-identity-provider
- Verify that you can log in to the Cloud Pak for Data web client as the admin user.
  Use the password that you obtained in step 2.
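
The following preflight is an added example, not part of the IBM procedure: it checks the variables from step 4 before the PUT request in step 5 is sent, because jq -r prints the literal string null when a key is missing or the token request fails. The helper function names are hypothetical, the demo values are constructed, and stopping when the current username is not cpadmin is an assumption drawn from the description in "About this task".

```shell
# Added example, not part of the IBM procedure. Variable names are the ones
# set in step 4; the helper function names are hypothetical.

# jq -r prints the literal string "null" for a missing key, so a variable
# can be non-empty and still unusable.
is_usable() {
  case "$1" in
    ''|null) return 1 ;;
  esac
  return 0
}

# Returns 0 only if every variable is usable and the current default
# administrator is still cpadmin; otherwise names what is wrong.
preflight() {
  bad=""
  # eval is applied only to this fixed list of names, never to input.
  for name in ADMIN_USERNAME ADMIN_PASSWORD CP_CONSOLE_ROUTE \
              CLIENT_ID CLIENT_SECRET ACCESS_TOKEN; do
    eval "value=\${$name-}"
    is_usable "$value" || bad="$bad $name"
  done
  unset value
  if [ -n "$bad" ]; then
    echo "unusable:$bad"
    return 1
  fi
  if [ "$ADMIN_USERNAME" != "cpadmin" ]; then
    echo "unexpected default administrator: $ADMIN_USERNAME"
    return 2
  fi
  echo "ok"
}

# Drop the credentials from the shell after the login check in step 7.
scrub_credentials() {
  unset ADMIN_PASSWORD CLIENT_SECRET ACCESS_TOKEN
}

# Constructed demo values, run in a subshell so real variables are untouched:
# a failed token request leaves ACCESS_TOKEN set to "null".
( ADMIN_USERNAME=cpadmin ADMIN_PASSWORD=constructed CP_CONSOLE_ROUTE=cp-console.example.test
  CLIENT_ID=constructed CLIENT_SECRET=constructed ACCESS_TOKEN=null
  preflight ) || true
```

Run preflight after step 4 and continue to step 5 only if it prints ok; run scrub_credentials after step 7.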