Disabling the default platform administrator

If you are using an enterprise-grade LDAP server for user management, you can further secure your Cloud Pak for Data system by disabling the default platform administrator, either admin or cpadmin.

Who needs to complete this task?
To complete this task, you must have one of the following roles:
  • Cluster administrator
  • Instance administrator
When do you need to complete this task?
Complete this task if you want to remove the default Cloud Pak for Data administrator.

Before you begin

Best practice: You can run the commands in this task exactly as written if you set up environment variables. For instructions, see Setting up installation environment variables.

Ensure that you source the environment variables before you run the commands in this task.

The default platform administrator (admin or cpadmin) must switch control of catalogs and categories to other users by performing the following tasks. If you don't complete these tasks, no one will be able to administer the catalogs or categories.

Action: Add at least one other collaborator with the Admin role to these catalogs:
  • The default catalog
  • The Platform assets catalog
  • Any other catalogs the admin user created
Required if: Either of these services is installed:
  • Cloud Pak for Data common core services
  • Watson™ Knowledge Catalog
Instructions: Managing catalog collaborators

Action: Add at least one collaborator with the Owner role to these categories:
  • The [uncategorized] category
  • Any other categories the admin user created
Required if: Required only if Watson Knowledge Catalog is installed.
Instructions: Managing category collaborators

Procedure

To disable the default platform administrator:

  1. Log in to Red Hat® OpenShift® Container Platform as a user with sufficient permissions to complete the task.
    oc login ${OCP_URL}
  2. Disable the default administrator:

    If the administrator name is admin:
    oc exec -it -n ${PROJECT_CPD_INST_OPERANDS} \
    $(oc get pod -n ${PROJECT_CPD_INST_OPERANDS} -l component=usermgmt | tail -1 | cut -f1 -d\ ) \
    -- bash -c "/usr/src/server-src/scripts/manage-user.sh --disable-user admin"

    If the administrator name is cpadmin:
    oc exec -it -n ${PROJECT_CPD_INST_OPERANDS} \
    $(oc get pod -n ${PROJECT_CPD_INST_OPERANDS} -l component=usermgmt | tail -1 | cut -f1 -d\ ) \
    -- bash -c "/usr/src/server-src/scripts/manage-user.sh --disable-user cpadmin"

What to do next

If you encounter a problem and cannot log in to the web client with any of your LDAP user names, you can re-enable the admin user. For example, you might need to do this if there is a connectivity issue with your LDAP server or SAML IDP server.

To re-enable the default platform administrator:

  1. Log in to Red Hat OpenShift Container Platform as a user with sufficient permissions to complete the task.
    oc login ${OCP_URL}
  2. Enable the default administrator:
    If the administrator name is admin:
    oc exec -it -n ${PROJECT_CPD_INST_OPERANDS} \
    $(oc get pod -n ${PROJECT_CPD_INST_OPERANDS} -l component=usermgmt | tail -1 | cut -f1 -d\ ) \
    -- bash -c "/usr/src/server-src/scripts/manage-user.sh --enable-user admin"

    If the administrator name is cpadmin:
    oc exec -it -n ${PROJECT_CPD_INST_OPERANDS} \
    $(oc get pod -n ${PROJECT_CPD_INST_OPERANDS} -l component=usermgmt | tail -1 | cut -f1 -d\ ) \
    -- bash -c "/usr/src/server-src/scripts/manage-user.sh --enable-user cpadmin"

  3. When prompted, specify a new password for the default platform administrator.
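
A checked wrapper for the disable and re-enable commands above, as an added example (not IBM's script): it accepts only the two default administrator names and the two actions shown on this page, and it selects a usermgmt pod that is Running and fully ready rather than whatever pod appears on the last line of the oc get pod output. The function names and the sample pod listing are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the product documentation.
# Assumes PROJECT_CPD_INST_OPERANDS is set and you are already logged in with oc.

# Constructed sample of `oc get pod -l component=usermgmt` output.
# `tail -1 | cut -f1 -d\ ` would select the Terminating pod here.
SAMPLE_PODS='NAME                        READY   STATUS        RESTARTS   AGE
usermgmt-5c9d7f6b8-aaaaa    0/1     Running       0          20s
usermgmt-5c9d7f6b8-bbbbb    1/1     Running       0          5d
usermgmt-5c9d7f6b8-ccccc    1/1     Terminating   0          5d'

# Read `oc get pod` text on stdin; print the first pod that is Running
# with all containers ready (READY column n/n, n > 0). Header never matches.
pick_ready_pod() {
  awk '$3 == "Running" {
         split($2, r, "/")
         if (r[1] == r[2] && r[2] > 0) { print $1; exit }
       }'
}

# Build the manage-user.sh command line. Only the actions and the default
# administrator names documented on this page are accepted.
manage_user_args() {
  case "$1" in disable|enable) ;; *) return 2 ;; esac
  case "$2" in admin|cpadmin) ;; *) return 2 ;; esac
  printf '%s\n' "/usr/src/server-src/scripts/manage-user.sh --$1-user $2"
}

# Usage: set_default_admin disable|enable admin|cpadmin
set_default_admin() {
  local cmd pod
  cmd=$(manage_user_args "$1" "$2") || {
    echo "usage: set_default_admin disable|enable admin|cpadmin" >&2
    return 2
  }
  pod=$(oc get pod -n "${PROJECT_CPD_INST_OPERANDS}" -l component=usermgmt \
        | pick_ready_pod)
  if [ -z "$pod" ]; then
    echo "no Running and ready usermgmt pod found; nothing changed" >&2
    return 1
  fi
  # -it is kept because the enable action prompts for a new password.
  oc exec -it -n "${PROJECT_CPD_INST_OPERANDS}" "$pod" -- bash -c "$cmd"
}
```

Source the file, then run set_default_admin disable admin (or cpadmin) only after the catalog and category collaborators listed under "Before you begin" are in place.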