Enabling administrator authentication on IBM Cloud
Set up authentication for an admin user so they can log into Red Hat OpenShift with their IBMid.
Before you begin
You must meet these prerequisites:
The IBMid of the user that is being enabled for authentication in OpenShift must be a valid member of the IBM Cloud account.
The user that is being enabled must log in to this IBM Cloud Account at least once with their IBMid before you use this procedure.
You have the OpenShift Container Platform command-line interface (CLI) installed. To download the CLI, use the link that is provided by the Cluster Manager website and add the files to your PATH. These files are accessible directly over the internet and do not require a Red Hat ID to download.
Initial setup
1. Log in to the cluster from the CLI:
   oc login <openshift_url> -u <username> -p <password> -n <namespace>
2. To verify the list of users that can be authenticated in OpenShift, run:
   oc get users | awk '{print $1}'
   Check the list for email IDs containing the prefix IAM#. These users can be authenticated in OpenShift using their w3id.
3. Verify that the IBM Cloud Pak® foundational services OperandConfig is available:
   oc get OperandConfig -n ibm-common-services common-service
   This should return something similar to:
   NAME             AGE   PHASE     CREATED AT
   common-service   84m   Running   2021-06-18T12:44:37Z
   If the OperandConfig is not available, first follow the instructions in Deploying IBM Cloud Pak for Integration using the OpenShift console.
Update the platform-auth-idp configmap and restart pods
1. To edit the platform-auth-idp configmap, run:
   oc edit cm platform-auth-idp -n ibm-common-services
2. In the data section, BOOTSTRAP_USERID is set to either kubeadmin or an empty string ('') by default, for example:
   kind: ConfigMap
   apiVersion: v1
   metadata:
     name: platform-auth-idp
     namespace: ibm-common-services
     ...
   data:
     ...
     BOOTSTRAP_USERID: ''
     ...
   Change this value to the name or email address of the OpenShift user who will be the Cloud Pak administrator.
   Note: Do not use the IAM# prefix with this value.
3. Restart the relevant pods so they pick up the new value:
   for pod in auth-pdp auth-idp common-web-ui oidcclient-watcher; do
     oc get pod -n ibm-common-services --no-headers | grep "$pod" | awk '{print $1}' | xargs oc delete pod -n ibm-common-services
   done
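The same change can be made non-interactively. The following script is an added example and is not part of the IBM documentation: it uses oc patch instead of oc edit, checks that the chosen user exists in the cluster with the IAM# prefix (so they have logged in once with their IBMid) while storing the value without that prefix, rejects characters that would break the JSON patch, then restarts the pods listed above and reads the value back. The function names and the sample user alice@example.com are assumptions, and oc is assumed to be logged in with cluster-admin rights.

```shell
#!/usr/bin/env bash
# Added example, not part of the IBM documentation. Assumed: oc is logged in
# with cluster-admin rights; function names and the sample user are made up.
set -eu

NS="ibm-common-services"

# Given the names from `oc get users` (one per line) and the wanted admin,
# print the value for BOOTSTRAP_USERID. The user must appear in the list with
# the IAM# prefix (i.e. has logged in once with an IBMid), but the stored
# value must not carry that prefix, so it is stripped here.
bootstrap_userid_for() {
  local wanted="$1" users="$2"
  wanted="${wanted#IAM#}"                     # accept input with or without prefix
  case "$wanted" in                           # only characters safe to embed in JSON
    ''|*[!A-Za-z0-9@._+-]*) return 1 ;;
  esac
  if printf '%s\n' "$users" | grep -qxF "IAM#${wanted}"; then
    printf '%s\n' "$wanted"
    return 0
  fi
  return 1                                    # user never logged in with IBMid
}

# JSON merge patch that sets only BOOTSTRAP_USERID, leaving other keys intact.
patch_for() {
  printf '{"data":{"BOOTSTRAP_USERID":"%s"}}' "$1"
}

# Full procedure: validate the user, patch the configmap, restart the pods
# named in the documentation, and read the value back as a final check.
apply_bootstrap_user() {
  local wanted="$1" users userid pod
  users="$(oc get users --no-headers -o custom-columns=NAME:.metadata.name)"
  userid="$(bootstrap_userid_for "$wanted" "$users")" \
    || { echo "error: $wanted is not an IAM# user in this cluster" >&2; return 1; }
  oc patch cm platform-auth-idp -n "$NS" --type merge -p "$(patch_for "$userid")"
  for pod in auth-pdp auth-idp common-web-ui oidcclient-watcher; do
    oc get pod -n "$NS" --no-headers \
      | awk -v p="$pod" '$1 ~ ("^" p "-") {print $1}' \
      | xargs -r oc delete pod -n "$NS"
  done
  oc get cm platform-auth-idp -n "$NS" -o jsonpath='{.data.BOOTSTRAP_USERID}'
}

# Usage: ./set-bootstrap-user.sh alice@example.com
if [ "$#" -eq 1 ]; then
  apply_bootstrap_user "$1"
fi
```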
In the Platform UI, set the user as an Administrator and Automation Administrator
1. In your web browser, log in to the IBM Cloud Pak Platform UI using your OpenShift cluster admin credentials. For details on accessing the Platform UI, see Deploying IBM Cloud Pak for Integration using the OpenShift console, "Logging into the Platform UI" section.
2. Click Manage users.
3. On the Access control page, click the Add users button.
4. In the Add user dialog, make sure Profile information is selected, and enter the value you set for BOOTSTRAP_USERID in the previous section (Step 2). This should locate the correct email address. Once you get it, click Next.
5. On the Platform access page, click Assign roles directly, then click Next.
6. On the Roles page, select Administrator and Automation Administrator, then click Next.
7. On the Summary page, confirm that the account and roles are correct, then click Add.
The listed user should now be able to use their w3id credentials to log into the Platform UI using OpenShift authentication.