Authorizing an instance administrator to manage NetApp Trident Protect backups

If you want to enable a user other than the cluster administrator to debug issues with backups or to collect data about NetApp Trident Protect backups, you must give an instance administrator permissions on the projects where the backup and restore software is installed on your cluster.

Installation phase
  • Setting up a client workstation
  • Setting up a cluster
  • Collecting required information
  • Preparing to run installs in a restricted network
  • Preparing to run installs from a private container registry
  • Preparing the cluster for IBM Software Hub
  • Preparing to install an instance of IBM Software Hub (you are here)
  • Installing an instance of IBM Software Hub
  • Setting up the control plane
  • Installing solutions and services
Who needs to complete this task?

Cluster administrator: A cluster administrator must complete this task.

When do you need to complete this task?
This task is required in some situations.
  • Skip this task if the cluster administrator will manage IBM Software Hub backups.
  • Complete this task only if a user other than the cluster administrator will manage IBM Software Hub.

    Repeat as needed: If you have multiple instances of IBM Software Hub, repeat this task for each instance.

Before you begin

Ensure that the INSTANCE_ADMIN environment variable is set:
echo $INSTANCE_ADMIN
If the environment variable is not set, set it to the username of the Red Hat® OpenShift® Container Platform user that you want to give administration privileges to.
export INSTANCE_ADMIN=<user>

About this task

Give the instance administrator the following roles on the specified projects:

Role: admin
  Projects:
  • OpenShift API for Data Protection (OADP) project
  • NetApp Trident Protect project
  Details: The Red Hat OpenShift Container Platform admin role enables a user to view and modify any resource in the project except for the project quota.

Role: trident-protect-tenant-cluster-role
  Projects:
  • NetApp Trident Protect project
  • Operators project
  • Operands project
  • Any tethered projects
  Details: The trident-protect-tenant-cluster-role role is created by default when you install NetApp Trident Protect.

Role: trident-protect-appvault-role-${INSTANCE_ADMIN}
  Projects:
  • NetApp Trident Protect project
  Details: The trident-protect-appvault-role-${INSTANCE_ADMIN} role enables a user to get and list the NetApp Trident Protect AppVault objects in the NetApp Trident Protect project.

Procedure

  1. Give the instance administrator the admin role on the required projects:
    oc create rolebinding ${OADP_PROJECT}-${INSTANCE_ADMIN}-admin \
    --clusterrole=admin \
    --user=${INSTANCE_ADMIN} \
    -n ${OADP_PROJECT}
    
    oc create rolebinding ${PROJECT_NETAPP_TRIDENT_PROTECT}-${INSTANCE_ADMIN}-admin \
    --clusterrole=admin \
    --user=${INSTANCE_ADMIN} \
    -n ${PROJECT_NETAPP_TRIDENT_PROTECT}
  2. Give the instance administrator the trident-protect-tenant-cluster-role on the required projects:
    oc create rolebinding ${PROJECT_NETAPP_TRIDENT_PROTECT}-${INSTANCE_ADMIN}-tenant-rb \
    --clusterrole=trident-protect-tenant-cluster-role \
    --user=${INSTANCE_ADMIN} \
    -n ${PROJECT_NETAPP_TRIDENT_PROTECT}
    
    oc create rolebinding ${PROJECT_NETAPP_TRIDENT_PROTECT}-${INSTANCE_ADMIN}-tenant-rb \
    --clusterrole=trident-protect-tenant-cluster-role \
    --user=${INSTANCE_ADMIN} \
    -n ${PROJECT_CPD_INST_OPERATORS}
    
    oc create rolebinding ${PROJECT_NETAPP_TRIDENT_PROTECT}-${INSTANCE_ADMIN}-tenant-rb \
    --clusterrole=trident-protect-tenant-cluster-role \
    --user=${INSTANCE_ADMIN} \
    -n ${PROJECT_CPD_INST_OPERANDS}
    
    
    if [ -n "${PROJECT_CPD_INSTANCE_TETHERED}" ]; then
        IFS=',' read -ra TETHERED_NS_LIST <<< "${PROJECT_CPD_INSTANCE_TETHERED}"
        for TETHERED_NS in "${TETHERED_NS_LIST[@]}"; do
            oc create rolebinding ${PROJECT_NETAPP_TRIDENT_PROTECT}-${INSTANCE_ADMIN}-tenant-rb \
            --clusterrole=trident-protect-tenant-cluster-role \
            --user=${INSTANCE_ADMIN} \
            -n ${TETHERED_NS}
        done
    fi
  3. Create the trident-protect-appvault-role-${INSTANCE_ADMIN} role and give the instance administrator the role in the NetApp Trident Protect project:
    oc create role trident-protect-appvault-role-${INSTANCE_ADMIN} \
    --verb=get \
    --verb=list \
    --resource=appvaults.protect.trident.netapp.io \
    -n ${PROJECT_NETAPP_TRIDENT_PROTECT}
    
    oc create rolebinding trident-protect-appvault-rolebinding-${INSTANCE_ADMIN} \
    --role=trident-protect-appvault-role-${INSTANCE_ADMIN} \
    --user=${INSTANCE_ADMIN} \
    -n ${PROJECT_NETAPP_TRIDENT_PROTECT}
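
One way to confirm that the instance administrator ended up with exactly the grants listed in the procedure, and nothing more, in those projects. This is an added example, not part of the original documentation: the function names are hypothetical, and it assumes the same environment variables as the procedure plus an oc session that is allowed to list role bindings.

```shell
#!/bin/sh
# Added example: compare the instance administrator's role bindings with the
# grants listed in the procedure. Function names are hypothetical; the
# environment variables are the ones the procedure uses.

# Print the expected grants as "project<TAB>Kind/role", one per line.
expected_bindings() {
  printf '%s\tClusterRole/admin\n' "$OADP_PROJECT" "$PROJECT_NETAPP_TRIDENT_PROTECT"
  printf '%s\tRole/trident-protect-appvault-role-%s\n' \
    "$PROJECT_NETAPP_TRIDENT_PROTECT" "$INSTANCE_ADMIN"
  # Tenant role: Trident Protect, operators, operands and each tethered project.
  # The unquoted substitution splits the comma-separated tethered list.
  printf '%s\n' "$PROJECT_NETAPP_TRIDENT_PROTECT" "$PROJECT_CPD_INST_OPERATORS" \
    "$PROJECT_CPD_INST_OPERANDS" \
    $(printf '%s' "${PROJECT_CPD_INSTANCE_TETHERED:-}" | tr ',' ' ') |
    awk '{ print $1 "\tClusterRole/trident-protect-tenant-cluster-role" }'
}

# Print the user's actual grants in project $1 (needs a logged-in oc session).
actual_bindings() {
  oc get rolebinding -n "$1" -o jsonpath='{range .items[*]}{.roleRef.kind}/{.roleRef.name}{"\t"}{.subjects[?(@.kind=="User")].name}{"\n"}{end}' |
    awk -F'\t' -v ns="$1" -v u="$INSTANCE_ADMIN" \
      '{ n = split($2, s, " "); for (i = 1; i <= n; i++) if (s[i] == u) print ns "\t" $1 }'
}

# Read actual grants on stdin; print MISSING (expected, absent) and EXTRA
# (present, not part of the procedure) lines. No output means an exact match.
diff_grants() (
  tmp=$(mktemp -d)
  sort -u | sed '/^$/d' > "$tmp/actual"
  expected_bindings | sort -u > "$tmp/expected"
  comm -23 "$tmp/expected" "$tmp/actual" | sed 's/^/MISSING /'
  comm -13 "$tmp/expected" "$tmp/actual" | sed 's/^/EXTRA /'
  rm -rf "$tmp"
)

# Audit every project named in the procedure.
audit() {
  for ns in $(expected_bindings | cut -f1 | sort -u); do
    actual_bindings "$ns"
  done | diff_grants
}
```

Source the file and run `audit` after step 3. The check covers only role bindings that name the user directly in these projects; cluster role bindings and permissions inherited through groups are outside its scope.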