diff --git a/_build_cfg.yml b/_build_cfg.yml index a9ad955792b9..1e019d2f5af1 100644 --- a/_build_cfg.yml +++ b/_build_cfg.yml @@ -339,6 +339,8 @@ Distros: openshift-origin,openshift-enterprise,atomic-* Topics: - Name: Overview File: index + - Name: Managing Users + File: manage_users - Name: Managing Nodes File: manage_nodes Distros: openshift-origin,openshift-enterprise diff --git a/admin_guide/manage_users.adoc b/admin_guide/manage_users.adoc new file mode 100644 index 000000000000..bb5bbe2eecda --- /dev/null +++ b/admin_guide/manage_users.adoc @@ -0,0 +1,135 @@ += Managing Users +{product-author} +{product-version} +:data-uri: +:icons: +:experimental: +:toc: macro +:toc-title: + +toc::[] + +== Adding Users + +Once new users log in to OpenShift, an account is created for that user and the +cluster administrator can +link:../admin_guide/manage_authorization_policy.html[manage the access level of +each user]. + +== Deleting Users + +=== Improper Deletion + +OpenShift user configuration is stored in several locations within OpenShift. +Regardless of the identity provider, OpenShift internally stores details like +role-based access control (RBAC) information and group membership. To completely +remove user information, this data must be removed in addition to the user +account. + +If an account is improperly deleted, the following type of error can be seen, +even though the identification provider already shows the user *myuser* as +existing: + +==== +---- +{ + "MESSAGE": "E0412 06:07:48.142862 465 login.go:141] Unable to authenticate password: Error creating or updating mapping for: &api.DefaultUserIdentityInfo{ProviderName:\"htpasswd_auth\", ProviderUserName:\"myuser\", Extra:map[string]string{}} due to users \"myuser\" not found", + "PRIORITY": "6", + "SYSLOG_FACILITY": "3", + "SYSLOG_IDENTIFIER": "atomic-openshift-master", + "_BOOT_ID": "18e98783c33546b4a4346f6750ef84a5", + "_CAP_EFFECTIVE": "1fffffffff", + "_CMDLINE": "/usr/bin/openshift start master --config=/etc/origin/master/master-config.yaml --loglevel=2", + "_COMM": "openshift", + "_EXE": "/usr/bin/openshift", + "_GID": "0", + "_HOSTNAME": "master.example.com", + "_MACHINE_ID": "f9370ed252a14f73b014c1301a9b6d1b", + "_PID": "465", + "_SELINUX_CONTEXT": "system_u:system_r:init_t:s0", + "_SYSTEMD_CGROUP": "/system.slice/atomic-openshift-master.service", + "_SYSTEMD_SLICE": "system.slice", + "_SYSTEMD_UNIT": "atomic-openshift-master.service", + "_TRANSPORT": "stdout", + "_UID": "0", +} +---- +==== + +This error is generated because OpenShift sees the user data in the internal +database that does not correspond to the external identity. + +In OpenShift, two object types contain user data outside the identification +provider: type user and type identity. + +Type user: + +==== +---- +$ oc get user ashley +NAME UID FULL NAME IDENTITIES +peter 75e4b80c-dbf1-11e5-8dc6-0e81e52cc949 htpasswd_auth:ashley +---- +==== + +Type identity (from the user record): + +==== +---- +oc get identity htpasswd_auth:ashley +NAME IDP NAME IDP USER NAME USER NAME USER UID +htpasswd_auth:ashley htpasswd_auth ashley ashley 75e4b80c-dbf1-11e5-8dc6-0e81e52cc949 +---- +==== + +Note the matching UID between the two object types. If you attempt to change the +authentication provider after starting to use OpenShift, the user names that +overlap will not work because of the entries in the identity list, which will +still point to the old authentication method. + +=== Properly Deleting a User + +To delete a user, all three sources of the user must be removed: + +. Identification manager +. User record +. Identity record + +Once you complete these steps, a new account will be created in OpenShift +when the user logs in again. + +==== Deleting the Identification Manager Entry + +If you are using `htpasswd`, delete the entry in the *_htpasswd_* file that is +configured for OpenShift with the username and password. + +For external identification management like Lightweight Directory Access +Protocol (LDAP) or Internet Download Manager (IDM), use the user management +tools to remove the user entry. + +==== Deleting the User Record + +Delete the user record with `oc delete user`: + +==== +---- +$ oc delete user ashley +user "ashley" deleted +---- +==== + +==== Deleting the User Identity + +The identity of the user is related to the identification provider you use. Get +the provider name from the user record in `oc get user`. + +In this example, the identity provider name is *htpasswd_auth*. The command is: + +==== +---- +# oc delete identity htpasswd_auth:ashley +identity "htpasswd_auth:ashley" deleted +---- +==== + +If you skip this step, the user will not be able to log in again.