Bug 1326595, added Managing Users section #1906
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,135 @@ | ||
| = Managing Users | ||
| {product-author} | ||
| {product-version} | ||
| :data-uri: | ||
| :icons: | ||
| :experimental: | ||
| :toc: macro | ||
| :toc-title: | ||
|
|
||
| toc::[] | ||
|
|
||
| == Adding Users | ||
|
|
||
| Once new users log in to OpenShift, an account is created for that user and the | ||
| cluster administrator can | ||
| link:../admin_guide/manage_authorization_policy.html[manage the access level of | ||
| each user]. | ||
|
|
||
| == Deleting Users | ||
|
Contributor
There was a problem hiding this comment. It's nicer if we can avoid headings that just lead into a subheading. For example, if there's some intro or explanation we can add here before going into Improper Deletion. |
||
|
|
||
| === Improper Deletion | ||
|
|
||
| OpenShift user configuration is stored in several locations within OpenShift. | ||
| Regardless of the identity provider, OpenShift internally stores details like | ||
| role-based access control (RBAC) information and group membership. To completely | ||
| remove user information, this data must be removed in addition to the user | ||
| account. | ||
|
|
||
| If an account is improperly deleted, the following type of error can be seen, | ||
|
Contributor
There was a problem hiding this comment. Seen by who and when? I assume it's seen by the user/developer when attempting to authenticate or do anything? |
||
| even though the identification provider already shows the user *myuser* as | ||
| existing: | ||
|
|
||
| ==== | ||
| ---- | ||
| { | ||
| "MESSAGE": "E0412 06:07:48.142862 465 login.go:141] Unable to authenticate password: Error creating or updating mapping for: &api.DefaultUserIdentityInfo{ProviderName:\"htpasswd_auth\", ProviderUserName:\"myuser\", Extra:map[string]string{}} due to users \"myuser\" not found", | ||
| "PRIORITY": "6", | ||
|
Contributor
There was a problem hiding this comment. We can probably trim this error message to just the "MESSAGE" here? I.e., just line 36. |
||
| "SYSLOG_FACILITY": "3", | ||
| "SYSLOG_IDENTIFIER": "atomic-openshift-master", | ||
| "_BOOT_ID": "18e98783c33546b4a4346f6750ef84a5", | ||
| "_CAP_EFFECTIVE": "1fffffffff", | ||
| "_CMDLINE": "/usr/bin/openshift start master --config=/etc/origin/master/master-config.yaml --loglevel=2", | ||
| "_COMM": "openshift", | ||
| "_EXE": "/usr/bin/openshift", | ||
| "_GID": "0", | ||
| "_HOSTNAME": "master.example.com", | ||
| "_MACHINE_ID": "f9370ed252a14f73b014c1301a9b6d1b", | ||
| "_PID": "465", | ||
| "_SELINUX_CONTEXT": "system_u:system_r:init_t:s0", | ||
| "_SYSTEMD_CGROUP": "/system.slice/atomic-openshift-master.service", | ||
| "_SYSTEMD_SLICE": "system.slice", | ||
| "_SYSTEMD_UNIT": "atomic-openshift-master.service", | ||
| "_TRANSPORT": "stdout", | ||
| "_UID": "0", | ||
| } | ||
| ---- | ||
| ==== | ||
|
|
||
| This error is generated because OpenShift sees the user data in the internal | ||
| database that does not correspond to the external identity. | ||
|
|
||
| In OpenShift, two object types contain user data outside the identification | ||
| provider: type user and type identity. | ||
|
Contributor
There was a problem hiding this comment. We don't really refer to objects as "type " anywhere else, so this feels weird here. What about just: |
||
|
|
||
| Type user: | ||
|
Contributor
There was a problem hiding this comment. Maybe make these say what they're showing, e.g., "To get the current list of users:" (Same for "type identity" below) |
||
|
|
||
| ==== | ||
| ---- | ||
| $ oc get user ashley | ||
| NAME UID FULL NAME IDENTITIES | ||
| peter 75e4b80c-dbf1-11e5-8dc6-0e81e52cc949 htpasswd_auth:ashley | ||
| ---- | ||
| ==== | ||
|
|
||
| Type identity (from the user record): | ||
|
|
||
| ==== | ||
| ---- | ||
| oc get identity htpasswd_auth:ashley | ||
| NAME IDP NAME IDP USER NAME USER NAME USER UID | ||
| htpasswd_auth:ashley htpasswd_auth ashley ashley 75e4b80c-dbf1-11e5-8dc6-0e81e52cc949 | ||
| ---- | ||
| ==== | ||
|
|
||
| Note the matching UID between the two object types. If you attempt to change the | ||
| authentication provider after starting to use OpenShift, the user names that | ||
| overlap will not work because of the entries in the identity list, which will | ||
| still point to the old authentication method. | ||
|
|
||
| === Properly Deleting a User | ||
|
|
||
| To delete a user, all three sources of the user must be removed: | ||
|
|
||
| . Identification manager | ||
| . User record | ||
| . Identity record | ||
|
|
||
| Once you complete these steps, a new account will be created in OpenShift | ||
| when the user logs in again. | ||
|
|
||
| ==== Deleting the Identification Manager Entry | ||
|
Contributor
There was a problem hiding this comment. Can we make these a procedure w/ numbered steps instead of individual subheadings per step? |
||
|
|
||
| If you are using `htpasswd`, delete the entry in the *_htpasswd_* file that is | ||
| configured for OpenShift with the username and password. | ||
|
|
||
| For external identification management like Lightweight Directory Access | ||
| Protocol (LDAP) or Internet Download Manager (IDM), use the user management | ||
| tools to remove the user entry. | ||
|
|
||
| ==== Deleting the User Record | ||
|
|
||
| Delete the user record with `oc delete user`: | ||
|
|
||
| ==== | ||
| ---- | ||
| $ oc delete user ashley | ||
| user "ashley" deleted | ||
| ---- | ||
| ==== | ||
|
|
||
| ==== Deleting the User Identity | ||
|
|
||
| The identity of the user is related to the identification provider you use. Get | ||
| the provider name from the user record in `oc get user`. | ||
|
|
||
| In this example, the identity provider name is *htpasswd_auth*. The command is: | ||
|
|
||
| ==== | ||
| ---- | ||
| # oc delete identity htpasswd_auth:ashley | ||
| identity "htpasswd_auth:ashley" deleted | ||
| ---- | ||
| ==== | ||
|
|
||
| If you skip this step, the user will not be able to log in again. | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remember to add manual, unique IDs for headings (for example, check to make sure there's not some other heading in the repo named "adding-users").