This is a draft document that was built and uploaded automatically. It may document beta software and be incomplete or even incorrect. Use this document at your own risk.

Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
Deployment, Administration, and User Guides › SUSE Cloud Application Platform Administration › Creating Admin Users
ContentsContents
Deployment, Administration, and User Guides
  1. About This Guide
  2. I Overview of SUSE Cloud Application Platform
    1. 1 About SUSE Cloud Application Platform
    2. 2 Other Kubernetes Systems
  3. II Deploying SUSE Cloud Application Platform
    1. 3 Deployment and Administration Notes
    2. 4 Deploying SUSE Cloud Application Platform on SUSE CaaS Platform
    3. 5 Deploying SUSE Cloud Application Platform on Microsoft Azure Kubernetes Service (AKS)
    4. 6 Deploying SUSE Cloud Application Platform on Amazon Elastic Kubernetes Service (EKS)
    5. 7 Deploying SUSE Cloud Application Platform on Google Kubernetes Engine (GKE)
    6. 8 Installing the Stratos Web Console
    7. 9 Eirini
    8. 10 Deploying SUSE Cloud Application Platform Using Terraform
    9. 11 Setting Up a Registry for an Air Gapped Environment
    10. 12 SUSE Private Registry
  4. III SUSE Cloud Application Platform Administration
    1. 13 Upgrading SUSE Cloud Application Platform
    2. 14 Configuration Changes
    3. 15 Creating Admin Users
    4. 16 Managing Passwords
    5. 17 Accessing the UAA User Interface
    6. 18 Container Memory Limits and Requests
    7. 19 Cloud Controller Database Secret Rotation
    8. 20 Rotating Automatically Generated Secrets
    9. 21 Backup and Restore
    10. 22 Service Brokers
    11. 23 App-AutoScaler
    12. 24 Integrating CredHub with SUSE Cloud Application Platform
    13. 25 Buildpacks
  5. IV SUSE Cloud Application Platform User Guide
    1. 26 Deploying and Managing Applications with the Cloud Foundry Client
  6. V Troubleshooting
    1. 27 Troubleshooting
  7. A Appendix
  8. B GNU Licenses
Navigation
Deployment, Administration, and User Guides › SUSE Cloud Application Platform Administration › Creating Admin Users
Top
Applies to SUSE Cloud Application Platform 2.1.1

15 Creating Admin Users

  • File Name: cap_admin_create_admin.xml
  • ID: no ID found
15.1 Prerequisites
15.2 Creating an Example Cloud Application Platform Cluster Administrator

This chapter provides an overview on how to create additional administrators for your Cloud Application Platform cluster.

15.1 Prerequisites

  • File Name: cap_admin_create_admin.xml
  • ID: sec-cap-create-admin-prereqs

The following prerequisites are required in order to create additional Cloud Application Platform cluster administrators:

  • cf, the Cloud Foundry command line interface. For more information, see https://docs.cloudfoundry.org/cf-cli/.

    For SUSE Linux Enterprise and openSUSE systems, install using zypper. 

    tux > sudo zypper install cf-cli

    For SLE, ensure the SUSE Cloud Application Platform Tools Module has been added. Add the module using YaST or SUSEConnect. 

    tux > SUSEConnect --product sle-module-cap-tools/15.1/x86_64

    For other systems, follow the instructions at https://docs.cloudfoundry.org/cf-cli/install-go-cli.html.

  • uaac, the Cloud Foundry uaa command line client (UAAC). See https://docs.cloudfoundry.org/uaa/uaa-user-management.html for more information and installation instructions.

    On SUSE Linux Enterprise systems, ensure the ruby-devel and gcc-c++ packages have been installed before installing the cf-uaac gem. 

    tux > sudo zypper install ruby-devel gcc-c++

15.2 Creating an Example Cloud Application Platform Cluster Administrator

  • File Name: cap_admin_create_admin.xml
  • ID: sec-cap-create-admin-procedure

The following example demonstrates the steps required to create a new administrator user for your Cloud Application Platform cluster. Note that creating administrator accounts must be done using the UAAC and cannot be done using the cf CLI.

  1. Use UAAC to target your uaa server. 

    tux > uaac target --skip-ssl-validation https://uaa.example.com

  2. Authenticate to the uaa server as admin using the uaa_admin_client_secret set in your kubecf-config-values.yaml file. 

    tux > uaac token client get admin --secret PASSWORD

  3. Create a new user: 

    tux > uaac user add NEW_ADMIN --password PASSWORD --emails new-admin@example.com --zone kubecf

  4. Add the new user to the following groups to grant administrator privileges to the cluster (see https://docs.cloudfoundry.org/concepts/architecture/uaa.html#uaa-scopes for information on privileges provided by each group): 

    tux > uaac member add scim.write NEW_ADMIN --zone kubecf

tux > uaac member add scim.read NEW_ADMIN --zone kubecf

tux > uaac member add cloud_controller.admin NEW_ADMIN --zone kubecf

tux > uaac member add clients.read NEW_ADMIN --zone kubecf

tux > uaac member add clients.write NEW_ADMIN --zone kubecf

tux > uaac member add doppler.firehose NEW_ADMIN --zone kubecf

tux > uaac member add routing.router_groups.read NEW_ADMIN --zone kubecf

tux > uaac member add routing.router_groups.write NEW_ADMIN --zone kubecf

  5. Log into your Cloud Application Platform deployment as the newly created administrator: 

    tux > cf api --skip-ssl-validation https://api.example.com

tux > cf login -u NEW_ADMIN

  6. The following commands can be used to verify the new administrator account has sufficient permissions: 

    tux > cf create-shared-domain TEST_DOMAIN.COM

tux > cf set-org-role NEW_ADMIN org OrgManager

tux > cf create-buildpack TEST_BUILDPACK /tmp/ruby_buildpack-cached-sle15-v1.7.30.1.zip 1

    If the account has sufficient permissions, you should not receive any authorization message similar to the following: 

    FAILED
Server error, status code: 403, error code: 10003, message: You are not authorized to perform the requested action

    See https://docs.cloudfoundry.org/cf-cli/cf-help.html for other administrator-specific commands that can be run to confirm sufficient permissions are provided.

Chapter 16 Managing PasswordsChapter 14 Configuration Changes
Print this page

© 2022 SUSE