Create First System Administrator
After installing , you should create your first unique system administrator account.
In this example, a local user account and a local Keystone user account are created for the first system administrator user.
The first system administrator user must have full 'admin' privileges such that it can create subsequent system administrators and end users.
- You must have the credentials for the 'sysadmin' local Linux user account used for the installation.
Log in to the active controller as the 'sysadmin' user.
Use either a local console or .
Source the credentials for the 'admin' Keystone user.
$ source /etc/platform/openrc
Create a directory for temporary files for setting up users and groups.
$ mkdir /home/sysadmin/users
Create a new local group for system administrators with full privileges.
$ sudo ldapaddgroup Level1SystemAdmin
Add full Linux authorization privileges to the Level1SystemAdmin group members. Enable pam_group.so in /etc/pam.d/common-auth, and update /etc/security/group.conf with group mappings. Note that pam_group does not authenticate anyone; at login it grants the listed local groups (here sys_protected, root and sudo, i.e. full root-equivalent access) to every member of the LDAP group, so membership in Level1SystemAdmin is effectively a root grant and should be handed out accordingly.
Note: On a system with two controllers, add full Linux authorization privileges on both controllers.
# Execute this line only once, on each host
$ sudo sed -i '1i auth required pam_group.so use_first_pass' /etc/pam.d/common-auth
# Execute this line for each LDAP group being mapped to 1 or more local Linux groups, on each host
$ sudo sed -i '$ a\*;*;%Level1SystemAdmin;Al0000-2400;sys_protected,root,sudo' /etc/security/group.conf
Add full Kubernetes authorization privileges to the Level1SystemAdmin group members. Add a Kubernetes ClusterRoleBinding to bind the Level1SystemAdmin group to the cluster-admin role.
$ cat << EOF > /home/sysadmin/users/Level1SystemAdmin-clusterrolebinding.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: Level1SystemAdmin
subjects:
- kind: Group
  name: Level1SystemAdmin
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
EOF
$ kubectl apply -f /home/sysadmin/users/Level1SystemAdmin-clusterrolebinding.yml
Create a new local user for the first system administrator.
$ sudo ldapusersetup -u joefulladmin
Password:
Successfully added user joefulladmin to LDAP
Successfully set password for user joefulladmin
Warning : password is reset, user will be asked to change password at login
Successfully modified user entry uid=joefulladmin,ou=People,dc=cgcs,dc=local in LDAP
Updating password expiry to 90 days
Successfully modified user entry uid=joefulladmin,ou=People,dc=cgcs,dc=local in LDAP
Updating password expiry to 2 days
Add the first system administrator to the Level1SystemAdmin group.
$ sudo ldapaddusertogroup joefulladmin Level1SystemAdmin
Add a new local Keystone user for the first system administrator using the same username.
Create a Keystone user in the 'admin' project. The infrastructure resources are all contained in the 'admin' project. Note that the grep below is a substring match on the project name; if any other project name contains 'admin', PROJECTID will hold more than one ID and the user create will fail.
$ USERNAME="joefulladmin"
$ USERPASSWORD="<password>"
$ PROJECTNAME="admin"
$ PROJECTID=$(openstack project list | grep ${PROJECTNAME} | awk '{print $2}')
$ openstack user create --password "${USERPASSWORD}" --project ${PROJECTID} "${USERNAME}"
$ openstack role add --project ${PROJECTNAME} --user ${USERNAME} _member_
Add full authorization privileges to the first system administrator's keystone user account.
$ openstack role add --project ${PROJECTNAME} --user ${USERNAME} admin
Log out as 'sysadmin'.
$ exit
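Two of the commands in this procedure deserve a closer look before they are run on a controller. The two sed edits in the PAM step are not idempotent: '1i' inserts a fresh pam_group line on every run and '$ a' appends a fresh mapping on every run, which is why the page says to execute them only once per host. The project-ID lookup uses grep, a substring match, so a second project whose name contains "admin" would break it ('openstack project show -f value -c id NAME' is the exact-match form of that lookup). The helpers below are an added example, not StarlingX's own code: they take file paths and text as arguments so they can be exercised on scratch copies before being pointed at /etc, and all function names are this example's own.

```sh
#!/bin/sh
# Added example, not StarlingX's own code: idempotent helpers for the PAM and
# Keystone steps of this procedure. They take file paths and text as
# arguments so they can be exercised on scratch copies before being run
# against /etc on a controller. Function names are this example's own.

# Insert the pam_group line at the top of a common-auth file, but only if no
# active (uncommented) pam_group line is already present. The page's plain
# 'sed -i 1i ...' adds a new line on every run, hence "execute only once".
# Note: GNU sed's '1i' inserts nothing into an empty file.
enable_pam_group() {
  f="$1"
  if grep -q '^[^#]*pam_group\.so' "$f"; then
    return 0
  fi
  sed -i '1i auth required pam_group.so use_first_pass' "$f"
}

# Append an LDAP-group -> local-groups mapping to a group.conf file, but only
# if that LDAP group is not already mapped.
# group.conf format: services;ttys;users;times;groups
map_ldap_group() {
  f="$1"; ldapgroup="$2"; localgroups="$3"
  if grep -q "^\*;\*;%${ldapgroup};" "$f"; then
    return 0
  fi
  printf '*;*;%%%s;Al0000-2400;%s\n' "$ldapgroup" "$localgroups" >> "$f"
}

# Resolve a Keystone project ID from 'openstack project list' table output
# (read on stdin) by exact name match, instead of the page's substring grep.
# Table rows look like: | <id> | <name> |  so with '|' as separator the ID is
# field 2 and the name is field 3; header and border lines never match.
project_id_by_name() {
  awk -F'|' -v name="$1" '
    { gsub(/^[ \t]+|[ \t]+$/, "", $2); gsub(/^[ \t]+|[ \t]+$/, "", $3) }
    $3 == name { print $2 }'
}

# Number of lines in a file containing a fixed string; prints 0 instead of
# failing when there are none, so it is safe under 'set -e'.
count_lines() { grep -c -F -- "$2" "$1" || true; }
```

Running enable_pam_group or map_ldap_group a second time on the same file leaves it unchanged, which is the property the page's one-shot sed lines lack. After the procedure is complete, the checks worth doing are: log in as joefulladmin and confirm that `id` lists sys_protected, root and sudo (this is the pam_group mapping taking effect), and run `openstack role assignment list --user "${USERNAME}" --project "${PROJECTNAME}" --names` as admin to confirm that both _member_ and admin are assigned.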
- Log in to the local console or with this new first system administrator, joefulladmin. See system-administrator-local-access-using-ssh-linux-shell-and-st-69213db2a936
- Continue to create-other-system-administrators-97b99bb94430