
Managing Users, Projects, and Roles

Hands-On Lab


Length: 01:00:00

Difficulty: Intermediate

The city of Arlen, Texas has decided to improve their infrastructure by migrating to OpenShift. Your task as administrator is to create limited users for some of our favorite characters:

  • Hank
  • Peggy
  • Luanne
  • Buck Strickland
  • Buckley

The group has not yet completed training, so for now they are NOT permitted to create their own projects. Make sure that each user has the correct permissions!

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.


Introduction

Create the following users, adding password entries to /etc/origin/master/htpasswd with the default password propanerules without editing or removing any existing data.

  • Hank
  • Peggy
  • Luanne
  • Buckley
  • BuckStrickland

Next, create the following projects with the description, "Arlen, TX engineering project":

  • strickland-propane
  • arlen-high
  • megalomart

Grant Peggy admin privileges to arlen-high. Grant Hank and BuckStrickland admin privileges to strickland-propane. Buckley should be able to edit most objects in the megalomart project, but should not be able to modify roles or bindings. All users should be able to see everything but roles or bindings in the arlen-high project. These users should NOT have the ability to create their own projects.

Solution

  • Log in to the OpenShift cluster using the credentials provided in the Credentials section of the hands-on lab page:

    ssh cloud_user@<IP_ADDRESS>
  • Become the root user:

    sudo -i
  • Check the health of your cluster:

    oc get nodes
  • Create users for Peggy, Hank, Luanne, Buckley, and BuckStrickland:

    for i in peggy hank luanne buckley buck.strickland; do
        # -b takes the password from the command line; htpasswd adds or updates
        # only the named entry and leaves existing lines in the file untouched
        htpasswd -b /etc/origin/master/htpasswd "$i" propanerules
    done
  • Create a new group named arlentx:

    oc adm groups new arlentx hank peggy luanne buckley buck.strickland
  • Create the requested projects:

    for i in strickland-propane arlen-high megalomart; do
        oc new-project "$i" --description="Arlen, TX engineering project"
    done
  • Verify projects were created:

    oc get project
  • Grant peggy admin privileges to the arlen-high project:

    oc adm policy add-role-to-user admin peggy -n arlen-high
  • Grant admin privileges to hank and buck.strickland under the strickland-propane project:

    for i in hank buck.strickland; do
        oc adm policy add-role-to-user admin "$i" -n strickland-propane
    done
  • Grant buckley permissions to edit most objects in the megalomart project:

    oc adm policy add-role-to-user edit buckley -n megalomart
  • Grant all users the ability to view items in the megalomart project by adding the role to the arlentx group:

    oc adm policy add-role-to-group view arlentx -n megalomart
  • Verify the roles within the project:

    oc describe rolebinding.rbac -n megalomart
  • Remove the ability to provision new projects from all authenticated users (which includes every member of arlentx) by removing the self-provisioner cluster role from the system:authenticated and system:authenticated:oauth groups:

    oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated system:authenticated:oauth

    If you get an error, the cluster is still automatically restoring the self-provisioners binding. Run the following command to disable that, then re-run the removal of the self-provisioner cluster role above:

    oc annotate clusterrolebinding.rbac self-provisioners 'rbac.authorization.kubernetes.io/autoupdate=false' --overwrite
  • Try to log in as a user and create a new project:

    oc login -u buck.strickland -p propanerules -n strickland-propane

    Try to create a new project:

    oc new-project propanegas

    You should receive the following error:

    Error from server (Forbidden): You may not request a new project via this API.
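The `oc adm policy` commands above create RBAC objects imperatively; the following added example (not part of the lab or of OpenShift itself) emits the equivalent Group and RoleBinding objects declaratively as a JSON list that `oc apply -f` accepts, so the intended permissions can be reviewed in one place before they are applied. The object names (such as `admin-user-peggy`) are this example's own convention, not the names `oc adm policy` generates, and the self-provisioner removal step is not covered here.

```python
"""Declarative equivalent of the lab's Group and RoleBinding setup."""
import json

# Users, group and projects taken from the lab text.
GROUP = "arlentx"
USERS = ["hank", "peggy", "luanne", "buckley", "buck.strickland"]

# (role, subject kind, subject name, project). admin, edit and view are
# OpenShift's built-in ClusterRoles; the lab binds them per project.
DESIRED_BINDINGS = [
    ("admin", "User", "peggy", "arlen-high"),
    ("admin", "User", "hank", "strickland-propane"),
    ("admin", "User", "buck.strickland", "strickland-propane"),
    ("edit", "User", "buckley", "megalomart"),
    ("view", "Group", GROUP, "megalomart"),
]

def group_manifest(name, users):
    # OpenShift Group object: the membership 'oc adm groups new' creates.
    return {"apiVersion": "user.openshift.io/v1", "kind": "Group",
            "metadata": {"name": name}, "users": list(users)}

def role_binding(role, kind, subject, namespace):
    # A namespaced RoleBinding whose roleRef points at a ClusterRole, the
    # same shape 'oc adm policy add-role-to-user/-group' produces.
    # Naming convention here is the example's own (hypothetical).
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": f"{role}-{kind.lower()}-{subject}",
                     "namespace": namespace},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": role},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                      "kind": kind, "name": subject}],
    }

def build_manifests(bindings=DESIRED_BINDINGS):
    items = [group_manifest(GROUP, USERS)] + [role_binding(*b) for b in bindings]
    return {"apiVersion": "v1", "kind": "List", "items": items}

def admins_in(manifests, namespace):
    """Subjects holding 'admin' in a project: a quick least-privilege review."""
    return sorted(s["name"] for i in manifests["items"]
                  if i["kind"] == "RoleBinding"
                  and i["metadata"]["namespace"] == namespace
                  and i["roleRef"]["name"] == "admin"
                  for s in i["subjects"])

if __name__ == "__main__":
    print(json.dumps(build_manifests(), indent=2))  # feed to: oc apply -f -
```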

Conclusion

Congratulations, you've completed this hands-on lab!