Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
Applies to SUSE Cloud Application Platform 2.0.1

12 Creating Admin Users

This chapter provides an overview on how to create additional administrators for your Cloud Application Platform cluster.

12.1 Prerequisites

The following prerequisites are required in order to create additional Cloud Application Platform cluster administrators:

  • cf, the Cloud Foundry command line interface. For more information, see https://docs.cloudfoundry.org/cf-cli/.

    For SUSE Linux Enterprise and openSUSE systems, install using zypper.

    tux > sudo zypper install cf-cli

    For SLE, ensure the SUSE Cloud Application Platform Tools Module has been added. Add the module using YaST or SUSEConnect.

    tux > SUSEConnect --product sle-module-cap-tools/15.1/x86_64

    For other systems, follow the instructions at https://docs.cloudfoundry.org/cf-cli/install-go-cli.html.

  • uaac, the Cloud Foundry uaa command line client (UAAC). See https://docs.cloudfoundry.org/uaa/uaa-user-management.html for more information and installation instructions.

    On SUSE Linux Enterprise systems, ensure the ruby-devel and gcc-c++ packages have been installed before installing the cf-uaac gem.

    tux > sudo zypper install ruby-devel gcc-c++

12.2 Creating an Example Cloud Application Platform Cluster Administrator

The following example demonstrates the steps required to create a new administrator user for your Cloud Application Platform cluster. Note that creating administrator accounts must be done using the UAAC and cannot be done using the cf CLI.

  1. Use UAAC to target your uaa server.

    tux > uaac target --skip-ssl-validation https://uaa.example.com:2793
  2. Authenticate to the uaa server as admin using the UAA_ADMIN_CLIENT_SECRET set in your kubecf-config-values.yaml file.

    tux > uaac token client get admin --secret password
  3. Create a new user:

    tux > uaac user add new-admin --password password --emails new-admin@example.com --zone kubecf
  4. Add the new user to the following groups to grant administrator privileges to the cluster (see https://docs.cloudfoundry.org/concepts/architecture/uaa.html#uaa-scopes for information on privileges provided by each group):

    tux > uaac member add scim.write new-admin --zone kubecf
    tux > uaac member add scim.read new-admin --zone kubecf
    tux > uaac member add cloud_controller.admin new-admin --zone kubecf
    tux > uaac member add clients.read new-admin --zone kubecf
    tux > uaac member add clients.write new-admin --zone kubecf
    tux > uaac member add doppler.firehose new-admin --zone kubecf
    tux > uaac member add routing.router_groups.read new-admin --zone kubecf
    tux > uaac member add routing.router_groups.write new-admin --zone kubecf
  5. Log into your Cloud Application Platform deployment as the newly created administrator:

    tux > cf api --skip-ssl-validation https://api.example.com
    tux > cf login -u new-admin
  6. The following commands can be used to verify the new administrator account has sufficient permissions:

    tux > cf create-shared-domain test-domain.com
    tux > cf set-org-role new-admin org OrgManager
    tux > cf create-buildpack test_buildpack /tmp/ruby_buildpack-cached-sle15-v1.7.30.1.zip 1

    If the account has sufficient permissions, you should not receive any authorization message similar to the following:

    Server error, status code: 403, error code: 10003, message: You are not authorized to perform the requested action

    See https://docs.cloudfoundry.org/cf-cli/cf-help.html for other administrator-specific commands that can be run to confirm sufficient permissions are provided.

Print this page