Changing the Cloud Pak administrator access credentials
You can update the Cloud Pak administrator username and password.
Before you begin
-
Install the OpenShift client.
-
Install Platform UI (ibm-zen-operator) service.
-
Ensure that you must have Cluster administrator access to update the Cloud Pak administrator username and password.
-
If you are using multiple foundational services instances in your cluster, replace
ibm-common-services
with the namespace where you want to update the secretplatform-auth-idp-credentials
.
Changing the Cloud Pak administrator username
Complete the following steps to rename a default admin user in Platform UI:
-
Review the current admin and password.
oc -n ibm-common-services get secret platform-auth-idp-credentials -o yaml | grep admin |xargs -l bash -c 'echo -n "$0 " ; echo "$1" | base64 -d && echo'
The sample output:
admin_password: IRXkjnsZg8nUUK8S2BBVFJeIOW0wVrhD admin_username: admin
-
Run the
cloudctl
login command from any server that has access to your cluster whereoc
andcloudctl
clients are installed.cloudctl login -a https://`oc get routes |grep -i cp-console | awk '{print $2}'` -u <username> -p <password> --skip-ssl-validation -n ibm-common-services
Note: If you are unable to use the
admin
as a user due to LDAP conflicts, you can use the cluster admin users, for example,kubeadmin
. -
Use
cloudctl
password management (pm) command to change your username and to restart deployments. For example:cloudctl pm update-secret ibm-common-services platform-auth-idp-credentials -d admin_username=<username>
-
Update the
clusterrolebinding
role-based access control (RBAC) object with the new username.oc edit clusterrolebinding oidc-admin-binding
Following is a sample
clusterrolebinding
RBAC object:apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: creationTimestamp: 2019-02-04T18:44:34Z name: oidc-admin-binding resourceVersion: "3162" selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/oidc-admin-binding uid: eab9c9c9-28ac-11e9-aca2-0050569a1e29 roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: https://127.0.0.1:443/oidc/endpoint/OP#admin <=========== - apiGroup: rbac.authorization.k8s.io kind: User name: admin <===========
Note:
- Replace the admin name in
https://127.0.0.1:443/oidc/endpoint/OP#admin
with the new name. - Change
OP#admin
toOP#
. - Replace the admin name in
name: admin
with the new name. -
Change
name: admin
toname: <new admin user name>
. For example, updating tocpadmin
.subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: https://127.0.0.1:443/oidc/endpoint/OP#cpadmin <=========== - apiGroup: rbac.authorization.k8s.io kind: User name: cpadmin <===========
- Replace the admin name in
-
Save the file.
-
Wait for few minutes for the
auth-idp
pod containers to start and validate the new user name.-
cloudctl
login using the new user name. In the following code, NewUsername specifies the new user name and password specifies the admin password.cloudctl login -a https://`oc get routes -n ibm-common-services |grep -i cp-console | awk '{print $2}'` -u <NewUsername> -p <password> --skip-ssl-validation -n ibm-common-services
-
Test using the browser to login to the cp-console.
oc get routes -n ibm-common-services |grep -i cp-console
-
Adding Platform UI user by using the Platform UI token
To add users to the Plaqtform UI, see Managing console acces.
Administration panel with the zen-cpp-operator
extension installed.
-
Get the Cloud Pak Platform route for accessing the common landing page by running the following command:
oc get route -n ibm-common-services cpd -o jsonpath='{.spec.host}' && echo
The response is your https://<cluster_address.
is the Cloud Pak Platform route. Sample output:
cpd.apps.mycluster.mydomain.com
Use this URL for Zen-url in the command of Step 3.
-
Run
cloudctl
tokens to get IAM access token.cloudctl tokens
Note: When you use
cloudctl tokens
, you see the generated tokens. Keep a copy of the tokens. Do not runcloudctl logout
command as it revokes the token. -
Use the following command to get platform UI token (Zen_TOKEN) by using IAM token.
curl -k X GET '<Zen-url>/v1/preauth/validateAuth' \ -H "username: admin" \ -H "iam-token: <iam-token>"
It is valid only when Platform UI (ibm-zen-operator) service is installed. Use the token for ZEN_TOKEN in the command of Step 4.
-
Use the following command to add new user to Platform UI.
curl --location --request POST 'https://ZEN_URL/usermgmt/v1/user'
--header 'Authorization: Bearer ZEN_TOKEN'
--header 'Content-Type: application/json'
--data-raw '{
"username": "newuser",
"displayName": "UserFirstName UserLastName",
"email": "user@in.ibm.com",
"user_roles": [
"zen_administrator_role",
"zen_user_role"
]
}
Disable the default admin after you add new user to Platform UI. For more information, see Disabling the default admin user.
Note: If you cannot login Platform UI with new username, see Cannot login Platform UI with CloudPak administrator username.
Changing the Cloud Pak administrator password
The Cloud Pak administrator password is stored in a Kubernetes Secret. cloudctl has a command to change the password and restart services that use the password.
To change your password run the following command:
cloudctl pm update-secret <namespace> platform-auth-idp-credentials -d admin_password
Replace the namespace where the secret platform-auth-idp-credentials resides. For example:
cloudctl pm update-secret ibm-common-services platform-auth-idp-credentials -d admin_password
Password rules
The password must follow the defined password rules. Password rules are optional, regular expressions (regex) that are used to set and validate managed password values within a namespace. The update-secret
command checks password rules
before changing the values in the secret. It validates if rules exist on the namespace that the secret is in, and that the secret data element name change contains pass
or pwd
in any case combination.
Note: You can use the following regex expressions from the command line. Ensure that you wrap the expressions in single quotation marks:
Rule | Regex |
---|---|
Min length 10 | ^.{10,} |
Max length 10 | ^.{0,10}$ |
Length range | ^.{10,20}$ |
Require lower | .*[a-z].* |
Require upper | .*[A-Z].* |
Require num | .*[0-9].* |
Require spec | .*[!@#\$%\^&\*].* |
To list the password rules, run the following command:
cloudctl pm password-rules <namespace>
The rules are listed similar to the following example,
cloudctl pm password-rules default
Name Description Regex
min10 minimum length 10 ^.{10,}
OK
If you want to change the password rules, you can run the following command:
cloudctl pm password-rule-set <namespace> <rule_name> <rule_regex> <rule_desc>
For example,
cloudctl pm password-rule-set default min_10 '^.{10,}' "minimum length of 10"
If you need to remove the password rule, run the following command:
cloudctl pm password-rule-rm <namespace> <rule_name>
For example,
cloudctl pm password-rule-rm default min_10
OK