Changing the Cloud Pak administrator access credentials

You can update the Cloud Pak administrator username and password.

Before you begin

Install the IBM Cloud CLI (cloudctl).
Install the OpenShift client.
Install Platform UI (ibm-zen-operator) service.
Ensure that you must have Cluster administrator access to update the Cloud Pak administrator username and password.

Supported languages

You can change the default administrator username admin to a custom username. The username can be in the following languages:

Table 1. Supported languages
Language	Language code
Brazilian Portuguese	pt_br
English	en
French	fr
German	de
Italian	it
Japanese	ja
Korean	ko
Chinese Simplified	zh_CN
Chinese Traditional	zh_TW
Spanish	es

Changing the Cloud Pak administrator username

Complete the following steps to rename a default admin user in Platform UI:

Review the current admin and password.

oc -n ibm-common-services get secret platform-auth-idp-credentials -o yaml | grep admin |xargs -l  bash -c 'echo -n "$0  " ; echo "$1" | base64 -d && echo'

The sample output:

admin_password:  IRXkjnsZg8nUUK8S2BBVFJeIOW0wVrhD
admin_username:  admin

Run the cloudctl login command from any server that has access to your cluster where oc and cloudctl clients are installed.
```
cloudctl login -a https://`oc get routes |grep -i cp-console | awk '{print $2}'` -u <username> -p <password> --skip-ssl-validation -n ibm-common-services
```
Note: If you are unable to use the admin as a user due to LDAP conflicts, you can use the cluster admin users, for example, kubeadmin.
Use cloudctl password management (pm) command to change your username and to restart deployments. For example:
```
cloudctl pm update-secret ibm-common-services platform-auth-idp-credentials -d admin_username=<username>
```

Update the clusterrolebinding role-based access control (RBAC) object with the new username.

oc edit clusterrolebinding oidc-admin-binding

Following is a sample clusterrolebinding RBAC object:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: 2019-02-04T18:44:34Z
  name: oidc-admin-binding
  resourceVersion: "3162"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/oidc-admin-binding
  uid: eab9c9c9-28ac-11e9-aca2-0050569a1e29
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: https://127.0.0.1:443/oidc/endpoint/OP#admin        <===========
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: admin                                                    <===========

Note:

Replace the admin name in https://127.0.0.1:443/oidc/endpoint/OP#admin with the new name.
Change OP#admin to OP#.
Replace the admin name in name: admin with the new name.

Change name: admin to name: <new admin user name>. For example, updating to cpadmin.

 subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: User
   name: https://127.0.0.1:443/oidc/endpoint/OP#cpadmin        <===========
 - apiGroup: rbac.authorization.k8s.io
   kind: User
   name: cpadmin                                                    <===========

Save the file.
Wait for few minutes for the auth-idp pod containers to start. Check the pod status.
```
oc get pods -n ibm-common-services
```
If the pod status shows as Running, then proceed with the next step.
If you see an error similar to the following error, then log in to your cluster again and reverify the pod status. The status might show as Running.
```
 Error from server (Forbidden): pods is forbidden: User "admin" cannot list resource "pods" in API group "" in the namespace "ibm-common-services"
```

Validate the new user name.

cloudctl login using the new user name. In the following code, NewUsername specifies the new user name and password specifies the admin password.

cloudctl login -a https://`oc get routes -n ibm-common-services   |grep -i cp-console | awk '{print $2}'` -u <NewUsername> -p <password> --skip-ssl-validation -n ibm-common-services

Test using the browser to login to the cp-console.

oc get routes -n ibm-common-services |grep -i cp-console

Adding Platform UI user by using the Platform UI token

To add users to the Platform UI, see Managing console access.

Administration panel with the zen-cpp-operator extension installed.

Get the Cloud Pak Platform route for accessing the common landing page by running the following command:
```
oc get route -n <your cpd namespace> cpd -o jsonpath='{.spec.host}' && echo
```
Note: Replace <your cpd namespace> with the namespace where you deployed the IBM Cloud Pak for Data.

The response is your https://<cluster_address. is the Cloud Pak Platform route.

Sample output:
```
cpd.apps.mycluster.mydomain.com
```
Use this URL for Zen-url in the command of Step 3.
Run cloudctl tokens to get an IAM access token. If cloudctl is not available, see Install the IBM Cloud CLI (cloudctl) to install the cloudctl.
```
cloudctl tokens
```
Note: When you use cloudctl tokens, you see the generated tokens. Keep a copy of the tokens. Do not run cloudctl logout command as it revokes the token.
Use the following command to get the platform UI token (Zen_TOKEN) by using IAM token.
```
curl -k X GET '<Zen-url>/v1/preauth/validateAuth' \
-H "username: admin" \
-H "iam-token: <iam-token>"
```
It is valid only when Platform UI (ibm-zen-operator) service is installed. The above command returns two access token and use the second access token for ZEN_TOKEN in the command of Step 4.
```
export ZEN-TOKEN=<second accessToken from the above command>
```

Use the following command to add a new user to Platform UI.

curl --location --request POST 'https://ZEN_URL/usermgmt/v1/user' \
--header 'Authorization: Bearer ZEN_TOKEN' \
--header 'Content-Type: application/json' \
--data-raw '{
"username": "newuser",
"displayName": "UserFirstName UserLastName",
"email": "user@in.ibm.com",
"user_roles": [
"zen_administrator_role",
"zen_user_role"
]
}'

Disable the default admin after you add a new user to Platform UI. For more information, see Disabling the default admin user.

Note: If you cannot login Platform UI with new username, see Cannot login Platform UI with CloudPak administrator username.

Changing the Cloud Pak administrator password

The Cloud Pak administrator password is stored in a Kubernetes Secret. cloudctl has a command to change the password and restart services that use the password.

To change your password run the following command:

cloudctl pm update-secret kube-system platform-auth-idp-credentials -d admin_password

The password must follow the defined password rules.

Password rules

Password rules are optional, regular expressions (regex) that are used to set and validate managed password values within a namespace. The update-secret command checks password rules before you change the values in the secret. It validates if rules exist on the namespace that the secret is in, and that the secret data element name change contains pass or pwd in any case combination.

Note: You can use the following regex expressions from the command line. Ensure that you wrap the expressions in single quotation marks:

Table 2. List of rules for Regex expressions
Rule	Regex
Min length 10	`^.{10,}`
Max length 10	`^.{0,10}$`
Length range	`^.{10,20}$`
Require lower	`.[a-z].`
Require upper	`.[A-Z].`
Require num	`.[0-9].`
Require spec	`.[!@#\$%\^&\].*`

To list the password rules, run the following command:

cloudctl pm password-rules <namespace>

The rules are listed similar to the following example,

cloudctl pm password-rules default

Name   Description        Regex
min10  minimum length 10  ^.{10,}
OK

If you want to change the password rules, you can run the following command:

cloudctl pm password-rule-set <namespace> <rule_name> <rule_regex> <rule_desc>

For example,

cloudctl pm password-rule-set default min_10 '^.{10,}' "minimum length of 10"

If you need to remove the password rule, run the following command:

cloudctl pm password-rule-rm <namespace> <rule_name>

For example,

cloudctl pm password-rule-rm default min_10
OK