Create First System Administrator

After installing StarlingX, you should create your first unique system administrator account.

In this example, a local LDAP user account and a local Keystone user account are created for the first system administrator user.

The first system administrator user must have full ‘admin’ privileges such that it can create subsequent system administrators and end users.

Prerequisites

  • You must have the credentials for the ‘sysadmin’ local Linux user account used for the installation.

Procedure

  1. Log in to the active controller as the ‘sysadmin’ user.

    Use either a local console or SSH.

  2. Apply source credentials for the ‘admin’ keystone user.

    $ source /etc/platform/openrc
    
  3. Create a directory for temporary files for setting up users and groups.

    $ mkdir /home/sysadmin/users
    
  4. Create a new local LDAP group for system administrators with full privileges.

    $ sudo ldapaddgroup Level1SystemAdmin
    
    1. Add full Linux authorization privileges to the Level1SystemAdmin LDAP group members.

      Enable pam_group.so in /etc/pam.d/common-auth, and update /etc/security/group.conf with LDAP group mappings.

      Note

      If it is AIO-DX controller configuration, add full Linux authorization privileges on both controllers.

      # Execute this line only once, on each host
      $ sudo sed -i '1i auth required pam_group.so use_first_pass' /etc/pam.d/common-auth
      
      # Execute this line for each LDAP group being mapped to 1 or more local Linux groups, on each host
      $ sudo sed -i '$ a\*;*;%Level1SystemAdmin;Al0000-2400;sys_protected,root,sudo' /etc/security/group.conf
      
    2. Add full kubernetes authorization privileges to the Level1SystemAdmin LDAP group members.

      Add a kubernetes ClusterRoleBinding to bind the Level1SystemAdmin group to the cluster-admin role.

      $ cat << EOF > /home/sysadmin/users/Level1SystemAdmin-clusterrolebinding.yml
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        name: Level1SystemAdmin
      subjects:
        - kind: Group
          name: Level1SystemAdmin
          apiGroup: rbac.authorization.k8s.io
      roleRef:
        kind: ClusterRole
        name: cluster-admin
        apiGroup: rbac.authorization.k8s.io
      EOF
      
      $ kubectl apply -f /home/sysadmin/users/Level1SystemAdmin-clusterrolebinding.yml
      
  5. Create a new local LDAP user for the first system administrator.

    $ sudo ldapusersetup -u joefulladmin
    Password:
    Successfully added user joefulladmin to LDAP
    Successfully set password for user joefulladmin
    Warning : password is reset, user will be asked to change password at login
    Successfully modified user entry uid=joefulladmin,ou=People,dc=cgcs,dc=local in LDAP
    Updating password expiry to 90 days
    Successfully modified user entry uid=joefulladmin,ou=People,dc=cgcs,dc=local in LDAP
    Updating password expiry to 2 days
    
  6. Add the first system administrator to the Level1SystemAdmin group.

    $ sudo ldapaddusertogroup joefulladmin Level1SystemAdmin
    
  7. Add a new local keystone user for the first system administrator using the same username.

    Create a keystone user in the ‘admin’ project. The StarlingX infrastructure resources are all contained in the ‘admin’ project.

    $ USERNAME="joefulladmin"
    $ USERPASSWORD="<password>"
    $ PROJECTNAME="admin"
    $ PROJECTID=$(openstack project list | grep ${PROJECTNAME} | awk '{print $2}')
    $ openstack user create --password "${USERPASSWORD}" --project ${PROJECTID} "${USERNAME}"
    $ openstack role add --project ${PROJECTNAME} --user ${USERNAME} _member_
    
    1. Add full StarlingX authorization privileges to the first system administrator’s keystone user account.

      $ openstack role add --project ${PROJECTNAME} --user ${USERNAME} admin
      
  8. Log out as ‘sysadmin’.

    $ exit
    
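
The two sed commands in step 4.1 are not idempotent: running them a second time on a host inserts a duplicate pam_group.so line and a duplicate group.conf mapping, which is why the procedure says to execute them only once per host. The following helper functions, an added example and not part of the StarlingX tooling, perform the same two edits but first check whether the line is already present, and expose counters so the result can be verified. They take the file path as an argument so they can be tried on a copy; on a real host they would be run with sudo against /etc/pam.d/common-auth and /etc/security/group.conf.

```shell
#!/bin/sh
# Idempotent versions of the step 4.1 edits (added example, not StarlingX's own scripts).
# File paths are parameters so the functions can be exercised on scratch copies.

PAM_GROUP_LINE='auth required pam_group.so use_first_pass'

# Insert the pam_group line at the top of a PAM stack only if it is not already there.
ensure_pam_group() {
    pam_file="$1"
    if grep -qxF "$PAM_GROUP_LINE" "$pam_file"; then
        return 0                      # already enabled, nothing to do
    fi
    if [ ! -s "$pam_file" ]; then
        # 'sed 1i' does nothing on an empty file, so write the line directly
        printf '%s\n' "$PAM_GROUP_LINE" > "$pam_file"
    else
        sed -i "1i $PAM_GROUP_LINE" "$pam_file"
    fi
}

# Append a group.conf mapping "*;*;%LDAPGROUP;Al0000-2400;linuxgroups" only if absent.
# Arguments: group.conf path, LDAP group name, comma-separated local Linux groups.
ensure_group_mapping() {
    conf_file="$1"; ldap_group="$2"; linux_groups="$3"
    mapping="*;*;%${ldap_group};Al0000-2400;${linux_groups}"
    if grep -qxF "$mapping" "$conf_file"; then
        return 0                      # mapping already present
    fi
    printf '%s\n' "$mapping" >> "$conf_file"
}

# Number of pam_group lines in a PAM stack; exactly 1 is expected after the edit.
pam_group_count() {
    grep -cxF "$PAM_GROUP_LINE" "$1"
}

# Number of group.conf mappings for an LDAP group; exactly 1 is expected.
group_mapping_count() {
    grep -cF "*;*;%$2;" "$1"
}
```

Running the functions twice against the same files leaves the counts at 1, whereas the raw sed commands from step 4.1 would produce 2.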

Postrequisites