Create First System Administrator¶
After installing StarlingX, you should create your first unique system administrator account.
In this example, a local LDAP user account and a local Keystone user account are created for the first system administrator user.
The first system administrator user must have full ‘admin’ privileges such that it can create subsequent system administrators and end users.
Prerequisites
You must have the credentials for the ‘sysadmin’ local Linux user account used for the installation.
Procedure
Login to the active controller as the ‘sysadmin’ user.
Use either a local console or SSH.
Apply source credentials for the ‘admin’ keystone user.
$ source /etc/platform/openrc
Create a directory for temporary files for setting up users and groups.
$ mkdir /home/sysadmin/users
Create a new local LDAP group for system administrators with full privileges.
$ sudo ldapaddgroup Level1SystemAdmin
Add full Linux authorization privileges to the
Level1SystemAdmin
LDAP group members.Enable
pam_group.so
in/etc/pam.d/common-auth
, and update/etc/security/group.conf
with LDAP group mappings.Note
If it is AIO-DX controller configuration, add full Linux authorization privileges on both controllers.
# Execute this line only once, on each host $ sudo sed -i '1i auth required pam_group.so use_first_pass' /etc/pam.d/common-auth # Execute this line for each LDAP group being mapped to 1 or more local Linux groups, on each host $ sudo sed -i '$ a\*;*;%Level1SystemAdmin;Al0000-2400;sys_protected,root,sudo' /etc/security/group.conf
Add full kubernetes authorization privileges to the
Level1SystemAdmin
LDAP group members.Add a kubernetes
ClusterRoleBinding
to bind theLevel1SystemAdmin
group to thecluster-admin
role.$ cat << EOF > /home/sysadmin/users/Level1SystemAdmin-clusterrolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: Level1SystemAdmin subjects: - kind: Group name: Level1SystemAdmin apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: cluster-admin apiGroup: rbac.authorization.k8s.io EOF $ kubectl apply -f /home/sysadmin/users/Level1SystemAdmin-clusterrolebinding.yml
Create a new local LDAP user for the first system administrator.
$ sudo ldapusersetup -u joefulladmin Password: Successfully added user joefulladmin to LDAP Successfully set password for user joefulladmin Warning : password is reset, user will be asked to change password at login Successfully modified user entry uid=joefulladmin,ou=People,dc=cgcs,dc=local in LDAP Updating password expiry to 90 days Successfully modified user entry uid=joefulladmin,ou=People,dc=cgcs,dc=local in LDAP Updating password expiry to 2 days
Add the first system administrator to the
Level1SystemAdmin
group.$ sudo ldapaddusertogroup joefulladmin Level1SystemAdmin
Add a new local keystone user for the first system administrator using the same username.
Create a keystone user in the ‘admin’ project. The StarlingX infrastructure resources are all contained in the ‘admin’ project.
$ USERNAME="joefulladmin" $ USERPASSWORD="<password>" $ PROJECTNAME="admin" $ PROJECTID=`openstack project list | grep ${PROJECTNAME} | awk '{print $2}'\` $ openstack user create --password "${USERPASSWORD}" --project ${PROJECTID} "${USERNAME}" $ openstack role add --project ${PROJECTNAME} --user ${USERNAME}_member_
Add full StarlingX authorization privileges to the first system administrator’s keystone user account.
$ openstack role add --project ${PROJECTNAME} --user ${USERNAME} admin
Logout as ‘sysadmin’.
$ exit
Postrequisites
Login to the local console or SSH with this new first system administrator,
joefulladmin
. See System Administrator - Test Local Access using SSH/Linux Shell and System and Kubernetes CLIContinue to Create Other System Administrators