A user is an entity that interacts with the OpenShift Origin API. These can be a developer for developing applications or an administrator for managing the cluster. Users can be assigned to groups, which set the permissions applied to all the group’s members. For example, you can give API access to a group, which give all members of the group API access.

This topic describes the management of user accounts, including how new user accounts are created in OpenShift Origin and how they can be deleted.

Creating a User

The process for creating a user depends on the configured identity provider. By default, OpenShift Origin uses the DenyAll identity provider, which denies access for all user names and passwords.

The following process creates a new user, then adds a role to the user:

  1. Create the user account depending on your identity provider. This can depend on the mappingmethod used as part of the identity provider configuration. See the Mapping Identities to Users section for more information.

  2. Give the new user the desired role:

    # oc create clusterrolebinding <clusterrolebinding_name> /
      --clusterrole=<role> --user=<user>

    Where the --clusterrole option is the desired cluster role. For example, to give the new user cluster-admin privileges, which gives the user access to everything within a cluster:

    # oc create clusterrolebinding registry-controller /
      --clusterrole=cluster-admin --user=admin

    For an explanation and list of roles, see the Cluster Roles and Local Roles section of the Architecture Guide.

As a cluster administrator, you can also manage the access level of each user.

Depending on the identity provider, and on the defined group structure, some roles may be given to users automatically. See the Synching groups with LDAP section for more information.

Viewing User and Identity Lists

OpenShift Origin user configuration is stored in several locations within OpenShift Origin. Regardless of the identity provider, OpenShift Origin internally stores details like role-based access control (RBAC) information and group membership. To completely remove user information, this data must be removed in addition to the user account.

In OpenShift Origin, two object types contain user data outside the identification provider: user and identity.

To get the current list of users:

$ oc get user
NAME      UID                                    FULL NAME   IDENTITIES
demo     75e4b80c-dbf1-11e5-8dc6-0e81e52cc949               htpasswd_auth:demo

To get the current list of identities:

$ oc get identity
NAME                  IDP NAME        IDP USER NAME   USER NAME   USER UID
htpasswd_auth:demo    htpasswd_auth   demo            demo        75e4b80c-dbf1-11e5-8dc6-0e81e52cc949

Note the matching UID between the two object types. If you attempt to change the authentication provider after starting to use OpenShift Origin, the user names that overlap will not work because of the entries in the identity list, which will still point to the old authentication method.

Creating Groups

While a user is an entity making requests to OpenShift Origin, users can be organized into one or more groups made up from a set of users. Groups are useful for managing many users at one time, such as for authorization policies, or to grant permissions to multiple users at once.

If your organization is using LDAP, you can synchronize any LDAP records to OpenShift Origin so that you can configure groups on one place. This presumes that information about your users is in an MDAP server. See the Synching groups with LDAP section for more information. If you are not using LDAP, you can use the following procedure to manually create groups.

To create a new group:

# oc adm groups new <group_name> <user1> <user2>

For example, to create the west groups and in it place the john and betty users:

# oc adm groups new west john betty

To verify that the group has been created, and list the users associated with the group, run the following:

# oc get groups
west      john, betty

Next steps: * Managing role bindings

Managing User and Group Labels

To add a label to a user or group:

$ oc label user/<user_name> <label_name>

For example, if the user name is theuser and the label is level=gold:

$ oc label user/theuser level=gold

To remove the label:

$ oc label user/<user_name> <label_name>-

To show labels for a user or group:

$ oc describe user/<user_name>

Deleting a User

To delete a user:

  1. Delete the user record:

    $ oc delete user demo
    user "demo" deleted
  2. Delete the user identity.

    The identity of the user is related to the identification provider you use. Get the provider name from the user record in oc get user.

    In this example, the identity provider name is htpasswd_auth. The command is:

    # oc delete identity htpasswd_auth:demo
    identity "htpasswd_auth:demo" deleted

    If you skip this step, the user will not be able to log in again.

After you complete these steps, a new account will be created in OpenShift Origin when the user logs in again.

If your intention is to prevent the user from being able to log in again (for example, if an employee has left the company and you want to permanently delete the account), you can also remove the user from your authentication back end (like htpasswd, kerberos, or others) for the configured identity provider.

For example, if you are using htpasswd, delete the entry in the htpasswd file that is configured for OpenShift Origin with the user name and password.

For external identification management like Lightweight Directory Access Protocol (LDAP) or Red Hat Identity Management (IdM), use the user management tools to remove the user entry.