Red Hat Bugzilla – Bug 1248706
Registry Install steps missing adding users
Last modified: 2017-03-08 13:13 EST
Section Number and Name: Accessing the Registry
Describe the issue:
Missing information on how to create a user. To use when logging into your registry. Ansisble install has users set up to use HTPASSWD auth but no instructions on adding users after the install to use.
Suggestions for improvement:
a) instruct somewhere further up in the instructions to use htpassword /etc/openshift/openshift-htpasswd someusername
b) switch to AllowAll auth provider for that intial setup.
c) instruct how to get the added users permissions to view or edit the other projects, as users that were created will not be able to view the registry info with out logging out and back in as system:admin or adding new use to the policy in which information on that is further down in the documents.
To me option "A" makes the most sense. Admins need to be aware how to determine the type of authentication an environment is using and how to verify it's working.
We can't do "B" because we aren't going to make our default installation insecure.
From "C" I'm guessing an admin wants to be able to have full access to the registry instead of simply being a normal user that can only access their images. Jordan, is there a way for the system:admin (the OSE default config is /etc/openshift/master/admin.kubeconfig) to get a token?
The way registry auth is currently implemented, a token-based user is required (system:admin is certificate-based)
+1 to a form of option A (making it clear we're just showing an example for if they're sticking with htpasswd). We have some instructions to that end here we could link to (and enhance if needed):
But also make the token requirement more clear in general. Currently adding similar info for image pruning in https://github.com/openshift/openshift-docs/pull/895.
(In reply to Alex Dellapenta from comment #4)
> [option A]
> [link to configuring_authentication.html]
> But also make the token requirement more clear in general. Currently adding
> similar info for image pruning in
You refer to the Note around line 152, right?
The change at:
is to mention htpasswd auth (plus example) immediately prior
to the "oc login" command in section "Accessing the Registry".
Moving status to MODIFIED.
Alas, some rework required:
I will go ahead w/ the proposed rework unless there are objections.
PR updated: https://github.com/openshift/openshift-docs/pull/1050#issuecomment-151161169
PR merged. Moving to RELEASE_PENDING.