Bug 1248706 - Registry Install steps missing adding users
Registry Install steps missing adding users
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation (Show other bugs)
Unspecified Unspecified
high Severity medium
: ---
: ---
Assigned To: Thien-Thi Nguyen
Vikram Goyal
Vikram Goyal
Depends On:
  Show dependency treegraph
Reported: 2015-07-30 12:07 EDT by Ryan Howe
Modified: 2017-03-08 13 EST (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2015-11-19 18:29:18 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Ryan Howe 2015-07-30 12:07:10 EDT
Document URL: 


Section Number and Name: Accessing the Registry

Describe the issue: 

Missing information on how to create a user. To use when logging into your registry. Ansisble install has users set up to use HTPASSWD auth but no instructions on adding users after the install to use. 

Suggestions for improvement: 

a) instruct somewhere further up in the instructions to use htpassword /etc/openshift/openshift-htpasswd someusername

b) switch to AllowAll auth provider for that intial setup.

c) instruct how to get the added users permissions to view or edit the other projects, as users that were created will not be able to view the registry info with out logging out and back in as system:admin or adding new use to the policy in which information on that is further down in the documents.  

Additional information:
Comment 2 Brenton Leanhardt 2015-08-18 09:09:10 EDT
To me option "A" makes the most sense.  Admins need to be aware how to determine the type of authentication an environment is using and how to verify it's working.

We can't do "B" because we aren't going to make our default installation insecure.

From "C" I'm guessing an admin wants to be able to have full access to the registry instead of simply being a normal user that can only access their images.  Jordan, is there a way for the system:admin (the OSE default config is /etc/openshift/master/admin.kubeconfig) to get a token?
Comment 3 Jordan Liggitt 2015-08-18 10:13:35 EDT
The way registry auth is currently implemented, a token-based user is required (system:admin is certificate-based)
Comment 4 Alex Dellapenta 2015-08-18 17:59:07 EDT
+1 to a form of option A (making it clear we're just showing an example for if they're sticking with htpasswd). We have some instructions to that end here we could link to (and enhance if needed):


But also make the token requirement more clear in general. Currently adding similar info for image pruning in https://github.com/openshift/openshift-docs/pull/895.
Comment 5 Thien-Thi Nguyen 2015-10-04 08:43:30 EDT
(In reply to Alex Dellapenta from comment #4)

> [option A]


> [link to configuring_authentication.html]

Good idea.

> But also make the token requirement more clear in general. Currently adding
> similar info for image pruning in
> https://github.com/openshift/openshift-docs/pull/895.

You refer to the Note around line 152, right?
Comment 6 Thien-Thi Nguyen 2015-10-06 20:54:15 EDT
The change at:


is to mention htpasswd auth (plus example) immediately prior
to the "oc login" command in section "Accessing the Registry".

Moving status to MODIFIED.
Comment 7 Thien-Thi Nguyen 2015-10-12 15:01:19 EDT
Alas, some rework required:


I will go ahead w/ the proposed rework unless there are objections.
Comment 9 Thien-Thi Nguyen 2015-11-14 07:22:21 EST
PR merged.  Moving to RELEASE_PENDING.

Note You need to log in before you can comment on or make changes to this bug.