System Administrator - Test Local Access using SSH/Linux Shell and System and Kubernetes CLI
After creating your first system administrator with full privileges, test that account's access to Linux, StarlingX, and Kubernetes commands and resources.
Prerequisites
You must have created your first system administrator.
You need to perform this procedure using the first system administrator.
Procedure
Log in to the active controller as the first system administrator, joefulladmin in these examples. Use either the local console or SSH.
Note
If this is the first time logging in with your Local LDAP account, the password configured is your username. You will be forced to update your password.
Test access to Linux commands (admin and non-admin).
    # Creating user requires sudo
    $ sudo ldapusersetup -u johnsmith
    Successfully added user johnsmith to LDAP
    Successfully set password for user johnsmith
    Warning : password is reset, user will be asked to change password at login
    Successfully modified user entry uid=johnsmith,ou=People,dc=cgcs,dc=local in LDAP
    Updating password expiry to 90 days
    Successfully modified user entry uid=johnsmith,ou=People,dc=cgcs,dc=local in LDAP
    Updating password expiry to 2 days

    # Listing IP interfaces does not require admin privileges
    $ ip link show
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
        link/ether 08:00:27:39:06:4e brd ff:ff:ff:ff:ff:ff
    3: enp0s8: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel state DOWN mode DEFAULT group default qlen 1000
        link/ether 08:00:27:38:8b:7c brd ff:ff:ff:ff:ff:ff
    ...
Test access to Kubernetes commands / resources.
Use kubeconfig-setup to set up KUBECONFIG for the local environment.

    $ kubeconfig-setup
    $ source ~/.profile
Use oidc-auth to authenticate via OIDC/LDAP.

    $ oidc-auth
    Using "joefulladmin" as username.
    Password:
    Successful authentication.
    Updated /home/joefulladmin/.kube/config .
Use kubectl to test access to Kubernetes commands / resources (admin and non-admin).

    # Displaying anything in 'kube-system' namespace requires 'cluster-admin' privileges
    $ kubectl -n kube-system get secrets
    NAME                         TYPE                   DATA   AGE
    ceph-admin                   Opaque                 2      3d8h
    ceph-pool-kube-cephfs-data   kubernetes.io/cephfs   4      3d8h
    ceph-pool-kube-rbd           kubernetes.io/rbd      2      3d8h

    # Anyone can display resources in 'default' namespace
    $ kubectl -n default get all
    NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
    service/kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   3d9h
Test access to StarlingX commands / resources.
Use local_starlingxrc to set up the StarlingX environment variables and your keystone user’s authentication credentials.

    $ source local_starlingxrc
    Enter the password to be used with Keystone user joefulladmin:
    Created file /home/joefulladmin/joefulladmin-openrc
Test keystone commands (admin and non-admin).
    # Making changes to the system requires 'admin' role
    $ system modify -l Ottawa
    +----------------------+--------------------------------------+
    | Property             | Value                                |
    +----------------------+--------------------------------------+
    | contact              | None                                 |
    | created_at           | 2024-07-12T10:52:40.609006+00:00     |
    | description          | None                                 |
    | https_enabled        | True                                 |
    | latitude             | None                                 |
    | location             | Ottawa                               |
    | longitude            | None                                 |
    ...

    # Any member of 'admin' project can display system parameters
    $ system host-if-list controller-0
    +--------------------------------------+--------+----------+----------+---------+------------+----------+-------------+------------+
    | uuid                                 | name   | class    | type     | vlan id | ports      | uses i/f | used by i/f | attributes |
    +--------------------------------------+--------+----------+----------+---------+------------+----------+-------------+------------+
    | 287eca5a-8721-4422-b73a-bf24805eac4c | enp0s3 | platform | ethernet | None    | ['enp0s3'] | []       | []          | MTU=1500   |
    | 325c32b9-fe40-4900-a0ff-59062190ce80 | lo     | platform | virtual  | None    | []         | []       | []          | MTU=1500   |
    +--------------------------------------+--------+----------+----------+---------+------------+----------+-------------+------------+
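The Kubernetes access checks in the procedure above can also be confirmed with `kubectl auth can-i`, which reports whether an action is allowed without displaying any secret data. This is an added example, not part of the StarlingX documentation or tooling; the function names, the two expectation lists, and the use of `list services` in place of `get all` are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not StarlingX code: confirm Kubernetes RBAC for the current
# user with `kubectl auth can-i`, so no secret data is ever displayed.
# Source this file after kubeconfig-setup and oidc-auth, then for instance:
#   verify_access "$ADMIN_EXPECTATIONS"

# One check per line: "<expected> <namespace> <verb> <resource>".
# Assumption: `list services` stands in for the page's `get all` in 'default'.
ADMIN_EXPECTATIONS='yes kube-system get secrets
yes default list services'
NONADMIN_EXPECTATIONS='no kube-system get secrets
yes default list services'

# can_i NAMESPACE VERB RESOURCE: prints yes, no, or error.
can_i() {
    local answer
    # kubectl exits non-zero for "no" as well as for failures, so classify
    # by its output; "|| true" keeps callers that use `set -e` alive.
    answer=$(kubectl auth can-i "$2" "$3" --namespace "$1" </dev/null 2>/dev/null) || true
    case "$answer" in
        yes*) echo yes ;;
        no*)  echo no ;;
        *)    echo error ;;  # e.g. expired OIDC token or unreachable API
    esac
}

# verify_access EXPECTATIONS: prints PASS/FAIL per check and returns the
# number of mismatches (0 means access matches the expected role).
verify_access() {
    local failures=0 expected ns verb resource actual
    while read -r expected ns verb resource; do
        [ -n "$expected" ] || continue
        actual=$(can_i "$ns" "$verb" "$resource")
        if [ "$actual" = "$expected" ]; then
            echo "PASS $ns: $verb $resource -> $actual"
        else
            echo "FAIL $ns: $verb $resource -> $actual (expected $expected)"
            failures=$((failures + 1))
        fi
    done <<EOF
$1
EOF
    return "$failures"
}
```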
Postrequisites
Continue to Create other System Administrators.