Newer documentation is now live.You are currently reading an older version.

Create initial users after a management cluster bootstrap

Once you bootstrap your management cluster, create Keycloak users for access to the MOSK management console.

Mirantis recommends creating at least two users, user and operator, that are required for a typical MOSK deployment.

Create a user for access to the MOSK management console

./container-cloud bootstrap user add \
    --username <userName> \
    --roles <roleName> \
    --kubeconfig <pathToMgmtKubeconfig>

Note

You will be asked for the user password interactively.

User creation parameters

Flag

Description

--username

Required. Name of the user to create.

--roles

Required. Comma-separated list of roles to assign to the user.

  • If you run the command without the --namespace flag, you can assign the following roles:

    • global-admin - read and write access for global role bindings

    • writer - read and write access

    • reader - view access

    • operator - create and manage access to the BareMetalHost and BareMetalHostInventory objects

    • management-admin - full access to the management cluster

  • If you run the command for a specific project using the --namespace flag, you can assign the following roles:

    • operator or writer - read and write access

    • user or reader - view access

    • member - read and write access (excluding IAM objects)

    • bm-pool-operator - create and manage access to the BareMetalHost and BareMetalHostInventory objects

--kubeconfig

Required. Path to the management cluster kubeconfig generated during the management cluster bootstrap.

--namespace

Optional. Name of the MOSK management project where the user will be created. If not set, a global user will be created for all MOSK management projects with the corresponding role access to view or manage all public objects.

--password-stdin

Optional. Flag to provide the user password through stdin:

echo '$PASSWORD' | ./container-cloud bootstrap user add \
    --username <userName> \
    --roles <roleName> \
    --kubeconfig <pathToMgmtKubeconfig> \
    --password-stdin

Add several roles to one user

To add several roles of one level to one user, use a comma. For example:

./container-cloud bootstrap user add --username test --roles reader,global-admin

The command above applies the m:kaas@reader and m:kaas@global-admin roles to the user.

If one of roles must be namespaced, for example, to create m:kaas:default@reader and m:kaas@global-admin, use the Keycloak Admin Console or IAM API directly by creating IAMRoleBinding or IAMGlobalRoleBinding. For more information, see:

Note

Adding several roles of different levels to one user is not supported during creation of initial users.

Delete a user

To delete a user, run the following command:

./container-cloud bootstrap user delete --username <userName> --kubeconfig <pathToMgmtKubeconfig>