opsman-users.html.md.erb
---
title: Creating and Managing Ops Manager User and Client Accounts
---
This topic describes how to add and remove Ops Manager users. It also describes how you can
use an admin Ops Manager account to create client accounts that you can use for Ops
Manager automation.
## <a id="about-om-users"></a> Overview
<%= vars.platform_name %> supports multiple user accounts in Ops Manager. A User Account and Authentication (UAA) module co-located on the Ops Manager VM manages access permissions to Ops Manager.
When Ops Manager boots for the first time, you create an admin user. However, you cannot create additional users through the Ops Manager web interface. If you want to create additional users who can log in to Ops Manager, you must use the UAA API, either through `curl` or the UAA Command Line Client (UAAC).
Users are not the only type of account you can create for Ops Manager. You can also create client accounts, which connect automation tools and scripts to Ops Manager. <%= vars.company_name %> recommends using clients to handle automated tasks.
Client accounts are not subject to the same authentication flows as user accounts. If automated components run under a user account, they fail whenever that account becomes unavailable because of a permission or authentication problem.
You can create client accounts after deploying Ops Manager, or during configuration for an initial deployment. For more information about adding clients during initial configuration or after deployment, see [Add Pre-Created Client](#pre-created-clients).
## <a id='add-user'></a>Add Ops Manager Users
This section describes how to add or remove users with UAAC. If you do not already have the UAAC installed, run `gem install cf-uaac` on the command line.
<p class="note"><strong>Note:</strong> You can only manage users on the Ops Manager UAA module if you chose to use Internal Authentication instead of an external Identity Provider when configuring Ops Manager.</p>
To add Ops Manager users, do the following:
1. Target your Ops Manager UAA:
<pre>uaac target <span>https</span>://YOUR-OPSMANAGER-FQDN/uaa/</pre>
Where:
* `YOUR-OPSMANAGER-FQDN` is the fully qualified domain name of your Ops Manager installation.
1. Get your token:
<pre class='terminal'>uaac token owner get
Client ID: opsman
Client Secret:
Username: OPSMANAGER-ADMIN-USERNAME
Password: OPSMANAGER-ADMIN-PASSWORD
Successfully fetched token via client credentials grant.
Target <span>https</span>://YOUR-OPSMANAGER-FQDN/uaa/
</pre>
Where:
* `YOUR-OPSMANAGER-FQDN` is the fully qualified domain name of your Ops Manager installation.
* `OPSMANAGER-ADMIN-USERNAME` and `OPSMANAGER-ADMIN-PASSWORD` are the username and password for the Ops Manager admin user.
<p class="note"><strong>Note</strong>: The <code>Client Secret</code> field does not require a value.</p>
1. Add a user.
<pre>uaac user add USER-NAME -p USER-PASSWORD --emails USER-EMAIL<span>@</span>EXAMPLE.COM</pre>
Where:
* `USER-NAME` is the username of the user you are adding.
* `USER-PASSWORD` is the password with which this user authenticates.
* `USER-EMAIL` is the email address associated with this user.
1. (Optional) Set the Role-Based Access Control (RBAC) permissions for your user. For more information, see [Configuring Role-Based Access Control (RBAC) in Ops Manager](../opsguide/config-rbac.html).
## <a id='remove-user'></a>Remove Ops Manager Users
To remove Ops Manager users, do the following:
1. Target your Ops Manager UAA:
<pre>uaac target <span>https</span>://YOUR-OPSMANAGER-FQDN/uaa/</pre>
1. Get your token:
<pre class='terminal'>
uaac token owner get
Client ID: opsman
Client Secret:
Username: OPSMANAGER-ADMIN-USERNAME
Password: OPSMANAGER-ADMIN-PASSWORD
Successfully fetched token via client credentials grant.
Target <span>https</span>://YOUR-OPSMANAGER-FQDN/uaa/
</pre>
Where:
* `YOUR-OPSMANAGER-FQDN` is the fully qualified domain name of your Ops Manager installation.
* `OPSMANAGER-ADMIN-USERNAME` and `OPSMANAGER-ADMIN-PASSWORD` are the username and password for the Ops Manager admin user.
<p class="note"><strong>Note</strong>: The <code>Client Secret</code> field does not require a value.</p>
1. Delete a user:
<pre>uaac user delete USER-NAME</pre>
Where:
* `USER-NAME` is the username of the user you wish to delete.
## <a id="clients"></a> Add Ops Manager Client Accounts
The following sections describe how to create client accounts for Ops Manager automation using an admin account.
### <a name="authenticate"></a> Log in to UAAC as an Admin
In order to configure a client, you must first log in to UAAC as an admin.
Use one of the following two methods to authenticate to UAAC:
* [Authenticate Using SAML or SSO](#saml)
* [Authenticate Using LDAP](#ldap)
### <a name="saml"></a> Authenticate Using SAML or SSO
If you're using SAML or SSO, authenticate to UAAC as an admin before creating a client.
To authenticate to UAAC, do the following:
1. Target your UAA server.
<pre>uaac target http<span>s</span>://YOUR-OPSMANAGER-FQDN/uaa</pre>
Where:
* `YOUR-OPSMANAGER-FQDN` is the fully qualified domain name of your Ops Manager installation.
1. Log in as an admin.
<pre>uaac token sso get</pre>
1. When prompted, type the Client ID and passcode. Leave the client secret blank.
<pre class='terminal'>Client ID: opsman
Client secret:
Passcode (from <span>https</span>://YOUR-OPSMANAGER-FQDN/uaa/passcode): YOUR-UAA-PASSCODE</pre>
Where:
* `YOUR-OPSMANAGER-FQDN` is the fully qualified domain name of your Ops Manager installation.
* `YOUR-UAA-PASSCODE` is the passcode with which you authenticate to UAA.
### <a name="ldap"></a> Authenticate Using LDAP
If you're not using SAML or SSO, authenticate to UAAC as an admin before creating a client.
To authenticate to UAAC, do the following:
1. Target your UAA server.
<pre>uaac target http<span>s</span>://YOUR-OPSMANAGER-FQDN/uaa</pre>
Where:
* `YOUR-OPSMANAGER-FQDN` is the fully qualified domain name of your Ops Manager installation.
1. Log in as an admin.
<pre>uaac token owner get</pre>
1. When prompted, type the Client ID, your username, and your password. Leave the client secret blank.
<pre class='terminal'>Client ID: opsman
Client secret:
User name: admin
Password: *****
</pre>
1. A message appears confirming that UAAC has `Successfully fetched token`.
### <a name="client-create"></a> Create a Client
After you authenticate to UAAC, create a client to manage automated components and tasks.
To create a client, do the following:
1. Create a client with role-based permissions, an ID, and an authentication secret using UAAC:
<pre>uaac client add CLIENT-ID --authorized_grant_types client_credentials --authorities opsman.admin --secret CLIENT-SECRET</pre>
Where:
* `CLIENT-ID` is the name of your client.
* `CLIENT-SECRET` is the secret you use to authenticate to your client.
The `opsman.admin` authority in the example above grants the client full administrative permissions. To give the client only the permissions it needs, assign a different role.
For more information about Ops Manager roles and what they do, see [Understanding Roles in Ops Manager](../opsguide/config-rbac.html#about).
## <a id="pre-created-clients"></a>Add Pre-Created Client
You can add a pre-created client to Ops Manager using the Ops Manager API in either of the following ways:
* [Add a Pre-Created Client Before Initial Deployment](#pcc-initial-setup), or
* [Add or Modify a Pre-Created Client for an Existing Deployment](#pcc-existing-deployment)
### <a id="pcc-initial-setup"></a>Add a Pre-Created Client Before Initial Deployment
This section describes how to add a pre-created client before you deploy Ops Manager for the first time.
If you do not already have the UAAC installed, run `gem install cf-uaac` on the command line.
To add a pre-created client before you deploy Ops Manager, do the following:
<ol>
<li>Authenticate to and access the Ops Manager API by following the steps in <a href="./ops-man-api.html">Using the Ops Manager API</a>.</li>
<li>Send the following request:
<pre>POST /api/v0/setup</pre>
Include any configuration details your deployment requires. For more information about configuring Ops Manager with the API, see <a href="http://docs.pivotal.io/pivotalcf/2-5/opsman-api/#setting-up-with-saml">Setting Up with SAML</a> in the Ops Manager API documentation.</li>
<li>In the configuration details, specify this parameter:
<pre>"precreated_client_secret": "YOUR-SECRET"</pre>
Where:
<ul>
<li><code>YOUR-SECRET</code> is the authentication secret you use to access the pre-created client.</li>
</ul>
<p class="note"><strong>Note</strong>: The authentication secret for the pre-created client must be between 1 and 255 ASCII characters.</p></li>
</ol>
When <code>precreated_client_secret</code> is passed, a UAA client is created called <code>precreated-client</code>. To use this client, see [Authenticate as the Pre-Created Client](#pcc-login).
### <a id="pcc-existing-deployment"></a>Add or Modify a Pre-Created Client for an Existing Deployment
This section describes how to add a pre-created client after you have already deployed Ops Manager. You may only have one pre-created client at a time. If you have an existing pre-created client, you may also use this procedure to change its authentication secret.
To add a pre-created client to an Ops Manager that has already been deployed, or change the secret of an existing pre-created client, do the following:
1. Authenticate to and access the Ops Manager API by following the steps in [Using the Ops Manager API](./ops-man-api.html).
1. Send the following request:
<pre>PUT /api/v0/uaa/precreated_client

"precreated_client_secret": "NEW-SECRET"</pre>
Where:
* `NEW-SECRET` is the authentication secret you use to access the pre-created client. This secret must differ from the previous secret you used. The secret cannot be blank.
<p class="note"><strong>Note</strong>: The authentication secret for the pre-created client must be between one and 255 ASCII characters.</p>
To use this client, see [Authenticate as the Pre-Created Client](#pcc-login).
### <a id="pcc-login"></a> Authenticate as the Pre-Created Client
To authenticate to UAAC as the pre-created client, do the following:
1. Target your UAA server.
<pre>uaac target http<span>s</span>://YOUR-OPSMANAGER-FQDN/uaa</pre>
Where:
* `YOUR-OPSMANAGER-FQDN` is the fully qualified domain name of your Ops Manager installation.
1. Log in as a client.
<pre>uaac token client get precreated-client -s "PRECREATED-CLIENT-SECRET"</pre>
1. A message appears confirming that UAAC has `Successfully fetched token`.
You have authenticated to UAAC as the pre-created client. Use this client to perform any automation tasks you wish.
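The following script is an added example and is not part of the Ops Manager documentation or product. It ties together the Create a Client, Add or Modify a Pre-Created Client for an Existing Deployment, and Authenticate as the Pre-Created Client procedures above: it checks a secret against the constraint stated for the pre-created client (1 to 255 ASCII characters, not blank, different from the previous secret) before any command runs, builds the JSON body for `PUT /api/v0/uaa/precreated_client`, and confirms the change by fetching a token with the new secret. The `OM_FQDN` and `OM_TOKEN` environment variables, the `DRY_RUN` switch, the `run` helper, the use of `curl` with a bearer token, and applying the same secret constraint to `uaac client add` are assumptions made for this example, not documented behaviour.

```shell
#!/bin/sh
# Added example, not part of the Ops Manager documentation or product.
# Assumptions: OM_FQDN / OM_TOKEN hold the Ops Manager FQDN and an API bearer
# token (see "Using the Ops Manager API"); DRY_RUN=1 prints commands instead
# of running them, with secret-bearing arguments redacted.
set -eu

# Return 0 when SECRET meets the constraint stated for the pre-created client:
# 1 to 255 ASCII characters and not blank (read here as: not empty or spaces only).
secret_is_valid() {
  s=$1
  [ -n "$s" ] || return 1
  # Keep only printable ASCII (0x20-0x7E); any other byte makes the copy differ.
  [ "$(printf '%s' "$s" | LC_ALL=C tr -cd ' -~')" = "$s" ] || return 1
  [ "${#s}" -le 255 ] || return 1
  [ -n "$(printf '%s' "$s" | tr -d ' ')" ]
}

# Run a command, or in dry-run mode print it with the argument following
# --secret, -s or --data and any bearer token replaced by **** so the secret
# never lands in a terminal log.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    out='' hide=0
    for a in "$@"; do
      if [ "$hide" = 1 ]; then a='****'; hide=0; fi
      case "$a" in
        --secret|-s|--data) hide=1 ;;
        'Authorization: Bearer '*) a='Authorization: Bearer ****' ;;
      esac
      out="$out $a"
    done
    printf 'dry-run:%s\n' "$out"
  else
    "$@"
  fi
}

# Create an automation client as in "Create a Client". opsman.admin is the
# authority the page uses; pass a narrower one when full admin rights are not
# needed. `uaac client get` then shows the registration that UAA stored.
create_client() {
  cid=$1 secret=$2 authority=${3:-opsman.admin}
  case "$cid" in
    ''|*[!A-Za-z0-9._-]*) printf 'invalid client id: %s\n' "$cid" >&2; return 1 ;;
  esac
  secret_is_valid "$secret" || { echo "invalid client secret" >&2; return 1; }
  run uaac client add "$cid" --authorized_grant_types client_credentials \
      --authorities "$authority" --secret "$secret"
  run uaac client get "$cid"
}

# JSON body for PUT /api/v0/uaa/precreated_client. The secret is already
# printable ASCII, so only backslash and double quote need escaping.
precreated_client_body() {
  esc=$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')
  printf '{"precreated_client_secret":"%s"}' "$esc"
}

# Set or rotate the pre-created client's secret, then prove the change by
# fetching a token with it, as in "Authenticate as the Pre-Created Client".
rotate_precreated_secret() {
  new=$1 old=${2:-}
  secret_is_valid "$new" || { echo "secret must be 1-255 ASCII characters" >&2; return 1; }
  [ "$new" != "$old" ] || { echo "secret must differ from the previous one" >&2; return 1; }
  body=$(precreated_client_body "$new")
  run curl -fsS -X PUT "https://${OM_FQDN:?}/api/v0/uaa/precreated_client" \
      -H "Authorization: Bearer ${OM_TOKEN:?}" \
      -H 'Content-Type: application/json' --data "$body"
  run uaac token client get precreated-client -s "$new"
}
```

Source the file and call `DRY_RUN=1 create_client my-automation 'S3cret!'` to see the exact `uaac` invocation with the secret redacted; unset `DRY_RUN` to execute it. The validation runs before any network call, so a blank, over-long or non-ASCII secret is rejected locally instead of producing a partially applied change on the Ops Manager side.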
For more information about the Ops Manager API, see [Using the Ops Manager API](./ops-man-api.html).