gcp-configure-pks-users.html.md.erb (forked from pivotal-cf/docs-pks)
---
title: Setting Up Enterprise PKS Admin Users on GCP
owner: PKS
iaas: GCP
---
This topic describes how to create admin users in <%= vars.product_full %> with User Account and Authentication (UAA).
Creating at least one admin user is a required step during the initial setup of <%= vars.product_short %>.
## <a id='overview'></a> Overview
UAA is the identity management service for Pivotal Cloud Foundry.
<%= vars.product_short %> includes a UAA server, which is hosted on the PKS control plane VM.
To interact with the UAA server, you can use the UAA Command Line Interface (UAAC).
You can either run UAAC commands from the Ops Manager VM or install UAAC on your local workstation.
## <a id='prerequisites'></a> Prerequisites
Before setting up admin users for <%= vars.product_short %>, you must have one of the following:
* SSH access to the Ops Manager VM
* A machine that can connect to your PKS control plane VM
## <a id='connect'></a>Step 1: Connect to the PKS Control Plane VM
You can connect to the PKS control plane VM from the Ops Manager VM or from a different machine such as your local workstation.
### <a name='ssh-gcp'></a>Option 1: Connect through the Ops Manager VM
You can connect to the PKS control plane VM by logging in to the Ops Manager VM through SSH.
To SSH into the Ops Manager VM on GCP, do the following:
1. Confirm that you have installed the gcloud Command Line Interface (CLI). For more information, see [Downloading gcloud](https://cloud.google.com/sdk/gcloud/#downloading_gcloud) in the Google Cloud Platform (GCP) documentation.
1. From the GCP console, click **Compute Engine**.
1. Locate the Ops Manager VM in the **VM Instances** list.
1. Click the **SSH** menu button.
1. Copy the SSH command that appears in the pop-up window.
1. SSH into the Ops Manager VM by pasting the command into your terminal. For example:
<pre class="terminal">
$ gcloud compute ssh om-pcf-1a --zone us-central1-b
</pre>
1. Switch to the `ubuntu` user by running the `sudo su - ubuntu` command.
1. Proceed to the [Log In as a UAA Admin](#uaa-admin-login) section to manage users with UAAC.
### <a name='local-workstation'></a>Option 2: Connect through a Non-Ops Manager Machine
To connect to the PKS control plane VM and run UAA commands, do the following:
1. Install UAAC on your machine. For example:
```
gem install cf-uaac
```
1. Download a copy of your Ops Manager root CA certificate to the machine. To download the certificate, do the following:
    1. In a web browser, navigate to the FQDN of Ops Manager and log in.
    1. In Ops Manager, navigate to **Settings** in the drop-down menu under your username.
    1. Click **Advanced Options**.
    1. On the **Advanced Options** configuration page, click **Download Root CA Cert**.
    1. Move the certificate to a secure location on your machine and record the path.
1. Proceed to the [Log In as a UAA Admin](#uaa-admin-login) section to create admin users with UAAC.
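The following script is an added example that is not part of the original documentation. It wraps the Option 2 procedure above: it checks that the downloaded root CA file is a usable PEM certificate before anything is typed into UAAC, targets the control plane UAA with that CA pinned (rather than with `--skip-ssl-validation`, which would let anyone on the path impersonate UAA and collect the admin secret), and then runs the UAAC commands for creating a user and granting the cluster-admin scope. The port `8443`, the `admin` client, the `PKS_UAA_ADMIN_SECRET` variable, the hostname `pks.example.com`, and the scope name `pks.clusters.admin` are assumptions for this example; the page itself does not state them. By default the functions only print the pinned `uaac target` command (dry run); set `RUN_UAAC=1` to execute against a real deployment.

```shell
#!/usr/bin/env bash
# Added example (not from the original docs): wire a workstation's UAAC to the
# PKS control plane UAA using the Ops Manager root CA downloaded in Option 2.
# ASSUMPTIONS not stated on the page: UAA listens on https://HOST:8443, the
# admin client is named "admin", its secret is in $PKS_UAA_ADMIN_SECRET, and
# the cluster-admin scope is pks.clusters.admin.
set -u

# Return 0 if FILE is a non-empty PEM certificate bundle, 1 otherwise.
# An empty or partial download is the usual reason people reach for
# --skip-ssl-validation; refuse early instead.
check_ca_cert() {
  local file="$1"
  [ -s "$file" ] || { echo "CA cert file missing or empty: $file" >&2; return 1; }
  grep -q -- '-----BEGIN CERTIFICATE-----' "$file" \
    || { echo "not a PEM certificate: $file" >&2; return 1; }
  return 0
}

# Print the uaac target command with the root CA pinned (dry run).
build_target_cmd() {
  local host="$1" ca="$2"
  printf 'uaac target https://%s:8443 --ca-cert %s\n' "$host" "$ca"
}

# Full Option 2 flow: validate the CA, target UAA, obtain an admin client
# token, create a user, grant the cluster-admin scope.
# Only executes uaac when RUN_UAAC=1; otherwise prints the target command.
pks_admin_user_setup() {
  local host="$1" ca="$2" user="$3" pass="$4"
  check_ca_cert "$ca" || return 1
  if [ "${RUN_UAAC:-0}" != "1" ]; then
    build_target_cmd "$host" "$ca"
    return 0
  fi
  uaac target "https://${host}:8443" --ca-cert "$ca"
  uaac token client get admin -s "$PKS_UAA_ADMIN_SECRET"
  uaac user add "$user" --emails "${user}@example.com" -p "$pass"
  uaac member add pks.clusters.admin "$user"
}

# Example invocation (dry run):
#   pks_admin_user_setup pks.example.com ~/opsman-root-ca.pem alice 'S3cret!'
```

Keep the CA file out of world-readable locations and pass the user password through a variable or prompt rather than on a shared command line; the `--ca-cert` flag is what makes the subsequent `uaac token client get` safe to run over an untrusted network.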
## <a id='uaa-admin-login'></a>Step 2: Log In as a UAA Admin
<%= partial 'uaa-admin-login' %>
## <a id='pks-access'></a>Step 3: Assign <%= vars.product_short %> Cluster Scopes
<%= partial 'pks-uaa-scopes' %>
Based on the needs of your deployment, perform one or more of the following procedures:
* To assign PKS cluster scopes to an individual user, see
[Grant <%= vars.product_short %> Access to an Individual User](manage-users.html#uaa-user).
Follow this procedure if you selected **Internal UAA** when you configured **UAA** in the <%= vars.product_short %> tile. For more information, see [Installing <%= vars.product_short %> on GCP](installing-pks-gcp.html#uaa).
* To assign PKS cluster scopes to an LDAP group, see [Grant <%= vars.product_short %> Access to an External LDAP Group](manage-users.html#external-group). Follow this procedure if you selected **LDAP Server** when you configured **UAA** in the <%= vars.product_short %> tile. For more information, see [Installing <%= vars.product_short %> on GCP](installing-pks-gcp.html#uaa).
* To assign PKS cluster scopes to a client, see [Grant <%= vars.product_short %> Access to a Client](manage-users.html#uaa-client).
## <a id="next-steps"></a> Next Step
After you create admin users in <%= vars.product_short %>, the admin users can create and manage
Kubernetes clusters in <%= vars.product_short %>.
For more information, see [Managing Clusters](managing-clusters.html).