
Guided Exercise: Creating User Accounts for the 3scale Admin Portal

In this exercise, you will configure different types of users for the Admin Portal.

Outcomes

You should be able to:

  • Create a member user with limited permissions.

  • Create a user with administrator privileges.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

This command ensures that:

  • Red Hat OpenShift Container Platform (RHOCP) is ready.

  • Red Hat 3scale API Management is ready.

  • An email interceptor to accept account invites is ready.

[student@workstation ~]$ lab start secure-accounts

Procedure 4.1. Instructions

  1. Send an invitation to create a member user by using the Admin Portal.

    Important

    Because the start function restarts some 3scale API Management pods to deploy the email server, the Admin Portal might be temporarily unavailable. If the Admin Portal is not available, then try again in a few minutes.

    1. Log in to RHOCP:

      [student@workstation ~]$ oc login \
      -u=admin -p=redhat --server=https://api.ocp4.example.com:6443
      ...output omitted...
    2. Retrieve the Admin Portal password.

      [student@workstation ~]$ oc get secret system-seed -n 3scale \
        -o json | jq -r .data.ADMIN_PASSWORD | base64 -d; echo
      ...output omitted...
    3. In a web browser, navigate to https://3scale-admin.apps.ocp4.example.com/. Log in to the Admin Portal with the following credentials:

      • Username: admin

      • Password: ADMIN_PASSWORD from the system-seed secret

    4. Click Account Settings on the top pane drop-down menu. Then navigate to Users > Invitations and invite a new user by clicking Invite a New Team Member.

      Fill the Invite a New Team Member form with the email for the invitation. Then submit the form.

      • Send invitation to: member_user@redhat.com

    5. Execute the /scripts/get-emails.sh script to receive the emails sent by 3scale API Management.

      [student@workstation ~]$ ~/DO240-apps/scripts/get-emails.sh
      ---------- MESSAGE FOLLOWS ----------
      ...output omitted...
      From: no-reply@apps.ocp4.example.com
      To: member_user@redhat.com
      ...output omitted...
      You have been invited to join Provider Name on 3scale platform.
      
      Please sign up by following this link: https://3scale-admin.apps.ocp4.example.com/p/signup/dbbfcd4fe317fae0e0bdc2187e70da6b
      
      If you have any problems signing up or believe you received this email erroneously, please open a Support Case at https://access.redhat.com/support.
      
      Thank you,
      
      The 3scale API Team.
      ------------ END MESSAGE ------------

      The email provides a signup link. Copy the link.

    6. Log out of the Admin Portal by clicking the user icon and then clicking Sign Out.

    7. Navigate to the sign up form by using the link copied from the invitation email. Complete the sign up form according to the following data:

      • Username: member_user

      • Password: gls-password

      • Password confirmation: gls-password

      After submitting the form, the Admin Portal redirects the browser to the login form.

    8. Log in to the Admin Portal as member_user by using the credentials from the previous step. If you are presented with the welcome screen, then close it by pressing X.

  2. Verify that member_user has restricted permission.

    New users are created with the member role, which by default has no permissions. Therefore, on the welcome page, you see a message telling you that you do not have access to any API in the default tenant, the Provider Name account.

    The new user also has no permission to navigate to the Products or Backends pages.

  3. Log in to the Admin Portal as the admin user and give member_user permissions to query the analytics of all API products.

    1. Log out of the Admin Portal by clicking the user icon and then clicking Sign Out.

    2. Log in to the Admin Portal as the admin user.

    3. To edit member_user, click Account Settings on the top pane drop-down menu. Then, click Users > Listing and select member_user.

    4. Give member_user access to the analytics section by clicking Access & query analytics of in the ADMINISTRATIVE section. Select All current and future existing API products to access analytics in all the products and submit the form.

      Figure 4.5: Member user permissions edit.
  4. Log in to the Admin Portal as member_user and verify that the user can access analytics for the API product.

    1. Log in to the Admin Portal as member_user.

    2. Verify that member_user has access to product analytics by clicking API in the Products section, from the welcome page.

      In the API product detail page, you can verify that only the Analytics menu is available in the sidebar.

  5. Create a new user, admin_user, and grant the user the admin role.

    1. Log in to the Admin Portal as the admin user and send the user an invitation to the user_admin@redhat.com address.

    2. Run the /scripts/get-emails.sh script in the DO240-apps directory, as you did in the previous step, to copy the invitation link from the email.

    3. Log out of the Admin Portal and use the previous invitation link to access the sign up form. Submit the form with the following values:

      • Username: admin_user

      • Password: gls-password

      • Password confirmation: gls-password

    4. Log in to the Admin Portal as admin and edit the admin_user by clicking Users > Listing and clicking admin_user in the Account Settings page. In the ADMINISTRATIVE section, select Admin (full access) and submit the form.

    5. Log in to the Admin Portal as the admin_user, and verify that you have unrestricted access to the Admin Portal.
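
The procedure copies a signup link out of the intercepted email twice, once for member_user and once for the admin invitation. The following added example (not part of the course material) selects the link addressed to one recipient and accepts it only if it points at the exercise's Admin Portal host under /p/signup/. The function name, the hex-token check, and the second and third sample messages are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: select the invitation link for one recipient from the
# intercepted mail and check it before opening it in the browser.

PORTAL_HOST='3scale-admin.apps.ocp4.example.com'   # Admin Portal host in this exercise

# invite_link RECIPIENT < mail-text
# Prints the last signup link addressed to RECIPIENT. Returns 1 when no message
# for RECIPIENT has a link on PORTAL_HOST under /p/signup/ with a hex token
# (the hex token format is an assumption based on the sample email).
invite_link() {
  awk -v rcpt="$1" -v host="$PORTAL_HOST" '
    { sub(/^[ \t]+/, "") }                        # tolerate indented output
    /^-+ MESSAGE FOLLOWS -+$/ { to = ""; next }   # new message: reset recipient
    /^To: / { to = $2; next }
    to == rcpt && match($0, /https:\/\/[^ ]+/) {
      url = substr($0, RSTART, RLENGTH)
      prefix = "https://" host "/p/signup/"
      if (index(url, prefix) == 1 && substr(url, length(prefix) + 1) ~ /^[0-9a-f]+$/)
        link = url
    }
    END { if (link == "") exit 1; print link }
  '
}

# Constructed sample: message 1 follows the email shown in step 1.5; messages 2
# and 3 (placeholder tokens, a different host) are made up for this example.
sample_mail() {
  cat <<'EOF'
---------- MESSAGE FOLLOWS ----------
From: no-reply@apps.ocp4.example.com
To: member_user@redhat.com
Please sign up by following this link: https://3scale-admin.apps.ocp4.example.com/p/signup/dbbfcd4fe317fae0e0bdc2187e70da6b
If you have any problems signing up, please open a Support Case at https://access.redhat.com/support.
------------ END MESSAGE ------------
---------- MESSAGE FOLLOWS ----------
From: no-reply@apps.ocp4.example.com
To: user_admin@redhat.com
Please sign up by following this link: https://3scale-admin.apps.ocp4.example.com/p/signup/00000000000000000000000000000000
------------ END MESSAGE ------------
---------- MESSAGE FOLLOWS ----------
To: other_user@redhat.com
Please sign up by following this link: https://portal.example.net/p/signup/11111111111111111111111111111111
------------ END MESSAGE ------------
EOF
}

sample_mail | invite_link member_user@redhat.com
```

In the classroom, pipe the real output instead: ~/DO240-apps/scripts/get-emails.sh | invite_link member_user@redhat.com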

Finish

On the workstation machine, use the lab command to complete this exercise. This is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish secure-accounts

This concludes the guided exercise.

Revision: do240-2.11-40390f6