From 4166e679190d107506415359d0c6bb59812f1b3e Mon Sep 17 00:00:00 2001 From: Fabian Arrotin Date: Dec 07 2021 13:29:04 +0000 Subject: SoP to reflect FAS/ACO user email change in openshift/ocp.ci #537 Signed-off-by: Fabian Arrotin --- diff --git a/docs/operations/ci/user_email_change.md b/docs/operations/ci/user_email_change.md new file mode 100644 index 0000000..d9acf4f --- /dev/null +++ b/docs/operations/ci/user_email_change.md 
@@ -0,0 +1,35 @@ +# Reflecting FAS/ACO user email change + +Openshift was initially configured to use IdP/Oauth but creating user with `preferred_email` as main login ID. +That means that when a user updates/changes its email address at FAS/ACO side, he loses his rights in openshift and deployed applications. + +We have a plan to discuss massively reflect a change to get back to `user` instead of `email` and process all groups/projects but for the time being, if someone in such situation is creating a ticket, here is a simple way to fix it directly in openshift. + +Let's assume that user is `foo` and his previous email `foo@bar.com` but he has a new email address now in FAS (which you can query https://fasjson.fedoraproject.org to find). + +Basically we have to : + + * remove user from openshift + * delete cached openshift identify for that user + +Login on the node that is in the `ocp-ci-management` ansible group , become `ocpadm` user and run the following (cli and eventually ansible playbook to come later) : + + +``` +user="foo" +email="foo@bar.com" + +[ocpadm@ ~]$ oc get identities | grep "${email}" +CentOS_and_Fedora_account:f84377f827c00de9cbd03a3cf01af0fc09c2807c16e790d6d07cd0c8a9f58e2f CentOS_and_Fedora_account f84377f827c00de9cbd03a3cf01af0fc09c2807c16e790d6d07cd0c8a9f58e2f + +# Now that we have identity, just delete it +[ocpadm@ ~]$ oc delete identity CentOS_and_Fedora_account:f84377f827c00de9cbd03a3cf01af0fc09c2807c16e790d6d07cd0c8a9f58e2f +identity.user.openshift.io "CentOS_and_Fedora_account:f84377f827c00de9cbd03a3cf01af0fc09c2807c16e790d6d07cd0c8a9f58e2f" deleted + +# Let's now delete user +[ocpadm@ ~]$ oc delete user ${user} + +``` + +We can now ask the user to login again and his new user will be created and linked with FAS/ACO. +Don't forget to reflect his new email address for his projects and update projecs (like you'd do to create it, so push to git and `oc apply`) diff --git a/mkdocs.yml b/mkdocs.yml index c7bb0ec..452d6a0 100644 
--- a/mkdocs.yml +++ b/mkdocs.yml @@ -47,6 +47,7 @@ nav: - Onboarding sysadmins: operations/ci/onboarding_sysadmin.md - Outage Preparation: operations/ci/outage_preparation.md - Replacing Certs: operations/ci/replacing_certs.md + - operations/ci/user_email_change.md - Upgrades: - operations/ci/upgrades/upgrade-notification-template.md - operations/ci/upgrades/upgrade-jenkins.md
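Review bot: In docs/operations/ci/user_email_change.md, the last command of the code block, `oc delete user ${user}`, uses the FAS name `foo`, while the introduction says OpenShift users were created with `preferred_email` as the main login ID, so the User object to remove is presumably named after the old email address rather than `foo`. Consider `oc delete user "${email}"`, or confirm the actual name with `oc get users` first, and show the expected output the way the identity step does. In the same block, `grep "${email}"` treats the dots in the address as regex wildcards; `grep -F "${email}"` matches it literally, which matters because the next step deletes whatever identity was matched. The bullet list also gives the steps in the opposite order to the commands (user first, then identity). Typos: "openshift identify" should read "identity", and "projecs" should read "projects".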
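Review bot: In the mkdocs.yml nav hunk, the added entry `- operations/ci/user_email_change.md` has no title, while the neighbouring entries in the same list use the `Title: path` form, for example `Replacing Certs: operations/ci/replacing_certs.md`. Suggest an explicit title in that form, such as `- User Email Change: operations/ci/user_email_change.md`, so the page is labelled consistently in the navigation instead of falling back to the document heading.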