Adding viewer members to a domain using rhc
Suppose you are a system administrator in your organization, and your job is to make sure all the production applications run smoothly. Ideally, you would not want every developer in your organization to have access to the production environment; giving everyone access to production is asking for trouble. Remember that you can have different domains for different environments. The domain corresponding to the production deployment will be controlled by system administrators rather than developers.
OpenShift allows you to give different access levels to different groups of people. You, along with other system administrators, can have admin access to the production domain, whereas developers get only viewer access, if required. Developers are added to the production domain in read-only mode: they can view information about the domain and its applications, but they cannot make any changes. They also can't use Git to clone the source code or deploy changes, and viewers are not allowed to SSH into the application gear.
Getting ready
To complete this recipe, you will need to have rhc installed on your machine. Please refer to the Installing the OpenShift rhc command-line client recipe in Chapter 1, Getting Started with OpenShift, for instructions.
You will need two OpenShift accounts to work through this recipe. Please refer to the Creating an OpenShift Online account recipe in Chapter 1, Getting Started with OpenShift, for OpenShift account registration instructions.
How to do it…
Let's suppose we have two OpenShift users, openshift.cookbook@gmail.com and openshift.cookbook.test@gmail.com. You may want to add openshift.cookbook.test@gmail.com as a viewer to the prodosbook domain of openshift.cookbook@gmail.com. The prodosbook domain corresponds to the production environment of your application. To do this, execute the following command:
$ rhc add-member openshift.cookbook.test@gmail.com --namespace prodosbook --role view
How it works…
The add-member command allows you to add members to your domain. A user can be added to one of the three roles: view, edit, or admin. In this recipe, we may want to add openshift.cookbook.test@gmail.com as a viewer, so we use the --role option to give the user the view role.
The syntax of the rhc add-member command is shown as follows:
$ rhc add-member <login> --namespace <namespace> --role <role>
The breakdown of the command is as follows:
- login: This is the e-mail ID or short name of the OpenShift account you want to add as a member
- namespace: This is the domain name in which you want to add a member
- role: This refers to the access level you want to give to a member
You can view the added user by viewing the domain details:
$ rhc show-domain
Domain prodosbook (owned by openshift.cookbook@gmail.com)
-----------------------------------------------------
Created: Jan 14 9:49 AM
Allowed Gear Sizes: small
Members: openshift.cookbook.test@gmail.com (view)
blog @ http://blog-prodosbook.rhcloud.com/ (uuid: 52d681815973ca43d600009a)
-----------------------------------------------------------------------
// app details .. removed for brevity
You have 1 application in your domain.
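The Members line of this output can be checked automatically so that nobody outside an approved list holds more than the view role on the production domain. The following script is an added example, not part of the original recipe or of rhc itself; the function names and the dev.example@example.com member are hypothetical, and it assumes all members appear on the single Members line as login (role) pairs.

```shell
#!/bin/sh
# Constructed sample modelled on the show-domain output above, with one
# extra, hypothetical member (dev.example@example.com) holding edit.
sample_domain_output() {
cat <<'EOF'
Domain prodosbook (owned by openshift.cookbook@gmail.com)
-----------------------------------------------------
  Created:            Jan 14  9:49 AM
  Allowed Gear Sizes: small
  Members:            openshift.cookbook.test@gmail.com (view), dev.example@example.com (edit)
EOF
}

# list_members: read show-domain text on stdin, print "login role" per member.
# Assumption: every member is listed on the one "Members:" line.
list_members() {
  sed -n 's/^[[:space:]]*Members:[[:space:]]*//p' |
    grep -oE '[^[:space:],]+ \((view|edit|admin)\)' |
    sed -E 's/ \((.*)\)$/ \1/'
}

# audit_members: print each member whose role is above view and whose login
# is not in the space-separated allowlist given as $1.
# Exit status is 1 if any such member is found, 0 otherwise.
audit_members() {
  allow=" $1 "
  list_members | (
    bad=0
    while read -r login role; do
      [ "$role" = "view" ] && continue
      case "$allow" in
        *" $login "*) ;;                      # approved edit/admin holder
        *) echo "$login $role"; bad=1 ;;      # unexpected write access
      esac
    done
    exit "$bad"
  )
}

# Run against the constructed sample with an empty allowlist.
# Against a live domain: rhc show-domain | audit_members "approved logins"
sample_domain_output | audit_members "" || true
```
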
If the openshift.cookbook.test@gmail.com user tries to clone the application to their local machine, they will receive the permission denied error shown as follows:
$ rhc git-clone blog -l openshift.cookbook.test@gmail.com
Cloning into 'blog'...
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
fatal: The remote end hung up unexpectedly
Unable to clone your repository. Called Git with: git clone ssh://52d681815973ca43d600009a@blog-prodosbook.rhcloud.com/~/git/blog.git/ "blog"
You can also use the OpenShift account user id instead of the OpenShift login.
$ rhc add-member --ids 52d6784e5004462a80000235 --namespace prodosbook --role view
To get the id for an OpenShift account, you can use the rhc account command.
$ rhc account
Login openshift.cookbook.test@gmail.com on openshift.redhat.com
---------------------------------------------------------------
ID: 52d6784e5004462a80000235
Plan: Free
Gears Used: 0
Gears Allowed: 3
Domains Allowed: 1
Allowed Gear Sizes: small
SSL Certificates: no
You can also add multiple members to your domain in one go, as shown:
$ rhc add-member openshift.cookbook.test@gmail.com shekhar.redhat@gmail.com --namespace prodosbook --role view
This also works for OpenShift account IDs, using the following command:
$ rhc member-add --ids 52d6784e5004462a80000235 52d6784e5004462a80000236 --namespace prodosbook --role view
There's more…
The OpenShift web console also allows users to add members. You can do this by going to your account domain name. Then, click on the Add members… web link:
Enter the user login details and the role you want to give to the user before clicking on Save:
See also
- The Adding an editor member to a domain using rhc recipe
- The Adding an admin member to a domain using rhc recipe
- The Viewing all the members in a domain using rhc recipe