Skip to content

operational_tasks.rst

Latest commit

 

History

History
96 lines (62 loc) · 2.7 KB

operational_tasks.rst

File metadata and controls

96 lines (62 loc) · 2.7 KB
title:Operational tasks
description:Common operational tasks for your Deis cluster.

Operational tasks

Below are some common operational tasks for managing the Deis platform.

Managing users

There are two classes of Deis users: normal users and administrators.

  • Users can use most of the features of Deis - creating and deploying applications, adding/removing domains, etc.
  • Administrators can perform all the actions that users can, but they also have owner access to all applications.

The first user created on a Deis installation is automatically an administrator.

Promoting users to administrators

You can use the deis perms command to promote a user to an administrator:

$ deis perms:create john --admin

Disabling user registration

You can disable user registration for everybody except admins:

$ deisctl config controller set registrationMode="admin_only"

If you want to entirely disable user registration:

$ deisctl config controller set registrationMode="disabled"

Re-issuing User Authentication Tokens

The controller API uses a simple token-based HTTP Authentication scheme. Token authentication is appropriate for client-server setups, such as native desktop and mobile clients. Each user of the platform is issued a token the first time that they sign up on the platform. If this token is compromised, you'll need to manually intervene to re-issue a new authentication token for the user. To do this, SSH into the node running the controller and drop into a Django shell:

$ fleetctl ssh deis-controller
$ docker exec -it deis-controller python manage.py shell
>>>

At this point, let's re-issue an auth token for this user. Let's assume that the name for the user is Bob (poor Bob):

>>> from django.contrib.auth.models import User
>>> from rest_framework.authtoken.models import Token
>>> bob = User.objects.get(username='bob')
>>> token = Token.objects.get(user=bob)
>>> token.delete()
>>> exit()

At this point, Bob will no longer be able to authenticate against the controller with his auth token:

$ deis apps
401 UNAUTHORIZED
Detail:
Invalid token

For Bob to be able to use the API again, he will have to authenticate against the controller to be re-issued a new token:

$ deis login http://deis.example.com
username: bob
password:
Logged in as bob
$ deis apps
=== Apps