Skip to content

Reflecting FAS/ACO user email change

Reflecting FAS/ACO user email change

Openshift was initially configured to use IdP/Oauth but creating user with preferred_email as main login ID. That means that when a user updates/changes its email address at FAS/ACO side, he loses his rights in openshift and deployed applications.

We have a plan to discuss massively reflect a change to get back to user instead of email and process all groups/projects but for the time being, if someone in such situation is creating a ticket, here is a simple way to fix it directly in openshift.

Let's assume that user is foo and his previous email foo@bar.com but he has a new email address now in FAS (which you can query https://fasjson.fedoraproject.org to find).

Basically we have to :

  • remove user from openshift
  • delete cached openshift identify for that user

Login on the node that is in the ocp-ci-management ansible group , become ocpadm user and run the following (cli and eventually ansible playbook to come later) :

user="foo"
email="foo@bar.com"

[ocpadm@<node> ~]$ oc get identities | grep "${email}"
CentOS_and_Fedora_account:f84377f827c00de9cbd03a3cf01af0fc09c2807c16e790d6d07cd0c8a9f58e2f   CentOS_and_Fedora_account   f84377f827c00de9cbd03a3cf01af0fc09c2807c16e790d6d07cd0c8a9f58e2f 

# Now that we have identity, just delete it
[ocpadm@<node> ~]$ oc delete identity CentOS_and_Fedora_account:f84377f827c00de9cbd03a3cf01af0fc09c2807c16e790d6d07cd0c8a9f58e2f
identity.user.openshift.io "CentOS_and_Fedora_account:f84377f827c00de9cbd03a3cf01af0fc09c2807c16e790d6d07cd0c8a9f58e2f" deleted

# Let's now delete user
[ocpadm@<node> ~]$ oc delete user ${user}

We can now ask the user to login again and his new user will be created and linked with FAS/ACO. Don't forget to reflect his new email address for his projects and update projecs (like you'd do to create it, so push to git and oc apply)