There are several OpenShift resources related to authentication and authorization. The following is a list of the primary resource types and their definitions:<\/p>\n
User and identity resources are usually not created in advance. They are usually created automatically by OpenShift after a successful interactive log in using OAuth.<\/p>\n
OpenShift OAuth server can be configured to use many identity providers. The following lists includes the more common ones:<\/span><\/p>\n The <\/p>\n Authenticating as a Cluster Administrator<\/span> To create additional users and grant them different access levels, you must configure an identity provider and assign roles to your users.<\/span> To use the <\/span> As an alternative, you can use the <\/span> <\/p>\n Deleting the Virtual User<\/span> If you delete the <\/span> Configuring the HTPasswd Identity Provider<\/span><\/p>\n The <\/p>\n Configuring the OAuth Custom Resource<\/span> To update the OAuth custom resource, use the Then, open the resulting file in a text editor and make the needed changes to the embedded identity provider settings. After completing modifications and saving the file, you must apply the new custom resource using <\/p>\n Managing Users with the HTPasswd Identity Provider<\/span> Use the Add or update credentials:<\/p>\n Delete credentials:<\/p>\n After updating the secret, the Test additions, changes, or deletions to the secret after the new pods finish deploying.<\/span><\/p>\n <\/p>\n Deleting Users and Identities<\/span> To delete the user from htpasswd, run the following command: Update the secret to remove all remnants of the user’s password: Remove the user resource with the following command: Identity resources include the name of the identity provider. To delete the identity resource for the <\/span>manager <\/span>user, find the resource and then delete it. <\/p>\n Assigning Administrative Privileges<\/span> <\/p>\n Excercise 1<\/span> In this exercise, you will configure the Add an entry for two htpasswd users, <\/span> Create an HTPasswd authentication file named <\/span>htpasswd <\/span>in the <\/span>\n
\n<\/span><\/li>\n
\n<\/span><\/li>\n
\n<\/span><\/li>\n
\n<\/span><\/li>\nOAuth<\/code> custom resource must be updated with your desired identity provider. You can define multiple identity providers, of the same or different kinds, on the same OAuth custom resource.<\/span><\/p>\n
\n<\/span>Before you can configure an identity provider and manage users, you must access your OpenShift cluster as a cluster administrator. A newly-installed OpenShift cluster provides two ways to authenticate API requests with cluster administrator privileges:
\n\u2022 Use the <\/span>kubeconfig <\/span><\/code>file, which embeds an X.509 client certificate that never expires.
\n\u2022 Authenticate as the <\/span>kubeadmin <\/span><\/code>virtual user. Successful authentication grants an OAuth access token.<\/span><\/p>\n
\n<\/span><\/p>\n\n
\n<\/span>The <\/span>kubeconfig <\/span><\/code>file contains specific details and parameters used by the CLI to connect a client to the correct API server, including an X.509 certificate.
\nThe installation logs provide the location of the <\/span>kubeconfig <\/span><\/code>file:
\n<\/span><\/li>\n<\/ul>\nINFO Run 'export KUBECONFIG=\/root\/auth\/kubeconfig' to manage the cluster with 'oc'.<\/pre>\n
kubeconfig <\/span><\/code>file to authenticate <\/span>oc <\/span><\/code>commands, you must copy the file to your workstation and set the absolute or relative path to the <\/span>KUBECONFIG <\/span><\/code>environment variable. Then, you can run any <\/span>oc <\/span><\/code>that requires cluster administrator privileges without logging in to OpenShift.
\n<\/span><\/p>\n[user@host ~]$ export KUBECONFIG=\/path\/to\/kubeconfig\r\n[user@host ~]$ oc get nodes<\/pre>\n
--kubeconfig <\/span><\/code>option of the <\/span>oc <\/span>command.
\n<\/span><\/p>\n[user@host ~]$ oc --kubeconfig \/path\/to\/kubeconfig get nodes<\/pre>\n
\n
\n<\/span>After installation completes, OpenShift creates the <\/span>kubeadmin <\/span><\/code>virtual user. The <\/span>kubeadmin <\/span><\/code>secret in the <\/span>kube-system <\/span>namespace contains the hashed password for the <\/span>kubeadmin <\/span><\/code>user. The <\/span>kubeadmin <\/span>user has cluster administrator privileges. The OpenShift installer dynamically generates a unique <\/span>kubeadmin <\/span>password for the cluster. The installation logs provide the <\/span>kubeadmin <\/span>credentials used to log in to the cluster. The cluster
\ninstallation logs also provide log in, password, and the URL for console access.
\n<\/span><\/li>\n<\/ul>\n...output omitted...\r\nINFO The cluster is ready when 'oc login -u kubeadmin -p shdU_trbi_6ucX_edbu_aqop'\r\n...output omitted...\r\nINFO Access the OpenShift web-console here:\r\nhttps:\/\/console-openshift-console.apps.ocp4.example.com\r\nINFO Login to the console with user: kubeadmin, password: shdU_trbi_6ucX_edbu_aqop<\/pre>\n
\n<\/span>After you define an identity provider, create a new user, and assign that user the <\/span>cluster-admin <\/span>role, you can remove the <\/span>kubeadmin <\/span><\/code>user credentials to improve cluster security.<\/span><\/p>\n[user@host ~]$ oc delete secret kubeadmin -n kube-system<\/pre>\n
kubeadmin <\/span><\/code>secret before you configure another user with cluster admin privileges, then the only way you can administer your cluster is using the <\/span>kubeconfig <\/span><\/code>file. If you do not have a copy of this file in a safe location, then you cannot recover administrative access to your cluster. The only alternative is destroying and reinstalling your cluster.
\n<\/span>
\n<\/span><\/p>\n HTPasswd<\/code> identity provider validates users against a secret that contains user names and passwords generated with the htpasswd<\/code> command from the Apache HTTP Server project. Only a cluster administrator can change the data inside the HTPasswd<\/code> secret. Regular users cannot change their own passwords. Most production environments require a more
\npowerful identity provider that integrates with the organization’s identity management system.<\/p>\n
\nTo use the HTPasswd<\/code> identity provider, the OAuth<\/code> custom resource must be edited to add an entry to the .spec.identityProviders<\/code> array:<\/p>\napiVersion: config.openshift.io\/v1\r\nkind: OAuth\r\nmetadata:\r\n name: cluster\r\nspec:\r\n identityProviders:\r\n - name: my_htpasswd_provider\r\n mappingMethod: claim\r\n type: HTPasswd\r\n htpasswd:\r\n fileData:\r\n name: htpasswd-secret<\/pre>\n
\n
name: my_htpasswd_provider<\/code> – This provider name is prefixed to provider user names to form an identity name.<\/li>\nmappingMethod: claim<\/code> – Controls how mappings are established between provider identities and user objects.<\/li>\nname: htpasswd-secret<\/code> – An existing secret containing data generated using the htpasswd<\/code> command.<\/li>\n<\/ul>\noc get<\/code> command to export the existing OAuth cluster resource to a file in YAML format.<\/p>\n[user@host ~]$ oc get oauth cluster -o yaml > oauth.yaml<\/code><\/p>\n
\nthe oc replace<\/code> command.<\/p>\n[user@host ~]$ oc replace -f oauth.yaml<\/pre>\n
\nManaging user credentials with the HTPasswd<\/code> Identity Provider requires creating a temporary htpasswd<\/code> file, making changes to the file, and applying these changes to the secret.<\/p>\n\n
\nThe httpd-tools package provides the htpasswd utility, it must be installed and available on your system. Create the htpasswd file.<\/li>\n<\/ul>\n[user@host ~]$ htpasswd -c -B -b \/tmp\/htpasswd student redhat123<\/pre>\n
-c<\/code> option only when creating a new file. The -c<\/code> option replaces all file content if the file already exists.<\/p>\n[user@host ~]$ htpasswd -b \/tmp\/htpasswd student redhat1234<\/pre>\n
[user@host ~]$ htpasswd -D \/tmp\/htpasswd student<\/pre>\n
\n
\nTo use the HTPasswd<\/code> provider, you must create a secret that contains the htpasswd<\/code> file data. The following example uses a secret named htpasswd-secret.<\/em><\/p>\n[user@host ~]$ oc create secret generic htpasswd-secret \\\r\n> --from-file htpasswd=\/tmp\/htpasswd -n openshift-config<\/pre>\n<\/li>\n
\nWhen adding or removing users, an administrator cannot assume the validity of a local htpasswd<\/code> file. Moreover, the administrator might not be on a system that has the htpasswd file. In a real world scenario, it would behoove the administrator to use the oc extract<\/code> command. By default, the oc extract<\/code> command saves each key within a configuration map or secret as a
\nseparate file. Alternatively, all data can then be redirected to a file or displayed as standard output. To extract data from the htpasswd-secret<\/code> secret to the \/tmp\/<\/code> directory, use the following command. The --confirm<\/code> option replaces the file if it already exists.<\/li>\n<\/ul>\n[user@host ~]$ oc extract secret\/htpasswd-secret -n openshift-config \\\r\n> --to \/tmp\/ --confirm \/tmp\/htpasswd<\/pre>\n
\n
\nThe secret must be updated after adding, changing, or deleting users. Use the oc set data secret command to update a secret.\u00a0 The following command updates the htpasswd-secret<\/code> secret\u00a0 using the content of the \/tmp\/htpasswd<\/code> file.<\/li>\n<\/ul>\n[user@host ~]$ oc set data secret\/htpasswd-secret \\\r\n> --from-file htpasswd=\/tmp\/htpasswd -n openshift-config<\/pre>\n
OAuth<\/code> operator redeploys pods in the openshiftauthentication namespace. Monitor the redeployment of the new OAuth pods by running:<\/p>\n[user@host ~]$ watch oc get pods -n openshift-authentication\r\nTest additions, changes, or deletions to the secret after the new pods finish deploying.<\/pre>\n
\n<\/span>When a scenario occurs that requires you to delete a user, it is not sufficient to delete the user from the identity provider. The user and identity resources must also be deleted. You must remove the password from the htpasswd secret, remove the user from the local htpasswd file, and then update the secret. <\/span><\/p>\n
\n<\/span><\/p>\n[user@host ~]$ htpasswd -D \/tmp\/htpasswd manager<\/pre>\n
\n<\/span><\/p>\n[user@host ~]$ oc set data secret\/htpasswd-secret \\\r\n> --from-file htpasswd=\/tmp\/htpasswd -n openshift-config<\/pre>\n
\n<\/span><\/p>\n[user@host ~]$ oc delete user manager\r\nuser.user.openshift.io \"manager\" deleted<\/pre>\n
\n<\/span><\/p>\n[user@host ~]$ oc get identities | grep manager\r\nmy_htpasswd_provider:manager my_htpasswd_provider manager manager ...\r\n\r\n[user@host ~]$ oc delete identity my_htpasswd_provider:manager\r\nidentity.user.openshift.io \"my_htpasswd_provider:manager\" deleted<\/pre>\n
\n<\/span>The cluster-wide <\/span>cluster-admin <\/span>role grants cluster administration privileges to users and groups. This role enables the user to perform any action on any resources within the cluster. The following example assigns the <\/span>cluster-admin <\/span>role to the <\/span>student <\/span>user.
\n<\/span><\/p>\n[user@host ~]$ oc adm policy add-cluster-role-to-user cluster-admin student<\/pre>\n
\n<\/strong><\/p>\nHTPasswd<\/code> identity provider and create users for cluster administrators.<\/span><\/p>\nadmin <\/span><\/code>and <\/span>developer<\/span><\/code>. Assign <\/span>admin <\/span><\/code>a password of <\/span>redhat <\/span><\/code>and <\/span>developer <\/span><\/code>a password of <\/span>developer<\/span><\/code>.<\/span><\/p>\n~\/ auth-provider\/ <\/span><\/code>