Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 5. Managing users

This section describes how to configure authorization and authentication in Red Hat CodeReady Workspaces and how to administer user groups and users.

5.1. Configuring authorization
Link kopieren

5.1.1. Authorization and user management
Link kopieren

Red Hat CodeReady Workspaces uses RH-SSO to create, import, manage, delete, and authenticate users. RH-SSO uses built-in authentication mechanisms and user storage. It can use third-party identity management systems to create and authenticate users. Red Hat CodeReady Workspaces requires a RH-SSO token when you request access to CodeReady Workspaces resources.

Local users and imported federation users must have an email address in their profile.

The default RH-SSO credentials are admin:admin. You can use the admin:admin credentials when logging into Red Hat CodeReady Workspaces for the first time. It has system privileges.

Procedure

To find your RH-SSO URL:

  • Go to the OpenShift web console and navigate to the RH-SSO project.

5.1.2. Configuring CodeReady Workspaces to work with RH-SSO
Link kopieren

The deployment script configures RH-SSO. It creates a che-public client with the following fields:

  • Valid Redirect URIs: Use this URL to access CodeReady Workspaces.
  • Web Origins

The following are common errors when configuring CodeReady Workspaces to work with RH-SSO:

Invalid redirectURI error: occurs when you access CodeReady Workspaces at myhost, which is an alias, and your original CODEREADY_HOST is 1.1.1.1. If this error occurs, go to the RH-SSO administration console and ensure that the valid redirect URIs are configured.

CORS error: occurs when you have an invalid web origin

5.1.3. Configuring RH-SSO tokens
Link kopieren

A user token expires after 30 minutes by default.

You can change the following RH-SSO token settings:

keycloak realm
View larger image
keycloak realm

5.1.4. Setting up user federation
Link kopieren

RH-SSO federates external user databases and supports LDAP and Active Directory. You can test the connection and authenticate users before choosing a storage provider.

See the User storage federation page in RH-SSO documentation to learn how to add a provider.

See the LDAP and Active Directory page in RH-SSO documentation to specify multiple LDAP servers.

5.1.5. Enabling authentication with social accounts and brokering
Link kopieren

RH-SSO provides built-in support for GitHub, OpenShift, and most common social networks such as Facebook and Twitter.

See Instructions to enable Login with GitHub.

You can also enable the SSH key and upload it to the CodeReady Workspaces users’ GitHub accounts.

To enable this feature when you register a GitHub identity provider:

  1. Set scope to repo,user,write:public_key.

  2. Set store tokens and stored tokens readable to ON.

    kc provider
    View larger image
    kc provider

  3. Add a default read-token role.

    kc roles
    View larger image
    kc roles

This is the default delegated OAuth service mode for multiuser CodeReady Workspaces. You can configure the OAuth service mode with the property che.oauth.service_mode.

5.1.6. Using protocol-based providers
Link kopieren

RH-SSO supports SAML v2.0 and OpenID Connect v1.0 protocols. You can connect your identity provider systems if they support these protocols.

5.1.7. Managing users using RH-SSO
Link kopieren

You can add, delete, and edit users in the user interface. See: RH-SSO User Management for more information.

By default, CodeReady Workspaces installation in multiuser mode includes the deployment of a dedicated RH-SSO instance. However, using an external RH-SSO is also possible. This option is useful when a user has an existing RH-SSO instance with already-defined users, for example, a company-wide RH-SSO server used by several applications.

This procedure uses the following placeholders:

Expand
Table 5.1. Placeholders used in examples

<provider-realm-name>

Identity provider realm name intended for use by CodeReady Workspaces

<oidc-client-name>

Name of oidc client defined in <provider-realm-name>

<auth-base-url>

Base URL of your external RH-SSO server

Prerequisites

  • In the administration console of the RH-SSO external installation, define a realm that will contain the users intended to connect to CodeReady Workspaces.

    external keycloak realm
    View larger image
    external keycloak realm

  • In this realm, define an OIDC client that CodeReady Workspaces will use to authenticate the users. Here is an example of such a client with the correct settings:

    external keycloak public client
    View larger image
    external keycloak public client
Important
  • CodeReady Workspaces only supports public OIDC clients. Therefore, selecting the openid-connect Client Protocol option and the public Access Type option is highly recommended.
  • The list of Valid Redirect URIs must contain at least 2 URIs related to the CodeReady Workspaces server, one using the http protocol and the other https. These URIs must contain the base URL of the CodeReady Workspaces server, followed by /* wildcards.

  • The list of Web Origins must contain at least 2 URIs related to the CodeReady Workspaces server, one using the http protocol and the other https. These URIs must contain the base URL of the CodeReady Workspaces server, without any path after the host.

    The number of URIs depends on the number of installed product tools.

  • If CodeReady Workspaces is installed and uses the default OpenShift OAuth support, user authentication relies on the integration of RH-SSO with OpenShift OAuth. This allows users to log in to CodeReady Workspaces with their OpenShift login and have their workspaces created under personal OpenShift projects.

    This requires setting up an OpenShift identity provider inside RH-SSO. When using an external RH-SSO, set up the identity provider manually. For instructions, see the appropriate RH-SSO documentations for either link:OpenShift 3[OpenShift 3] or link:OpenShift 4[OpenShift 4].

  • The configured identity provider has the options Store Tokens and Stored Tokens Readable enabled.

Procedure

  1. Set the following properties in the CheCluster Custom Resource (CR): 

    spec:
  auth:
    externalIdentityProvider: true
    identityProviderURL: <auth-base-url>
    identityProviderRealm: <provider-realm-name>
    identityProviderClientId: <oidc-client-name>
    Copy to Clipboard Toggle word wrap

  2. If installing CodeReady Workspaces with OpenShift OAuth support enabled, set the following properties in the CheCluster Custom Resource (CR): 

    spec:
  auth:
    openShiftoAuth: true
# Note: only if the OpenShift identity provider alias is different from 'openshift-v3' or 'openshift-v4'
server:
  customCheProperties:
    CHE_INFRA_OPENSHIFT_OAUTH__IDENTITY__PROVIDER: <OpenShift identity provider alias>
    Copy to Clipboard Toggle word wrap

By default, CodeReady Workspaces installation includes the deployment of a dedicated RH-SSO instance. However, using an external RH-SSO is also possible. This option is useful when a user has an existing RH-SSO instance with already-defined users, for example, a company-wide RH-SSO server used by several applications.

Expand
Table 5.2. Placeholders used in examples

<provider-realm-name>

Identity provider realm name intended for use by CodeReady Workspaces

<oidc-client-name>

Name of the oidc client defined in <provider-realm-name>

<auth-base-url>

Base URL of the external RH-SSO server

Prerequisites

  • In the administration console of the external installation of RH-SSO, define a realm containing the users intended to connect to CodeReady Workspaces:

    external keycloak realm
    View larger image
    external keycloak realm

  • In this realm, define an OIDC client that CodeReady Workspaces will use to authenticate the users. This is an example of such a client with the correct settings:

    external keycloak public client
    View larger image
    external keycloak public client
    Note
    • CodeReady Workspaces only supports public OIDC clients. Therefore, selecting the openid-connect Client Protocol option and the public Access Type option is recommended.
    • The list of Valid Redirect URIs must contain at least two URIs related to the CodeReady Workspaces server, one using the http protocol and the other https. These URIs must contain the base URL of the CodeReady Workspaces server, followed by /* wildcards.

    • The list of Web Origins must contain at least two URIs related to the CodeReady Workspaces server, one using the http protocol and the other https. These URIs must contain the base URL of the CodeReady Workspaces server, without any path after the host.

      The number of URIs depends on the number of installed product tools.

  • With CodeReady Workspaces that uses the default OpenShift OAuth support, user authentication relies on the integration of RH-SSO with OpenShift OAuth. This allows users to log in to CodeReady Workspaces with their OpenShift login and have their workspaces created under personal OpenShift projects.

    This requires setting up an OpenShift identity provider ins RH-SSO. When using an external RH-SSO, set up the identity provider manually. For instructions, see the appropriate RH-SSO documentations for either link:OpenShift 3[OpenShift 3] or link:OpenShift 4[OpenShift 4].

  • The configured identity provider has the options Store Tokens and Stored Tokens Readable enabled.

Procedure

  1. Set the following properties in the CheCluster Custom Resource (CR): 

    spec:
  auth:
    externalIdentityProvider: true
    identityProviderURL: <auth-base-url>
    identityProviderRealm: <provider-realm-name>
    identityProviderClientId: <oidc-client-name>
    Copy to Clipboard Toggle word wrap

  2. When installing CodeReady Workspaces with OpenShift OAuth support enabled, set the following properties in the CheCluster Custom Resource (CR): 

    spec:
  auth:
    openShiftoAuth: true
# Note: only if the OpenShift identity provider alias is different from 'openshift-v3' or 'openshift-v4'
server:
  customCheProperties:
    CHE_INFRA_OPENSHIFT_OAUTH__IDENTITY__PROVIDER: <OpenShift identity provider alias>
    Copy to Clipboard Toggle word wrap

5.1.10. Configuring SMTP and email notifications
Link kopieren

Red Hat CodeReady Workspaces does not provide any pre-configured MTP servers.

To enable SMTP servers in RH-SSO:

  1. Go to che realm settings > Email.
  2. Specify the host, port, username, and password.

Red Hat CodeReady Workspaces uses the default theme for email templates for registration, email confirmation, password recovery, and failed login.

5.2. Removing user data
Link kopieren

5.2.1. GDPR
Link kopieren

In case user data needs to be deleted, the following API should be used with the user or the admin authorization token: 

curl -X DELETE `http(s)://{che-host}/api/user/{id}`
Copy to Clipboard Toggle word wrap
Note

All the user’s workspaces should be stopped beforehand. Otherwise, the API request will fail with 500 Error.

To remove the data of all the users, follow instructions for Uninstalling Red Hat CodeReady Workspaces.

Nach oben
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2025 Red Hat