7.8.9. Configuring OpenShift Enterprise Authentication
With the remote user authentication plug-in, the broker service relies on the httpd service to handle authentication and pass on the authenticated user, or "remote user". Therefore, it is necessary to configure authentication in httpd. In a production environment, you can configure httpd to use LDAP, Kerberos, or another industrial-strength technology. This example uses Apache Basic Authentication and a htpasswd file to configure authentication.
Procedure 7.15. To Configure Authentication for the OpenShift Enterprise Broker:
- Copy the example file to the correct location. This configures httpd to use /etc/openshift/htpasswd for its password file.
  # cp /var/www/openshift/broker/httpd/conf.d/openshift-origin-auth-remote-user-basic.conf.sample /var/www/openshift/broker/httpd/conf.d/openshift-origin-auth-remote-user.conf
  Important
  The /var/www/openshift/broker/httpd/conf.d/openshift-origin-auth-remote-user.conf file must be readable by Apache for proper authentication. Red Hat recommends not making the file unreadable by httpd.
- Create the htpasswd file with an initial user "demo":
  # htpasswd -c /etc/openshift/htpasswd demo
  New password:
  Re-type new password:
  Adding password for user demo
Note
If you use the kickstart or bash script, the configure_httpd_auth function performs these steps. The script creates the demo user with a default password, which is set to changeme in OpenShift Enterprise 2.0 and prior releases. With OpenShift Enterprise 2.1 and later, the default password is randomized and displayed after the installation completes. The demo user is intended for testing an installation, and must not be enabled in a production installation.
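
The Note above says the demo user must not be enabled in production and that releases up to 2.0 set its password to changeme. The following check for both conditions is an added example, not part of the original documentation or of the installation scripts; the function names are hypothetical, and it assumes openssl is available for the default-password comparison, which covers only $apr1$ (MD5) entries.

```sh
#!/bin/sh
# Added example: audit an htpasswd file for the "demo" test account.
# "demo" and "changeme" are the account and pre-2.1 default named on this page.

# check_demo_account FILE
# Returns: 0 = no demo entry, 1 = demo entry present,
#          2 = demo entry verifies against "changeme", 3 = FILE missing.
check_demo_account() {
    file=$1
    [ -f "$file" ] || return 3
    grep -q '^demo:' "$file" || return 0

    # htpasswd lines are "user:hash"; an MD5 hash is "$apr1$<salt>$<digest>".
    entry_hash=$(awk -F: '$1 == "demo" { print $2; exit }' "$file")
    case $entry_hash in
        '$apr1$'*)
            # Re-hash the default password with the stored salt and compare.
            salt=$(printf '%s' "$entry_hash" | cut -d'$' -f3)
            candidate=$(openssl passwd -apr1 -salt "$salt" changeme 2>/dev/null) || candidate=
            [ -n "$candidate" ] && [ "$candidate" = "$entry_hash" ] && return 2
            ;;
    esac
    # Other hash formats (crypt, {SHA}) are not verified here: presence only.
    return 1
}

# report_demo_account FILE: print a finding and return the same status code.
report_demo_account() {
    rc=0
    check_demo_account "$1" || rc=$?
    case $rc in
        0) echo "OK: no demo user in $1" ;;
        1) echo "WARN: demo user is enabled in $1 (remove: htpasswd -D $1 demo)" ;;
        2) echo "FAIL: demo user in $1 still has the default password" ;;
        3) echo "ERROR: $1 not found" ;;
    esac
    return "$rc"
}
```

On the broker host, run report_demo_account /etc/openshift/htpasswd as a user that can read the file; a status of 1 or 2 means the demo entry should be removed before the installation goes into production.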