Chapter 5. Managing users
This section describes how to configure authorization and authentication in Red Hat CodeReady Workspaces and how to administer user groups and users.
5.1. Configuring authorization
5.1.1. Authorization and user management
Red Hat CodeReady Workspaces uses RH-SSO to create, import, manage, delete, and authenticate users. RH-SSO uses built-in authentication mechanisms and user storage. It can use third-party identity management systems to create and authenticate users. Red Hat CodeReady Workspaces requires a RH-SSO token when you request access to CodeReady Workspaces resources.
Local users and imported federation users must have an email address in their profile.
The default RH-SSO credentials are admin:admin. You can use the admin:admin credentials when logging into Red Hat CodeReady Workspaces for the first time. This account has system privileges.
Procedure
To find your RH-SSO URL:
- Go to the OpenShift web console and navigate to the RH-SSO namespace.
5.1.2. Configuring CodeReady Workspaces to work with RH-SSO
The deployment script configures RH-SSO. It creates a che-public client with the following fields:
- Valid Redirect URIs: Use this URL to access CodeReady Workspaces.
- Web Origins
The following are common errors when configuring CodeReady Workspaces to work with RH-SSO:
- Invalid redirectURI error: occurs when you access CodeReady Workspaces at myhost, which is an alias, and your original CODEREADY_HOST is 1.1.1.1. If this error occurs, go to the RH-SSO administration console and ensure that the valid redirect URIs are configured.
- CORS error: occurs when you have an invalid web origin.
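The two errors above can be predicted before a user hits them. The following added example (not part of the original documentation or of RH-SSO) uses a simplified model of the matching: exact match or trailing `*` for redirect URIs, and `*` or `+` for web origins. The client data is a constructed sample and the field names `redirectUris` and `webOrigins` follow the RH-SSO client representation.

```python
from urllib.parse import urlsplit

# Constructed client representation for CODEREADY_HOST=1.1.1.1 (sample data).
CHE_PUBLIC = {
    "clientId": "che-public",
    "redirectUris": ["http://1.1.1.1/*"],
    "webOrigins": ["http://1.1.1.1"],
}

def origin_of(url):
    """Return scheme://host[:port] for a URL."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"

def redirect_uri_allowed(uri, valid_redirect_uris):
    """Exact match, or prefix match when the entry ends with '*'."""
    for entry in valid_redirect_uris:
        if entry.endswith("*") and uri.startswith(entry[:-1]):
            return True
        if uri == entry:
            return True
    return False

def origin_allowed(origin, web_origins, valid_redirect_uris):
    """'*' allows any origin; '+' allows the origins of the redirect URIs."""
    for entry in web_origins:
        if entry in ("*", origin):
            return True
        if entry == "+" and any(
            origin_of(u.rstrip("*")) == origin for u in valid_redirect_uris
        ):
            return True
    return False

def diagnose(access_url, client):
    """List the errors from the section above that access_url would trigger."""
    errors = []
    if not redirect_uri_allowed(access_url, client["redirectUris"]):
        errors.append("Invalid redirectURI")
    if not origin_allowed(
        origin_of(access_url), client["webOrigins"], client["redirectUris"]
    ):
        errors.append("CORS")
    return errors

if __name__ == "__main__":
    print(diagnose("http://myhost/dashboard/", CHE_PUBLIC))
    print(diagnose("http://1.1.1.1/dashboard/", CHE_PUBLIC))
```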
5.1.3. Configuring RH-SSO tokens
A user token expires after 30 minutes by default.
You can change the following RH-SSO token settings:
5.1.4. Setting up user federation
RH-SSO federates external user databases and supports LDAP and Active Directory. You can test the connection and authenticate users before choosing a storage provider.
See the User storage federation page in RH-SSO documentation to learn how to add a provider.
See the LDAP and Active Directory page in RH-SSO documentation to specify multiple LDAP servers.
5.1.5. Enabling authentication with social accounts and brokering
RH-SSO provides built-in support for GitHub, OpenShift, and most common social networks such as Facebook and Twitter.
See Instructions to enable Login with GitHub.
You can also enable the SSH key and upload it to the CodeReady Workspaces users’ GitHub accounts.
To enable this feature when you register a GitHub identity provider:
- Set scope to repo,user,write:public_key.
- Set store tokens and stored tokens readable to ON.
- Add a default read-token role.
This is the default delegated OAuth service mode for multiuser CodeReady Workspaces. You can configure the OAuth service mode with the property che.oauth.service_mode.
5.1.6. Using protocol-based providers
RH-SSO supports SAML v2.0 and OpenID Connect v1.0 protocols. You can connect your identity provider systems if they support these protocols.
5.1.7. Managing users using RH-SSO
You can add, delete, and edit users in the user interface. See: RH-SSO User Management for more information.
5.1.8. Configuring SMTP and email notifications
Red Hat CodeReady Workspaces does not provide any pre-configured SMTP servers.
To enable SMTP servers in RH-SSO:
- Go to che realm settings > Email.
- Specify the host, port, username, and password.
Red Hat CodeReady Workspaces uses the default theme for email templates for registration, email confirmation, password recovery, and failed login.
5.2. Using organizations
5.2.1. Organizations in Red Hat CodeReady Workspaces
Organizations allow administrators to group Red Hat CodeReady Workspaces users and allocate resources. The system administrator controls and allocates resources and permissions within the administrator dashboard.
5.2.2. Roles in an organization
A user can have the following roles in an organization:
- Members
- Create workspaces, manage their own workspaces, and use any workspaces they have permissions for.
- Administrators
- Manage the organization, members, resources, and sub-organization, and can edit settings.
- System Administrators
- Create root organizations, manage resources, members, and sub-organizations. System administrators have more permissions than the administrators and members.
5.2.3. Root organizations and sub-organizations
The top-level organizations are called root organizations. Multiple root organizations can be created. Any organization can have zero to a set number of sub-organizations. Only the system administrator can create root organizations and manage the resources of the root organization.
5.2.4. Creating an organization
Only the system administrator can create root organizations. An administrator can create sub-organizations.
To create an organization:
- Click the menu in the left sidebar. A new page displays all the organizations in your system.
- Click on the upper-left button to create a new organization.
5.2.5. Displaying the list of organizations
The Organization page displays a list of all the organizations. The list contains the following information for each organization: number of members, total RAM, available RAM, and number of sub-organizations.
5.2.6. Adding members to organizations
To add members to an organization:
- Click the Add button to add a member. A new pop-up window displays. You can change the role of a member or remove them from the organization at any time.
- Enter the new member name.
Users with the green checkmark beside their name already have a Red Hat CodeReady Workspaces account and can be added to the organization. Users without a checkmark do not have an account and cannot be added to the organization.
5.2.7. Workspaces in organizations
A workspace is created inside of an organization and uses the resources of the organization. The workspace creator chooses the organization on the Workspace Creation page.
5.2.8. Creating sub-organizations
Procedure
To create a sub-organization:
- On the Organization Details page, select the Sub-Organizations tab.
- Click the Add Sub-Organization button.
The steps to create a sub-organization are the same as those for creating an organization. Use them to create the sub-organization.
5.2.9. Adding members to sub-organizations
You can only add members of the parent organization as members of the sub-organization.
5.2.10. Organization and sub-organization administration
The settings of the organization are visible to all members of the organization. Only the Red Hat CodeReady Workspaces system administrator can modify the settings.
5.2.11. Renaming an organization or sub-organization
Only a Red Hat CodeReady Workspaces system administrator and administrator of the organization can rename an organization or sub-organization.
Procedure
To rename an organization:
- Click the Name field to edit the name of the organization. The save mode appears.
- Click the Save button to update the name.
The name of the organization or sub-organization must follow these rules:
- Only alphanumeric characters and a single dash (-) can be used.
- Spaces cannot be used.
- Each organization name must be unique within the Red Hat CodeReady Workspaces installation.
- Each sub-organization name must be unique within an organization.
5.2.12. Leaving an organization or sub-organization
To leave an organization, members need to contact the administrator of the organization or the system administrator of Red Hat CodeReady Workspaces.
5.2.13. Deleting an organization or sub-organization
- Only system administrators or administrators of the organization can delete an organization or sub-organization.
- This action cannot be reverted, and all workspaces created under the organization will be deleted.
- All members of the organization will receive an email notification to inform them about the deletion of the organization.
Procedure
To delete an organization or a sub-organization:
- Click the Delete button.
5.2.14. Allocating resources for organizations
Workspaces use the resources of the organization that are allocated by the system administrator. The resources for sub-organizations are taken from the parent organization. Administrators control the portion of the parent organization's resources that is available to the sub-organization.
5.2.15. Managing limits
Managing limits is restricted to the Red Hat CodeReady Workspaces system administrator and administrator of the organization.
The system configuration defines the default limits. The CodeReady Workspaces instance inherits the limits configured on the underlying platform. The administrator of the organization manages only the limits of its sub-organizations. No resource limits apply to the organization by default. The following are the limits defined by the system administrator:
- Workspace Cap: The maximum number of workspaces that can exist in the organization.
- Running Workspace Cap: The maximum number of workspaces that can run simultaneously in the organization.
- Workspace RAM Cap: The maximum amount of RAM that a workspace can use in GB.
5.2.16. Updating organization and sub-organization member roles
Updating the members of an organization or sub-organization is restricted to the Red Hat CodeReady Workspaces system administrator and administrator of the organization.
Procedure
To edit the role of an organization member:
- Click the Edit button in the Actions column. Update the role of the selected member in the pop-up window.
- Click Save to confirm the update.
5.2.17. Removing members from an organization and sub-organization
Removing the members of an organization or sub-organization is restricted to the Red Hat CodeReady Workspaces system administrator and administrator of the organization.
Procedure
To remove a member:
- Click the Delete button in the Actions column. In the confirmation pop-up window, confirm the deletion.
To remove multiple members:
- Select the check boxes to select multiple members from the organization.
- Click the Delete button that appears in the header of the table. The members that are removed from the organization will receive an email notification.
5.3. Removing user data
5.3.1. GDPR
In case user data needs to be deleted, the following API should be used with the user or the admin authorization token:
curl -X DELETE "http(s)://{che-host}/api/user/{id}"
All the user’s workspaces should be stopped beforehand. Otherwise, the API request will fail with 500 Error.
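A pre-flight check avoids the 500 Error described above by refusing to send the DELETE request while any of the user's workspaces is still active. This is an added example, not code from the product. It assumes that the workspace list is decoded JSON with `id` and `status` fields, that a stopped workspace reports `STOPPED`, and that the token is sent as an `Authorization: Bearer` header. The function names and sample data are constructed.

```python
import json
import urllib.request

def not_stopped(workspaces):
    """Return the ids of workspaces whose status is anything but STOPPED."""
    return [w["id"] for w in workspaces if w.get("status") != "STOPPED"]

def build_delete_request(che_url, user_id, token):
    """Build DELETE {che_url}/api/user/{id} carrying the authorization token."""
    return urllib.request.Request(
        f"{che_url.rstrip('/')}/api/user/{user_id}",
        method="DELETE",
        headers={"Authorization": f"Bearer {token}"},  # assumed header scheme
    )

def delete_user(che_url, user_id, token, workspaces, send=urllib.request.urlopen):
    """Refuse to call the API while any workspace of the user is still active."""
    active = not_stopped(workspaces)
    if active:
        raise RuntimeError(f"stop these workspaces first: {', '.join(active)}")
    return send(build_delete_request(che_url, user_id, token))

# Constructed sample: the user's workspace list as decoded JSON.
SAMPLE_WORKSPACES = json.loads("""[
  {"id": "workspace-aaa", "status": "STOPPED"},
  {"id": "workspace-bbb", "status": "RUNNING"},
  {"id": "workspace-ccc", "status": "STOPPING"}
]""")

if __name__ == "__main__":
    print(not_stopped(SAMPLE_WORKSPACES))
```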
To remove the data of all the users, follow instructions for Uninstalling Red Hat CodeReady Workspaces.