Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

8.10.3. Configuring Authentication for the Administration Console

If you enable external access to the Administration Console by modifying the broker host httpd proxy configuration as described in Section 8.10.2, “Accessing the Administration Console”, you can also configure authentication for the Administration Console by implementing a <Location /admin-console> section in the same /etc/httpd/conf.d/000002_openshift_origin_broker_proxy.conf file. For example, you can configure the Administration Console to authenticate based on user credentials or client IP. See the Apache HTTP Server documentation at http://httpd.apache.org/docs/2.2/howto/auth.html for more information on available authentication methods.
Because the Administration Console runs as a plug-in to the broker application, access to the Administration Console can be controlled using any of the Apache HTTP Server authentication methods described in Section 8.2, “Configuring User Authentication for the Broker”. However, while the broker application and Management Console both validate authorization, the Administration Console does not.
Example Authentication Configurations

The following examples show how you can configure authentication for the Administration Console using various methods. You can add one of the example <Location /admin-console> sections before the ProxyPass /admin-console entry inside the <VirtualHost *:443> section in the /etc/httpd/conf.d/000002_openshift_origin_broker_proxy.conf file on each broker host. Note that the httpd service must be restarted to load any configuration changes.

Example 8.20. Authenticating by Host Name or IP Address

Using the mod_authz_host Apache module, you can configure authentication for the Administration Console based on the client host name or IP address.
The following section allows access for all hosts in the example.com domain and denies access for all other hosts: 
<Location /admin-console>
    Order Deny,Allow
    Deny from all
    Allow from example.com
</Location>
Copy to Clipboard Toggle word wrap
See the mod_authz_host documentation at http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html for more example usage.

Example 8.21. Authenticating Using LDAP

Using the mod_authnz_ldap Apache module, you can configure user authentication for the Administration Console to use an LDAP directory. This example assumes that an LDAP server already exists. See Section 8.2.2, “Authenticating Using LDAP” for details on how the mod_authnz_ldap module is used for broker user authentication.
The following section enables user authentication using an LDAP directory: 
<Location /admin-console>
    AuthName "OpenShift Administration Console"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://localhost:389/ou=People,dc=my-domain,dc=com?uid?sub?(objectClass=*)"
    require valid-user

    Order Deny,Allow
    Deny from all
    Satisfy any
</Location>
Copy to Clipboard Toggle word wrap
The above section specifies an example server and query that must be modified to suit the requirements of your LDAP service. The most important information required is the AuthLDAPURL setting. Ensure the LDAP server's firewall is configured to allow access by the broker hosts.
The require valid-user directive in the above section uses the mod_authz_user module and grants access to all successfully authenticated users. You can change this to instead only allow specific users or only members of a group. See the mod_authnz_ldap documentation at http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html for more example usage.

Example 8.22. Authenticating Using Kerberos

Using the mod_auth_kerb Apache module, you can configure user authentication for the Administration Console to use a Kerberos service. This example assumes that a Kerberos server already exists. See Section 8.2.3, “Authenticating Using Kerberos” for details on how the mod_auth_kerb module is used for broker user authentication.
The following section enables user authentication using a Kerberos service: 
<Location /admin-console>
    AuthName "OpenShift Administration Console"
    AuthType Kerberos
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    # The KrbLocalUserMapping enables conversion to local users, using
    # auth_to_local rules in /etc/krb5.conf. By default it strips the
    # @REALM part. See krb5.conf(5) for details how to set up specific rules.
    KrbLocalUserMapping On
    KrbServiceName HTTP/www.example.com
    KrbAuthRealms EXAMPLE.COM
    Krb5KeyTab /var/www/openshift/broker/httpd/conf.d/http.keytab
    require valid-user

    Order Deny,Allow
    Deny from all
    Satisfy any
</Location>
Copy to Clipboard Toggle word wrap
Modify the KrbServiceName and KrbAuthRealms settings to suit the requirements of your Kerberos service. Ensure the Kerberos server's firewall is configured to allow access by the broker hosts.
The require valid-user directive in the above section uses the mod_authz_user module and grants access to all successfully authenticated users. You can change this to instead only allow specific users. See the mod_auth_kerb documentation at http://modauthkerb.sourceforge.net/configure.html for more example usage.

Example 8.23. Authenticating Using htpasswd

Using the mod_auth_basic Apache module, you can configure user authentication for the Administration Console to use a flat htpasswd file. This method is only intended for testing and demonstration purposes. See Section 8.2.1, “Authenticating Using htpasswd” for details on how the /etc/openshift/htpasswd file is used for broker user authentication by a basic installation of OpenShift Enterprise.
The following section enables user authentication using the /etc/openshift/htpasswd file: 
<Location /admin-console>
    AuthName "OpenShift Administration Console"
    AuthType Basic
    AuthUserFile /etc/openshift/htpasswd
    require valid-user

    Order Deny,Allow
    Deny from all
    Satisfy any
</Location>
Copy to Clipboard Toggle word wrap
The require valid-user directive in the above section uses the mod_authz_user module and grants access to all successfully authenticated users. You can change this to instead only allow specific users or only members of a group. See the mod_auth_basic documentation at http://httpd.apache.org/docs/2.2/mod/mod_auth_basic.html and http://httpd.apache.org/docs/2.2/howto/auth.html for more example usage.
Torna in cima
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2025 Red Hat