Home
Prodotti
OpenShift Container Platform
4.19
Authentication and authorization
Chapter 6. Understanding identity provider configuration

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 6. Understanding identity provider configuration

The OpenShift Container Platform master includes a built-in OAuth server. Developers and administrators obtain OAuth access tokens to authenticate themselves to the API.

As an administrator, you can configure OAuth to specify an identity provider after you install your cluster.

6.1. About identity providers in OpenShift Container Platform
Copia collegamento

By default, only a kubeadmin user exists on your cluster. To specify an identity provider, you must create a custom resource (CR) that describes that identity provider and add it to the cluster.

Note

OpenShift Container Platform user names containing /, :, and % are not supported.

6.2. Supported identity providers
Copia collegamento

You can configure the following types of identity providers:

Expand

Identity provider	Description
htpasswd	Configure the `htpasswd` identity provider to validate user names and passwords against a flat file generated using `htpasswd`.
Keystone	Configure the `keystone` identity provider to integrate your OpenShift Container Platform cluster with Keystone to enable shared authentication with an OpenStack Keystone v3 server configured to store users in an internal database.
LDAP	Configure the `ldap` identity provider to validate user names and passwords against an LDAPv3 server, using simple bind authentication.
Basic authentication	Configure a `basic-authentication` identity provider for users to log in to OpenShift Container Platform with credentials validated against a remote identity provider. Basic authentication is a generic backend integration mechanism.
Request header	Configure a `request-header` identity provider to identify users from request header values, such as `X-Remote-User`. It is typically used in combination with an authenticating proxy, which sets the request header value.
GitHub or GitHub Enterprise	Configure a `github` identity provider to validate user names and passwords against GitHub or GitHub Enterprise’s OAuth authentication server.
GitLab	Configure a `gitlab` identity provider to use GitLab.com or any other GitLab instance as an identity provider.
Google	Configure a `google` identity provider using Google’s OpenID Connect integration.
OpenID Connect	Configure an `oidc` identity provider to integrate with an OpenID Connect identity provider using an Authorization Code Flow.

Once an identity provider has been defined, you can use RBAC to define and apply permissions.

6.3. Removing the kubeadmin user
Copia collegamento

After you define an identity provider and create a new cluster-admin user, you can remove the kubeadmin to improve cluster security.

Warning

If you follow this procedure before another user is a cluster-admin, then OpenShift Container Platform must be reinstalled. It is not possible to undo this command.

Prerequisites

You must have configured at least one identity provider.
You must have added the cluster-admin role to a user.
You must be logged in as an administrator.

Procedure

Remove the kubeadmin secrets:

oc delete secrets kubeadmin -n kube-system

$ oc delete secrets kubeadmin -n kube-system

Copy to Clipboard

Toggle word wrap

6.4. Identity provider parameters
Copia collegamento

The following parameters are common to all identity providers:

Expand

Parameter Description

Parameter	Description
`name`	The provider name is prefixed to provider user names to form an identity name.
`mappingMethod`	Defines how new identities are mapped to users when they log in. Enter one of the following values: claim The default value. Provisions a user with the identity’s preferred user name. Fails if a user with that user name is already mapped to another identity. lookup Looks up an existing identity, user identity mapping, and user, but does not automatically provision users or identities. This allows cluster administrators to set up identities and users manually, or using an external process. Using this method requires you to manually provision users. add Provisions a user with the identity’s preferred user name. If a user with that user name already exists, the identity is mapped to the existing user, adding to any existing identity mappings for the user. Required when multiple identity providers are configured that identify the same set of users and map to the same user names.

name

The provider name is prefixed to provider user names to form an identity name.

mappingMethod

Defines how new identities are mapped to users when they log in. Enter one of the following values:

claim: The default value. Provisions a user with the identity’s preferred user name. Fails if a user with that user name is already mapped to another identity.
lookup: Looks up an existing identity, user identity mapping, and user, but does not automatically provision users or identities. This allows cluster administrators to set up identities and users manually, or using an external process. Using this method requires you to manually provision users.
add: Provisions a user with the identity’s preferred user name. If a user with that user name already exists, the identity is mapped to the existing user, adding to any existing identity mappings for the user. Required when multiple identity providers are configured that identify the same set of users and map to the same user names.

Note

When adding or changing identity providers, you can map identities from the new provider to existing users by setting the mappingMethod parameter to add.

6.5. Sample identity provider CR
Copia collegamento

The following custom resource (CR) shows the parameters and default values that you use to configure an identity provider. This example uses the htpasswd identity provider.

Sample identity provider CR

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: my_identity_provider 
    mappingMethod: claim 
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: my_identity_provider


    mappingMethod: claim


    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret

Copy to Clipboard

Toggle word wrap

1: This provider name is prefixed to provider user names to form an identity name.
2: Controls how mappings are established between this provider’s identities and User objects.
3: An existing secret containing a file generated using htpasswd.

6.6. Manually provisioning a user when using the lookup mapping method
Copia collegamento

Typically, identities are automatically mapped to users during login. The lookup mapping method disables this automatic mapping, which requires you to provision users manually. If you are using the lookup mapping method, use the following procedure for each user after configuring the identity provider.

Prerequisites

You have installed the OpenShift CLI (oc).

Procedure

Create an OpenShift Container Platform user:
```
oc create user <username>
```
```
$ oc create user <username>
```
Copy to Clipboard Toggle word wrap
Create an OpenShift Container Platform identity:
```
oc create identity <identity_provider>:<identity_provider_user_id>
```
```
$ oc create identity <identity_provider>:<identity_provider_user_id>
```
Copy to Clipboard Toggle word wrap
Where <identity_provider_user_id> is a name that uniquely represents the user in the identity provider.

Create a user identity mapping for the created user and identity:

oc create useridentitymapping <identity_provider>:<identity_provider_user_id> <username>

$ oc create useridentitymapping <identity_provider>:<identity_provider_user_id> <username>

Copy to Clipboard

Toggle word wrap

Torna in cima

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 6. Understanding identity provider configuration

6.1. About identity providers in OpenShift Container Platform
Copia collegamento

6.2. Supported identity providers
Copia collegamento

6.3. Removing the kubeadmin user
Copia collegamento

6.4. Identity provider parameters
Copia collegamento

6.5. Sample identity provider CR
Copia collegamento

6.6. Manually provisioning a user when using the lookup mapping method
Copia collegamento

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Rendiamo l’open source più inclusivo

Informazioni su Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 6. Understanding identity provider configuration

6.1. About identity providers in OpenShift Container PlatformCopia collegamentoCollegamento copiato negli appunti!

6.2. Supported identity providersCopia collegamentoCollegamento copiato negli appunti!

6.3. Removing the kubeadmin userCopia collegamentoCollegamento copiato negli appunti!

6.4. Identity provider parametersCopia collegamentoCollegamento copiato negli appunti!

6.5. Sample identity provider CRCopia collegamentoCollegamento copiato negli appunti!

6.6. Manually provisioning a user when using the lookup mapping methodCopia collegamentoCollegamento copiato negli appunti!

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Rendiamo l’open source più inclusivo

Informazioni su Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

6.1. About identity providers in OpenShift Container Platform
Copia collegamento

6.2. Supported identity providers
Copia collegamento

6.3. Removing the kubeadmin user
Copia collegamento

6.4. Identity provider parameters
Copia collegamento

6.5. Sample identity provider CR
Copia collegamento

6.6. Manually provisioning a user when using the lookup mapping method
Copia collegamento