홈
제품
OpenShift Container Platform
3.6
Installation and Configuration
Chapter 12. Configuring authentication and user agent

이 콘텐츠는 선택한 언어로 제공되지 않습니다.

Chapter 12. Configuring authentication and user agent

12.1. Overview
링크 복사

The OpenShift Container Platform master includes a built-in OAuth server. Developers and administrators obtain OAuth access tokens to authenticate themselves to the API.

As an administrator, you can configure OAuth using the master configuration file to specify an identity provider. It is a best practice to configure your identity provider during advanced installation, but you can configure it after installation.

Note

OpenShift Container Platform user names containing /, :, and % are not supported.

If you installed OpenShift Container Platform using the Quick Installation or Advanced Installation method, the Deny All identity provider is used by default, which denies access for all user names and passwords. To allow access, you must choose a different identity provider and configure the master configuration file appropriately (located at /etc/origin/master/master-config.yaml by default).

When you run a master without a configuration file, the Allow All identity provider is used by default, which allows any non-empty user name and password to log in. This is useful for testing purposes. To use other identity providers, or to modify any token, grant, or session options, you must run the master from a configuration file.

Note

Roles need to be assigned to administer the setup with an external user.

Note

After making changes to an identity provider, you must restart the master services for the changes to take effect:

systemctl restart atomic-openshift-master-api atomic-openshift-master-controllers

# systemctl restart atomic-openshift-master-api atomic-openshift-master-controllers

Copy to Clipboard

Toggle word wrap

12.2. Identity provider parameters
링크 복사

There are four parameters common to all identity providers:

Expand

Parameter	Description
`name`	The provider name is prefixed to provider user names to form an identity name.
`challenge`	When true, unauthenticated token requests from non-web clients (like the CLI) are sent a `WWW-Authenticate` challenge header. Not supported by all identity providers. To prevent cross-site request forgery (CSRF) attacks against browser clients Basic authentication challenges are only sent if a `X-CSRF-Token` header is present on the request. Clients that expect to receive Basic `WWW-Authenticate` challenges should set this header to a non-empty value.
`login`	When true, unauthenticated token requests from web clients (like the web console) are redirected to a login page backed by this provider. Not supported by all identity providers. If you want users to be sent to a branded page before being redirected to the identity provider’s login, then set `oauthConfig alwaysShowProviderSelection: true` in the master configuration file. This provider selection page can be customized.
`mappingMethod`	Defines how new identities are mapped to users when they log in. Enter one of the following values: claim The default value. Provisions a user with the identity’s preferred user name. Fails if a user with that user name is already mapped to another identity. lookup Looks up an existing identity, user identity mapping, and user, but does not automatically provision users or identities. This allows cluster administrators to set up identities and users manually, or using an external process. Using this method requires you to manually provision users. See Manually Provisioning a User When Using the Lookup Mapping Method. generate Provisions a user with the identity’s preferred user name. If a user with the preferred user name is already mapped to an existing identity, a unique user name is generated. For example, myuser2. This method should not be used in combination with external processes that require exact matches between OpenShift Container Platform user names and identity provider user names, such as LDAP group sync. add Provisions a user with the identity’s preferred user name. If a user with that user name already exists, the identity is mapped to the existing user, adding to any existing identity mappings for the user. Required when multiple identity providers are configured that identify the same set of users and map to the same user names.

Note

When adding or changing identity providers, you can map identities from the new provider to existing users by setting the mappingMethod parameter to add.

12.3. Configuring identity providers
링크 복사

OpenShift Container Platform supports configuring only a single identity provider. However, you can extend the basic authentication for more complex configurations such as LDAP failover.

You can use these parameters to define the identity provider during installation or after installation.

12.3.1. Configuring identity providers with Ansible
링크 복사

For initial advanced installations, the Deny All identity provider is configured by default, though it can be overridden during installation using the openshift_master_identity_providers parameter, which is configurable in the inventory file. Session options in the OAuth configuration are also configurable in the inventory file.

Example 12.1. Example identity provider configuration with Ansible

htpasswd auth
Defining htpasswd users
or
Allow all auth
LDAP auth
Configuring the ldap ca certificate
or
Available variables for configuring certificates for other identity providers:

# htpasswd auth
openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}]
# Defining htpasswd users
#openshift_master_htpasswd_users={'user1': '<pre-hashed password>', 'user2': '<pre-hashed password>'}
# or
#openshift_master_htpasswd_file=<path to local pre-generated htpasswd file>

# Allow all auth
#openshift_master_identity_providers=[{'name': 'allow_all', 'login': 'true', 'challenge': 'true', 'kind': 'AllowAllPasswordIdentityProvider'}]

# LDAP auth
#openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'ca': '', 'insecure': 'false', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}]
# Configuring the ldap ca certificate


#openshift_master_ldap_ca=<ca text>
# or
#openshift_master_ldap_ca_file=<path to local ca file to use>

# Available variables for configuring certificates for other identity providers:
#openshift_master_openid_ca
#openshift_master_openid_ca_file
#openshift_master_request_header_ca
#openshift_master_request_header_ca_file

Copy to Clipboard

Toggle word wrap

1: If you specify your CA certificate location in the openshift_master_identity_providers parameter, do not specify a certificate value in the openshift_master_ldap_ca parameter or path in the openshift_master_ldap_ca_file parameter.

12.3.2. Configuring identity providers in the master configuration file
링크 복사

You can configure the master host for authentication using your desired identity provider by modifying the master configuration file.

Example 12.2. Example identity provider configuration in the master configuration file

...
oauthConfig:
  identityProviders:
  - name: htpasswd_auth
    challenge: true
    login: true
    mappingMethod: "claim"
...

...
oauthConfig:
  identityProviders:
  - name: htpasswd_auth
    challenge: true
    login: true
    mappingMethod: "claim"
...

Copy to Clipboard

Toggle word wrap

When set to the default claim value, OAuth will fail if the identity is mapped to a previously-existing user name.

12.3.3. Configuring an identity provider or method
링크 복사

12.3.3.1. Manually provisioning a user when using the lookup mapping method
링크 복사

When using the lookup mapping method, user provisioning is done by an external system, via the API. Typically, identities are automatically mapped to users during login. The 'lookup' mapping method automatically disables this automatic mapping, which requires you to provision users manually.

For more information on identity objects, see the Identity user API obejct.

If you are using the lookup mapping method, use the following steps for each user after configuring the identity provider:

Create an OpenShift Container Platform User, if not created already:
```
oc create user <username>
```
```
$ oc create user <username>
```
Copy to Clipboard Toggle word wrap
For example, the following command creates a OpenShift Container Platform User bob:
```
oc create user bob
```
```
$ oc create user bob
```
Copy to Clipboard Toggle word wrap
Create an OpenShift Container Platform Identity, if not created already. Use the name of the identity provider and the name that uniquely represents this identity in the scope of the identity provider:
```
oc create identity <identity-provider>:<user-id-from-identity-provider>
```
```
$ oc create identity <identity-provider>:<user-id-from-identity-provider>
```
Copy to Clipboard Toggle word wrap
The <identity-provider> is the name of the identity provider in the master configuration, as shown in the appropriate identity provider section below.
For example, the following commands creates an Identity with identity provider ldap_provider and the identity provider user name bob_s.
```
oc create identity ldap_provider:bob_s
```
```
$ oc create identity ldap_provider:bob_s
```
Copy to Clipboard Toggle word wrap

Create a user/identity mapping for the created user and identity:

oc create useridentitymapping <identity-provider>:<user-id-from-identity-provider> <username>

$ oc create useridentitymapping <identity-provider>:<user-id-from-identity-provider> <username>

Copy to Clipboard

Toggle word wrap

For example, the following command maps the identity to the user:

oc create useridentitymapping ldap_provider:bob_s bob

$ oc create useridentitymapping ldap_provider:bob_s bob

Copy to Clipboard

Toggle word wrap

12.3.4. Allow all
링크 복사

Set AllowAllPasswordIdentityProvider in the identityProviders stanza to allow any non-empty user name and password to log in.

Example 12.3. Master Configuration Using AllowAllPasswordIdentityProvider

oauthConfig:
  ...
  identityProviders:
  - name: my_allow_provider 
    challenge: true 
    login: true 
    mappingMethod: claim 
    provider:
      apiVersion: v1
      kind: AllowAllPasswordIdentityProvider

oauthConfig:
  ...
  identityProviders:
  - name: my_allow_provider


    challenge: true


    login: true


    mappingMethod: claim


    provider:
      apiVersion: v1
      kind: AllowAllPasswordIdentityProvider

Copy to Clipboard

Toggle word wrap

1: This provider name is prefixed to provider user names to form an identity name.
2: When true, unauthenticated token requests from non-web clients (like the CLI) are sent a WWW-Authenticate challenge header for this provider.
3: When true, unauthenticated token requests from web clients (like the web console) are redirected to a login page backed by this provider.
4: Controls how mappings are established between this provider’s identities and user objects, as described above.

12.3.5. Deny all
링크 복사

Set DenyAllPasswordIdentityProvider in the identityProviders stanza to deny access for all user names and passwords.

Example 12.4. Master Configuration Using DenyAllPasswordIdentityProvider

oauthConfig:
  ...
  identityProviders:
  - name: my_deny_provider 
    challenge: true 
    login: true 
    mappingMethod: claim 
    provider:
      apiVersion: v1
      kind: DenyAllPasswordIdentityProvider

oauthConfig:
  ...
  identityProviders:
  - name: my_deny_provider


    challenge: true


    login: true


    mappingMethod: claim


    provider:
      apiVersion: v1
      kind: DenyAllPasswordIdentityProvider

Copy to Clipboard

Toggle word wrap

1: This provider name is prefixed to provider user names to form an identity name.
2: When true, unauthenticated token requests from non-web clients (like the CLI) are sent a WWW-Authenticate challenge header for this provider.
3: When true, unauthenticated token requests from web clients (like the web console) are redirected to a login page backed by this provider.
4: Controls how mappings are established between this provider’s identities and user objects, as described above.

12.3.6. HTPasswd
링크 복사

Set HTPasswdPasswordIdentityProvider in the identityProviders stanza to validate user names and passwords against a flat file generated using htpasswd.

Note

The htpasswd utility is in the httpd-tools package:

yum install httpd-tools

# yum install httpd-tools

Copy to Clipboard

Toggle word wrap

OpenShift Container Platform supports the Bcrypt, SHA-1, and MD5 cryptographic hash functions, and MD5 is the default for htpasswd. Plaintext, encrypted text, and other hash functions are not currently supported.

The flat file is reread if its modification time changes, without requiring a server restart.

To use the htpasswd command:

To create a flat file with a user name and hashed password, run:
```
htpasswd -c </path/to/users.htpasswd> <user_name>
```
```
$ htpasswd -c </path/to/users.htpasswd> <user_name>
```
Copy to Clipboard Toggle word wrap
Then, enter and confirm a clear-text password for the user. The command generates a hashed version of the password.
For example:
```
htpasswd -c users.htpasswd user1
New password:
Re-type new password:
Adding password for user user1
```
```
htpasswd -c users.htpasswd user1
New password:
Re-type new password:
Adding password for user user1
```
Copy to Clipboard Toggle word wrap
Note
You can include the -b option to supply the password on the command line:
$ htpasswd -c -b <user_name> <password>
Copy to Clipboard Toggle word wrap
For example:
$ htpasswd -c -b file user1 MyPassword! Adding password for user user1
Copy to Clipboard Toggle word wrap

To add or update a login to the file, run:
```
htpasswd </path/to/users.htpasswd> <user_name>
```
```
$ htpasswd </path/to/users.htpasswd> <user_name>
```
Copy to Clipboard Toggle word wrap

To remove a login from the file, run:

htpasswd -D </path/to/users.htpasswd> <user_name>

$ htpasswd -D </path/to/users.htpasswd> <user_name>

Copy to Clipboard

Toggle word wrap

Example 12.5. Master Configuration Using HTPasswdPasswordIdentityProvider

oauthConfig:
  ...
  identityProviders:
  - name: my_htpasswd_provider 
    challenge: true 
    login: true 
    mappingMethod: claim 
    provider:
      apiVersion: v1
      kind: HTPasswdPasswordIdentityProvider
      file: /path/to/users.htpasswd

oauthConfig:
  ...
  identityProviders:
  - name: my_htpasswd_provider


    challenge: true


    login: true


    mappingMethod: claim


    provider:
      apiVersion: v1
      kind: HTPasswdPasswordIdentityProvider
      file: /path/to/users.htpasswd

Copy to Clipboard

Toggle word wrap

1: This provider name is prefixed to provider user names to form an identity name.
2: When true, unauthenticated token requests from non-web clients (like the CLI) are sent a WWW-Authenticate challenge header for this provider.
3: When true, unauthenticated token requests from web clients (like the web console) are redirected to a login page backed by this provider.
4: Controls how mappings are established between this provider’s identities and user objects, as described above.
5: File generated using htpasswd.

12.3.7. Keystone
링크 복사

Set KeystonePasswordIdentityProvider in the identityProviders stanza to validate user names and passwords against an OpenStack Keystone v3 server. This enables shared authentication with an OpenStack server configured to store users in an internal Keystone database.

Example 12.6. Master Configuration Using KeystonePasswordIdentityProvider

oauthConfig:
  ...
  identityProviders:
  - name: my_keystone_provider 
    challenge: true 
    login: true 
    mappingMethod: claim 
    provider:
      apiVersion: v1
      kind: KeystonePasswordIdentityProvider
      domainName: default 
      url: http://keystone.example.com:5000 
      ca: ca.pem 
      certFile: keystone.pem 
      keyFile: keystonekey.pem

oauthConfig:
  ...
  identityProviders:
  - name: my_keystone_provider


    challenge: true


    login: true


    mappingMethod: claim


    provider:
      apiVersion: v1
      kind: KeystonePasswordIdentityProvider
      domainName: default


      url: http://keystone.example.com:5000


      ca: ca.pem


      certFile: keystone.pem


      keyFile: keystonekey.pem

Copy to Clipboard

Toggle word wrap

1: This provider name is prefixed to provider user names to form an identity name.
2: When true, unauthenticated token requests from non-web clients (like the CLI) are sent a WWW-Authenticate challenge header for this provider.
3: When true, unauthenticated token requests from web clients (like the web console) are redirected to a login page backed by this provider.
4: Controls how mappings are established between this provider’s identities and user objects, as described above.
5: Keystone domain name. In Keystone, usernames are domain-specific. Only a single domain is supported.
6: The URL to use to connect to the Keystone server (required).
7: Optional: Certificate bundle to use to validate server certificates for the configured URL.
8: Optional: Client certificate to present when making requests to the configured URL.
9: Key for the client certificate. Required if certFile is specified.

12.3.8. LDAP authentication
링크 복사

Set LDAPPasswordIdentityProvider in the identityProviders stanza to validate user names and passwords against an LDAPv3 server, using simple bind authentication.

Note

If you require failover for your LDAP server, instead of following these steps, extend the basic authentication method by configuring SSSD for LDAP failover.

During authentication, the LDAP directory is searched for an entry that matches the provided user name. If a single unique match is found, a simple bind is attempted using the distinguished name (DN) of the entry plus the provided password.

These are the steps taken:

Generate a search filter by combining the attribute and filter in the configured url with the user-provided user name.
Search the directory using the generated filter. If the search does not return exactly one entry, deny access.
Attempt to bind to the LDAP server using the DN of the entry retrieved from the search, and the user-provided password.
If the bind is unsuccessful, deny access.
If the bind is successful, build an identity using the configured attributes as the identity, email address, display name, and preferred user name.

The configured url is an RFC 2255 URL, which specifies the LDAP host and search parameters to use. The syntax of the URL is:

ldap://host:port/basedn?attribute?scope?filter

ldap://host:port/basedn?attribute?scope?filter

Copy to Clipboard

Toggle word wrap

For the above example:

Expand

URL Component	Description
`ldap`	For regular LDAP, use the string `ldap`. For secure LDAP (LDAPS), use `ldaps` instead.
`host:port`	The name and port of the LDAP server. Defaults to `localhost:389` for ldap and `localhost:636` for LDAPS.
`basedn`	The DN of the branch of the directory where all searches should start from. At the very least, this must be the top of your directory tree, but it could also specify a subtree in the directory.
`attribute`	The attribute to search for. Although RFC 2255 allows a comma-separated list of attributes, only the first attribute will be used, no matter how many are provided. If no attributes are provided, the default is to use `uid`. It is recommended to choose an attribute that will be unique across all entries in the subtree you will be using.
`scope`	The scope of the search. Can be either either `one` or `sub`. If the scope is not provided, the default is to use a scope of `sub`.
`filter`	A valid LDAP search filter. If not provided, defaults to `(objectClass=*)`

When doing searches, the attribute, filter, and provided user name are combined to create a search filter that looks like:

(&(<filter>)(<attribute>=<username>))

(&(<filter>)(<attribute>=<username>))

Copy to Clipboard

Toggle word wrap

For example, consider a URL of:

ldap://ldap.example.com/o=Acme?cn?sub?(enabled=true)

ldap://ldap.example.com/o=Acme?cn?sub?(enabled=true)

Copy to Clipboard

Toggle word wrap

When a client attempts to connect using a user name of bob, the resulting search filter will be (&(enabled=true)(cn=bob)).

If the LDAP directory requires authentication to search, specify a bindDN and bindPassword to use to perform the entry search.

Master Configuration Using LDAPPasswordIdentityProvider

oauthConfig:
  ...
  identityProviders:
  - name: "my_ldap_provider" 
    challenge: true 
    login: true 
    mappingMethod: claim 
    provider:
      apiVersion: v1
      kind: LDAPPasswordIdentityProvider
      attributes:
        id: 
        - dn
        email: 
        - mail
        name: 
        - cn
        preferredUsername: 
        - uid
      bindDN: "" 
      bindPassword: "" 
      ca: my-ldap-ca-bundle.crt 
      insecure: false 
      url: "ldap://ldap.example.com/ou=users,dc=acme,dc=com?uid"

oauthConfig:
  ...
  identityProviders:
  - name: "my_ldap_provider"


    challenge: true


    login: true


    mappingMethod: claim


    provider:
      apiVersion: v1
      kind: LDAPPasswordIdentityProvider
      attributes:
        id:


        - dn
        email:


        - mail
        name:


        - cn
        preferredUsername:


        - uid
      bindDN: ""


      bindPassword: ""


      ca: my-ldap-ca-bundle.crt


      insecure: false


      url: "ldap://ldap.example.com/ou=users,dc=acme,dc=com?uid"

Copy to Clipboard

Toggle word wrap

1: This provider name is prefixed to the returned user ID to form an identity name.
2: When true, unauthenticated token requests from non-web clients (like the CLI) are sent a WWW-Authenticate challenge header for this provider.
3: When true, unauthenticated token requests from web clients (like the web console) are redirected to a login page backed by this provider.
4: Controls how mappings are established between this provider’s identities and user objects, as described above.
5: List of attributes to use as the identity. First non-empty attribute is used. At least one attribute is required. If none of the listed attribute have a value, authentication fails.
6: List of attributes to use as the email address. First non-empty attribute is used.
7: List of attributes to use as the display name. First non-empty attribute is used.
8: List of attributes to use as the preferred user name when provisioning a user for this identity. First non-empty attribute is used.
9: Optional DN to use to bind during the search phase.
10: Optional password to use to bind during the search phase. This value may also be provided in an environment variable, external file, or encrypted file.
11: Certificate bundle to use to validate server certificates for the configured URL. If empty, system trusted roots are used. Only applies if insecure: false.
12: When true, no TLS connection is made to the server. When false, ldaps:// URLs connect using TLS, and ldap:// URLs are upgraded to TLS.
13: An RFC 2255 URL which specifies the LDAP host and search parameters to use, as described above.

Note

To whitelist users for an LDAP integration, use the lookup mapping method. Before a login from LDAP would be allowed, a cluster administrator must create an identity and user object for each LDAP user.

12.3.9. Basic authentication (remote)
링크 복사

Basic Authentication is a generic backend integration mechanism that allows users to log in to OpenShift Container Platform with credentials validated against a remote identity provider.

Because basic authentication is generic, you can use this identity provider for advanced authentication configurations. You can configure LDAP failover or use the containerized basic authentication repository as a starting point for another advanced remote basic authentication configuration.

Important

Basic authentication must use an HTTPS connection to the remote server to prevent potential snooping of the user ID and password and man-in-the-middle attacks.

With BasicAuthPasswordIdentityProvider configured, users send their user name and password to OpenShift Container Platform, which then validates those credentials against a remote server by making a server-to-server request, passing the credentials as a Basic Auth header. This requires users to send their credentials to OpenShift Container Platform during login.

Set BasicAuthPasswordIdentityProvider in the identityProviders stanza to validate user names and passwords against a remote server using a server-to-server Basic authentication request. User names and passwords are validated against a remote URL that is protected by Basic authentication and returns JSON.

A 401 response indicates failed authentication.

A non-200 status, or the presence of a non-empty "error" key, indicates an error:

{"error":"Error message"}

{"error":"Error message"}

Copy to Clipboard

Toggle word wrap

A 200 status with a sub (subject) key indicates success:

{"sub":"userid"}

{"sub":"userid"}

Copy to Clipboard

Toggle word wrap

1: The subject must be unique to the authenticated user and must not be able to be modified.

A successful response may optionally provide additional data, such as:

A display name using the name key. For example:
```
{"sub":"userid", "name": "User Name", ...}
```
```
{"sub":"userid", "name": "User Name", ...}
```
Copy to Clipboard Toggle word wrap
An email address using the email key. For example:
```
{"sub":"userid", "email":"user@example.com", ...}
```
```
{"sub":"userid", "email":"user@example.com", ...}
```
Copy to Clipboard Toggle word wrap
A preferred user name using the preferred_username key. This is useful when the unique, unchangeable subject is a database key or UID, and a more human-readable name exists. This is used as a hint when provisioning the OpenShift Container Platform user for the authenticated identity. For example:
```
{"sub":"014fbff9a07c", "preferred_username":"bob", ...}
```
```
{"sub":"014fbff9a07c", "preferred_username":"bob", ...}
```
Copy to Clipboard Toggle word wrap

Example 12.7. Master Configuration Using BasicAuthPasswordIdentityProvider

oauthConfig:
  ...
  identityProviders:
  - name: my_remote_basic_auth_provider 
    challenge: true 
    login: true 
    mappingMethod: claim 
    provider:
      apiVersion: v1
      kind: BasicAuthPasswordIdentityProvider
      url: https://www.example.com/remote-idp 
      ca: /path/to/ca.file 
      certFile: /path/to/client.crt 
      keyFile: /path/to/client.key

oauthConfig:
  ...
  identityProviders:
  - name: my_remote_basic_auth_provider


    challenge: true


    login: true


    mappingMethod: claim


    provider:
      apiVersion: v1
      kind: BasicAuthPasswordIdentityProvider
      url: https://www.example.com/remote-idp


      ca: /path/to/ca.file


      certFile: /path/to/client.crt


      keyFile: /path/to/client.key

Copy to Clipboard

Toggle word wrap

1: This provider name is prefixed to the returned user ID to form an identity name.
2: When true, unauthenticated token requests from non-web clients (like the CLI) are sent a WWW-Authenticate challenge header for this provider.
3: When true, unauthenticated token requests from web clients (like the web console) are redirected to a login page backed by this provider.
4: Controls how mappings are established between this provider’s identities and user objects, as described above.
5: URL accepting credentials in Basic authentication headers.
6: Optional: Certificate bundle to use to validate server certificates for the configured URL.
7: Optional: Client certificate to present when making requests to the configured URL.
8: Key for the client certificate. Required if certFile is specified.

12.3.10. Request header
링크 복사

Set RequestHeaderIdentityProvider in the identityProviders stanza to identify users from request header values, such as X-Remote-User. It is typically used in combination with an authenticating proxy, which sets the request header value. This is similar to how the remote user plug-in in OpenShift Enterprise 2 allowed administrators to provide Kerberos, LDAP, and many other forms of enterprise authentication.

You can also use the request header identity provider for advanced configurations such as SAML authentication.

For users to authenticate using this identity provider, they must access https://<master>/oauth/authorize (and subpaths) via an authenticating proxy. To accomplish this, configure the OAuth server to redirect unauthenticated requests for OAuth tokens to the proxy endpoint that proxies to https://<master>/oauth/authorize.

To redirect unauthenticated requests from clients expecting browser-based login flows:

Set the login parameter to true.
Set the provider.loginURL parameter to the authenticating proxy URL that will authenticate interactive clients and then proxy the request to https://<master>/oauth/authorize.

To redirect unauthenticated requests from clients expecting WWW-Authenticate challenges:

Set the challenge parameter to true.
Set the provider.challengeURL parameter to the authenticating proxy URL that will authenticate clients expecting WWW-Authenticate challenges and then proxy the request to https://<master>/oauth/authorize.

The provider.challengeURL and provider.loginURL parameters can include the following tokens in the query portion of the URL:

${url} is replaced with the current URL, escaped to be safe in a query parameter.
For example: https://www.example.com/sso-login?then=${url}
${query} is replaced with the current query string, unescaped.
For example: https://www.example.com/auth-proxy/oauth/authorize?${query}

Warning

If you expect unauthenticated requests to reach the OAuth server, a clientCA parameter MUST be set for this identity provider, so that incoming requests are checked for a valid client certificate before the request’s headers are checked for a user name. Otherwise, any direct request to the OAuth server can impersonate any identity from this provider, merely by setting a request header.

Example 12.8. Master Configuration Using RequestHeaderIdentityProvider

oauthConfig:
  ...
  identityProviders:
  - name: my_request_header_provider 
    challenge: true 
    login: true 
    mappingMethod: claim 
    provider:
      apiVersion: v1
      kind: RequestHeaderIdentityProvider
      challengeURL: "https://www.example.com/challenging-proxy/oauth/authorize?${query}" 
      loginURL: "https://www.example.com/login-proxy/oauth/authorize?${query}" 
      clientCA: /path/to/client-ca.file 
      clientCommonNames: 
      - my-auth-proxy
      headers: 
      - X-Remote-User
      - SSO-User
      emailHeaders: 
      - X-Remote-User-Email
      nameHeaders: 
      - X-Remote-User-Display-Name
      preferredUsernameHeaders: 
      - X-Remote-User-Login

oauthConfig:
  ...
  identityProviders:
  - name: my_request_header_provider


    challenge: true


    login: true


    mappingMethod: claim


    provider:
      apiVersion: v1
      kind: RequestHeaderIdentityProvider
      challengeURL: "https://www.example.com/challenging-proxy/oauth/authorize?${query}"


      loginURL: "https://www.example.com/login-proxy/oauth/authorize?${query}"


      clientCA: /path/to/client-ca.file


      clientCommonNames:


      - my-auth-proxy
      headers:


      - X-Remote-User
      - SSO-User
      emailHeaders:


      - X-Remote-User-Email
      nameHeaders:


      - X-Remote-User-Display-Name
      preferredUsernameHeaders:


      - X-Remote-User-Login

Copy to Clipboard

Toggle word wrap

1: This provider name is prefixed to the user name in the request header to form an identity name.
2: RequestHeaderIdentityProvider can only respond to clients that request WWW-Authenticate challenges by redirecting to a configured challengeURL. The configured URL should respond with a WWW-Authenticate challenge.
3: RequestHeaderIdentityProvider can only respond to clients requesting a login flow by redirecting to a configured loginURL. The configured URL should respond with a login flow.
4: Controls how mappings are established between this provider’s identities and user objects, as described above.
5: Optional: URL to redirect unauthenticated /oauth/authorize requests to, that will authenticate browser-based clients and then proxy their request to https://<master>/oauth/authorize. The URL that proxies to https://<master>/oauth/authorize must end with /authorize (with no trailing slash), and also proxy subpaths, in order for OAuth approval flows to work properly. ${url} is replaced with the current URL, escaped to be safe in a query parameter. ${query} is replaced with the current query string.
6: Optional: URL to redirect unauthenticated /oauth/authorize requests to, that will authenticate clients which expect WWW-Authenticate challenges, and then proxy them to https://<master>/oauth/authorize. ${url} is replaced with the current URL, escaped to be safe in a query parameter. ${query} is replaced with the current query string.
7: Optional: PEM-encoded certificate bundle. If set, a valid client certificate must be presented and validated against the certificate authorities in the specified file before the request headers are checked for user names.
8: Optional: list of common names (cn). If set, a valid client certificate with a Common Name (cn) in the specified list must be presented before the request headers are checked for user names. If empty, any Common Name is allowed. Can only be used in combination with clientCA.
9: Header names to check, in order, for the user identity. The first header containing a value is used as the identity. Required, case-insensitive.
10: Header names to check, in order, for an email address. The first header containing a value is used as the email address. Optional, case-insensitive.
11: Header names to check, in order, for a display name. The first header containing a value is used as the display name. Optional, case-insensitive.
12: Header names to check, in order, for a preferred user name, if different than the immutable identity determined from the headers specified in headers. The first header containing a value is used as the preferred user name when provisioning. Optional, case-insensitive.

Example 12.9. Apache Authentication Using RequestHeaderIdentityProvider

This example configures an authentication proxy on the same host as the master. Having the proxy and master on the same host is merely a convenience and may not be suitable for your environment. For example, if you were already running a router on the master, port 443 would not be available.

It is also important to note that while this reference configuration uses Apache’s mod_auth_form, it is by no means required and other proxies can easily be used if the following requirements are met:

Block the X-Remote-User header from client requests to prevent spoofing.
Enforce client certificate authentication in the RequestHeaderIdentityProvider configuration.
Require the X-Csrf-Token header be set for all authentication request using the challenge flow.
Only the /oauth/authorize endpoint and its subpaths should be proxied, and redirects should not be rewritten to allow the backend server to send the client to the correct location.
The URL that proxies to https://<master>/oauth/authorize must end with /authorize (with no trailing slash). For example:
- https://proxy.example.com/login-proxy/authorize?… https://<master>/oauth/authorize?…
Subpaths of the URL that proxies to https://<master>/oauth/authorize must proxy to subpaths of https://<master>/oauth/authorize. For example:
- https://proxy.example.com/login-proxy/authorize/approve?… https://<master>/oauth/authorize/approve?…

Installing the Prerequisites

The mod_auth_form module is shipped as part of the mod_session package that is found in the Optional channel:

yum install -y httpd mod_ssl mod_session apr-util-openssl

# yum install -y httpd mod_ssl mod_session apr-util-openssl

Copy to Clipboard

Toggle word wrap

Generate a CA for validating requests that submit the trusted header. This CA should be used as the file name for clientCA in the master’s identity provider configuration.

oc adm ca create-signer-cert \
  --cert='/etc/origin/master/proxyca.crt' \
  --key='/etc/origin/master/proxyca.key' \
  --name='openshift-proxy-signer@1432232228' \
  --serial='/etc/origin/master/proxyca.serial.txt'

# oc adm ca create-signer-cert \
  --cert='/etc/origin/master/proxyca.crt' \
  --key='/etc/origin/master/proxyca.key' \
  --name='openshift-proxy-signer@1432232228' \
  --serial='/etc/origin/master/proxyca.serial.txt'

Copy to Clipboard

Toggle word wrap

The oc adm ca create-signer-cert command generates a certificate that is valid for five years. This can be altered with the --expire-days option, but for security reasons, it is recommended to not make it greater than this value.

Run oc adm commands only from the first master listed in the Ansible host inventory file, by default /etc/ansible/hosts.

Generate a client certificate for the proxy. This can be done using any x509 certificate tooling. For convenience, the oc adm CLI can be used:

oc adm create-api-client-config \
  --certificate-authority='/etc/origin/master/proxyca.crt' \
  --client-dir='/etc/origin/master/proxy' \
  --signer-cert='/etc/origin/master/proxyca.crt' \
  --signer-key='/etc/origin/master/proxyca.key' \
  --signer-serial='/etc/origin/master/proxyca.serial.txt' \
  --user='system:proxy'
pushd /etc/origin/master
cp master.server.crt /etc/pki/tls/certs/localhost.crt
cp master.server.key /etc/pki/tls/private/localhost.key
cp ca.crt /etc/pki/CA/certs/ca.crt
cat proxy/system\:proxy.crt \
  proxy/system\:proxy.key > \
  /etc/pki/tls/certs/authproxy.pem
popd

# oc adm create-api-client-config \
  --certificate-authority='/etc/origin/master/proxyca.crt' \
  --client-dir='/etc/origin/master/proxy' \
  --signer-cert='/etc/origin/master/proxyca.crt' \
  --signer-key='/etc/origin/master/proxyca.key' \
  --signer-serial='/etc/origin/master/proxyca.serial.txt' \
  --user='system:proxy'



# pushd /etc/origin/master
# cp master.server.crt /etc/pki/tls/certs/localhost.crt


# cp master.server.key /etc/pki/tls/private/localhost.key
# cp ca.crt /etc/pki/CA/certs/ca.crt
# cat proxy/system\:proxy.crt \
  proxy/system\:proxy.key > \
  /etc/pki/tls/certs/authproxy.pem
# popd

Copy to Clipboard

Toggle word wrap

1: The user name can be anything, however it is useful to give it a descriptive name as it will appear in logs.
2: When running the authentication proxy on a different host name than the master, it is important to generate a certificate that matches the host name instead of using the default master certificate as shown above. The value for masterPublicURL in the /etc/origin/master/master-config.yaml file must be included in the X509v3 Subject Alternative Name in the certificate that is specified for SSLCertificateFile. If a new certificate needs to be created, the oc adm ca create-server-cert command can be used.

The oc adm create-api-client-config command generates a certificate that is valid for two years. This can be altered with the --expire-days option, but for security reasons, it is recommended to not make it greater than this value. Run oc adm commands only from the first master listed in the Ansible host inventory file, by default /etc/ansible/hosts.

Configuring Apache

Unlike OpenShift Enterprise 2, this proxy does not need to reside on the same host as the master. It uses a client certificate to connect to the master, which is configured to trust the X-Remote-User header.

Configure Apache per the following:

LoadModule auth_form_module modules/mod_auth_form.so
LoadModule session_module modules/mod_session.so
LoadModule request_module modules/mod_request.so

# Nothing needs to be served over HTTP.  This virtual host simply redirects to
# HTTPS.
<VirtualHost *:80>
  DocumentRoot /var/www/html
  RewriteEngine              On
  RewriteRule     ^(.*)$     https://%{HTTP_HOST}$1 [R,L]
</VirtualHost>

<VirtualHost *:443>
  # This needs to match the certificates you generated.  See the CN and X509v3
  # Subject Alternative Name in the output of:
  # openssl x509 -text -in /etc/pki/tls/certs/localhost.crt
  ServerName www.example.com

  DocumentRoot /var/www/html
  SSLEngine on
  SSLCertificateFile /etc/pki/tls/certs/localhost.crt
  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
  SSLCACertificateFile /etc/pki/CA/certs/ca.crt

  SSLProxyEngine on
  SSLProxyCACertificateFile /etc/pki/CA/certs/ca.crt
  # It's critical to enforce client certificates on the Master.  Otherwise
  # requests could spoof the X-Remote-User header by accessing the Master's
  # /oauth/authorize endpoint directly.
  SSLProxyMachineCertificateFile /etc/pki/tls/certs/authproxy.pem

  # Send all requests to the console
  RewriteEngine              On
  RewriteRule     ^/console(.*)$     https://%{HTTP_HOST}:8443/console$1 [R,L]

  # In order to using the challenging-proxy an X-Csrf-Token must be present.
  RewriteCond %{REQUEST_URI} ^/challenging-proxy
  RewriteCond %{HTTP:X-Csrf-Token} ^$ [NC]
  RewriteRule ^.* - [F,L]

  <Location /challenging-proxy/oauth/authorize>
    # Insert your backend server name/ip here.
    ProxyPass https://[MASTER]:8443/oauth/authorize
    AuthType basic
  </Location>

  <Location /login-proxy/oauth/authorize>
    # Insert your backend server name/ip here.
    ProxyPass https://[MASTER]:8443/oauth/authorize

    # mod_auth_form providers are implemented by mod_authn_dbm, mod_authn_file,
    # mod_authn_dbd, mod_authnz_ldap and mod_authn_socache.
    AuthFormProvider file
    AuthType form
    AuthName openshift
    ErrorDocument 401 /login.html
  </Location>

  <ProxyMatch /oauth/authorize>
    AuthUserFile /etc/origin/master/htpasswd
    AuthName openshift
    Require valid-user
    RequestHeader set X-Remote-User %{REMOTE_USER}s env=REMOTE_USER

    # For ldap:
    # AuthBasicProvider ldap
    # AuthLDAPURL "ldap://ldap.example.com:389/ou=People,dc=my-domain,dc=com?uid?sub?(objectClass=*)"

    # It's possible to remove the mod_auth_form usage and replace it with
    # something like mod_auth_kerb, mod_auth_gssapi or even mod_auth_mellon.
    # The former would be able to support both the login and challenge flows
    # from the Master.  Mellon would likely only support the login flow.

    # For Kerberos
    # yum install mod_auth_gssapi
    # AuthType GSSAPI
    # GssapiCredStore keytab:/etc/httpd.keytab
  </ProxyMatch>

</VirtualHost>

RequestHeader unset X-Remote-User

LoadModule auth_form_module modules/mod_auth_form.so
LoadModule session_module modules/mod_session.so
LoadModule request_module modules/mod_request.so

# Nothing needs to be served over HTTP.  This virtual host simply redirects to
# HTTPS.
<VirtualHost *:80>
  DocumentRoot /var/www/html
  RewriteEngine              On
  RewriteRule     ^(.*)$     https://%{HTTP_HOST}$1 [R,L]
</VirtualHost>

<VirtualHost *:443>
  # This needs to match the certificates you generated.  See the CN and X509v3
  # Subject Alternative Name in the output of:
  # openssl x509 -text -in /etc/pki/tls/certs/localhost.crt
  ServerName www.example.com

  DocumentRoot /var/www/html
  SSLEngine on
  SSLCertificateFile /etc/pki/tls/certs/localhost.crt
  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
  SSLCACertificateFile /etc/pki/CA/certs/ca.crt

  SSLProxyEngine on
  SSLProxyCACertificateFile /etc/pki/CA/certs/ca.crt
  # It's critical to enforce client certificates on the Master.  Otherwise
  # requests could spoof the X-Remote-User header by accessing the Master's
  # /oauth/authorize endpoint directly.
  SSLProxyMachineCertificateFile /etc/pki/tls/certs/authproxy.pem

  # Send all requests to the console
  RewriteEngine              On
  RewriteRule     ^/console(.*)$     https://%{HTTP_HOST}:8443/console$1 [R,L]

  # In order to using the challenging-proxy an X-Csrf-Token must be present.
  RewriteCond %{REQUEST_URI} ^/challenging-proxy
  RewriteCond %{HTTP:X-Csrf-Token} ^$ [NC]
  RewriteRule ^.* - [F,L]

  <Location /challenging-proxy/oauth/authorize>
    # Insert your backend server name/ip here.
    ProxyPass https://[MASTER]:8443/oauth/authorize
    AuthType basic
  </Location>

  <Location /login-proxy/oauth/authorize>
    # Insert your backend server name/ip here.
    ProxyPass https://[MASTER]:8443/oauth/authorize

    # mod_auth_form providers are implemented by mod_authn_dbm, mod_authn_file,
    # mod_authn_dbd, mod_authnz_ldap and mod_authn_socache.
    AuthFormProvider file
    AuthType form
    AuthName openshift
    ErrorDocument 401 /login.html
  </Location>

  <ProxyMatch /oauth/authorize>
    AuthUserFile /etc/origin/master/htpasswd
    AuthName openshift
    Require valid-user
    RequestHeader set X-Remote-User %{REMOTE_USER}s env=REMOTE_USER

    # For ldap:
    # AuthBasicProvider ldap
    # AuthLDAPURL "ldap://ldap.example.com:389/ou=People,dc=my-domain,dc=com?uid?sub?(objectClass=*)"

    # It's possible to remove the mod_auth_form usage and replace it with
    # something like mod_auth_kerb, mod_auth_gssapi or even mod_auth_mellon.
    # The former would be able to support both the login and challenge flows
    # from the Master.  Mellon would likely only support the login flow.

    # For Kerberos
    # yum install mod_auth_gssapi
    # AuthType GSSAPI
    # GssapiCredStore keytab:/etc/httpd.keytab
  </ProxyMatch>

</VirtualHost>

RequestHeader unset X-Remote-User

Copy to Clipboard

Toggle word wrap

Additional mod_auth_form Requirements

A sample login page is available from the openshift_extras repository. This file should be placed in the DocumentRoot location (/var/www/html by default).

Creating Users

At this point, you can create the users in the system Apache is using to store accounts information. In this example, file-backed authentication is used:

yum -y install httpd-tools
touch /etc/origin/master/htpasswd
htpasswd /etc/origin/master/htpasswd <user_name>

# yum -y install httpd-tools
# touch /etc/origin/master/htpasswd
# htpasswd /etc/origin/master/htpasswd <user_name>

Copy to Clipboard

Toggle word wrap

Configuring the Master

The identityProviders stanza in the /etc/origin/master/master-config.yaml file must be updated as well:

  identityProviders:
  - name: requestheader
    challenge: true
    login: true
    provider:
      apiVersion: v1
      kind: RequestHeaderIdentityProvider
      challengeURL: "https://[MASTER]/challenging-proxy/oauth/authorize?${query}"
      loginURL: "https://[MASTER]/login-proxy/oauth/authorize?${query}"
      clientCA: /etc/origin/master/proxyca.crt
      headers:
      - X-Remote-User

  identityProviders:
  - name: requestheader
    challenge: true
    login: true
    provider:
      apiVersion: v1
      kind: RequestHeaderIdentityProvider
      challengeURL: "https://[MASTER]/challenging-proxy/oauth/authorize?${query}"
      loginURL: "https://[MASTER]/login-proxy/oauth/authorize?${query}"
      clientCA: /etc/origin/master/proxyca.crt
      headers:
      - X-Remote-User

Copy to Clipboard

Toggle word wrap

Restarting Services

Finally, restart the following services:

systemctl restart httpd
systemctl restart atomic-openshift-master-api atomic-openshift-master-controllers

# systemctl restart httpd
# systemctl restart atomic-openshift-master-api atomic-openshift-master-controllers

Copy to Clipboard

Toggle word wrap

Verifying the Configuration

Test by bypassing the proxy. You should be able to request a token if you supply the correct client certificate and header:

curl -L -k -H "X-Remote-User: joe" \
   --cert /etc/pki/tls/certs/authproxy.pem \
   https://[MASTER]:8443/oauth/token/request

# curl -L -k -H "X-Remote-User: joe" \
   --cert /etc/pki/tls/certs/authproxy.pem \
   https://[MASTER]:8443/oauth/token/request

Copy to Clipboard

Toggle word wrap

If you do not supply the client certificate, the request should be denied:

curl -L -k -H "X-Remote-User: joe" \
   https://[MASTER]:8443/oauth/token/request

# curl -L -k -H "X-Remote-User: joe" \
   https://[MASTER]:8443/oauth/token/request

Copy to Clipboard

Toggle word wrap

This should show a redirect to the configured challengeURL (with additional query parameters):

curl -k -v -H 'X-Csrf-Token: 1' \
   '<masterPublicURL>/oauth/authorize?client_id=openshift-challenging-client&response_type=token'

# curl -k -v -H 'X-Csrf-Token: 1' \
   '<masterPublicURL>/oauth/authorize?client_id=openshift-challenging-client&response_type=token'

Copy to Clipboard

Toggle word wrap

This should show a 401 response with a WWW-Authenticate basic challenge:

 curl -k -v -H 'X-Csrf-Token: 1' \
    '<redirected challengeURL from step 3 +query>'

#  curl -k -v -H 'X-Csrf-Token: 1' \
    '<redirected challengeURL from step 3 +query>'

Copy to Clipboard

Toggle word wrap

This should show a redirect with an access token:

 curl -k -v -u <your_user>:<your_password> \
    -H 'X-Csrf-Token: 1' '<redirected_challengeURL_from_step_3 +query>'

#  curl -k -v -u <your_user>:<your_password> \
    -H 'X-Csrf-Token: 1' '<redirected_challengeURL_from_step_3 +query>'

Copy to Clipboard

Toggle word wrap

12.3.11. GitHub
링크 복사

Set GitHubIdentityProvider in the identityProviders stanza to use GitHub as an identity provider, using the OAuth integration.

Note

Using GitHub as an identity provider requires users to get a token using <master>/oauth/token/request to use with command-line tools.

Warning

Using GitHub as an identity provider allows any GitHub user to authenticate to your server. You can limit authentication to members of specific GitHub organizations with the organizations configuration attribute, as shown below.

Example 12.10. Master Configuration Using GitHubIdentityProvider

oauthConfig:
  ...
  identityProviders:
  - name: github 
    challenge: false 
    login: true 
    mappingMethod: claim 
    provider:
      apiVersion: v1
      kind: GitHubIdentityProvider
      clientID: ... 
      clientSecret: ... 
      organizations: 
      - myorganization1
      - myorganization2
      teams: 
      - myorganization1/team-a
      - myorganization2/team-b

oauthConfig:
  ...
  identityProviders:
  - name: github


    challenge: false


    login: true


    mappingMethod: claim


    provider:
      apiVersion: v1
      kind: GitHubIdentityProvider
      clientID: ...


      clientSecret: ...


      organizations:


      - myorganization1
      - myorganization2
      teams:


      - myorganization1/team-a
      - myorganization2/team-b

Copy to Clipboard

Toggle word wrap

1: This provider name is prefixed to the GitHub numeric user ID to form an identity name. It is also used to build the callback URL.
2: GitHubIdentityProvider cannot be used to send WWW-Authenticate challenges.
3: When true, unauthenticated token requests from web clients (like the web console) are redirected to GitHub to log in.
4: Controls how mappings are established between this provider’s identities and user objects, as described above.
5: The client ID of a registered GitHub OAuth application. The application must be configured with a callback URL of <master>/oauth2callback/<identityProviderName>.
6: The client secret issued by GitHub. This value may also be provided in an environment variable, external file, or encrypted file.
7: Optional list of organizations. If specified, only GitHub users that are members of at least one of the listed organizations will be allowed to log in. If the GitHub OAuth application configured in clientID is not owned by the organization, an organization owner must grant third-party access in order to use this option. This can be done during the first GitHub login by the organization’s administrator, or from the GitHub organization settings. Cannot be used in combination with the teams field.
8: Optional list of teams. If specified, only GitHub users that are members of at least one of the listed teams will be allowed to log in. If the GitHub OAuth application configured in clientID is not owned by the team’s organization, an organization owner must grant third-party access in order to use this option. This can be done during the first GitHub login by the organization’s administrator, or from the GitHub organization settings. Cannot be used in combination with the organizations field.

12.3.12. GitLab
링크 복사

Set GitLabIdentityProvider in the identityProviders stanza to use GitLab.com or any other GitLab instance as an identity provider, using the OAuth integration. The OAuth provider feature requires GitLab version 7.7.0 or higher.

Example 12.11. Master Configuration Using GitLabIdentityProvider

oauthConfig:
  ...
  identityProviders:
  - name: gitlab 
    challenge: true 
    login: true 
    mappingMethod: claim 
    provider:
      apiVersion: v1
      kind: GitLabIdentityProvider
      url: ... 
      clientID: ... 
      clientSecret: ... 
      ca: ...

oauthConfig:
  ...
  identityProviders:
  - name: gitlab


    challenge: true


    login: true


    mappingMethod: claim


    provider:
      apiVersion: v1
      kind: GitLabIdentityProvider
      url: ...


      clientID: ...


      clientSecret: ...


      ca: ...

Copy to Clipboard

Toggle word wrap

1: This provider name is prefixed to the GitLab numeric user ID to form an identity name. It is also used to build the callback URL.
2: When true, unauthenticated token requests from non-web clients (like the CLI) are sent a WWW-Authenticate challenge header for this provider. This uses the Resource Owner Password Credentials grant flow to obtain an access token from GitLab.
3: When true, unauthenticated token requests from web clients (like the web console) are redirected to GitLab to log in.
4: Controls how mappings are established between this provider’s identities and user objects, as described above.
5: The host URL of a GitLab OAuth provider. This could either be https://gitlab.com/ or any other self hosted instance of GitLab.
6: The client ID of a registered GitLab OAuth application. The application must be configured with a callback URL of <master>/oauth2callback/<identityProviderName>.
7: The client secret issued by GitLab. This value may also be provided in an environment variable, external file, or encrypted file.
8: CA is an optional trusted certificate authority bundle to use when making requests to the GitLab instance. If empty, the default system roots are used.

12.3.13. Google
링크 복사

Set GoogleIdentityProvider in the identityProviders stanza to use Google as an identity provider, using Google’s OpenID Connect integration.

Note

Using Google as an identity provider requires users to get a token using <master>/oauth/token/request to use with command-line tools.

Warning

Using Google as an identity provider allows any Google user to authenticate to your server. You can limit authentication to members of a specific hosted domain with the hostedDomain configuration attribute, as shown below.

Example 12.12. Master Configuration Using GoogleIdentityProvider

oauthConfig:
  ...
  identityProviders:
  - name: google 
    challenge: false 
    login: true 
    mappingMethod: claim 
    provider:
      apiVersion: v1
      kind: GoogleIdentityProvider
      clientID: ... 
      clientSecret: ... 
      hostedDomain: ""

oauthConfig:
  ...
  identityProviders:
  - name: google


    challenge: false


    login: true


    mappingMethod: claim


    provider:
      apiVersion: v1
      kind: GoogleIdentityProvider
      clientID: ...


      clientSecret: ...


      hostedDomain: ""

Copy to Clipboard

Toggle word wrap

1: This provider name is prefixed to the Google numeric user ID to form an identity name. It is also used to build the redirect URL.
2: GoogleIdentityProvider cannot be used to send WWW-Authenticate challenges.
3: When true, unauthenticated token requests from web clients (like the web console) are redirected to Google to log in.
4: Controls how mappings are established between this provider’s identities and user objects, as described above.
5: The client ID of a registered Google project. The project must be configured with a redirect URI of <master>/oauth2callback/<identityProviderName>.
6: The client secret issued by Google. This value may also be provided in an environment variable, external file, or encrypted file.
7: Optional hosted domain to restrict sign-in accounts to. If empty, any Google account is allowed to authenticate.

12.3.14. OpenID connect
링크 복사

Set OpenIDIdentityProvider in the identityProviders stanza to integrate with an OpenID Connect identity provider using an Authorization Code Flow.

Note

ID Token and UserInfo decryptions are not supported.

By default, the openid scope is requested. If required, extra scopes can be specified in the extraScopes field.

Claims are read from the JWT id_token returned from the OpenID identity provider and, if specified, from the JSON returned by the UserInfo URL.

At least one claim must be configured to use as the user’s identity. The standard identity claim is sub.

You can also indicate which claims to use as the user’s preferred user name, display name, and email address. If multiple claims are specified, the first one with a non-empty value is used. The standard claims are:

`sub`	Short for "subject identifier." The remote identity for the user at the issuer.
`preferred_username`	The preferred user name when provisioning a user. A shorthand name that the user wants to be referred to as, such as `janedoe`. Typically a value that corresponding to the user’s login or username in the authentication system, such as username or email.
`email`	Email address.
`name`	Display name.

See the OpenID claims documentation for more information.

Note

Using an OpenID Connect identity provider requires users to get a token using <master>/oauth/token/request to use with command-line tools.

Standard Master Configuration Using OpenIDIdentityProvider

oauthConfig:
  ...
  identityProviders:
  - name: my_openid_connect 
    challenge: true 
    login: true 
    mappingMethod: claim 
    provider:
      apiVersion: v1
      kind: OpenIDIdentityProvider
      clientID: ... 
      clientSecret: ... 
      claims:
        id: 
        - sub
        preferredUsername:
        - preferred_username
        name:
        - name
        email:
        - email
      urls:
        authorize: https://myidp.example.com/oauth2/authorize 
        token: https://myidp.example.com/oauth2/token

oauthConfig:
  ...
  identityProviders:
  - name: my_openid_connect


    challenge: true


    login: true


    mappingMethod: claim


    provider:
      apiVersion: v1
      kind: OpenIDIdentityProvider
      clientID: ...


      clientSecret: ...


      claims:
        id:


        - sub
        preferredUsername:
        - preferred_username
        name:
        - name
        email:
        - email
      urls:
        authorize: https://myidp.example.com/oauth2/authorize


        token: https://myidp.example.com/oauth2/token

Copy to Clipboard

Toggle word wrap

1: This provider name is prefixed to the value of the identity claim to form an identity name. It is also used to build the redirect URL.
2: When true, unauthenticated token requests from non-web clients (like the CLI) are sent a WWW-Authenticate challenge header for this provider. This requires the OpenID provider to support the Resource Owner Password Credentials grant flow.
3: When true, unauthenticated token requests from web clients (like the web console) are redirected to the authorize URL to log in.
4: Controls how mappings are established between this provider’s identities and user objects, as described above.
5: The client ID of a client registered with the OpenID provider. The client must be allowed to redirect to <master>/oauth2callback/<identityProviderName>.
6: The client secret. This value may also be provided in an environment variable, external file, or encrypted file.
7: List of claims to use as the identity. First non-empty claim is used. At least one claim is required. If none of the listed claims have a value, authentication fails. For example, this uses the value of the sub claim in the returned id_token as the user’s identity.
8: Authorization Endpoint described in the OpenID spec. Must use https.
9: Token Endpoint described in the OpenID spec. Must use https.

A custom certificate bundle, extra scopes, extra authorization request parameters, and userInfo URL can also be specified:

Example 12.13. Full Master Configuration Using OpenIDIdentityProvider

oauthConfig:
  ...
  identityProviders:
  - name: my_openid_connect
    challenge: false
    login: true
    mappingMethod: claim
    provider:
      apiVersion: v1
      kind: OpenIDIdentityProvider
      clientID: ...
      clientSecret: ...
      ca: my-openid-ca-bundle.crt 
      extraScopes: 
      - email
      - profile
      extraAuthorizeParameters: 
        include_granted_scopes: "true"
      claims:
        id: 
        - custom_id_claim
        - sub
        preferredUsername: 
        - preferred_username
        - email
        name: 
        - nickname
        - given_name
        - name
        email: 
        - custom_email_claim
        - email
      urls:
        authorize: https://myidp.example.com/oauth2/authorize
        token: https://myidp.example.com/oauth2/token
        userInfo: https://myidp.example.com/oauth2/userinfo

oauthConfig:
  ...
  identityProviders:
  - name: my_openid_connect
    challenge: false
    login: true
    mappingMethod: claim
    provider:
      apiVersion: v1
      kind: OpenIDIdentityProvider
      clientID: ...
      clientSecret: ...
      ca: my-openid-ca-bundle.crt


      extraScopes:


      - email
      - profile
      extraAuthorizeParameters:


        include_granted_scopes: "true"
      claims:
        id:


        - custom_id_claim
        - sub
        preferredUsername:


        - preferred_username
        - email
        name:


        - nickname
        - given_name
        - name
        email:


        - custom_email_claim
        - email
      urls:
        authorize: https://myidp.example.com/oauth2/authorize
        token: https://myidp.example.com/oauth2/token
        userInfo: https://myidp.example.com/oauth2/userinfo

Copy to Clipboard

Toggle word wrap

1: Certificate bundle to use to validate server certificates for the configured URLs. If empty, system trusted roots are used.
2: Optional list of scopes to request, in addition to the openid scope, during the authorization token request.
3: Optional map of extra parameters to add to the authorization token request.
4: List of claims to use as the identity. First non-empty claim is used. At least one claim is required. If none of the listed claims have a value, authentication fails.
5: List of claims to use as the preferred user name when provisioning a user for this identity. First non-empty claim is used.
6: List of claims to use as the display name. First non-empty claim is used.
7: List of claims to use as the email address. First non-empty claim is used.
8: UserInfo Endpoint described in the OpenID spec. Must use https.

12.4. Token options
링크 복사

The OAuth server generates two kinds of tokens:

Access tokens	Longer-lived tokens that grant access to the API.
Authorize codes	Short-lived tokens whose only use is to be exchanged for an access token.

Use the tokenConfig stanza to set token options:

Example 12.14. Master Configuration Token Options

oauthConfig:
  ...
  tokenConfig:
    accessTokenMaxAgeSeconds: 86400 
    authorizeTokenMaxAgeSeconds: 300

oauthConfig:
  ...
  tokenConfig:
    accessTokenMaxAgeSeconds: 86400


    authorizeTokenMaxAgeSeconds: 300

Copy to Clipboard

Toggle word wrap

1: Set accessTokenMaxAgeSeconds to control the lifetime of access tokens. The default lifetime is 24 hours.
2: Set authorizeTokenMaxAgeSeconds to control the lifetime of authorize codes. The default lifetime is five minutes.

12.5. Grant options
링크 복사

When the OAuth server receives token requests for a client to which the user has not previously granted permission, the action that the OAuth server takes is dependent on the OAuth client’s grant strategy.

When the OAuth client requesting token does not provide its own grant strategy, the server-wide default strategy is used. To configure the default strategy, set the method value in the grantConfig stanza. Valid values for method are:

`auto`	Auto-approve the grant and retry the request.
`prompt`	Prompt the user to approve or deny the grant.
`deny`	Auto-deny the grant and return a failure error to the client.

Example 12.15. Master Configuration Grant Options

oauthConfig:
  ...
  grantConfig:
    method: auto

oauthConfig:
  ...
  grantConfig:
    method: auto

Copy to Clipboard

Toggle word wrap

12.6. Session options
링크 복사

The OAuth server uses a signed and encrypted cookie-based session during login and redirect flows.

Use the sessionConfig stanza to set session options:

Example 12.16. Master Configuration Session Options

oauthConfig:
  ...
  sessionConfig:
    sessionMaxAgeSeconds: 300 
    sessionName: ssn 
    sessionSecretsFile: "..."

oauthConfig:
  ...
  sessionConfig:
    sessionMaxAgeSeconds: 300


    sessionName: ssn


    sessionSecretsFile: "..."

Copy to Clipboard

Toggle word wrap

1: Controls the maximum age of a session; sessions auto-expire once a token request is complete. If auto-grant is not enabled, sessions must last as long as the user is expected to take to approve or reject a client authorization request.
2: Name of the cookie used to store the session.
3: File name containing serialized SessionSecrets object. If empty, a random signing and encryption secret is generated at each server start.

If no sessionSecretsFile is specified, a random signing and encryption secret is generated at each start of the master server. This means that any logins in progress will have their sessions invalidated if the master is restarted. It also means that if multiple masters are configured, they will not be able to decode sessions generated by one of the other masters.

To specify the signing and encryption secret to use, specify a sessionSecretsFile. This allows you separate secret values from the configuration file and keep the configuration file distributable, for example for debugging purposes.

Multiple secrets can be specified in the sessionSecretsFile to enable rotation. New sessions are signed and encrypted using the first secret in the list. Existing sessions are decrypted and authenticated by each secret until one succeeds.

Example 12.17. Session Secret Configuration:

apiVersion: v1
kind: SessionSecrets
secrets: 
- authentication: "..." 
  encryption: "..." 
- authentication: "..."
  encryption: "..."
...

apiVersion: v1
kind: SessionSecrets
secrets:


- authentication: "..."


  encryption: "..."


- authentication: "..."
  encryption: "..."
...

Copy to Clipboard

Toggle word wrap

1: List of secrets used to authenticate and encrypt cookie sessions. At least one secret must be specified. Each secret must set an authentication and encryption secret.
2: Signing secret, used to authenticate sessions using HMAC. Recommended to use a secret with 32 or 64 bytes.
3: Encrypting secret, used to encrypt sessions. Must be 16, 24, or 32 characters long, to select AES-128, AES-192, or AES-256.

12.7. Preventing CLI version mismatch with user agent
링크 복사

OpenShift Container Platform implements a user agent that can be used to prevent an application developer’s CLI accessing the OpenShift Container Platform API.

User agents for the OpenShift Container Platform CLI are constructed from a set of values within OpenShift Container Platform:

<command>/<version> (<platform>/<architecture>) <client>/<git_commit>

<command>/<version> (<platform>/<architecture>) <client>/<git_commit>

Copy to Clipboard

Toggle word wrap

So, for example, when:

<command> = oc
<version> = The client version. For example, v3.3.0. Requests made against the Kubernetes API at /api receive the Kubernetes version, while requests made against the OpenShift Container Platform API at /oapi receive the OpenShift Container Platform version (as specified by oc version)
<platform> = linux
<architecture> = amd64
<client> = openshift, or kubernetes depending on if the request is made against the Kubernetes API at /api, or the OpenShift Container Platform API at /oapi
<git_commit> = The Git commit of the client version (for example, f034127)

the user agent will be:

oc/v3.3.0 (linux/amd64) openshift/f034127

oc/v3.3.0 (linux/amd64) openshift/f034127

Copy to Clipboard

Toggle word wrap

As an OpenShift Container Platform administrator, you can prevent clients from accessing the API with the userAgentMatching configuration setting of a master configuration. So, if a client is using a particular library or binary, they will be prevented from accessing the API.

The following user agent example denies the Kubernetes 1.2 client binary, OpenShift Origin 1.1.3 binary, and the POST and PUT httpVerbs:

policyConfig:
  userAgentMatchingConfig:
    defaultRejectionMessage: "Your client is too old.  Go to https://example.org to update it."
    deniedClients:
    - regex: '\w+/v(?:(?:1\.1\.1)|(?:1\.0\.1)) \(.+/.+\) openshift/\w{7}'
    - regex: '\w+/v(?:1\.1\.3) \(.+/.+\) openshift/\w{7}'
      httpVerbs:
      - POST
      - PUT
    - regex: '\w+/v1\.2\.0 \(.+/.+\) kubernetes/\w{7}'
      httpVerbs:
      - POST
      - PUT
    requiredClients: null

policyConfig:
  userAgentMatchingConfig:
    defaultRejectionMessage: "Your client is too old.  Go to https://example.org to update it."
    deniedClients:
    - regex: '\w+/v(?:(?:1\.1\.1)|(?:1\.0\.1)) \(.+/.+\) openshift/\w{7}'
    - regex: '\w+/v(?:1\.1\.3) \(.+/.+\) openshift/\w{7}'
      httpVerbs:
      - POST
      - PUT
    - regex: '\w+/v1\.2\.0 \(.+/.+\) kubernetes/\w{7}'
      httpVerbs:
      - POST
      - PUT
    requiredClients: null

Copy to Clipboard

Toggle word wrap

Administrators can also deny clients that do not exactly match the expected clients:

policyConfig:
  userAgentMatchingConfig:
    defaultRejectionMessage: "Your client is too old.  Go to https://example.org to update it."
    deniedClients: []
    requiredClients:
    - regex: '\w+/v1\.1\.3 \(.+/.+\) openshift/\w{7}'
    - regex: '\w+/v1\.2\.0 \(.+/.+\) kubernetes/\w{7}'
      httpVerbs:
      - POST
      - PUT

policyConfig:
  userAgentMatchingConfig:
    defaultRejectionMessage: "Your client is too old.  Go to https://example.org to update it."
    deniedClients: []
    requiredClients:
    - regex: '\w+/v1\.1\.3 \(.+/.+\) openshift/\w{7}'
    - regex: '\w+/v1\.2\.0 \(.+/.+\) kubernetes/\w{7}'
      httpVerbs:
      - POST
      - PUT

Copy to Clipboard

Toggle word wrap

Note

When the client’s user agent mismatches the configuration, errors occur. To ensure that mutating requests match, enforce a whitelist. Rules are mapped to specific verbs, so you can ban mutating requests while allowing non-mutating requests.

맨 위로 이동

이 콘텐츠는 선택한 언어로 제공되지 않습니다.

Chapter 12. Configuring authentication and user agent

12.1. Overview
링크 복사

12.2. Identity provider parameters
링크 복사

12.3. Configuring identity providers
링크 복사

12.3.1. Configuring identity providers with Ansible
링크 복사

12.3.2. Configuring identity providers in the master configuration file
링크 복사

12.3.3. Configuring an identity provider or method
링크 복사

12.3.3.1. Manually provisioning a user when using the lookup mapping method
링크 복사

12.3.4. Allow all
링크 복사

12.3.5. Deny all
링크 복사

12.3.6. HTPasswd
링크 복사

12.3.7. Keystone
링크 복사

12.3.8. LDAP authentication
링크 복사

12.3.9. Basic authentication (remote)
링크 복사

12.3.10. Request header
링크 복사

12.3.11. GitHub
링크 복사

12.3.12. GitLab
링크 복사

12.3.13. Google
링크 복사

12.3.14. OpenID connect
링크 복사

12.4. Token options
링크 복사

12.5. Grant options
링크 복사

12.6. Session options
링크 복사

12.7. Preventing CLI version mismatch with user agent
링크 복사

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 문서 정보

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat 소개

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

이 콘텐츠는 선택한 언어로 제공되지 않습니다.

Chapter 12. Configuring authentication and user agent

12.1. Overview링크 복사링크가 클립보드에 복사되었습니다!

12.2. Identity provider parameters링크 복사링크가 클립보드에 복사되었습니다!

12.3. Configuring identity providers링크 복사링크가 클립보드에 복사되었습니다!

12.3.1. Configuring identity providers with Ansible링크 복사링크가 클립보드에 복사되었습니다!

12.3.2. Configuring identity providers in the master configuration file링크 복사링크가 클립보드에 복사되었습니다!

12.3.3. Configuring an identity provider or method링크 복사링크가 클립보드에 복사되었습니다!

12.3.3.1. Manually provisioning a user when using the lookup mapping method링크 복사링크가 클립보드에 복사되었습니다!

12.3.4. Allow all링크 복사링크가 클립보드에 복사되었습니다!

12.3.5. Deny all링크 복사링크가 클립보드에 복사되었습니다!

12.3.6. HTPasswd링크 복사링크가 클립보드에 복사되었습니다!

12.3.7. Keystone링크 복사링크가 클립보드에 복사되었습니다!

12.3.8. LDAP authentication링크 복사링크가 클립보드에 복사되었습니다!

12.3.9. Basic authentication (remote)링크 복사링크가 클립보드에 복사되었습니다!

12.3.10. Request header링크 복사링크가 클립보드에 복사되었습니다!

12.3.11. GitHub링크 복사링크가 클립보드에 복사되었습니다!

12.3.12. GitLab링크 복사링크가 클립보드에 복사되었습니다!

12.3.13. Google링크 복사링크가 클립보드에 복사되었습니다!

12.3.14. OpenID connect링크 복사링크가 클립보드에 복사되었습니다!

12.4. Token options링크 복사링크가 클립보드에 복사되었습니다!

12.5. Grant options링크 복사링크가 클립보드에 복사되었습니다!

12.6. Session options링크 복사링크가 클립보드에 복사되었습니다!

12.7. Preventing CLI version mismatch with user agent링크 복사링크가 클립보드에 복사되었습니다!

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 문서 정보

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat 소개

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

12.1. Overview
링크 복사

12.2. Identity provider parameters
링크 복사

12.3. Configuring identity providers
링크 복사

12.3.1. Configuring identity providers with Ansible
링크 복사

12.3.2. Configuring identity providers in the master configuration file
링크 복사

12.3.3. Configuring an identity provider or method
링크 복사

12.3.3.1. Manually provisioning a user when using the lookup mapping method
링크 복사

12.3.4. Allow all
링크 복사

12.3.5. Deny all
링크 복사

12.3.6. HTPasswd
링크 복사

12.3.7. Keystone
링크 복사

12.3.8. LDAP authentication
링크 복사

12.3.9. Basic authentication (remote)
링크 복사

12.3.10. Request header
링크 복사

12.3.11. GitHub
링크 복사

12.3.12. GitLab
링크 복사

12.3.13. Google
링크 복사

12.3.14. OpenID connect
링크 복사

12.4. Token options
링크 복사

12.5. Grant options
링크 복사

12.6. Session options
링크 복사

12.7. Preventing CLI version mismatch with user agent
링크 복사