How to Configure Identity Provider in OpenShift | Linux | DO280 / EX280 Exam?

How to Configure Identity Provider in OpenShift | Linux | DO280 / EX280 Exam?

The HTPasswd identity provider validates users against a secret that contains user names and
passwords generated with the htpasswd command from the Apache HTTP Server project. Only
a cluster administrator can change the data inside the HTPasswd secret. Regular users cannot
change their own passwords.

OpenShift Users and Groups

There are several OpenShift resources related to authentication and authorization.
The following is a list of the primary resource types and their definitions:


In the OpenShift Container Platform architecture, users are entities that interact with the API
server. The user resource represents an actor within the system. Assign permissions by adding
roles to the user directly or to the groups of which the user is a member.


The identity resource keeps a record of successful authentication attempts from a specific
user and identity provider. Any data concerning the source of the authentication is stored on
the identity. Only a single user resource is associated with an identity resource.

Service Account:

In OpenShift, applications can communicate with the API independently when user credentials
cannot be acquired. To preserve the integrity of a regular user’s credentials, credentials are
not shared and service accounts are used instead. Service accounts enable you to control API
access without the need to borrow a regular user’s credentials.


Groups represent a specific set of users. Users are assigned to one or to multiple groups.
Groups are leveraged when implementing authorization policies to assign permissions to
multiple users at the same time.


A role defines a set of permissions that enables a user to perform API operations over one
or more resource types. You grant permissions to users, groups, and service accounts by
assigning roles to them.

Authentication Identity Provider in Openshift

Managing Users with the HTPasswd Identity Provider

Managing user credentials with the HTPasswd Identity Provider requires creating a temporary “htpasswd” file, making changes to the file, and applying these changes to the secret.

Creating an HPTasswd File

The httpd-tools package provides the “htpasswd” utility, it must be installed and available on your system.

Create the htpasswd file.

[user@redaix ~]$ htpasswd -c -B -b /tmp/user.htpasswd student1 redhat123

Creating another user, student2

[user@redaix ~]$ htpasswd -B -b /tmp/user.htpasswd student2 redhat123


Use the -c option only when creating a new file. The -c option replaces all file
content if the file already exists.

If you want to delete an existing user from a file, use the below command

[user@redaix ~]$ htpasswd -D /tmp/user.htpasswd student

Creating the HTPasswd Secret

To use the HTPasswd provider, you must create a secret that contains the htpasswd file data.

The following example uses a secret named “htpasswd-secret”

[user@redaix ~]$ oc create secret generic htpasswd-secret \
> --from-file htpasswd=/tmp/user.htpasswd -n openshift-config

Updating the OAuth Custom Resource

To update the OAuth custom resource, use the oc get command to export the existing OAuth cluster resource to a file in YAML format.

[user@redaix ~]$ oc get oauth cluster -o yaml > oauth.yaml
[user@redaix ~]$ vi oauth.yaml
kind: OAuth
name: cluster
- name: my_htpasswd_provider
mappingMethod: claim

type: HTPasswd
name: htpasswd-secret

After completing modifications and saving the file, you must apply the new custom resource using the oc replace command.

[user@redaix ~]$ oc replace -f oauth.yaml


Monitor the redeployment of the new OAuth pods by running.

[user@redaix ~]$ watch oc get pods -n openshift-authentication

Thank you for reading this post. If you like this post, please share or comment.

Buy Website Traffic

3 thoughts on “How to Configure Identity Provider in OpenShift | Linux | DO280 / EX280 Exam?

Leave a Reply

Your email address will not be published. Required fields are marked *