The HTPasswd identity provider validates users against a secret that contains user names and
passwords generated with the htpasswd command from the Apache HTTP Server project. Only
a cluster administrator can change the data inside the HTPasswd secret. Regular users cannot
change their own passwords.
OpenShift Users and Groups
There are several OpenShift resources related to authentication and authorization.
The following is a list of the primary resource types and their definitions:
User:
In the OpenShift Container Platform architecture, users are entities that interact with the API
server. The user resource represents an actor within the system. Assign permissions by adding
roles to the user directly or to the groups of which the user is a member.
Identity:
The identity resource keeps a record of successful authentication attempts from a specific
user and identity provider. Any data concerning the source of the authentication is stored on
the identity. Only a single user resource is associated with an identity resource.
Service Account:
In OpenShift, applications can communicate with the API independently when user credentials
cannot be acquired. To preserve the integrity of a regular user’s credentials, credentials are
not shared and service accounts are used instead. Service accounts enable you to control API
access without the need to borrow a regular user’s credentials.
Group:
Groups represent a specific set of users. Users are assigned to one or to multiple groups.
Groups are leveraged when implementing authorization policies to assign permissions to
multiple users at the same time.
Role:
A role defines a set of permissions that enables a user to perform API operations over one
or more resource types. You grant permissions to users, groups, and service accounts by
assigning roles to them.

Managing Users with the HTPasswd Identity Provider
Managing user credentials with the HTPasswd Identity Provider requires creating a temporary “htpasswd” file, making changes to the file, and applying these changes to the secret.
Creating an HTPasswd File
The httpd-tools package provides the “htpasswd” utility. It must be installed and available on your system.
Create the htpasswd file.
[user@redaix ~]$ htpasswd -c -B -b /tmp/user.htpasswd student1 redhat123
Creating another user, student2
[user@redaix ~]$ htpasswd -B -b /tmp/user.htpasswd student2 redhat123
Note:
Use the -c option only when creating a new file. The -c option replaces all file
content if the file already exists.
To delete an existing user from the file, use the following command:
[user@redaix ~]$ htpasswd -D /tmp/user.htpasswd student
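A check worth running on the file before it is loaded into the secret, as an added example that is not part of the original post: it flags entries whose hash is not bcrypt (the scheme the -B option produces) and duplicate user names. The function names and the sample entries are assumptions made for this example, and the hash bodies are placeholders rather than real hashes.

```bash
#!/usr/bin/env bash
# Added example: audit an htpasswd file before creating the OpenShift secret.

# audit_htpasswd FILE
# Prints one finding per line and returns 1 if there is any finding.
audit_htpasswd() {
    awk '
        /^[ \t]*$/ { next }                          # skip blank lines
        {
            sep = index($0, ":")
            if (sep == 0) { print "MALFORMED line " NR; bad = 1; next }
            user = substr($0, 1, sep - 1)
            hash = substr($0, sep + 1)
            if (seen[user]++) { print "DUPLICATE " user; bad = 1 }
            p = substr(hash, 1, 4)
            if (p == "$2y$" || p == "$2a$" || p == "$2b$") next   # bcrypt (-B)
            if      (index(hash, "$apr1$") == 1) scheme = "apr1-md5"
            else if (index(hash, "{SHA}") == 1)  scheme = "sha1"
            else if (hash == "")                 scheme = "empty"
            else                                 scheme = "crypt-or-plaintext"
            print "WEAK " user " " scheme; bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample data: user names follow the post, hash bodies are
# placeholders that only carry the scheme prefix.
write_sample() {
    cat > "$1" <<'EOF'
student1:$2y$05$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLD
student2:$apr1$PLACEHLD$PLACEHOLDERPLACEHOLDER
student3:{SHA}PLACEHOLDERPLACEHOLDER=
student2:$2y$05$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLD
EOF
}

sample=$(mktemp)      # private temp file (mode 0600) instead of a fixed /tmp name
write_sample "$sample"
audit_htpasswd "$sample" || echo "findings above: fix before creating the secret"
rm -f "$sample"
```

Point the function at the real file (for example /tmp/user.htpasswd) and create the secret only when it prints nothing and returns 0.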
Creating the HTPasswd Secret
To use the HTPasswd provider, you must create a secret that contains the htpasswd file data.
The following example uses a secret named “htpasswd-secret”:
[user@redaix ~]$ oc create secret generic htpasswd-secret \
> --from-file htpasswd=/tmp/user.htpasswd -n openshift-config
Updating the OAuth Custom Resource
To update the OAuth custom resource, use the oc get command to export the existing OAuth cluster resource to a file in YAML format.
[user@redaix ~]$ oc get oauth cluster -o yaml > oauth.yaml
[user@redaix ~]$ vi oauth.yaml
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: my_htpasswd_provider
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpasswd-secret
After completing modifications and saving the file, you must apply the new custom resource using the oc replace command.
[user@redaix ~]$ oc replace -f oauth.yaml
Verification:
Monitor the redeployment of the new OAuth pods by running the following command:
[user@redaix ~]$ watch oc get pods -n openshift-authentication
Thank you for reading this post. If you like this post, please share or comment.