6. Manage Authentication and Authorization Flashcards
- Configure the HTPasswd identity provider for authentication
The HTPasswd identity provider validates users against a secret in the openshift-config namespace that contains usernames and password hashes generated with the htpasswd command.
Configuring the OAuth Custom Resource
To use the HTPasswd identity provider, the OAuth custom resource must be edited to add an entry to the .spec.identityProviders array:
oauth
oc get oauth cluster -o yaml
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: myusers              # provider name; it becomes the prefix of the Identity objects (myusers:<user>)
    mappingMethod: claim       # controls how mappings are established between provider identities and User objects
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpasswd-secret  # an existing secret in openshift-config whose data is generated with htpasswd; examples are just below
Updating the OAuth Custom Resource
To update the OAuth custom resource, use the oc get command to export the existing OAuth cluster resource to a file, update the file with the needed changes, and replace the resource with oc replace.
oauth
# get the oauth cluster resource
oc get oauth cluster -o yaml > oauth.yaml
# add changes
vim oauth.yaml
# apply changes
oc replace -f oauth.yaml
# check that the authentication pods are redeployed; the new provider is not usable until they have restarted
oc get all -n openshift-authentication
Find out more in the Identity provider documentation.
- Create and delete users
The httpd-tools package provides the htpasswd utility, which must be installed and available on your system.
Create users
Htpasswd - Secrets
# htpasswd: create/update a user
## -b takes the password from the command line, so it ends up in shell history and is visible to other users in ps; omit -b to be prompted for it instead
## create the htpasswd file by creating the student credential
htpasswd -c -B -b /tmp/htpasswd student redhat123 # -c creates the file (and overwrites an existing one), so use it only for the first entry; -B stores bcrypt hashes instead of the default MD5 (apr1)
## add or update credential
htpasswd -b /tmp/htpasswd student redhat1234
htpasswd -b /tmp/htpasswd student4 toto1234
# delete user credential from htpasswd file
htpasswd -D /tmp/htpasswd student
# create K8S secret that contains the htpasswd data in “openshift-config” namespace
## !!! IMPORTANT !!! The secret key must be exactly "htpasswd": add the htpasswd= prefix before the path to the file, otherwise the identity provider does not find the data.
oc create secret generic htpasswd-secret --from-file htpasswd=/tmp/htpasswd -n openshift-config
Update users list
Extract - Policy
## use oc extract to get data from the secret, update it and then update the secret object
oc extract secret/htpasswd-secret -n openshift-config --to /tmp/ --confirm
/tmp/htpasswd   # oc extract prints the path of each file it wrote; --confirm overwrites a file that already exists
## update the extracted /tmp/htpasswd file
htpasswd -D /tmp/htpasswd user-to-delete
htpasswd -b /tmp/htpasswd student new-password
## apply changes
oc set data secret/htpasswd-secret --from-file htpasswd=/tmp/htpasswd -n openshift-config
## check that the authentication pods are redeployed; the updated credentials take effect once they have restarted
oc get all -n openshift-authentication
# give cluster admin role to the user student
oc adm policy add-cluster-role-to-user cluster-admin student
Delete users
Delete Identity - User
# delete the user from the htpasswd file and update the secret: see the "Update users list" example section above
# removing the entry only blocks new logins: the User and Identity objects, and any role bindings granted to the user, remain until they are deleted from the cluster
oc get users
NAME            UID                                    …   IDENTITIES
admin           6126c5a9-4d18-4cdf-95f7-b16c3d3e7f24   …   …
new_admin       489c7402-d318-4805-b91d-44d786a92fc1   …   myusers:new_admin
new_developer   8dbae772-1dd4-4242-b2b4-955b005d9022   …   myusers:new_developer
## delete new developer identity resource
oc delete identity "myusers:new_developer"
## delete new_developer user
oc delete user new_developer
- Modify user passwords
See the Create and delete users step above.
- Create and manage groups
Groups - Policy
# create group
oc adm groups new mygroup_x
# add user in the group
oc adm groups add-user mygroup_x user1
# assign role to group
oc adm policy add-role-to-group edit mygroup_x
# prevent users from creating projects in the cluster by removing self-provisioner roles
## assigned to all authenticated users by default
##
oc adm policy remove-cluster-role-from-group self-provisioners system:authenticated:oauth
## OR
oc patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null}'
#
## edit to allow only specific groups/users
oc edit clusterrolebinding self-provisioners
##
### then add the annotation to protect this rolebinding and make the change permanent;
### otherwise, if the API server restarts, Kubernetes restores this cluster role binding to its default subjects.
##
oc annotate clusterrolebinding/self-provisioners --overwrite rbac.authorization.kubernetes.io/autoupdate=false
##
### to remember the annotation name , use oc describe clusterrolebindings | grep auto
# to give a permission to a specific project, switch to the project with oc project and then use add-role-to-group
## grant 'edit' role privileges on the 'auth-review' project to the 'developers' group
##
oc project auth-review
oc policy add-role-to-group edit developers
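The self-provisioners lockdown above only holds when both changes are in place: the broad group is gone from .subjects, and the autoupdate annotation is "false" so the default subjects are not restored on an API server restart. The script below is an added example for this page (not from the original notes or from OpenShift). It checks both conditions on the JSON that oc get clusterrolebinding self-provisioners -o json returns, and builds the single JSON merge patch (what oc patch --type merge applies) that sets both at once. The three bindings it inspects are constructed inline, modelled on the default binding, so the script runs offline.

```python
"""Check that the self-provisioners lockdown holds, and build the patch that
makes it hold.

Added example for this page (not from the original notes or from OpenShift).
It inspects the JSON that `oc get clusterrolebinding self-provisioners -o json`
returns; the three bindings below are constructed inline so the script runs
offline. Two conditions must both be true: no all-authenticated group is left
in .subjects, and the autoupdate annotation is "false", otherwise the cluster
restores the default subjects when the API server restarts.
"""
import json

AUTOUPDATE = "rbac.authorization.kubernetes.io/autoupdate"
# Either of these as a Group subject lets every logged-in user create projects.
BROAD_GROUPS = {"system:authenticated", "system:authenticated:oauth"}


def crb(subjects, annotations):
    """Build a ClusterRoleBinding document with the shape the API returns."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": "self-provisioners", "annotations": annotations},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": "self-provisioner"},
        "subjects": subjects,
    }


def group(name):
    return {"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": name}


# Constructed: the binding as shipped by default.
DEFAULT_CRB = crb([group("system:authenticated:oauth")], {AUTOUPDATE: "true"})
# Constructed: after `oc patch ... -p '{"subjects": null}'` with no annotation change.
PARTIAL_CRB = crb(None, {AUTOUPDATE: "true"})
# Constructed: subjects limited to one group and the annotation set to false.
LOCKED_CRB = crb([group("developers")], {AUTOUPDATE: "false"})


def check_self_provisioners(binding):
    """Return findings; an empty list means the lockdown is complete."""
    findings = []
    for s in binding.get("subjects") or []:
        if s.get("kind") == "Group" and s.get("name") in BROAD_GROUPS:
            findings.append(f"group {s['name']} can still create projects")
    ann = (binding.get("metadata", {}).get("annotations") or {}).get(AUTOUPDATE)
    if ann != "false":
        findings.append(f"{AUTOUPDATE} is {ann!r}, not 'false': the default "
                        "subjects will be restored when the API server restarts")
    return findings


def lockdown_patch(allowed_groups):
    """JSON merge patch (RFC 7386, what `oc patch --type merge` applies) that
    replaces the subjects with the given groups (or removes them all when the
    list is empty) and pins the annotation."""
    return {
        "metadata": {"annotations": {AUTOUPDATE: "false"}},
        "subjects": [group(g) for g in allowed_groups] or None,
    }


def merge_patch(target, patch):
    """Apply an RFC 7386 merge patch: objects merge recursively, null deletes
    a key, and anything else (including lists) is replaced wholesale."""
    if not isinstance(patch, dict):
        return patch
    result = dict(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        else:
            result[key] = merge_patch(result.get(key), value)
    return result


def oc_patch_command(patch):
    """The oc command that applies the patch to the live binding."""
    return ("oc patch clusterrolebinding self-provisioners --type merge -p '"
            + json.dumps(patch) + "'")


if __name__ == "__main__":
    for name, b in [("default", DEFAULT_CRB), ("partial", PARTIAL_CRB), ("locked", LOCKED_CRB)]:
        print(name, check_self_provisioners(b) or ["ok"])
    print(oc_patch_command(lockdown_patch(["developers"])))
```

Running it prints two findings for the default binding, one (the missing annotation) for the binding that only had its subjects nulled, and none for the locked binding; the printed oc patch command is the one-step equivalent of the oc edit plus oc annotate sequence above. The merge patch replaces the subjects list wholesale, which is the intended effect for a binding whose subjects must be exactly the allowed groups.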
- Modify user and group permissions
See the examples above, or use oc adm policy with add-role-to-group, add-cluster-role-to-group, remove-role-from-group and remove-cluster-role-from-group (and the matching add-role-to-user, add-cluster-role-to-user, remove-role-from-user and remove-cluster-role-from-user subcommands) to manage group and user permissions.