Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

Openshift > 6. Manage Authentication and Authorization > Flashcards

6. Manage Authentication and Authorization Flashcards

1
Q
  1. Configure the HTPasswd identity provider for authentication
A

The HTPasswd identity provider validates users against a secret that contains usernames and passwords that are generated with the htpasswd command.

Configuring the OAuth Custom Resource

To use the HTPasswd identity provider, the OAuth custom resource must be edited to add an entry to the .spec.identityProviders array:

oauth
oc get oauth cluster -o yaml

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: myusers  # provider name
    mappingMethod: claim # Controls how mappings are established between provider identities and user objects
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpasswd-secret # An existing secret that contains data that is generated by using the htpasswd. Examples are just below Updating the OAuth Custom Resource

To update the OAuth custom resource, use the oc get command to export the existing OAuth cluster resource to a file, update the file with the needed changes and recreate the resource with oc replace

oauth
# get the oauth cluster resource
oc get oauth cluster -o yaml > oauth.yaml

# add changes
vim oauth.yaml

# apply changes
oc replace -f oauth.yaml

# check authentification pods
oc get all -n openshift-authentication
Find out more in the Identity provider documentation.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q
  1. Create and delete users
A

The httpd-tools package provides the htpasswd utility, which must be installed and available on your system.

Create users

Htpasswd - Secrets
# htpasswd: create/update a user

## create the htpasswd file by creating student credential
htpasswd -c -B -b /tmp/htpasswd student redhat123 # -c only when file doesn’t exist yet … to create

## add or update credential
htpasswd -b /tmp/htpasswd student redhat1234
htpasswd -b /tmp/htpasswd student4 toto1234

# delete user credential from htpasswd file
htpasswd -D /tmp/htpasswd student

# create K8S secret that contains the htpasswd data in “openshift-config” namespace
## !!! IMPORTANT !!! A secret that the HTPasswd identity provider uses requires adding the htpasswd= prefix before specifying the path to the file.

oc create secret generic htpasswd-secret –from-file htpasswd=/tmp/htpasswd -n openshift-config
Update users list

Extract - Policy
## use oc extract to get data from the secret, update it and then update the secret object
oc extract secret/htpasswd-secret -n openshift-config –to /tmp/ –confirm
/tmp/htpasswd

## update the extracted /tmp/htpasswd file
htpasswd -D /tmp/htpasswd user-to-delete
htpasswd -b /tmp/htpasswd student new-password

## apply changes
oc set data secret/htpasswd-secret –from-file htpasswd=/tmp/htpasswd -n openshift-config

## check authentificatio pods
oc get all -n openshift-authentication

# give cluster admin role to the user student
oc adm policy add-cluster-role-to-user cluster-admin student
Delete users

Delete Identity - User
# delete the user from htpasswd file and update the secret: see “Update users list” example section above

# then delete user & identity resources from the cluster
oc get users
NAME UID … IDENTITIES
admin 6126c5a9-4d18-4cdf-95f7-b16c3d3e7f24 … …
new_admin 489c7402-d318-4805-b91d-44d786a92fc1 … myusers:new_admin
new_developer 8dbae772-1dd4-4242-b2b4-955b005d9022 … myusers:new_developer

## delete new developer identity resource
oc delete identity “myusers:new_developer”

## delete new_developer user
oc delete user new_developer

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q
  1. Modify user passwords
A

See the Create and delete users step above.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q
  1. Create and manage groups
A

Groups - Policy
# create group
oc adm groups new mygroup_x

# add user in the group
oc adm groups add-user mygroup_x user1

# assign role to group
oc adm policy add-role-to-group edit mygroup_x

# prevent users from creating projects in the cluster by removing self-provisioner roles
## assigned to all authenticated users by default
##
oc adm policy remove-cluster-role-from-group self-provisioners system:authenticated:oauth
## OR
oc patch clusterrolebinding.rbac self-provisioners -p ‘{“subjects”: null}’
#
## edit to allow only specific groups/users
oc edit clusterrolebinding self-provisioners
##
### then add annotation to protect ths rolebinding and make the change permanent
### otherwise If the API server restarts, then Kubernetes restores this cluster role binding.
##
oc annotate clusterrolebinding/self-provisioners –overwrite rbac.authorization.kubernetes.io/autoupdate=false
##
### to remember the annotation name , use oc describe clusterrolebindings | grep auto

# to give a permission to a specific project, switch to the project with oc project and then use add-role-to-group
## grand ‘edit’ role privilges on ‘auth-review’ project to the ‘developers’ group
##
oc project auth-review
oc policy add-role-to-group edit developers

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q
  1. Modify user and group permissions
A

See the examples above or use oc adm policy, add-role-to-group|add-cluster-role-to-group|remove-cluster-role-from-group to manage group permission.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly

Openshift (14 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions