Bug 1442252 - Reorg of the Configuring Authentication and User Agent page #4196

Closed
38 changes: 37 additions & 1 deletion _topic_map.yml
Expand Up @@ -291,6 +291,40 @@ Topics:
Distros: openshift-enterprise
- Name: Installing a Stand-alone Deployment of OpenShift Container Registry
File: stand_alone_registry
- Name: Configuring Authentication
Dir: authentication
Distros: openshift-origin,openshift-enterprise
Topics:
- Name: Overview
File: index
- Name: Configuring OAuth
File: configuring_authentication_identity_provider
- Name: Allow All Authentication
File: configuring_authentication_allow_all
- Name: Deny All Authentication
File: configuring_authentication_deny_all
- Name: HTPasswd Authentication
File: configuring_authentication_htpasswd
- Name: Keystone Authentication
File: configuring_authentication_keystone
- Name: LDAP Authentication
File: configuring_authentication_ldap
- Name: Basic Authentication (Remote) Authentication
File: configuring_authentication_basic_auth
- Name: Request Header Authentication
File: configuring_authentication_request_header
- Name: Github Authentication
File: configuring_authentication_github
- Name: Gitlab Authentication
File: configuring_authentication_gitlab
- Name: Google Authentication
File: configuring_authentication_google
- Name: OpenID Connect Authentication
File: configuring_authentication_openid
- Name: OAuth Options
File: configuring_authentication_oauth_options
- Name: Preventing Access to the APIs
File: configuring_authentication_user_agent
- Name: Setting up the Registry
Dir: registry
Distros: openshift-origin,openshift-enterprise
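Review bot: the entry `- Name: Basic Authentication (Remote) Authentication` repeats the word "Authentication"; suggest `- Name: Basic Authentication (Remote)`, which matches the link text `Basic Authentication (Remote)` already used in admin_solutions/authentication.adoc. In the same block, `Github Authentication` and `Gitlab Authentication` should use the product spellings `GitHub` and `GitLab` (the page text elsewhere already writes `GitHubIdentityProvider`), since these names become the visible navigation labels.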
Expand Down Expand Up @@ -337,7 +371,6 @@ Topics:
File: container_provider
- Name: Uninstalling
File: uninstalling

- Name: Upgrading a Cluster
Dir: upgrading
Distros: openshift-origin,openshift-enterprise
Expand Down Expand Up @@ -516,6 +549,9 @@ Topics:
- Name: Deploying External Persistent Volume Provisioners
File: provisioners
Distros: openshift-origin,openshift-enterprise
- Name: Deploying CloudForms on OpenShift
File: deploying_cfme
Distros: openshift-enterprise
- Name: Revision History
File: revhistory_install_config
Distros: openshift-enterprise
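Review bot: the added `- Name: Deploying CloudForms on OpenShift` / `File: deploying_cfme` entry is unrelated to the authentication page reorganisation named in the PR title; if it came in with a rebase, drop it from this change set (or say in the description why it belongs here) so the topic-map diff only carries the authentication entries.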
2 changes: 1 addition & 1 deletion admin_guide/manage_users.adoc
Expand Up @@ -23,7 +23,7 @@ be deleted.
== Adding a User

After new users log in to {product-title}, an account is created for that user
per the xref:../install_config/configuring_authentication.adoc#identity-providers[identity
per the xref:../install_config/authentication/index.adoc#identity-providers[identity
provider] configured on the master. The cluster administrator can
xref:../admin_guide/manage_authorization_policy.adoc#admin-guide-manage-authorization-policy[manage the access level of
each user].
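Review bot: this xref keeps the `#identity-providers` anchor on the new `install_config/authentication/index.adoc`, while the other_api_objects.adoc change in this same PR rewrites the same link to `#install-config-configuring-authentication-index`. One of the two is likely wrong; confirm which anchor the new index.adoc actually defines and use it in both places, otherwise the build will report a broken xref in one of the files.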
34 changes: 15 additions & 19 deletions admin_solutions/authentication.adoc
Expand Up @@ -13,7 +13,7 @@ toc::[]
== Overview

{product-title} supports many different authentication methods, as defined in
xref:../install_config/configuring_authentication.adoc#install-config-configuring-authentication[Configuring Authentication]:
xref:../install_config/authentication/index.adoc#install-config-configuring-authentication-index[Configuring Authentication]:

- xref:basic-auth-remote[Basic Authentication (Remote)]
- xref:request-header-auth[Request Header]
Expand Down Expand Up @@ -84,13 +84,12 @@ If you use the following steps to modify your configuration manually after insta
+
. Edit the new *_master-config.yaml_* file's `identityProviders` stanza.
. Copy
xref:../install_config/configuring_authentication.adoc#basic-auth-example-config[the example `BasicAuthPasswordIdentityProvider` configuration] and paste it to replace the existing stanza.
xref:../install_config/authentication/configuring_authentication_basic_auth.adoc#basic-auth-example-config[the example `BasicAuthPasswordIdentityProvider` configuration] and paste it to replace the existing stanza.
. Make the following modifications to the `identityProviders` stanza:
.. Set the provider `name` to something unique and relevant to your
deployment. This name is prefixed to the returned user ID to form an identity
name.
.. If required,
xref:../install_config/configuring_authentication.adoc#mapping-identities-to-users[set `mappingMethod`] to control how mappings are established between the
.. If required, set `mappingMethod` to control how mappings are established between the
provider's identities and user objects.
.. Specify the HTTPS `url` to use to connect to a server that accepts credentials in Basic authentication headers.
.. Optionally, set the `ca` to the certificate bundle to use in order to validate server certificates for the configured URL, or leave it empty to use the system-trusted roots.
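Review bot: replacing `xref:../install_config/configuring_authentication.adoc#mapping-identities-to-users[set `mappingMethod`]` with the plain text `set `mappingMethod`` drops the only link that explained the mapping options to the reader of this procedure. The new allow-all page in this PR sends readers to `configuring_authentication_mapping_method.adoc` for that material, so suggest retargeting the xref to that page (with whichever anchor it defines) rather than leaving the step unlinked.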
Expand Down Expand Up @@ -226,30 +225,29 @@ If you use the following steps to modify your configuration manually after insta
====
+
. Edit the new *_master-config.yaml_* file's `identityProviders` stanza.
. View
xref:../install_config/configuring_authentication.adoc#reqhead-auth-example-config[the example `RequestHeaderIdentityProvider` configuration]
. View
xref:../install_config/authentication/configuring_authentication_request_header.adoc#reqhead-ww-auth-optional[the example RequestHeaderIdentityProvider configuration]
and use it as a guide to replace the existing stanza.
. Modify the `identityProviders` stanza based on which headers you plan to
pass in.
.. Set the provider `name` to something unique and relevant to your
deployment. This name is prefixed to the returned user ID to form an identity
name.
.. If required,
xref:../install_config/configuring_authentication.adoc#mapping-identities-to-users[set `mappingMethod`]
.. If required, set `mappingMethod`
to control how mappings are established between the provider's identities and
user objects.
.. Set the `challenge` parameter to `true` to redirect unauthenticated
requests from clients expecting `WWW-Authenticate` challenges.
.. Set the `provider.challengeURL` parameter to the proxy URL to which to send
clients expecting `WWW-Authenticate` challenges, like the `oc` CLI client.
This parameter can include the
xref:../install_config/configuring_authentication.adoc#RequestHeaderIDP-urlquerytokens[`${url}` and `${query}` tokens]
xref:../install_config/authentication/configuring_authentication_request_header.adoc#requestheaderidp-urlquerytokens[`${url}` and `${query}` tokens]
in the query portion of the URL.
.. Set the `login` parameter to `true` to redirect unauthenticated requests
from clients expecting login flows.
.. Set the `provider.loginURL` parameter to the proxy URL to which to send
clients expecting login flows, like web browser clients. This parameter can include the
xref:../install_config/configuring_authentication.adoc#RequestHeaderIDP-urlquerytokens[`${url}` and `${query}` tokens]
xref:../install_config/authentication/configuring_authentication_request_header.adoc#requestheaderidp-urlquerytokens[`${url}` and `${query}` tokens]
in the query portion of the URL.
.. Set the `clientCA` parameter to the certificate bundle to use to check
incoming requests for a valid client certificate before the request's headers
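Review bot: the replacement xref `...configuring_authentication_request_header.adoc#reqhead-ww-auth-optional[the example RequestHeaderIdentityProvider configuration]` points at an anchor whose name suggests the section on optional `WWW-Authenticate` challenges, not the example configuration that the old `#reqhead-auth-example-config` anchor named; check that this is the intended target. The link text also lost the backticks around `RequestHeaderIdentityProvider` that the other provider links in this file keep. As in the Basic authentication section, the `mappingMethod` xref was removed here rather than retargeted.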
Expand Down Expand Up @@ -360,13 +358,12 @@ If you use the following steps to modify your configuration manually after insta
+
. Edit the new *_keystoneconfig/master-config.yaml_* file's `identityProviders` stanza.
. Copy
xref:../install_config/configuring_authentication.adoc#KeystonePasswordIdentityProvider[the example `KeystonePasswordIdentityProvider` configuration]
xref:../install_config/authentication/configuring_authentication_keystone.adoc#install-config-configuring-authentication-keystone[the example `KeystonePasswordIdentityProvider` configuration]
and paste it to replace the existing stanza.
. Make the following modifications to the `identityProviders` stanza:
.. Change the provider `name` ("my_keystone_provider") to match your Keystone server.
This name is prefixed to provider user names to form an identity name.
.. If required,
xref:../install_config/configuring_authentication.adoc#mapping-identities-to-users[change `mappingMethod`] to control how mappings are established between the
.. If required change `mappingMethod` to control how mappings are established between the
provider's identities and user objects.
.. Change the `domainName` to the domain name of your OpenStack Keystone server. In Keystone, user names are domain-specific. Only a single domain is supported.
.. Specify the `url` to use to connect to your OpenStack Keystone server.
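Review bot: `#install-config-configuring-authentication-keystone` is the page-level id, so the "Copy the example `KeystonePasswordIdentityProvider` configuration" step now lands at the top of the Keystone page instead of at the example block the old `#KeystonePasswordIdentityProvider` anchor pointed to; a section-level anchor on the example would keep the step usable. Minor: `.. If required change `mappingMethod`` lost its comma (`If required, change ...`), unlike the parallel steps in the other sections.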
Expand Down Expand Up @@ -419,7 +416,7 @@ xref:../admin_solutions/user_role_mgmt.adoc#control-user-roles[control user role
LDAP uses bind operations to authenticate applications, and you can integrate your {product-title} cluster to use LDAPv3 authentication.
Configuring LDAP authentication allows users to log in to {product-title} with their LDAP credentials.

include::install_config/configuring_authentication.adoc[tag=ldapblurb]
include::install_config/authentication/configuring_authentication_ldap.adoc[tag=ldapblurb]

[WARNING]
====
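Review bot: the `include::install_config/authentication/configuring_authentication_ldap.adoc[tag=ldapblurb]` path is root-relative, matching the pre-change form, so the path itself looks right; please confirm that the `ldapblurb` tag pair was carried over into the new configuring_authentication_ldap.adoc, because an include of a tag that does not exist contributes no content to this page and only shows up as a build warning.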
Expand Down Expand Up @@ -479,14 +476,13 @@ If you use the following steps to modify your configuration manually after insta
+
. Edit the new *_master-config.yaml_* file's `identityProviders` stanza.
. Copy
xref:../install_config/configuring_authentication.adoc#ldap-example-config[the example `LDAPPasswordIdentityProvider` configuration]
xref:../install_config/authentication/configuring_authentication_ldap.adoc#ldap-example-config[the example `LDAPPasswordIdentityProvider` configuration]
and paste it to replace the existing stanza.
. Make the following modifications to the `identityProviders` stanza:
.. Change the provider `name` ("my_ldap_provider") to something unique and
relevant to your deployment. This name is prefixed to the returned user name to
form an identity name.
.. If required,
xref:../install_config/configuring_authentication.adoc#mapping-identities-to-users[change `mappingMethod`] to control how mappings are established between the
.. If required, change `mappingMethod` to control how mappings are established between the
provider's identities and user objects.
.. Change `id` to the attribute to use as the identity, which must be unique
and immutable within the identity provider. This option can accept multiple
Expand Down Expand Up @@ -527,7 +523,7 @@ connect using TLS, and `ldap://` URLs are upgraded to TLS. When `true`, no TLS
connection is made to the server, however, setting this to `true` creates an
invalid configuration for LDAP.
.. Define an RFC 2255 URL that
xref:../install_config/configuring_authentication.adoc#ldap-url[specifies the LDAP host and search parameters] to use.
xref:../install_config/authentication/configuring_authentication_ldap.adoc#ldap-url[specifies the LDAP host and search parameters] to use.
. Save your changes and close the file.
. Start the {product-title} API server, specifying the configuration file you just
modified:
Expand Down Expand Up @@ -650,7 +646,7 @@ hostname that web browsers use to interact with your {product-title} cluster.
====
. Edit the new *_master-config.yaml_* file's `identityProviders` stanza.
. Copy
xref:../install_config/configuring_authentication.adoc#GitHub[the example `GitHubIdentityProvider` configuration]
xref:../install_config/authentication/configuring_authentication_github.adoc#github-auth-example-config[the example `GitHubIdentityProvider` configuration]
and paste it to replace the existing stanza.
. Make the following modifications to the `identityProviders` stanza:
.. Change the provider `name` to match the callback URL you configured on
2 changes: 1 addition & 1 deletion admin_solutions/master_node_config.adoc
Expand Up @@ -238,7 +238,7 @@ You can then use the password file when configuring xref:config-htpasswd[HTPassw

[NOTE]
====
For more information on the `htpasswd` command, see xref:../install_config/configuring_authentication.adoc#HTPasswdPasswordIdentityProvider[HTPasswd Identity Provider].
For more information on the `htpasswd` command, see xref:../install_config/authentication/configuring_authentication_htpasswd.adoc#install-config-configuring-authentication-htpasswd[Configuring the HTPasswd Identity Provider].
====

[[master-node-config-manual]]
8 changes: 4 additions & 4 deletions architecture/additional_concepts/authentication.adoc
Expand Up @@ -17,7 +17,7 @@ requesting user to determine if the request should be allowed.

ifdef::openshift-enterprise,openshift-origin[]
As an administrator, you can
xref:../../install_config/configuring_authentication.adoc#install-config-configuring-authentication[configure authentication]
xref:../../install_config/authentication/index.adoc#install-config-configuring-authentication-index[configure authentication]
using a xref:../../install_config/master_node_configuration.adoc#install-config-master-node-configuration[master
configuration file].
endif::[]
Expand Down Expand Up @@ -131,7 +131,7 @@ access tokens to authenticate themselves to the API.

When a person requests a new OAuth token, the OAuth server uses the configured
ifdef::openshift-enterprise,openshift-origin[]
xref:../../install_config/configuring_authentication.adoc#install-config-configuring-authentication[identity
xref:../../install_config/authentication/index.adoc#install-config-configuring-authentication-index[identity
provider]
endif::[]
ifdef::openshift-dedicated[]
Expand Down Expand Up @@ -184,7 +184,7 @@ grantMethod: prompt <4>
<1> The `name` of the OAuth client is used as the `client_id` parameter when making requests to `_<master>_/oauth/authorize` and `_<master>_/oauth/token`.
<2> The `secret` is used as the `client_secret` parameter when making requests to `_<master>_/oauth/token`.
<3> The `redirect_uri` parameter specified in requests to `_<master>_/oauth/authorize` and `_<master>_/oauth/token` must be equal to (or prefixed by) one of the URIs in `redirectURIs`.
<4> The `grantMethod` is used to determine what action to take when this client requests tokens and has not yet been granted access by the user. Uses the same values seen in xref:../../install_config/configuring_authentication.adoc#grant-options[Grant Options].
<4> The `grantMethod` is used to determine what action to take when this client requests tokens and has not yet been granted access by the user. Uses the same values seen in xref:../../install_config/authentication/configuring_authentication_oauth_options.adoc#install-config-configuring-authentication-oauth-grant[Grant Options].
====

[[service-accounts-as-oauth-clients]]
Expand Down Expand Up @@ -553,7 +553,7 @@ All requests for OAuth tokens involve a request to `_<master>_/oauth/authorize`.
Most authentication integrations place an authenticating proxy in front of this
endpoint, or configure {product-title} to validate credentials against a backing
ifdef::openshift-enterprise,openshift-origin[]
xref:../../install_config/configuring_authentication.adoc#install-config-configuring-authentication[identity
xref:../../install_config/authentication/index.adoc#install-config-configuring-authentication-index[identity
provider].
endif::[]
ifdef::openshift-dedicated[]
2 changes: 1 addition & 1 deletion architecture/additional_concepts/other_api_objects.adoc
Expand Up @@ -269,7 +269,7 @@ this token, if any.
=== Identity
When a user logs into {product-title}, they do so using a configured
ifdef::openshift-enterprise,openshift-origin[]
xref:../../install_config/configuring_authentication.adoc#identity-providers[identity
xref:../../install_config/authentication/index.adoc#install-config-configuring-authentication-index[identity
provider].
endif::[]
ifdef::openshift-dedicated[]
1 change: 1 addition & 0 deletions architecture/index.adoc
Expand Up @@ -7,6 +7,7 @@
:experimental:
:linkattrs:


ifdef::openshift-origin,openshift-online,openshift-enterprise,openshift-dedicated[]
OpenShift v3 is a layered system designed to expose underlying Docker-formatted
container image and Kubernetes concepts as accurately as possible, with a focus
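Review bot: this hunk only adds a blank line after `:linkattrs:`, which is unrelated to the authentication reorganisation; revert it to keep the change set focused. The same applies to the whitespace-only deletion in _topic_map.yml just after `File: uninstalling`.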
@@ -0,0 +1,141 @@
[[install-config-configuring-authentication-allow]]
= Configuring Allow All Authentication
{product-author}
{product-version}
:data-uri:
:icons:
:experimental:
:toc: macro
:toc-title:
:prewrap!:

{nbsp} +


You can configure the {product-title} master configuration file to use Allow All authentication in your cluster.

[[install-config-configuring-authentication-allow-intro]]
== Configuring the Allow All Identity Provider

Setting the `AllowAllPasswordIdentityProvider` in the `identityProviders` stanza allows any non-empty user name and password to log in. This is the default
identity provider when running {product-title} without a
xref:../../install_config/master_node_configuration.adoc#install-config-master-node-configuration[master configuration file].

To configure the Allow All identity provider:

//tag::configuring_authentication_common_steps1[]

. Edit the master configuration file:
+
----
/etc/origin/master/master-config.yaml
----

. Set the following parameters, as needed, or use the default values:
+
----
oauthConfig:
...
identityProviders:
- challenge: true
login: true
----
+
[cols="2a,8a",options="header"]
|===
|Parameter | Description
|`challenge` | When `true`, unauthenticated token requests from non-web
clients (like the CLI) are sent a `WWW-Authenticate` challenge header. Not
supported by all identity providers.

To prevent cross-site request forgery (CSRF) attacks against browser clients
Basic authentication challenges are only sent if a `X-CSRF-Token` header is
present on the request. Clients that expect to receive Basic `WWW-Authenticate`
challenges should set this header to a non-empty value.

|`login` | When `true`, unauthenticated token requests from web clients
(like the web console) are redirected to a login page backed by this provider.
Not supported by all identity providers.

If you want users to be sent to a branded page before being redirected to
the identity provider's login, then set `oauthConfig -> alwaysShowProviderSelection: true`. This provider selection page can be
xref:../../install_config/web_console_customization.adoc#customizing-the-login-page[customized].
|===
//end::configuring_authentication_common_steps1[]

. Specify the `mappingMethod` parameter to determine how identities are mapped to users.
//tag::configuring_authentication_common_steps2[]
+
----
oauthConfig:
...
identityProviders:
- mappingMethod: claim
----
+
[cols="2,8"]
|===
|Parameter | Description

|`claim` | The default value. Provisions a user with the identity's preferred
user name. Fails if a user with that user name is already mapped to another
identity.

|`lookup` | Looks up an existing identity, user identity mapping, and user,
but does not automatically provision users or identities. This allows cluster
administrators to set up identities and users manually, or using an external
process. For more information on provisioning users with the `lookup` method,
see xref:../../install_config/authentication/configuring_authentication_mapping_method.adoc#install-config-configuring-authentication-lookup[Manually Provisioning a User When Using the Lookup Mapping Method].

|`generate` | Provisions a user with the identity's preferred user name. If a
user with the preferred user name is already mapped to an existing identity, a
unique user name is generated. For example, `myuser2`. This method should not be
used in combination with external processes that require exact matches between
{product-title} user names and identity provider user names, such as LDAP group
sync.

|`add` | Provisions a user with the identity's preferred user name. If a user
with that user name already exists, the identity is mapped to the existing user,
adding to any existing identity mappings for the user. Required when multiple
identity providers are configured that identify the same set of users and map to
the same user names.
|===
//end::configuring_authentication_common_steps2[]

. Specify the following values to configure the Allow All provider:
+
.Master Configuration Using `AllowAllPasswordIdentityProvider`
====

----
oauthConfig:
...
identityProviders:
- challenge: true
login: true
mappingMethod: claim
name: my_allow_provider <1>
provider:
apiVersion: v1
kind: AllowAllPasswordIdentityProvider <2>
----
<1> This provider name is prefixed to provider user names to form an identity
name.
<2> Specify *_AllowAllPasswordIdentityProvider_* as the provider kind.
====
//tag::restart-after-config-master[]
. Restart the {product-title} service.
+
ifdef::openshift-enterprise[]
----
# systemctl restart atomic-openshift-master
----
endif::[]
ifdef::openshift-origin[]
----
# systemctl restart origin-master
----
endif::[]
//end::restart-after-config-master[]
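Review bot: the new page states that `AllowAllPasswordIdentityProvider` "allows any non-empty user name and password to log in" and is the default without a master configuration file, but carries no admonition about what that means: every caller who can reach the OAuth endpoint can obtain an authenticated account on the cluster. Add a `[WARNING]` block (the pattern admin_solutions/authentication.adoc already uses) saying this provider is intended for development or evaluation clusters only and should be replaced with a real identity provider before the cluster is exposed. Also in this hunk: the `lookup` row xrefs `configuring_authentication_mapping_method.adoc`, which is not among the `_topic_map.yml` additions in this PR, so that page needs a topic-map entry or the link will point at an unpublished file; and the sentence `To prevent cross-site request forgery (CSRF) attacks against browser clients Basic authentication challenges are only sent if ...` needs a comma after `clients`.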

