openshift · mburke5678 · Apr 18, 2017 · adellape · May 3, 2017
diff --git a/_topic_map.yml b/_topic_map.yml
@@ -291,6 +291,40 @@ Topics:
     Distros: openshift-enterprise
   - Name: Installing a Stand-alone Deployment of OpenShift Container Registry
     File: stand_alone_registry
+- Name: Configuring Authentication
+  Dir: authentication
+  Distros: openshift-origin,openshift-enterprise
+  Topics:
+  - Name: Overview
+    File: index
+  - Name: Configuring OAuth
+    File: configuring_authentication_identity_provider
+  - Name: Allow All Authentication
+    File: configuring_authentication_allow_all
+  - Name: Deny All Authentication
+    File: configuring_authentication_deny_all
+  - Name: HTPasswd Authentication
+    File: configuring_authentication_htpasswd
+  - Name: Keystone Authentication
+    File: configuring_authentication_keystone
+  - Name: LDAP Authentication
+    File: configuring_authentication_ldap
+  - Name: Basic Authentication (Remote) Authentication
+    File: configuring_authentication_basic_auth
+  - Name: Request Header Authentication
+    File: configuring_authentication_request_header
+  - Name: Github Authentication
+    File: configuring_authentication_github
+  - Name: Gitlab Authentication
+    File: configuring_authentication_gitlab
+  - Name: Google Authentication
+    File: configuring_authentication_google
+  - Name: OpenID Connect Authentication
+    File: configuring_authentication_openid
+  - Name: OAuth Options
+    File: configuring_authentication_oauth_options
+- Name: Preventing Access to the APIs
+  File: configuring_authentication_user_agent
 - Name: Setting up the Registry
   Dir: registry
   Distros: openshift-origin,openshift-enterprise
@@ -337,7 +371,6 @@ Topics:
     File: container_provider
   - Name: Uninstalling
     File: uninstalling
-
 - Name: Upgrading a Cluster
   Dir: upgrading
   Distros: openshift-origin,openshift-enterprise
@@ -516,6 +549,9 @@ Topics:
 - Name: Deploying External Persistent Volume Provisioners
   File: provisioners
   Distros: openshift-origin,openshift-enterprise
+- Name: Deploying CloudForms on OpenShift
+  File: deploying_cfme
+  Distros: openshift-enterprise
 - Name: Revision History
   File: revhistory_install_config
   Distros: openshift-enterprise

diff --git a/admin_guide/manage_users.adoc b/admin_guide/manage_users.adoc
@@ -23,7 +23,7 @@ be deleted.
 == Adding a User
 
 After new users log in to {product-title}, an account is created for that user
-per the xref:../install_config/configuring_authentication.adoc#identity-providers[identity
+per the xref:../install_config/authentication/index.adoc#identity-providers[identity
 provider] configured on the master. The cluster administrator can
 xref:../admin_guide/manage_authorization_policy.adoc#admin-guide-manage-authorization-policy[manage the access level of
 each user].

diff --git a/admin_solutions/authentication.adoc b/admin_solutions/authentication.adoc
@@ -13,7 +13,7 @@ toc::[]
 == Overview
 
 {product-title} supports many different authentication methods, as defined in
-xref:../install_config/configuring_authentication.adoc#install-config-configuring-authentication[Configuring Authentication]:
+xref:../install_config/authentication/index.adoc#install-config-configuring-authentication-index[Configuring Authentication]:
 
 - xref:basic-auth-remote[Basic Authentication (Remote)]
 - xref:request-header-auth[Request Header]
@@ -84,13 +84,12 @@ If you use the following steps to modify your configuration manually after insta
 +
 . Edit the new *_master-config.yaml_* file's `identityProviders` stanza.
 . Copy
-xref:../install_config/configuring_authentication.adoc#basic-auth-example-config[the example `BasicAuthPasswordIdentityProvider` configuration] and paste it to replace the existing stanza.
+xref:../install_config/authentication/configuring_authentication_basic_auth.adoc#basic-auth-example-config[the example `BasicAuthPasswordIdentityProvider` configuration] and paste it to replace the existing stanza.
 . Make the following modifications to the `identityProviders` stanza:
 .. Set the provider `name` to something unique and relevant to your
 deployment. This name is prefixed to the returned user ID to form an identity
 name.
-.. If required,
-xref:../install_config/configuring_authentication.adoc#mapping-identities-to-users[set `mappingMethod`] to control how mappings are established between the
+.. If required, set `mappingMethod` to control how mappings are established between the
 provider's identities and user objects.
 .. Specify the HTTPS `url` to use to connect to a server that accepts credentials in Basic authentication headers.
 .. Optionally, set the `ca` to the certificate bundle to use in order to validate server certificates for the configured URL, or leave it empty to use the system-trusted roots.
@@ -226,30 +225,29 @@ If you use the following steps to modify your configuration manually after insta
 ====
 +
 . Edit the new *_master-config.yaml_* file's `identityProviders` stanza.
-. View
-xref:../install_config/configuring_authentication.adoc#reqhead-auth-example-config[the example `RequestHeaderIdentityProvider` configuration]
+. View  
+xref:../install_config/authentication/configuring_authentication_request_header.adoc#reqhead-ww-auth-optional[the example RequestHeaderIdentityProvider configuration]
 and use it as a guide to replace the existing stanza.
 . Modify the `identityProviders` stanza based on which headers you plan to
 pass in.
 .. Set the provider `name` to something unique and relevant to your
 deployment. This name is prefixed to the returned user ID to form an identity
 name.
-.. If required,
-xref:../install_config/configuring_authentication.adoc#mapping-identities-to-users[set `mappingMethod`]
+.. If required, set `mappingMethod`
 to control how mappings are established between the provider's identities and
 user objects.
 .. Set the `challenge` parameter to `true` to redirect unauthenticated
 requests from clients expecting `WWW-Authenticate` challenges.
 .. Set the `provider.challengeURL` parameter to the proxy URL to which to send
 clients expecting `WWW-Authenticate` challenges, like the `oc` CLI client.
 This parameter can include the
-xref:../install_config/configuring_authentication.adoc#RequestHeaderIDP-urlquerytokens[`${url}` and `${query}` tokens]
+xref:../install_config/authentication/configuring_authentication_request_header.adoc#requestheaderidp-urlquerytokens[`${url}` and `${query}` tokens]
 in the query portion of the URL.
 .. Set the `login` parameter to `true` to redirect unauthenticated requests
 from clients expecting login flows.
 .. Set the `provider.loginURL` parameter to the proxy URL to which to send
 clients expecting login flows, like web browser clients. This parameter can include the
-xref:../install_config/configuring_authentication.adoc#RequestHeaderIDP-urlquerytokens[`${url}` and `${query}` tokens]
+xref:../install_config/authentication/configuring_authentication_request_header.adoc#requestheaderidp-urlquerytokens[`${url}` and `${query}` tokens]
 in the query portion of the URL.
 .. Set the `clientCA` parameter to the certificate bundle to use to check
 incoming requests for a valid client certificate before the request's headers
@@ -360,13 +358,12 @@ If you use the following steps to modify your configuration manually after insta
 +
 . Edit the new *_keystoneconfig/master-config.yaml_* file's `identityProviders` stanza.
 . Copy
-xref:../install_config/configuring_authentication.adoc#KeystonePasswordIdentityProvider[the example `KeystonePasswordIdentityProvider` configuration]
+xref:../install_config/authentication/configuring_authentication_keystone.adoc#install-config-configuring-authentication-keystone[the example `KeystonePasswordIdentityProvider` configuration]
 and paste it to replace the existing stanza.
 . Make the following modifications to the `identityProviders` stanza:
 .. Change the provider `name` ("my_keystone_provider") to match your Keystone server.
 This name is prefixed to provider user names to form an identity name.
-.. If required,
-xref:../install_config/configuring_authentication.adoc#mapping-identities-to-users[change `mappingMethod`] to control how mappings are established between the
+.. If required change `mappingMethod` to control how mappings are established between the
 provider's identities and user objects.
 .. Change the `domainName` to the domain name of your OpenStack Keystone server. In Keystone, user names are domain-specific. Only a single domain is supported.
 .. Specify the `url` to use to connect to your OpenStack Keystone server.
@@ -419,7 +416,7 @@ xref:../admin_solutions/user_role_mgmt.adoc#control-user-roles[control user role
 LDAP uses bind operations to authenticate applications, and you can integrate your {product-title} cluster to use LDAPv3 authentication.
 Configuring LDAP authentication allows users to log in to {product-title} with their LDAP credentials.
 
-include::install_config/configuring_authentication.adoc[tag=ldapblurb]
+include::install_config/authentication/configuring_authentication_ldap.adoc[tag=ldapblurb]
 
 [WARNING]
 ====
@@ -479,14 +476,13 @@ If you use the following steps to modify your configuration manually after insta
 +
 . Edit the new *_master-config.yaml_* file's `identityProviders` stanza.
 . Copy
-xref:../install_config/configuring_authentication.adoc#ldap-example-config[the example `LDAPPasswordIdentityProvider` configuration]
+xref:../install_config/authentication/configuring_authentication_ldap.adoc#ldap-example-config[the example `LDAPPasswordIdentityProvider` configuration]
 and paste it to replace the existing stanza.
 . Make the following modifications to the `identityProviders` stanza:
 .. Change the provider `name` ("my_ldap_provider") to something unique and
 relevant to your deployment. This name is prefixed to the returned user name to
 form an identity name.
-.. If required,
-xref:../install_config/configuring_authentication.adoc#mapping-identities-to-users[change `mappingMethod`] to control how mappings are established between the
+.. If required, change `mappingMethod` to control how mappings are established between the
 provider's identities and user objects.
 .. Change `id` to the attribute to use as the identity, which must be unique
 and immutable within the identity provider. This option can accept multiple
@@ -527,7 +523,7 @@ connect using TLS, and `ldap://` URLs are upgraded to TLS. When `true`, no TLS
 connection is made to the server, however, setting this to `true` creates an
 invalid configuration for LDAP.
 .. Define an RFC 2255 URL that
-xref:../install_config/configuring_authentication.adoc#ldap-url[specifies the LDAP host and search parameters] to use.
+xref:../install_config/authentication/configuring_authentication_ldap.adoc#ldap-url[specifies the LDAP host and search parameters] to use.
 . Save your changes and close the file.
 . Start the {product-title} API server, specifying the configuration file you just
 modified:
@@ -650,7 +646,7 @@ hostname that web browsers use to interact with your {product-title} cluster.
 ====
 . Edit the new *_master-config.yaml_* file's `identityProviders` stanza.
 . Copy
-xref:../install_config/configuring_authentication.adoc#GitHub[the example `GitHubIdentityProvider` configuration]
+xref:../install_config/authentication/configuring_authentication_github.adoc#github-auth-example-config[the example `GitHubIdentityProvider` configuration]
 and paste it to replace the existing stanza.
 . Make the following modifications to the `identityProviders` stanza:
 .. Change the provider `name` to match the callback URL you configured on

diff --git a/admin_solutions/master_node_config.adoc b/admin_solutions/master_node_config.adoc
@@ -238,7 +238,7 @@ You can then use the password file when configuring xref:config-htpasswd[HTPassw
 
 [NOTE]
 ====
-For more information on the `htpasswd` command, see xref:../install_config/configuring_authentication.adoc#HTPasswdPasswordIdentityProvider[HTPasswd Identity Provider].
+For more information on the `htpasswd` command, see xref:../install_config/authentication/configuring_authentication_htpasswd.adoc#install-config-configuring-authentication-htpasswd[Configuring the HTPasswd Identity Provider].
 ====
 
 [[master-node-config-manual]]

diff --git a/architecture/additional_concepts/authentication.adoc b/architecture/additional_concepts/authentication.adoc
@@ -17,7 +17,7 @@ requesting user to determine if the request should be allowed.
 
 ifdef::openshift-enterprise,openshift-origin[]
 As an administrator, you can
-xref:../../install_config/configuring_authentication.adoc#install-config-configuring-authentication[configure authentication]
+xref:../../install_config/authentication/index.adoc#install-config-configuring-authentication-index[configure authentication]
 using a xref:../../install_config/master_node_configuration.adoc#install-config-master-node-configuration[master
 configuration file].
 endif::[]
@@ -131,7 +131,7 @@ access tokens to authenticate themselves to the API.
 
 When a person requests a new OAuth token, the OAuth server uses the configured
 ifdef::openshift-enterprise,openshift-origin[]
-xref:../../install_config/configuring_authentication.adoc#install-config-configuring-authentication[identity
+xref:../../install_config/authentication/index.adoc#install-config-configuring-authentication-index[identity
 provider]
 endif::[]
 ifdef::openshift-dedicated[]
@@ -184,7 +184,7 @@ grantMethod: prompt <4>
 <1> The `name` of the OAuth client is used as the `client_id` parameter when making requests to `_<master>_/oauth/authorize` and `_<master>_/oauth/token`.
 <2> The `secret` is used as the `client_secret` parameter when making requests to `_<master>_/oauth/token`.
 <3> The `redirect_uri` parameter specified in requests to `_<master>_/oauth/authorize` and `_<master>_/oauth/token` must be equal to (or prefixed by) one of the URIs in `redirectURIs`.
-<4> The `grantMethod` is used to determine what action to take when this client requests tokens and has not yet been granted access by the user. Uses the same values seen in xref:../../install_config/configuring_authentication.adoc#grant-options[Grant Options].
+<4> The `grantMethod` is used to determine what action to take when this client requests tokens and has not yet been granted access by the user. Uses the same values seen in xref:../../install_config/authentication/configuring_authentication_oauth_options.adoc#install-config-configuring-authentication-oauth-grant[Grant Options].
 ====
 
 [[service-accounts-as-oauth-clients]]
@@ -553,7 +553,7 @@ All requests for OAuth tokens involve a request to `_<master>_/oauth/authorize`.
 Most authentication integrations place an authenticating proxy in front of this
 endpoint, or configure {product-title} to validate credentials against a backing
 ifdef::openshift-enterprise,openshift-origin[]
-xref:../../install_config/configuring_authentication.adoc#install-config-configuring-authentication[identity
+xref:../../install_config/authentication/index.adoc#install-config-configuring-authentication-index[identity
 provider].
 endif::[]
 ifdef::openshift-dedicated[]

diff --git a/architecture/additional_concepts/other_api_objects.adoc b/architecture/additional_concepts/other_api_objects.adoc
@@ -269,7 +269,7 @@ this token, if any.
 === Identity
 When a user logs into {product-title}, they do so using a configured
 ifdef::openshift-enterprise,openshift-origin[]
-xref:../../install_config/configuring_authentication.adoc#identity-providers[identity
+xref:../../install_config/authentication/index.adoc#install-config-configuring-authentication-index[identity
 provider].
 endif::[]
 ifdef::openshift-dedicated[]

diff --git a/architecture/index.adoc b/architecture/index.adoc
@@ -7,6 +7,7 @@
 :experimental:
 :linkattrs:
 
+
 ifdef::openshift-origin,openshift-online,openshift-enterprise,openshift-dedicated[]
 OpenShift v3 is a layered system designed to expose underlying Docker-formatted
 container image and Kubernetes concepts as accurately as possible, with a focus

diff --git a/install_config/authentication/configuring_authentication_allow_all.adoc b/install_config/authentication/configuring_authentication_allow_all.adoc
@@ -0,0 +1,141 @@
+[[install-config-configuring-authentication-allow]]
+= Configuring Allow All Authentication
+{product-author}
+{product-version}
+:data-uri:
+:icons:
+:experimental:
+:toc: macro
+:toc-title:
+:prewrap!:
+
+{nbsp} +
+
+
+You can configure the {product-title} master configuration file to use Allow All authentication in your cluster.
+
+[[install-config-configuring-authentication-allow-intro]]
+== Configuring the Allow All Identity Provider
+
+Setting the `AllowAllPasswordIdentityProvider` in the `identityProviders` stanza allows any non-empty user name and password to log in. This is the default
+identity provider when running {product-title} without a
+xref:../../install_config/master_node_configuration.adoc#install-config-master-node-configuration[master configuration file].
+
+To configure the Allow All identity provider:
+
+//tag::configuring_authentication_common_steps1[]
+
+. Edit the master configuration file:
++
+----
+/etc/origin/master/master-config.yaml
+----
+
+. Set the following parameters, as needed, or use the default values:
++
+----
+oauthConfig:
+  ...
+  identityProviders:
+  - challenge: true
+    login: true 
+---- 
++
+[cols="2a,8a",options="header"]
+|===
+|Parameter     | Description
+|`challenge` | When `true`, unauthenticated token requests from non-web
+clients (like the CLI) are sent a `WWW-Authenticate` challenge header. Not
+supported by all identity providers.
+
+To prevent cross-site request forgery (CSRF) attacks against browser clients
+Basic authentication challenges are only sent if a `X-CSRF-Token` header is
+present on the request. Clients that expect to receive Basic `WWW-Authenticate`
+challenges should set this header to a non-empty value.
+
+|`login`     | When `true`, unauthenticated token requests from web clients
+(like the web console) are redirected to a login page backed by this provider.
+Not supported by all identity providers.
+
+If you want users to be sent to a branded page before being redirected to
+the identity provider's login, then set `oauthConfig -> alwaysShowProviderSelection: true`. This provider selection page can be
+xref:../../install_config/web_console_customization.adoc#customizing-the-login-page[customized].
+|===
+//end::configuring_authentication_common_steps1[]
+
+. Specify the `mappingMethod` parameter to determine how identities are mapped to users.
+//tag::configuring_authentication_common_steps2[]
++
+----
+oauthConfig:
+  ...
+  identityProviders:
+  - mappingMethod: claim 
+----
++
+[cols="2,8"]
+|===
+|Parameter  | Description
+
+|`claim` | The default value. Provisions a user with the identity's preferred
+user name. Fails if a user with that user name is already mapped to another
+identity.
+
+|`lookup` | Looks up an existing identity, user identity mapping, and user,
+but does not automatically provision users or identities. This allows cluster
+administrators to set up identities and users manually, or using an external
+process. For more information on provisioning users with the `lookup` method,
+see xref:../../install_config/authentication/configuring_authentication_mapping_method.adoc#install-config-configuring-authentication-lookup[Manually Provisioning a User When Using the Lookup Mapping Method].
+
+|`generate` | Provisions a user with the identity's preferred user name. If a
+user with the preferred user name is already mapped to an existing identity, a
+unique user name is generated. For example, `myuser2`. This method should not be
+used in combination with external processes that require exact matches between
+{product-title} user names and identity provider user names, such as LDAP group
+sync.
+
+|`add` | Provisions a user with the identity's preferred user name. If a user
+with that user name already exists, the identity is mapped to the existing user,
+adding to any existing identity mappings for the user. Required when multiple
+identity providers are configured that identify the same set of users and map to
+the same user names.
+|===
+//end::configuring_authentication_common_steps2[]
+
+. Specify the following values to configure the Allow All provider:
++
+.Master Configuration Using `AllowAllPasswordIdentityProvider`
+====
+
+----
+oauthConfig:
+  ...
+  identityProviders:
+  - challenge: true 
+    login: true 
+    mappingMethod: claim 
+    name: my_allow_provider <1>    
+    provider:
+      apiVersion: v1
+      kind: AllowAllPasswordIdentityProvider <2>
+----
+<1> This provider name is prefixed to provider user names to form an identity
+name.
+<2> Specify *_AllowAllPasswordIdentityProvider_* as the provider kind.
+====
+//tag::restart-after-config-master[]
+. Restart the {product-title} service.
++
+ifdef::openshift-enterprise[]
+----
+# systemctl restart atomic-openshift-master
+----
+endif::[]
+ifdef::openshift-origin[]
+----
+# systemctl restart origin-master
+----
+endif::[]
+//end::restart-after-config-master[]
+
+
-Original file line number
+Diff line change
@@ Expand Up @@
     [NOTE]
     ====
-    For more information on the `htpasswd` command, see xref:../install_config/configuring_authentication.adoc#HTPasswdPasswordIdentityProvider[HTPasswd Identity Provider].
+    For more information on the `htpasswd` command, see xref:../install_config/authentication/configuring_authentication_htpasswd.adoc#install-config-configuring-authentication-htpasswd[Configuring the HTPasswd Identity Provider].
     ====
     [[master-node-config-manual]]
@@ Expand Down @@