OpenShift Users

Identity providers
  • Allow all – allows any user with any password
  • Deny all – denies all users
  • HTPasswd – uses htpasswd basic auth.  /etc/origin/master holds the master-config.yaml file, which tells you which OAuth identity provider you are using.  The htpasswd file is usually located at /etc/origin/master/htpasswd.  Set up a user – htpasswd -b /etc/origin/master/htpasswd <user> <passwd>
  • Keystone – used with OpenStack
  • LDAP – connection with LDAP authentication
  • Basic auth remote – generic backend for remote authentication backends
  • Request header – uses header values such as X-Remote-User.  Kubernetes, LDAP or SAML authentication can do this
User access
A newly set up user starts as a basic user.  To elevate a user's access, use “oc adm policy”.  To give cluster admin, run “oc adm policy add-cluster-role-to-user cluster-admin <user>”.
oc get clusterroles
    • gives the options for roles to give or take from users
Users and groups are cluster-wide.
Self-provisioners. To remove this role from all users:
  • oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated system:authenticated:oauth
View/Edit role on a project
  • Give a user view access to a project
  • oc adm policy add-role-to-user view <user> -n <project>
  • You can give “edit” by replacing view with edit.
Consolidate users to groups
  • oc adm groups new <group-name> <user1> <user2>
  • After you have the group, you can add self-provisioning to the group
  • oc adm policy add-cluster-role-to-group self-provisioner <group>
  • Now the new group can create projects
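
A check to run after the steps above, as an added example (not part of the original notes): it reads cluster role binding JSON and reports whether a catch-all group such as system:authenticated:oauth still holds cluster-admin or self-provisioner. The JSON layout, the sample data and the function names are assumptions constructed for illustration.

```python
import json

# Roles this page grants or revokes, and the catch-all groups that should
# not hold them once access is consolidated into named groups.
WATCHED_ROLES = {"cluster-admin", "self-provisioner"}
BROAD_GROUPS = {"system:authenticated", "system:authenticated:oauth",
                "system:unauthenticated"}

# Constructed sample, shaped like `oc get clusterrolebindings -o json`
# (assumed layout: items[].roleRef.name and items[].subjects[]).
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "cluster-admins"},
     "roleRef": {"name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"metadata": {"name": "self-provisioners"},
     "roleRef": {"name": "self-provisioner"},
     "subjects": [{"kind": "Group", "name": "system:authenticated:oauth"},
                  {"kind": "Group", "name": "developers"}]},
    {"metadata": {"name": "self-provisioners-old"},
     "roleRef": {"name": "self-provisioner"},
     "subjects": None},  # binding left empty after a removal
    {"metadata": {"name": "basic-users"},
     "roleRef": {"name": "basic-user"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]})


def holders(bindings_json):
    """Map each watched role to the sorted (kind, name) subjects bound to it."""
    result = {role: set() for role in WATCHED_ROLES}
    for item in json.loads(bindings_json).get("items", []):
        role = item.get("roleRef", {}).get("name")
        if role not in WATCHED_ROLES:
            continue
        for subject in item.get("subjects") or []:  # subjects may be null
            result[role].add((subject.get("kind", ""), subject.get("name", "")))
    return {role: sorted(subjects) for role, subjects in result.items()}


def findings(bindings_json):
    """Return (role, group) pairs where a catch-all group holds a watched role."""
    return sorted((role, name)
                  for role, subjects in holders(bindings_json).items()
                  for kind, name in subjects
                  if kind == "Group" and name in BROAD_GROUPS)

if __name__ == "__main__":
    for role, group in findings(SAMPLE):
        print("REVIEW: %s is granted to every member of %s" % (role, group))
```

An empty result from findings() means only named users and groups hold the two roles.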