Red Hat OpenShift – Configuring an htpasswd identity provider

After creating the cluster, the default kubeadmin user is available to log in to the new environment. However, there are several more secure ways to access your Red Hat OpenShift cluster: you can use identity providers such as LDAP, Keystone, Google, GitHub or OpenID Connect. Another one is HTPasswd, which is the easiest to configure and use.

OpenShift uses a built-in OAuth server to grant users tokens that authenticate them to the API.
You only need httpd-tools and the oc binary installed on your machine and the ability to log in to the cluster. This solution is a good entry point if you want to quickly grant permissions to your teammates, administrators, developers or other users. You can easily configure permissions, roles and cluster roles and take advantage of RBAC.

In this blog post, I will show how to configure the htpasswd identity provider in an OpenShift cluster. Remember, this solution is not recommended for production infrastructure; you should consider using, for example, LDAP instead. You can use this identity provider as a temporary solution for development, test or PoC setups.

1. Preparing HTPasswd identity provider

As I said at the beginning, make sure you have httpd-tools and the oc binary installed on your host.

To use the htpasswd identity provider we need to prepare a few things: an htpasswd file, a secret and an htpasswd identity provider custom resource (CR).

1. First, create the htpasswd file with a user name and password.

htpasswd -c -B -b users.htpasswd vmattroman SuperPasswd123#

-c -> create a new file
-B -> force bcrypt hashing of the password
-b -> use the password from the command line rather than prompting for it
users.htpasswd -> name of the file with the added users. If you want, you can use a different name.

2. The file users.htpasswd with the added vmattroman user was created. We can look inside to confirm that it contains the user and a hashed password.

3. Log in to the cluster from the shell. Create a new secret that contains the htpasswd users file.

oc create secret generic <secret-name> --from-file=htpasswd=<path-to-users.htpasswd-file> -n openshift-config

4. Then, create the Custom Resource YAML file.
spec/identityProviders/name -> name of your identity provider; choose whatever name you want
spec/identityProviders/mappingMethod -> leave claim as the default method. It's possible to use other methods like lookup or add; more information is available in the OpenShift documentation.
spec/identityProviders/htpasswd/fileData/name -> name of the htpasswd secret from the previous step
Save the file.
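The post does not show the YAML itself, so here is an added example (not the author's file) that renders the OAuth custom resource from a shell function. It assumes the provider name lab and the secret name htpass-secret used later in this post; the OAuth configuration object in OpenShift is a singleton always named cluster, and the mapping methods the OAuth server accepts are claim, lookup, generate and add.

```shell
#!/bin/sh
# Added example: render the OAuth custom resource for an HTPasswd identity
# provider. Arguments: provider name, secret name (lives in openshift-config),
# mapping method. Defaults are the values used in this post (assumption).
render_oauth_cr() {
  provider="${1:-lab}"            # assumption: provider called "lab"
  secret="${2:-htpass-secret}"    # assumption: secret called "htpass-secret"
  mapping="${3:-claim}"           # claim is the default mapping method
  validate_mapping_method "$mapping" || return 1
  cat <<EOF
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: ${provider}
    mappingMethod: ${mapping}
    type: HTPasswd
    htpasswd:
      fileData:
        name: ${secret}
EOF
}

# Reject mapping methods the OAuth server does not know, so a typo is caught
# locally instead of by the cluster after "oc apply".
validate_mapping_method() {
  case "$1" in
    claim|lookup|generate|add) return 0 ;;
    *) echo "unknown mappingMethod: $1" >&2; return 1 ;;
  esac
}

# Usage: render_oauth_cr lab htpass-secret claim > cr01.yaml && oc apply -f cr01.yaml
```

The mapping method matters for security: claim (the default) refuses to log a user in if the identity would map onto an existing User object owned by another provider, which is the safe behaviour when several providers are configured.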

5. You can list the two existing files and apply the Custom Resource file cr01.yaml to the Red Hat OpenShift cluster.
The base configuration is done 😉

oc apply -f cr01.yaml

2. Access to the Web Console as a new user

1. Let's log in to the Red Hat OpenShift Web Console.
As you can see, a second login method is now visible instead of just kube:admin.
The new identity provider is named lab, so click on it.

2. Type the username and password to log in.
And you're logged in as the new user, vmattroman! 😉 From this view (Developer) we can start to manage our space, create a new project, etc.

3. After switching from the Developer view to the Administrator view, we can confirm that user vmattroman doesn't have admin rights to make any major changes in the system, which was the intended purpose.
To change this, let's grant the user some permissions.

3. Define new permissions and check OAuth configuration

1. Log in to the cluster again from the shell and enter the command below to add the cluster-admin role to the vmattroman user. More information about roles and RBAC can be found in the OpenShift documentation.

cluster-admin is a super-user role that can perform any action in any project. When bound to a user with a local binding, they have full control over quota and every action on every resource in the project.

oc adm policy add-cluster-role-to-user cluster-admin vmattroman

2. Log out and log in to the Web Console again. Now the user has been granted higher permissions over the whole cluster (all projects/namespaces).

3. To check the OAuth configuration, go to Administration -> Cluster Settings and choose the Configuration tab. Find the configuration resource named "OAuth" and click on it.

4. Below, an identity provider is visible with name: lab, type: HTPasswd and mapping method: claim (the values from the Custom Resource).

4. Additional configuration

Add a new user

1. Retrieve the htpasswd file from the htpass-secret secret object and save the file:

oc get secret htpass-secret -ojsonpath={.data.htpasswd} -n openshift-config | base64 --decode > users.htpasswd

2. Add two new users (test01, test02):

htpasswd -bB users.htpasswd test01 pass01
htpasswd -bB users.htpasswd test02 pass02

3. Replace the htpass-secret Secret object with the updated users in the users.htpasswd file:

oc create secret generic htpass-secret --from-file=htpasswd=users.htpasswd --dry-run=client -o yaml -n openshift-config | oc replace -f -

4. We can list all users and identities existing in the cluster:

oc get users
oc get identities

Remove an existing user

1. Retrieve the htpasswd file from the htpass-secret Secret object and save the file:

oc get secret htpass-secret -ojsonpath={.data.htpasswd} -n openshift-config | base64 --decode > users.htpasswd

2. Remove a single user (test01):

htpasswd -D users.htpasswd test01

3. Replace the htpass-secret Secret object with the updated users in the users.htpasswd file:

oc create secret generic htpass-secret --from-file=htpasswd=users.htpasswd --dry-run=client -o yaml -n openshift-config | oc replace -f -

4. Delete the User object for user test01:

oc delete user test01

5. Delete the Identity object for the user test01:

oc delete identity lab:test01

6. List the users and identities existing in the cluster. User test01 is gone.
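The add-user and remove-user procedures above share the same fetch, edit and replace cycle, and step 2 of the first section ("look inside to confirm") calls for a check on the file's contents. The script below is an added example, not the author's code, that wraps both cycles in shell functions and adds the check a practitioner would want before pushing the file back: every line must be user:hash and every hash must be bcrypt (the $2y$/$2a$/$2b$ prefix htpasswd -B writes), so a file that was accidentally created without -B, or that carries a duplicate user, is rejected. It assumes oc is logged in, the secret is named htpass-secret in openshift-config and the provider is named lab (both from this post); the sample entries in SAMPLE_USERS are constructed, not real credentials, and the local helpers use only awk, so the self-check runs without a cluster.

```shell
#!/bin/sh
# Added example: helper functions for the htpasswd user lifecycle described in
# the post. Assumptions: oc is logged in, secret htpass-secret in openshift-config,
# identity provider named lab.
SECRET_NAME="${SECRET_NAME:-htpass-secret}"
PROVIDER="${PROVIDER:-lab}"

# Step 1 of both procedures: pull the current users file out of the secret.
fetch_users_file() {
  oc get secret "$SECRET_NAME" -o jsonpath='{.data.htpasswd}' -n openshift-config \
    | base64 --decode > "$1"
}

# Sanity check before the file goes back into the cluster: every line is
# "user:hash", every hash is bcrypt, no user appears twice. Prints offenders
# and returns 1 if anything is wrong.
check_htpasswd_file() {
  awk -F: '
    NF != 2 || $1 == "" || $2 == "" { print "malformed line " NR; bad = 1; next }
    $2 !~ /^\$2[aby]\$/             { print "non-bcrypt hash for user " $1; bad = 1 }
    seen[$1]++                      { print "duplicate user " $1; bad = 1 }
    END { exit bad }
  ' "$1"
}

# Exact match on the user field; returns 0 when the user has an entry.
user_exists() {
  awk -F: -v u="$2" '$1 == u { found = 1 } END { exit !found }' "$1"
}

# Remove a user's line (equivalent of "htpasswd -D" without the binary).
remove_user_line() {
  awk -F: -v u="$2" '$1 != u' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Step 3 of both procedures, guarded by the check above.
push_users_file() {
  check_htpasswd_file "$1" || return 1
  oc create secret generic "$SECRET_NAME" --from-file=htpasswd="$1" \
    --dry-run=client -o yaml -n openshift-config | oc replace -f -
}

# Steps 4 and 5 of the removal: drop the User and the provider-scoped Identity
# so the old name cannot be re-claimed silently.
remove_cluster_user() {
  oc delete user "$1"
  oc delete identity "${PROVIDER}:$1"
}

# Constructed sample (not real credentials): two bcrypt-shaped entries laid
# out as "htpasswd -B" writes them.
SAMPLE_USERS='vmattroman:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ0123456
test01:$2y$05$zyxwvutsrqponmlkjihgfeZYXWVUTSRQPONMLKJIHGFEDCBA9876543'

# Offline self-check of the local helpers on the sample: returns 0 when the
# sample passes, test01 can be found and removed, and an MD5 ($apr1$) entry
# is rejected by the check.
selfcheck() {
  f=$(mktemp) || return 1
  printf '%s\n' "$SAMPLE_USERS" > "$f"
  check_htpasswd_file "$f" || { rm -f "$f"; return 1; }
  user_exists "$f" test01 || { rm -f "$f"; return 1; }
  remove_user_line "$f" test01
  if user_exists "$f" test01; then rm -f "$f"; return 1; fi
  printf '%s\n' 'test02:$apr1$c0nstructed$md5hashmd5hash' >> "$f"
  if check_htpasswd_file "$f" >/dev/null; then rm -f "$f"; return 1; fi
  rm -f "$f"
  return 0
}

# Usage against a real cluster (not run here):
#   fetch_users_file users.htpasswd
#   user_exists users.htpasswd test01 || htpasswd -bB users.htpasswd test01 pass01
#   push_users_file users.htpasswd
#   remove_user_line users.htpasswd test01 && push_users_file users.htpasswd && remove_cluster_user test01
```

The Identity object name is provider:username, which is why the removal deletes lab:test01 and not just test01; leaving it behind would let a later entry with the same name in the file inherit the old User object and its role bindings.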

Summary

Configuration and management of HTPasswd is easy and straightforward. You can use it mainly for testing purposes and to learn how RBAC works in Red Hat OpenShift.

Keep looking at my blog, new posts are coming! There are so many more great features to explore 😉
