Balkrishna Pandey

How to handle htpasswd authentication, authorization and project access in OpenShift?

What is an OpenShift project/namespace?

An OpenShift project is a logical separation of resources within a single OpenShift deployment. A project is a collection of objects that can be accessed by the users belonging to that project. A project allows an administrator to control who has access to what within a deployment.

A project can also be used to isolate resources from one another. For example, two different applications running in separate projects can share the same cluster resources but cannot access each other's data.

Pre-defined roles in OpenShift

OCP includes a default set of roles that you can bind to users and groups.

OpenShift pre-defined roles (Source: Red Hat)

You can bind these roles cluster-wide or locally.

If you bind the cluster-admin role cluster-wide, users will have cluster-admin permission across the whole cluster.
If you bind the cluster-admin role locally (in a project), users will only have admin access to that project.

Let's see this in action.

Create a new OpenShift project

First, we have to create an OpenShift project (namespace). This is simple: log into the OpenShift console, navigate to "Home -> Projects", and click the "Create Project" button. Enter the name of your project and click "Create".

Create New Openshift Project

Your new project will be created, and you will be redirected to it.

New Openshift Project

You can also create a project using the oc CLI as follows:

oc new-project goglides

Configuring an HTPasswd identity provider

By default, OpenShift creates only one user, called kubeadmin. There are various ways users can be created in an OpenShift cluster. The key idea is to use an identity provider rather than managing users manually.

In this blog, we are exploring the HTPasswd method to manage usernames and passwords.

The htpasswd command is required for this. Run it on a server that already has htpasswd installed; if your host doesn't have it, install the package yourself.

First, create an empty htpasswd file.

touch htpasswd

Now use the htpasswd command to add usernames and passwords to that file as follows:

htpasswd -Bb htpasswd goglides iam@Goglides
htpasswd -Bb htpasswd tiger-team SuperCoolPassword
htpasswd -Bb htpasswd qa-team b0kka-6

Output:

Adding password for user goglides
Adding password for user tiger-team
Adding password for user qa-team

If you cat the htpasswd file, you will see output similar to this:

goglides:$2y$05$BifSIw4GquB9v0YEGlzv4eQe230rZPDSku5AgeWLBS7M9itkgsTsC
tiger-team:$2y$05$U4wIS2k7GikRNVu1t9QRZ.MiDx.pVvJyvg8HTXBxgDMBh..NVNyLC
qa-team:$2y$05$uZVmPaALXl31W.czlSo18uHxt2zHloLY47hcjaUkWjyKri5jAoSU6
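Two things worth checking before this file goes into the cluster: that every entry is a bcrypt hash (the `$2y$` prefix that `htpasswd -B` writes, rather than the older MD5, SHA-1 or crypt formats that htpasswd also accepts), and that no username is listed twice. Note also that `-b` takes the password from the command line, so it ends up in your shell history; running htpasswd without `-b` prompts for it instead. The script below is an added example, not part of the original post: it audits an htpasswd file with nothing but POSIX sh and awk. The sample file it builds is constructed from the three bcrypt lines above plus two made-up weak entries.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an htpasswd file before
# it is loaded into the openshift-config Secret. Needs only POSIX sh and awk.
# Prefixes recognised: bcrypt ($2y$/$2a$/$2b$, what `htpasswd -B` writes),
# Apache MD5 ($apr1$), SHA-1 ({SHA}), traditional crypt (13-character field)
# and plain text (anything else).

# classify_hash HASH -> one word naming the algorithm
classify_hash() {
  case "$1" in
    '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
    '$apr1$'*)               echo md5-apr1 ;;
    '{SHA}'*)                echo sha1 ;;
    '')                      echo empty ;;
    *) if [ "${#1}" -eq 13 ]; then echo crypt; else echo plain; fi ;;
  esac
}

# audit_htpasswd FILE -> prints "user algorithm" per entry (plus "user duplicate"
# when a name repeats); returns 0 only when every entry is bcrypt and unique.
audit_htpasswd() {
  bad=0
  seen=" "
  while IFS=: read -r user hash; do
    [ -z "$user" ] && continue                      # skip blank lines
    algo=$(classify_hash "$hash")
    printf '%s %s\n' "$user" "$algo"
    [ "$algo" = bcrypt ] || bad=$((bad + 1))
    case "$seen" in
      *" $user "*) printf '%s duplicate\n' "$user"; bad=$((bad + 1)) ;;
    esac
    seen="$seen$user "
  done < "$1"
  [ "$bad" -eq 0 ]
}

# weak_entries FILE -> number of flagged lines (non-bcrypt or duplicate)
weak_entries() {
  audit_htpasswd "$1" | awk '$2 != "bcrypt" { n++ } END { print n + 0 }'
}

# Constructed sample: the three bcrypt lines from the post plus two made-up
# weak entries (an Apache MD5 hash and a plain-text password) to show what
# the audit flags.
make_sample() {
  f=${TMPDIR:-/tmp}/htpasswd-audit.$$
  cat > "$f" <<'EOF'
goglides:$2y$05$BifSIw4GquB9v0YEGlzv4eQe230rZPDSku5AgeWLBS7M9itkgsTsC
tiger-team:$2y$05$U4wIS2k7GikRNVu1t9QRZ.MiDx.pVvJyvg8HTXBxgDMBh..NVNyLC
qa-team:$2y$05$uZVmPaALXl31W.czlSo18uHxt2zHloLY47hcjaUkWjyKri5jAoSU6
legacy-user:$apr1$madeup00$notARealHash0000000000
contractor:plaintextpassword
EOF
  echo "$f"
}

# Demo when run directly: audit the sample and report.
sample=$(make_sample)
if audit_htpasswd "$sample"; then
  echo "OK: every entry uses bcrypt"
else
  echo "WARNING: $(weak_entries "$sample") entries need re-hashing with htpasswd -B"
fi
rm -f "$sample"
```

Run it against your real file with `audit_htpasswd htpasswd`; a non-zero exit status makes it usable as a gate in whatever pipeline publishes the Secret.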

Now, create a Secret in the openshift-config project. OpenShift reads the usernames and password hashes from this Secret when it authenticates users:

oc create secret generic htpass-secret --from-file=htpasswd=htpasswd -n openshift-config 

Output:

secret/htpass-secret created

Now we have to make the OAuth object reference this Secret. The OAuth object holds cluster-wide OAuth configuration. By default, its spec is empty, as you can see in the following output:

oc get oauth cluster -o yaml

Output:

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
    release.openshift.io/create-only: "true"
  creationTimestamp: "2022-06-20T22:49:25Z"
  generation: 1
  name: cluster
  ownerReferences:
  - apiVersion: config.openshift.io/v1
    kind: ClusterVersion
    name: version
    uid: 4dfd503a-288e-4c3b-ae67-33ffb11b9511
  resourceVersion: "1779"
  uid: ed759d21-98a4-4c84-b598-19dd990173c8
spec: {}

Now you can update the OAuth custom resource so that it references the Secret you just created, as follows:

oc apply -f - <<EOF
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: HTPasswd
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret
EOF

Now, if you get the YAML output again, you will see the following:

...
spec:
  identityProviders:
  - htpasswd:
      fileData:
        name: htpass-secret
    mappingMethod: claim
    name: HTPasswd
    type: HTPasswd

You can use the HTPasswd approach to authenticate users, as shown in the following screenshots.

Openshift HTPasswd Login page

Grant pre-defined roles to users

You can bind pre-defined roles to users. For example, if you want to grant view access to the goglides user in the istio-system namespace, you can run the following command:

oc adm policy add-role-to-user view goglides -n istio-system

Output:

clusterrole.rbac.authorization.k8s.io/view added: "goglides"

Grant admin access by creating custom groups

You can run the following command to bind the cluster-admin role to a user; because of -n, this binding is local to the istio-system project, so the user gets admin rights there only:

oc adm policy add-role-to-user cluster-admin goglides -n istio-system

Output:

clusterrole.rbac.authorization.k8s.io/cluster-admin added: "goglides"

If you do not want to assign pre-defined roles to users directly, you can create new groups, add users to those groups, and then grant admin permission to the groups.

For this, create a localadmins group as follows:

oc adm groups new localadmins

Output:

group.user.openshift.io/localadmins created

Now you can add the users to the group:

oc adm groups add-users localadmins goglides tiger-team qa-team

Output:

group.user.openshift.io/localadmins added: ["goglides" "tiger-team" "qa-team"]

Finally, grant the cluster-admin role to the group:

oc adm policy add-cluster-role-to-group cluster-admin localadmins

Verification

Run the following command before you log in with any of the htpasswd-based users:

oc get users

Initially, this command returns nothing. Now log in as one of the users from your htpasswd file and rerun the same command. You will start seeing the new users:

Output:

NAME         UID                                    FULL NAME   IDENTITIES
goglides     49f6152e-bd16-4c27-a31b-e2d9fd8a666d                HTPasswd:goglides
tiger-team   31765f8c-e998-4489-8329-6fbf0970f6fa                HTPasswd:tiger-team

These users should also have admin permissions, since they are members of the localadmins group.

Remove users from the admin group

Removing a user from the localadmins group is easy; run the following command:

oc adm groups remove-users localadmins goglides

Output:

group.user.openshift.io/localadmins removed: "goglides"
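Listing users with `oc get users` shows that logins work, but it says nothing about whether the bindings above gave each user exactly the access you intended. `oc auth can-i` with impersonation (`--as=USER`) answers that from the cluster's own RBAC evaluation without having to log in as each user. The script below is an added example, not part of the original post. It assumes you are logged in as a cluster-admin (impersonation requires it), that oc is on PATH, and that the users and the istio-system project from the post exist. The expectation table it writes is constructed to describe the end state of the post: goglides holds view plus a project-local cluster-admin binding in istio-system only (it was just removed from localadmins), while tiger-team and qa-team remain cluster admins through the localadmins group.

```shell
#!/bin/sh
# Added example, not code from the original post: confirm that the role and
# group bindings really produce the access you intended, using
# `oc auth can-i` with impersonation (--as). Assumes a cluster-admin login,
# oc on PATH, and the users/project named in the post.

OC=${OC:-oc}   # binary to call; override to point tests at a stub

# can_i USER VERB RESOURCE [NAMESPACE] -> prints "yes" or "no" as oc reports it
# (cluster scope when NAMESPACE is empty). Always returns 0 so callers can
# capture the answer even though oc exits 1 for "no".
can_i() {
  if [ -n "$4" ]; then
    "$OC" auth can-i "$2" "$3" --as="$1" -n "$4" 2>/dev/null || true
  else
    "$OC" auth can-i "$2" "$3" --as="$1" 2>/dev/null || true
  fi
}

# check_access FILE -> FILE holds lines "user verb resource namespace expected",
# with "-" as the namespace for cluster-scoped checks and # for comments.
# Prints PASS/FAIL per line; returns 1 if anything deviates.
check_access() {
  fails=0
  while read -r user verb resource ns expected; do
    case "$user" in ''|'#'*) continue ;; esac
    [ "$ns" = "-" ] && ns=""
    got=$(can_i "$user" "$verb" "$resource" "$ns")
    if [ "$got" = "$expected" ]; then
      printf 'PASS %-12s %-6s %-8s %-14s -> %s\n' \
        "$user" "$verb" "$resource" "${ns:-cluster}" "$got"
    else
      printf 'FAIL %-12s %-6s %-8s %-14s -> %s (expected %s)\n' \
        "$user" "$verb" "$resource" "${ns:-cluster}" "$got" "$expected"
      fails=$((fails + 1))
    fi
  done < "$1"
  [ "$fails" -eq 0 ]
}

# Constructed expectation table for the end state of the post: goglides has
# view and a project-local cluster-admin binding in istio-system only (it was
# removed from localadmins); tiger-team and qa-team are cluster admins through
# the localadmins group.
write_expectations() {
  f=${TMPDIR:-/tmp}/rbac-expect.$$
  cat > "$f" <<'EOF'
# user        verb    resource  namespace     expected
goglides      get     pods      istio-system  yes
goglides      delete  pods      istio-system  yes
goglides      list    nodes     -             no
tiger-team    list    nodes     -             yes
qa-team       delete  pods      istio-system  yes
EOF
  echo "$f"
}

# When run directly: check the table against the live cluster (skipped if no oc).
if command -v "$OC" >/dev/null 2>&1; then
  table=$(write_expectations)
  check_access "$table" || echo "some bindings differ from the expected end state"
  rm -f "$table"
else
  echo "$OC not found; nothing checked"
fi
```

Keeping the table in version control next to the htpasswd file turns it into a regression check: rerun it after every group or role change, and a FAIL line tells you which user gained or lost something you did not intend.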
