OpenShift - Update htpasswd Identity Provider

If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.

The OAuth server that handles OpenShift authentication runs in the openshift-authentication namespace. By default this namespace contains a few objects, such as a deployment, one or more pods, a service, a route, one or more config maps, and one or more secrets. There will typically be a config map that contains the enabled authentication methods.

~]$ oc get configmaps --namespace openshift-authentication
NAME                                   DATA   AGE
kube-root-ca.crt                       1      161d
openshift-service-ca.crt               1      161d
v4-0-config-system-cliconfig           1      355d
v4-0-config-system-metadata            1      355d
v4-0-config-system-service-ca          1      355d
v4-0-config-system-trusted-ca-bundle   1      355d

 

OpenShift can be configured with one or more identity providers, such as:

  • GitHub
  • htpasswd (flat file containing user names and password hashes)
  • Keystone
  • LDAP
  • OpenID Connect

Note that kubeadmin is not an identity provider. It is the temporary administrator account created during installation, and it is meant to be removed once a real identity provider is working and a cluster-admin user exists. In this example, the config map named v4-0-config-system-cliconfig in the openshift-authentication namespace contains an htpasswd identity provider. The data stored in this config map is a JSON document; only its identityProviders section is shown here.
~]$ oc get configmap v4-0-config-system-cliconfig --namespace openshift-authentication --output json
        "identityProviders": [
            {
                "challenge": true,
                "login": true,
                "mappingMethod": "claim",
                "name": "htpasswd_provider",
                "provider": {
                    "apiVersion": "osin.config.openshift.io/v1",
                    "file": "/var/config/user/idp/1/secret/v4-0-config-user-idp-1-file-data/htpasswd",
                    "kind": "HTPasswdPasswordIdentityProvider"
                }
            }
        ],

 

Similarly, the oc get oauth command can be used to list the OAuth identity providers. The OAuth resource named cluster is where identity providers are actually configured; the cliconfig config map above is generated from it by the authentication operator, so changes belong in the OAuth resource (and in the secret it references), not in the config map.

~]$ oc get oauth cluster --output yaml
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - htpasswd:
      fileData:
        name: htpasswd-secret
    mappingMethod: claim
    name: htpasswd_provider
    type: HTPasswd

 

Before adding or removing a user from an htpasswd Identity Provider, you can use the oc get identities command to determine if the user is currently associated with the htpasswd identity provider.

~]$ oc get identities
NAME                                                  IDP NAME           IDP USER NAME                               USER NAME       USER UID
htpasswd_provider:john.doe                            htpasswd_provider  john.doe                                    john.doe        6b9b184a-cfea-44bf-ad62-a4a3454881cc

 


Add a user to an htpasswd Identity Provider

Let's say you want to add jane.doe to your htpasswd Identity Provider. In this scenario, you would use the htpasswd command with the -B flag (bcrypt) to add jane.doe to your htpasswd file. The -b flag takes the password from the command line, which records it in your shell history and exposes it to other users via ps while the command runs; omit -b to be prompted for the password instead. Do not use -c here, since -c creates a new file and would discard the existing users.

htpasswd -b -B /usr/local/share/users.htpasswd jane.doe itsasecret

 

And then the following command can be used to update the htpasswd secret. The secret name (htpasswd-secret) and namespace (openshift-config) must match fileData.name in the OAuth resource shown above, otherwise the OAuth server never sees the new file. After the replace, the authentication operator rolls out new oauth-openshift pods; wait for them to be running (oc get pods --namespace openshift-authentication) before testing the login.

oc create secret generic htpasswd-secret --from-file=htpasswd=/usr/local/share/users.htpasswd --dry-run=client --output yaml --namespace openshift-config | oc replace -f -
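Before replacing the secret, it is worth checking that every entry in the file is a bcrypt hash, because the secret is readable by anyone who can read secrets in openshift-config, and MD5 (apr1), SHA-1, crypt(3) or plain-text entries are far cheaper to crack than bcrypt. The following POSIX shell script is an added example, not part of the original article or of OpenShift itself. It audits a constructed sample file (the two bcrypt entries from the secret shown later on this page plus a made-up MD5 entry) and returns non-zero if any entry is not bcrypt; the user name legacy.user and its hash are invented for the demonstration. Run it against your own file with audit_htpasswd /usr/local/share/users.htpasswd.

```shell
# Added example (not from the original article): audit an htpasswd file before
# loading it into the htpasswd-secret. Every line is USER:HASH. Bcrypt hashes
# start with $2y$ (or $2a$/$2b$) followed by the two-digit cost; apr1 MD5 starts
# with $apr1$, SHA-1 with {SHA}, anything else is crypt(3) or plain text.
# Prints one line per user and returns 1 if any entry is not bcrypt.
audit_htpasswd() {
    file=$1
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;                # skip blank lines and comments
        esac
        user=${line%%:*}
        hash=${line#*:}
        case $hash in
            '$2y$'*|'$2a$'*|'$2b$'*)
                cost=${hash#\$2?\$}; cost=${cost%%\$*}   # "$2y$05$..." -> "05"
                case $cost in
                    [0-9][0-9]) ;;
                    *) echo "WEAK  $user malformed bcrypt hash"; bad=1; continue ;;
                esac
                if [ "$cost" -lt 10 ]; then
                    # htpasswd defaults to cost 5; htpasswd -B -C 12 FILE USER re-hashes with a higher cost
                    echo "OK    $user bcrypt cost=$cost (low)"
                else
                    echo "OK    $user bcrypt cost=$cost"
                fi ;;
            '$apr1$'*) echo "WEAK  $user MD5 (apr1)"; bad=1 ;;
            '{SHA}'*)  echo "WEAK  $user SHA-1"; bad=1 ;;
            *)         echo "WEAK  $user plain text or crypt(3)"; bad=1 ;;
        esac
    done < "$file"
    return $bad
}

# Constructed sample data (not a real deployment): the two bcrypt entries are
# the ones stored in the secret on this page; legacy.user and its apr1 hash
# are made up to show what a failing audit looks like.
workdir=$(mktemp -d)
cat > "$workdir/good.htpasswd" <<'EOF'
john.doe:$2y$05$ckES4OuS3cUPb6rmiugC..ZeMm15XZDaIryPHCg0t0sM47N./43pW
jane.doe:$2y$05$Dvx6QdKM6.SYChqGKLA7UeVzSAfq/BoSq9ZhKKK1tDI27URzv.2CK
EOF
cp "$workdir/good.htpasswd" "$workdir/mixed.htpasswd"
echo 'legacy.user:$apr1$c3VwZXJz$0123456789abcdefghijkl' >> "$workdir/mixed.htpasswd"

audit_htpasswd "$workdir/good.htpasswd"
audit_htpasswd "$workdir/mixed.htpasswd" || echo "mixed.htpasswd has weak entries; re-hash them with: htpasswd -B FILE USER"
```

The cost check is there because htpasswd's bcrypt default is 5, which is on the low side; -C lets you raise it when (re)setting a password.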

 


Remove a user from an htpasswd Identity Provider

Let's say you want to remove john.doe from your htpasswd Identity Provider. In this scenario, you would use the htpasswd command with the -D flag to remove john.doe from your htpasswd file.

~]# htpasswd -D /usr/local/share/users.htpasswd john.doe
Deleting password for user john.doe

 

And then the following command can be used to update the htpasswd secret.

oc create secret generic htpasswd-secret --from-file=htpasswd=/usr/local/share/users.htpasswd --dry-run=client --output yaml --namespace openshift-config | oc replace -f -

 

Then delete the user's account.

oc delete user john.doe

 

And delete the user's identity.

oc delete identity htpasswd_provider:john.doe

Note that removing the entry from the htpasswd file only prevents new logins. A session that already holds an OAuth access token keeps working until that token expires, so a cluster admin should also check oc get oauthaccesstokens for tokens whose user name is john.doe and delete them.

 


Validation

After the htpasswd secret has been updated, the following command can be used to return the base64 encoded secret data. Keep in mind that base64 is an encoding, not encryption: anyone who can read secrets in openshift-config gets the password hashes and can attempt to crack them offline, which is why the entries should be bcrypt hashes (htpasswd -B).

~]$ oc get secret htpasswd-secret --namespace openshift-config --output yaml
apiVersion: v1
data:
  htpasswd: am9obi5kb2U6JDJ5JDA1JGNrRVM0T3VTM2NVUGI2cm1pdWdDLi5aZU1tMTVYWkRhSXJ5UEhDZzB0MHNNNDdOLi80M3BXCmphbmUuZG9lOiQyeSQwNSREdng2UWRLTTYuU1lDaHFHS0xBN1VlVnpTQWZxL0JvU3E5WmhLS0sxdERJMjdVUnp2LjJDSwo=
kind: Secret
type: Opaque

 

And then the base64 --decode command can be used to validate the secret data is an exact match of your users.htpasswd file.

~]$ echo am9obi5kb2U6JDJ5JDA1JGNrRVM0T3VTM2NVUGI2cm1pdWdDLi5aZU1tMTVYWkRhSXJ5UEhDZzB0MHNNNDdOLi80M3BXCmphbmUuZG9lOiQyeSQwNSREdng2UWRLTTYuU1lDaHFHS0xBN1VlVnpTQWZxL0JvU3E5WmhLS0sxdERJMjdVUnp2LjJDSwo= | base64 --decode 
john.doe:$2y$05$ckES4OuS3cUPb6rmiugC..ZeMm15XZDaIryPHCg0t0sM47N./43pW
jane.doe:$2y$05$Dvx6QdKM6.SYChqGKLA7UeVzSAfq/BoSq9ZhKKK1tDI27URzv.2CK
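Rather than eyeballing the decoded output, the comparison can be scripted. The following POSIX shell functions are an added example, not from the original article. verify_htpasswd_secret takes the base64 data exactly as oc get secret htpasswd-secret --namespace openshift-config --output jsonpath='{.data.htpasswd}' returns it and compares the decoded bytes with the local file, printing a diff when they differ; secret_users lists the user names the secret currently contains. The sample run uses the base64 string from the secret above and a constructed copy of users.htpasswd, so it works without a cluster.

```shell
# Added example (not from the original article). Checks that the htpasswd data
# stored in the secret is byte-for-byte identical to the local htpasswd file.
# Arguments: the base64 value of .data.htpasswd, path to the local file.
# Returns 0 on match, 1 on mismatch (and prints the diff), 2 on a decode error.
verify_htpasswd_secret() {
    encoded=$1
    file=$2
    decoded=$(mktemp) || return 2
    if ! printf '%s' "$encoded" | base64 --decode > "$decoded" 2>/dev/null; then
        rm -f "$decoded"
        echo "secret data is not valid base64" >&2
        return 2
    fi
    if cmp -s "$decoded" "$file"; then
        rm -f "$decoded"
        echo "secret matches $file"
        return 0
    fi
    echo "secret does NOT match $file (< secret, > file):"
    diff "$decoded" "$file" || true
    rm -f "$decoded"
    return 1
}

# User names present in the secret data, one per line. Useful for confirming
# that a removed user is really gone from what the OAuth server will load.
secret_users() {
    printf '%s' "$1" | base64 --decode | cut -d: -f1
}

# Constructed sample: the base64 value from the secret above, and a local
# users.htpasswd holding the same two entries.
SECRET_DATA='am9obi5kb2U6JDJ5JDA1JGNrRVM0T3VTM2NVUGI2cm1pdWdDLi5aZU1tMTVYWkRhSXJ5UEhDZzB0MHNNNDdOLi80M3BXCmphbmUuZG9lOiQyeSQwNSREdng2UWRLTTYuU1lDaHFHS0xBN1VlVnpTQWZxL0JvU3E5WmhLS0sxdERJMjdVUnp2LjJDSwo='
workdir=$(mktemp -d)
cat > "$workdir/users.htpasswd" <<'EOF'
john.doe:$2y$05$ckES4OuS3cUPb6rmiugC..ZeMm15XZDaIryPHCg0t0sM47N./43pW
jane.doe:$2y$05$Dvx6QdKM6.SYChqGKLA7UeVzSAfq/BoSq9ZhKKK1tDI27URzv.2CK
EOF

verify_htpasswd_secret "$SECRET_DATA" "$workdir/users.htpasswd"
secret_users "$SECRET_DATA"

# Simulate having run "htpasswd -D users.htpasswd john.doe" locally without
# yet updating the secret: the check fails and shows the stale entry.
grep -v '^john.doe:' "$workdir/users.htpasswd" > "$workdir/after-delete.htpasswd"
verify_htpasswd_secret "$SECRET_DATA" "$workdir/after-delete.htpasswd" || echo "secret is stale; run the oc replace step again"
```

cmp is used for the verdict because it compares bytes, so a missing trailing newline or a stray carriage return from editing the file on another system also shows up as a mismatch, which is what you want before the OAuth server parses it.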

 

And you should be able to log in as the htpasswd users.

~]$ oc login -u john.doe
Authentication required for https://api.openshift.example.com:6443 (openshift)
Username: john.doe
Password: 
Login successful.

~]$ oc login -u jane.doe
Authentication required for https://api.openshift.example.com:6443 (openshift)
Username: jane.doe
Password: 
Login successful.

 




Web design by yours truely - me, myself, and I   |   jeremy.canfield@freekb.net   |