
If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.
The openshift-authentication namespace handles OpenShift Authentication. By default, the openshift-authentication namespace contains a few objects, such as a deployment, one or more pods, a service, a route, one or more config maps, and one or more secrets. There will typically be a config map that contains the enabled authentication methods.
~]$ oc get configmaps --namespace openshift-authentication
NAME                                   DATA   AGE
kube-root-ca.crt                       1      161d
openshift-service-ca.crt               1      161d
v4-0-config-system-cliconfig           1      355d
v4-0-config-system-metadata            1      355d
v4-0-config-system-service-ca          1      355d
v4-0-config-system-trusted-ca-bundle   1      355d
In this example, the config map named v4-0-config-system-cliconfig in the openshift-authentication namespace contains an htpasswd identity provider. OpenShift can be configured with the following identity providers.
- GitHub
- htpasswd (flat file containing each user's username and password hash)
- keystone
- kubeadmin (default administrator user ID)
- LDAP
- OpenID Connect
~]$ oc get configmap v4-0-config-system-cliconfig --namespace openshift-authentication --output json
  "identityProviders": [
    {
      "challenge": true,
      "login": true,
      "mappingMethod": "claim",
      "name": "htpasswd_provider",
      "provider": {
        "apiVersion": "osin.config.openshift.io/v1",
        "file": "/var/config/user/idp/1/secret/v4-0-config-user-idp-1-file-data/htpasswd",
        "kind": "HTPasswdPasswordIdentityProvider"
      }
    }
  ],
Similarly, the oc get oauth command can be used to list the OAuth Identity Providers.
~]$ oc get oauth cluster --output yaml
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - htpasswd:
      fileData:
        name: htpasswd-secret
    mappingMethod: claim
    name: htpasswd_provider
    type: HTPasswd
Before adding or removing a user from an htpasswd Identity Provider, you can use the oc get identities command to determine whether the user is currently associated with the htpasswd identity provider.
~]$ oc get identities
NAME                         IDP NAME            IDP USER NAME   USER NAME   USER UID
htpasswd_provider:john.doe   htpasswd_provider   john.doe        john.doe    6b9b184a-cfea-44bf-ad62-a4a3454881cc
Add a user to an htpasswd Identity Provider
Let's say you want to add jane.doe to your htpasswd Identity Provider. In this scenario, you would use the htpasswd command with the -b and -B flags to add jane.doe to your htpasswd file (-B stores a bcrypt hash; -b takes the password from the command line, so it may be recorded in your shell history).
htpasswd -b -B /usr/local/share/users.htpasswd jane.doe itsasecret
And then the following command can be used to update the htpasswd secret.
oc create secret generic htpasswd-secret --from-file=htpasswd=/usr/local/share/users.htpasswd --dry-run=client --output yaml --namespace openshift-config | oc replace -f -
Remove a user from an htpasswd Identity Provider
Let's say you want to remove john.doe from your htpasswd Identity Provider. In this scenario, you would use the htpasswd command with the -D flag to remove john.doe from your htpasswd file.
~]# htpasswd -D /usr/local/share/users.htpasswd john.doe
Deleting password for user john.doe
And then the following command can be used to update the htpasswd secret.
oc create secret generic htpasswd-secret --from-file=htpasswd=/usr/local/share/users.htpasswd --dry-run=client --output yaml --namespace openshift-config | oc replace -f -
Then delete the user's account.
oc delete user john.doe
And delete the user's identity.
oc delete identity htpasswd_provider:john.doe
Validation
After the htpasswd secret has been updated, the following command can be used to return the base64 encoded secret data.
~]$ oc get secret htpasswd-secret --namespace openshift-config --output yaml
apiVersion: v1
data:
  htpasswd: am9obi5kb2U6JDJ5JDA1JGNrRVM0T3VTM2NVUGI2cm1pdWdDLi5aZU1tMTVYWkRhSXJ5UEhDZzB0MHNNNDdOLi80M3BXCmphbmUuZG9lOiQyeSQwNSREdng2UWRLTTYuU1lDaHFHS0xBN1VlVnpTQWZxL0JvU3E5WmhLS0sxdERJMjdVUnp2LjJDSwo=
kind: Secret
type: Opaque
And then the base64 --decode command can be used to validate that the secret data exactly matches your users.htpasswd file.
~]$ echo am9obi5kb2U6JDJ5JDA1JGNrRVM0T3VTM2NVUGI2cm1pdWdDLi5aZU1tMTVYWkRhSXJ5UEhDZzB0MHNNNDdOLi80M3BXCmphbmUuZG9lOiQyeSQwNSREdng2UWRLTTYuU1lDaHFHS0xBN1VlVnpTQWZxL0JvU3E5WmhLS0sxdERJMjdVUnp2LjJDSwo= | base64 --decode
john.doe:$2y$05$ckES4OuS3cUPb6rmiugC..ZeMm15XZDaIryPHCg0t0sM47N./43pW
jane.doe:$2y$05$Dvx6QdKM6.SYChqGKLA7UeVzSAfq/BoSq9ZhKKK1tDI27URzv.2CK
And you should be able to log in as the htpasswd users.
~]$ oc login -u john.doe
Authentication required for https://api.openshift.example.com:6443 (openshift)
Username: john.doe
Password:
Login successful.
~]$ oc login -u jane.doe
Authentication required for https://api.openshift.example.com:6443 (openshift)
Username: jane.doe
Password:
Login successful.
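The validation above, plus the check that no identity is left behind after a removal, as an added example script that is not part of the original article. It assumes the article's names (the htpasswd-secret secret in openshift-config, the htpasswd_provider IDP, /usr/local/share/users.htpasswd) and a logged-in oc session for the live check; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the article. Assumes the article's names: the
# htpasswd-secret Secret in openshift-config, the htpasswd_provider IDP,
# and a local /usr/local/share/users.htpasswd. Function names are mine.

# Usernames (text before the first ':') in an htpasswd file, sorted.
htpasswd_users() {
    cut -d: -f1 "$1" | sort -u
}

# Decode the base64 value stored under .data.htpasswd in the Secret.
decode_secret_data() {
    printf '%s' "$1" | base64 -d
}

# Exit 0 when the decoded secret is byte-for-byte identical to the file.
secret_matches_file() {
    decode_secret_data "$1" | cmp -s - "$2"
}

# Print identities of IDP $1 (newline-separated "idp:user" names in $3) whose
# user is no longer in the htpasswd file $2: stale objects to delete.
stale_identities() {
    sidp="$1"; sfile="$2"; sids="$3"
    susers=$(htpasswd_users "$sfile")
    printf '%s\n' "$sids" | grep "^${sidp}:" | while IFS= read -r sid; do
        suser=${sid#"${sidp}:"}
        printf '%s\n' "$susers" | grep -qxF -- "$suser" || printf '%s\n' "$sid"
    done
}

# Live check: needs oc and a logged-in session that can read openshift-config.
check_cluster() {
    cfile=${1:-/usr/local/share/users.htpasswd}
    cdata=$(oc get secret htpasswd-secret --namespace openshift-config \
        --output jsonpath='{.data.htpasswd}')
    if secret_matches_file "$cdata" "$cfile"; then
        echo "secret matches $cfile"
    else
        echo "secret differs from $cfile; re-run oc create secret ... | oc replace" >&2
        return 1
    fi
    cids=$(oc get identities \
        --output jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}')
    stale_identities htpasswd_provider "$cfile" "$cids"
}

if [ "${1-}" = "--cluster" ]; then
    check_cluster "${2-}"
fi
```

Run it as `sh check-htpasswd.sh --cluster [path-to-htpasswd-file]`; any line it prints after the match message is an identity whose user has been removed from the file but not yet deleted with oc delete identity.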