Configure OpenShift Authentication

RHODS itself has no particular authentication settings.
Instead, it relies on how OpenShift’s authentication has been configured.

Therefore, it’s important to have at least one Identity Provider configured.

The steps below will walk you through 2 fairly simple Identity Providers to get you started.

Log in to console.redhat.com

Make sure you are logged in https://console.redhat.com/.

Display detailed instructions:

Configure HTPasswd as an Identity Provider

This is a good option to use if you only need a single user and/or if you want to start by creating a Cluster Administrator account.

That is how we will set it up:

Add the Identity Provider

  • Choose the Access control tab for your cluster

  • Select Identity providers

  • Click the Dropdown to Add identity provider and choose HTPasswd

    add.htpass.idp1

  • On the next screen, keep all the defaults, including the suggested username and password

  • Make sure to save them somewhere
    They will not be shown again.

    add.htpass.idp2

  • click Add

Make this new user a Cluster-Admin

  • Select Cluster Roles and Access

    • Click Add User

      add.htpass.admin1

    • Enter the name of the admin- account that was created in the previous step, and choose Cluster-Admins

      add.htpass.admin2

    • Click Add User

Confirm you can log into OpenShift

  • To confirm, click on the blue button (Open Console).

    open.console

  • A new tab will open, prompting you to choose an Identity Provider+ choose HTPasswd, the one we just added

    choose.idp

  • On the next screen, enter the credentials that we were generated for you.

    enter.admin.creds

  • You should now be logged into the OpenShift Console

    logged.into.openshift

  • If your screen looks like the above, kudos, you’ve just created an admin account for your OpenShift cluster

The next section will show you how to use Github Authentication in order to easily grant access to many users.

Configure GitHub as an Identity provider for additional users

One of the fastest ways to grant access to many users is to add a GitHub Identity Provider to your OpenShift Cluster.

This only requires you (and them) to have a GitHub account.

If you’ve never done it before, the instructions below will guide you.

Create a GitHub Organization

  • Log into GitHub and go to the Organizations page

  • Create a new Org. (Must be an “Owner”)

    • Organizations → New Organization

      new.org

    • Choose to create a free Organization

      free.org

    • Fill out and indicate if creating an enterprise org

      org.name

Enforce 2FA for the GitHub Organization - (Optional but recommended)

  • This setting requires invited users to activate another authentication method. This will add a layer of security to their Github login, and therefore to the access to OpenShift and RHODS.

    require.twofa

Invite users to your organization

  • Your new Organization should now be ready

  • Invite additional users to the organization

    invite.member

Configure Github Identity provider in Red Hat Hybrid Cloud Console

  • The video below showcases the steps to be executed in order to configure the newly created Github Org as the authentication provider for the OpenShift Cluster.

    The steps shown in the video are described below:

  • In the Red Hat Hybrid Cloud console (https://console.redhat.com)

    • Select your cluster

    • Copy the link from Open console Button into the Homepage URL on Github

  • In Github (https://github.com/)

    • Select your Github organization and go to Settings

      org.settings

    • Go to Developer settings (bottom)

    • Select OAuth Apps

    • Click New OAuth App

  • In the Register a new OAuth page:

    • Choose an Application Name

    • Paste the URL of your cluster as the Homepage URL

  • Back in the Red Hat Hybrid Cloud console (https://console.redhat.com)

    • Select your cluster

    • Go to the Access Control tab

    • Click on Add identity provider

    • Select Github in the dropdown list

    • Edit the Name to something meaningful, such as Github-Auth

    • Copy the Oauth Callback URL

    • Paste that URL into the Github screen asking you for it

    • Click on the Register Application button in the github screen

    • On the next screen, copy the Client ID from Github into the Red Hat Hybrid Console screen

    • Click on Generate a new client secret and also copy that secret into the Red Hat Hybrid Console screen

    • Finally, enter the Github Organization name into the Red Hat Hybrid Console and click *Add

Make yourself and other GitHub users cluster-admins (Must be in Org)

  • Choose the Access control tab for your cluster

    • Select Cluster Roles and Access

    • Add user (Provide Github Username)

      add.htpass.admin1

    • Add your own Github ID as a Cluster-Admin

      github cluster admin

  • You should now be able to login using GitHub authentication

  • The first time you do so, you will be prompted to authorize the connection.

Remove the HTPasswd once your GitHub has access (optional)

  • Once you are able to log in as a Cluster-Admin using your own Github credentials, you can (and probably should) remove HTPasswd as a way to log in, as it is likely to be less secure than GitHub + MFA.

    delete.htp

Progress

400