Creating Openshift Users Using Htpasswd

Creating Users in OpenShift Using htpasswd

OpenShift is a powerful Kubernetes-based platform for containerized applications. Managing users and their access is crucial for maintaining a secure and efficient environment. One common method for user authentication in OpenShift is using `htpasswd`. In this article, we will walk through the steps to create users in OpenShift using `htpasswd`, and we will also explain key authentication and authorization concepts such as user, service account, role, role binding, and identity provider.

Step-by-Step Guide to Create Users in OpenShift Using htpasswd

Step 1: Install the `httpd-tools` Package

The httpd-tools package includes the htpasswd utility, which we will use to create the password file.

sudo yum install httpd -y

For Debian-based systems, use:

‍sudo apt-get install apache2-utils -y‍

‍

Step 2: Create the htpasswd File with bcrypt Encryption

Create a password file using htpasswd and ensure it uses bcrypt encryption for better security.

htpasswd -c -B -b /etc/origin/master/htpasswd <username> <password>

- `-c` creates a new file.

- `-B` uses bcrypt encryption.

- `-b` allows you to specify the password on the command line.

For example:

htpasswd -c -B -b /etc/origin/master/htpasswd johnDoe mySecurePass123

‍

Step 3: Create an OpenShift Secret with the htpasswd File

Create a secret in the openshift-config namespace using the htpasswd file.

oc create secret generic htpasswd-secret --from-file=htpasswd=/etc/origin/master/htpasswd -n openshift-config‍

‍

Step 4: Edit the OpenShift OAuth Configuration

Edit the OAuth configuration to use the htpasswd as an identity provider.

‍oc edit oauth cluster

Add the following configuration under spec.identityProviders:

- name: htpasswd_provider  
  mappingMethod: claim  
  type: HTPasswd  
  htpasswd:    
  	fileData:      
    	name: htpasswd-secret

Save the configuration.

Step 5: Watch the Pods in the `openshift-authentication` Namespace Recreate

After updating the OAuth configuration, the authentication pods will be recreated to apply the changes.

oc get pods -n openshift-authentication -w

‍

Wait until the old pods are terminated and the new pods are in the `Running` state.

‍

Step 6: Login as the new user

oc login -u johnDoe -p mySecurePass123

‍

Understanding Authentication and Authorization in OpenShift

User

In OpenShift, a user is an entity that can authenticate and interact with the system. Users can be human users or service accounts. Each user has a unique identity and can be assigned roles to determine what actions they can perform.

Service Account

A service account is a special type of user intended for applications, services, or system components. Service accounts allow these entities to authenticate to the OpenShift API and perform actions on resources. They are typically used for automation and running applications within the cluster.

Role

A role in OpenShift defines a set of permissions, or verbs, on a collection of resources. Roles are used to control access to resources within a project. For example, a role can define permissions to get, list, create, update, or delete pods.

Role Binding

A role binding assigns a role to a user or a service account, effectively granting them the permissions defined in the role. Role bindings can be project-specific (namespaced) or cluster-wide (cluster role bindings).

Identity Provider

An identity provider (IdP) is a system that manages user identities and provides authentication services. OpenShift supports multiple identity providers, including HTPasswd, LDAP, OAuth, and more. In this article, we used `htpasswd` as the identity provider, which authenticates users based on the credentials stored in an `htpasswd` file.

‍