
OpenShift V3 identity and user changes



When https://github.com/openshift/origin/pull/1450 merges, the interaction between identities (what you log in with) and users (who you are in OpenShift) will change.


TL;DR:
Usernames for users that log into OpenShift using an identity provider (like "htpasswd", "anypassword", etc.) no longer contain the identity provider prefix.

Old and busted: 
    openshift ex new-project myproject --admin=anypassword:joe
    openshift ex policy add-role-to-user admin anypassword:joe -n myproject

New hotness:
    openshift ex new-project myproject --admin=joe
    openshift ex policy add-role-to-user admin joe -n myproject


Nitty-gritty:
Identities (what you log in with) and Users (who you are in OpenShift) have been made separate objects.

The first time you log in with a new Identity, OpenShift provisions an Identity object and corresponding User object.

If a User with your preferred username already exists, OpenShift will find a unique username that is available, and map your identity to it.

The linked pull request updates documentation in the origin repo to remove "anypassword:" prefixes from permission-granting and project-creating commands, but if you have scripts or documentation outside the repo, you will need to update them.


Example 1:
  1. Adam Brown logs in using the "anypassword" identity provider and the login "adam"
  2. His identity is "anypassword:adam"
  3. His preferred user name is "adam"
  4. Because that user name is available, OpenShift creates the user named "adam" and maps the identity "anypassword:adam" to it
  5. Adam Brown's OpenShift user name is "adam", and people would reference him as "adam" when granting permissions to him in OpenShift
  6. These objects can be inspected like this:

    $ osc get identities
    NAME                IDP NAME            IDP USER NAME       USER NAME           USER UID
    anypassword:adam    anypassword         adam                adam                1b712c2e-d715-11e4-8c13-3c970e4b7ffe

    $ osc get users
    NAME                UID                                    FULL NAME           IDENTITIES
    adam                1b712c2e-d715-11e4-8c13-3c970e4b7ffe                       anypassword:adam

    $ osc get useridentitymapping anypassword:adam
    NAME                IDENTITY            USER NAME           USER UID
    anypassword:adam    anypassword:adam    adam                1b712c2e-d715-11e4-8c13-3c970e4b7ffe

Example 2:
  1. Adam Clark later logs in using the "htpasswd" identity provider and the login "adam"
  2. His identity is "htpasswd:adam"
  3. His preferred user name is also "adam"
  4. Because that user name already exists, OpenShift creates the user named "adam2" and maps the identity "htpasswd:adam" to it
  5. Adam Clark's OpenShift user name is "adam2", and people would reference him as "adam2" when granting permissions to him in OpenShift
  6. Note that Adam Clark's login ("adam") is not the same as his OpenShift user name ("adam2")
  7. These objects can be inspected like this:

    $ osc get identities
    NAME                IDP NAME            IDP USER NAME       USER NAME           USER UID
    anypassword:adam    anypassword         adam                adam                1b712c2e-d715-11e4-8c13-3c970e4b7ffe
    htpasswd:adam       htpasswd            adam                adam2               1f4897a1-d715-11e4-8c13-3c970e4b7ffe

    $ osc get users
    NAME                UID                                    FULL NAME           IDENTITIES
    adam                1b712c2e-d715-11e4-8c13-3c970e4b7ffe                       anypassword:adam
    adam2               1f4897a1-d715-11e4-8c13-3c970e4b7ffe                       htpasswd:adam

    $ osc get useridentitymapping htpasswd:adam
    NAME                IDENTITY            USER NAME           USER UID
    htpasswd:adam       htpasswd:adam       adam2               1f4897a1-d715-11e4-8c13-3c970e4b7ffe
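
Added example, not part of the original message: because a login ("adam") can map to a different user name ("adam2"), a script that grants roles should resolve the identity to its user name rather than strip the provider prefix. The function names below are hypothetical, and the parsing assumes the five-column `osc get identities` layout shown above with no spaces inside a value.

```shell
#!/bin/sh
# Added example: audit identity-to-user mappings from `osc get identities`.
# Assumption: five columns per data row, as in the output shown above.

# Constructed sample input: the identities table from Example 2.
sample_identities() {
cat <<'EOF'
NAME                IDP NAME            IDP USER NAME       USER NAME           USER UID
anypassword:adam    anypassword         adam                adam                1b712c2e-d715-11e4-8c13-3c970e4b7ffe
htpasswd:adam       htpasswd            adam                adam2               1f4897a1-d715-11e4-8c13-3c970e4b7ffe
EOF
}

# resolve_user IDENTITY   (identities table on stdin)
# Prints the user name to reference when granting permissions to that
# identity. Returns non-zero if the identity is not in the table.
resolve_user() {
    awk -v id="$1" 'NR > 1 && NF == 5 && $1 == id { print $4; found = 1 }
                    END { exit !found }'
}

# login_mismatches   (identities table on stdin)
# Lists identities whose login differs from the mapped user name, i.e.
# the cases where stripping the provider prefix names the wrong user.
login_mismatches() {
    awk 'NR > 1 && NF == 5 && $3 != $4 {
             printf "%s login=%s user=%s\n", $1, $3, $4 }'
}

# ambiguous_logins   (identities table on stdin)
# Lists logins used under more than one identity provider, followed by
# the distinct users they map to.
ambiguous_logins() {
    awk 'NR > 1 && NF == 5 { n[$3]++; users[$3] = users[$3] " " $4 }
         END { for (l in n) if (n[l] > 1) print l ":" users[l] }'
}

# Demo on the constructed sample; on a live server, pipe the output of
# `osc get identities` into the functions instead.
sample_identities | login_mismatches
```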


