
Re: OpenShift V3 identity and user changes



From a security perspective, this change makes it up to the OpenShift admin to "reuse" a user name.  If an admin does not delete the original "adam" in Jordan's example, then any existing roles and policies will continue to refer solely to Adam Brown.  There will be an administrative operation to clean up roles and policies so that "adam" could be released for reuse eventually.

----- Original Message -----
> When https://github.com/openshift/origin/pull/1450 merges, the interaction
> between identities (what you log in with) and users (who you are in
> OpenShift) will change.
> 
> 
> TL;DR:
> Usernames for users that log into OpenShift using an identity provider (like
> "htpasswd", "anypassword", etc) no longer contain the identity provider
> prefix.
> 
> Old and busted:
> openshift ex new-project myproject --admin=anypassword:joe
> openshift ex policy add-role-to-user admin anypassword:joe -n myproject
> 
> New hotness:
> openshift ex new-project myproject --admin=joe
> openshift ex policy add-role-to-user admin joe -n myproject
> 
> 
> Nitty-gritty:
> Identities (what you log in with) and Users (who you are in OpenShift) have
> been made separate objects.
> 
> The first time you log in with a new Identity, OpenShift provisions an
> Identity object and corresponding User object.
> 
> If a User with your preferred username already exists, OpenShift will find a
> unique username that is available, and map your identity to it.
> 
> The linked pull request updates documentation in the origin repo to remove
> "anypassword:" prefixes from permission-granting and project-creating
> commands, but if you have scripts or documentation outside the repo, you
> will need to update it.
> 
> 
> Example 1:
> 
> 
>     1. Adam Brown logs in using the "anypassword" identity provider and the
>     login "adam"
>     2. His identity is "anypassword:adam"
>     3. His preferred user name is "adam"
>     4. Because that user name is available, OpenShift creates the user named
>     "adam" and maps the identity "anypassword:adam" to it
>     5. Adam Brown's OpenShift user name is "adam", and people would reference
>     him as "adam" when granting permissions to him in OpenShift
>     6. These objects can be inspected like this:
> 
>     $ osc get identities
>     NAME               IDP NAME      IDP USER NAME   USER NAME   USER UID
>     anypassword:adam   anypassword   adam            adam        1b712c2e-d715-11e4-8c13-3c970e4b7ffe
>     $ osc get users
>     NAME   UID                                    FULL NAME   IDENTITIES
>     adam   1b712c2e-d715-11e4-8c13-3c970e4b7ffe               anypassword:adam
>     $ osc get useridentitymapping anypassword:adam
>     NAME               IDENTITY           USER NAME   USER UID
>     anypassword:adam   anypassword:adam   adam        1b712c2e-d715-11e4-8c13-3c970e4b7ffe
> 
> Example 2:
> 
> 
>     1. Adam Clark later logs in using the "htpasswd" identity provider and
>     the login "adam"
>     2. His identity is "htpasswd:adam"
>     3. His preferred user name is also "adam"
>     4. Because that user name already exists, OpenShift creates the user
>     named "adam2" and maps the identity "htpasswd:adam" to it
>     5. Adam Clark's OpenShift user name is "adam2", and people would
>     reference him as "adam2" when granting permissions to him in OpenShift
>     6. Note that Adam Clark's login ("adam") is not the same as his OpenShift
>     user name ("adam2")
>     7. These objects can be inspected like this:
> 
>     $ osc get identities
>     NAME               IDP NAME      IDP USER NAME   USER NAME   USER UID
>     anypassword:adam   anypassword   adam            adam        1b712c2e-d715-11e4-8c13-3c970e4b7ffe
>     htpasswd:adam      htpasswd      adam            adam2       1f4897a1-d715-11e4-8c13-3c970e4b7ffe
>     $ osc get users
>     NAME    UID                                    FULL NAME   IDENTITIES
>     adam    1b712c2e-d715-11e4-8c13-3c970e4b7ffe               anypassword:adam
>     adam2   1f4897a1-d715-11e4-8c13-3c970e4b7ffe               htpasswd:adam
>     $ osc get useridentitymapping htpasswd:adam
>     NAME            IDENTITY        USER NAME   USER UID
>     htpasswd:adam   htpasswd:adam   adam2       1f4897a1-d715-11e4-8c13-3c970e4b7ffe
> 
> 
> 
> 
> _______________________________________________
> dev mailing list
> dev lists openshift redhat com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
> 

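The following is an added toy model of the identity-to-user provisioning and the name-reuse concern discussed in this thread; it is not OpenShift code and not from the pull request. It assumes an in-memory store, a hypothetical suffix rule (preferred name, then name + "2", name + "3", ...) that reproduces the "adam" / "adam2" outcome from the two examples, and role bindings that refer to users by name, so that deleting a user without the administrative cleanup step leaves bindings behind for whoever is next mapped to that name. The real implementation may differ in all of those details.

```python
"""Toy model (added example, not OpenShift's code) of identity -> user
provisioning and of why role cleanup matters before a user name is reused."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Identity:
    """What you log in with: an identity provider plus the login at that provider."""
    idp: str
    idp_user: str

    @property
    def name(self) -> str:
        return f"{self.idp}:{self.idp_user}"   # e.g. "anypassword:adam"


@dataclass
class Store:
    users: dict = field(default_factory=dict)          # user name -> set of identity names
    mappings: dict = field(default_factory=dict)       # identity name -> user name
    role_bindings: dict = field(default_factory=dict)  # (project, role) -> set of user names

    def login(self, identity: Identity) -> str:
        """Return the OpenShift user name for this identity, provisioning on first login."""
        if identity.name in self.mappings:             # already mapped: nothing changes
            return self.mappings[identity.name]
        user = self._unique_name(identity.idp_user)    # preferred name is the IDP login
        self.users[user] = {identity.name}
        self.mappings[identity.name] = user
        return user

    def _unique_name(self, preferred: str) -> str:
        """Hypothetical collision rule: first free one of name, name2, name3, ..."""
        if preferred not in self.users:
            return preferred
        n = 2
        while f"{preferred}{n}" in self.users:
            n += 1
        return f"{preferred}{n}"

    def add_role_to_user(self, role: str, user: str, project: str) -> None:
        """Equivalent of 'osc ex policy add-role-to-user ROLE USER -n PROJECT'."""
        self.role_bindings.setdefault((project, role), set()).add(user)

    def users_with_role(self, role: str, project: str) -> set:
        return set(self.role_bindings.get((project, role), set()))

    def delete_user(self, user: str, cleanup_roles: bool = False) -> None:
        """Delete the user and its identity mappings. Bindings refer to the user
        by name, so they survive unless the cleanup step is also performed."""
        for ident in self.users.pop(user, set()):
            self.mappings.pop(ident, None)
        if cleanup_roles:
            for subjects in self.role_bindings.values():
                subjects.discard(user)


def examples_1_and_2() -> tuple:
    """Both Adams log in; nobody is deleted. Returns (Brown's name, Clark's name,
    users holding admin on myproject)."""
    s = Store()
    brown = s.login(Identity("anypassword", "adam"))   # free -> "adam"
    s.add_role_to_user("admin", brown, "myproject")
    clark = s.login(Identity("htpasswd", "adam"))      # taken -> "adam2"
    return brown, clark, s.users_with_role("admin", "myproject")


def name_reuse_scenario(cleanup_roles: bool) -> tuple:
    """Admin deletes Brown's user 'adam', then Clark logs in and gets the freed name.
    Returns (Clark's user name, whether Clark now holds admin on myproject)."""
    s = Store()
    brown = s.login(Identity("anypassword", "adam"))
    s.add_role_to_user("admin", brown, "myproject")
    s.delete_user(brown, cleanup_roles=cleanup_roles)
    clark = s.login(Identity("htpasswd", "adam"))      # "adam" is free again
    return clark, clark in s.users_with_role("admin", "myproject")


if __name__ == "__main__":
    print(examples_1_and_2())              # ('adam', 'adam2', {'adam'})
    print(name_reuse_scenario(False))      # ('adam', True): stale binding inherited
    print(name_reuse_scenario(True))       # ('adam', False): cleanup done first
```

The point the model makes explicit is the one in the reply above: as long as the original user object exists, a second "adam" gets a different user name and inherits nothing; the moment an admin frees the name, any role bindings still naming "adam" apply to whoever is mapped to it next, which is why the cleanup of roles and policies has to precede releasing a name for reuse.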
