
Re: OpenShift V3 identity and user changes




----- Original Message -----
> On 03/30/2015 04:09 PM, Jordan Liggitt wrote:
> > When https://github.com/openshift/origin/pull/1450 merges, the
> > interaction between identities (what you log in with) and users (who you
> > are in OpenShift) will change.
> > 
> > 
> > *TL;DR:*
> > Usernames for users that log into OpenShift using an identity provider
> > (like "htpasswd", "anypassword", etc) no longer contain the identity
> > provider prefix.
> > 
> > Old and busted:
> >     openshift ex new-project myproject --admin=anypassword:joe
> >     openshift ex policy add-role-to-user admin anypassword:joe -n myproject
> > 
> > New hotness:
> >     openshift ex new-project myproject --admin=joe
> >     openshift ex policy add-role-to-user admin joe -n myproject
> > 
> > 
> > *Nitty-gritty:*
> > Identities (what you log in with) and Users (who you are in OpenShift)
> > have been made separate objects.
> > 
> > The first time you log in with a new Identity, OpenShift provisions an
> > Identity object and corresponding User object.
> > 
> > If a User with your preferred username already exists, OpenShift will
> > find a unique username that is available, and map your identity to it.
> > 
> > The linked pull request updates documentation in the origin repo to
> > remove "anypassword:" prefixes from permission-granting and
> > project-creating commands, but if you have scripts or documentation
> > outside the repo, you will need to update it.
> > 
> > 
> > Example 1:
> > 
> >  1. Adam Brown logs in using the "anypassword" identity provider and the
> >     login "adam"
> >  2. His identity is "anypassword:adam"
> >  3. His preferred user name is "adam"
> >  4. Because that user name is available, OpenShift creates the user
> >     named "adam" and maps the identity "anypassword:adam" to it
> >  5. Adam Brown's OpenShift user name is "adam", and people would
> >     reference him as "adam" when granting permissions to him in OpenShift
> >  6. These objects can be inspected like this:
> > 
> >     $ osc get identities
> >     NAME                IDP NAME            IDP USER NAME       USER NAME           USER UID
> >     anypassword:adam    anypassword         adam                adam                1b712c2e-d715-11e4-8c13-3c970e4b7ffe
> > 
> >     $ osc get users
> >     NAME                UID                                    FULL NAME           IDENTITIES
> >     adam                1b712c2e-d715-11e4-8c13-3c970e4b7ffe                       anypassword:adam
> > 
> >     $ osc get useridentitymapping anypassword:adam
> >     NAME                IDENTITY            USER NAME           USER UID
> >     anypassword:adam    anypassword:adam    adam                1b712c2e-d715-11e4-8c13-3c970e4b7ffe
> > 
> > Example 2:
> > 
> >  1. Adam Clark later logs in using the "htpasswd" identity provider and
> >     the login "adam"
> >  2. His identity is "htpasswd:adam"
> >  3. His preferred user name is also "adam"
> >  4. Because that user name already exists, OpenShift creates the user
> >     named "adam2" and maps the identity "htpasswd:adam" to it
> >  5. Adam Clark's OpenShift user name is "adam2", and people would
> >     reference him as "adam2" when granting permissions to him in OpenShift
> >  6. Note that Adam Clark's login ("adam") is not the same as his
> >     OpenShift user name ("adam2")
> 
> How does A Clark find this out?

It would be returned by various user info mechanisms (whoami) on the cluster.  The important place is when you are assigning access to someone, but that already requires more info than just username to make a good decision (email, display name, team, manager, etc).

> 
> Is the naming scheme configurable?

Unlikely for 3.0.  What would you want?

> 
> 
> >  7. These objects can be inspected like this:
> > 
> >     $ osc get identities
> >     NAME                IDP NAME            IDP USER NAME       USER NAME           USER UID
> >     anypassword:adam    anypassword         adam                adam                1b712c2e-d715-11e4-8c13-3c970e4b7ffe
> >     htpasswd:adam       htpasswd            adam                adam2               1f4897a1-d715-11e4-8c13-3c970e4b7ffe
> > 
> >     $ osc get users
> >     NAME                UID                                    FULL NAME           IDENTITIES
> >     adam                1b712c2e-d715-11e4-8c13-3c970e4b7ffe                       anypassword:adam
> >     adam2               1f4897a1-d715-11e4-8c13-3c970e4b7ffe                       htpasswd:adam
> > 
> >     $ osc get useridentitymapping htpasswd:adam
> >     NAME                IDENTITY            USER NAME           USER UID
> >     htpasswd:adam       htpasswd:adam       adam2               1f4897a1-d715-11e4-8c13-3c970e4b7ffe
> > 
> > 
> > 
> > 
> > _______________________________________________
> > dev mailing list
> > dev lists openshift redhat com
> > http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
> > 


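The provisioning behaviour described in this thread, as an added example that is not part of the original messages and is not OpenShift's code: a small in-memory model showing why a role grant should be resolved through the identity mapping rather than the bare login. `Registry`, `Login` and `GrantTarget` are hypothetical names, and the numeric-suffix scheme is an assumption generalized from the thread's "adam" / "adam2" example.

```go
package main

import "fmt"

// Registry is a constructed in-memory stand-in for the Identity and User
// objects described in the thread; it is not OpenShift's implementation.
type Registry struct {
	userOf map[string]string // identity "provider:login" -> user name
	taken  map[string]bool   // user names already provisioned
}

func NewRegistry() *Registry {
	return &Registry{userOf: map[string]string{}, taken: map[string]bool{}}
}

// Login returns the user mapped to an identity, provisioning both on first login.
func (r *Registry) Login(provider, login string) string {
	id := provider + ":" + login
	if u, ok := r.userOf[id]; ok {
		return u // known identity: the mapping is stable across logins
	}
	name := login // preferred user name
	// Assumption: numeric suffixes from 2 upward, generalizing "adam" -> "adam2".
	for n := 2; r.taken[name]; n++ {
		name = fmt.Sprintf("%s%d", login, n)
	}
	r.taken[name] = true
	r.userOf[id] = name
	return name
}

// GrantTarget resolves the user name to put in a role binding for an identity.
// Resolving via the mapping avoids granting to whoever holds the bare login name.
func (r *Registry) GrantTarget(provider, login string) (string, error) {
	u, ok := r.userOf[provider+":"+login]
	if !ok {
		return "", fmt.Errorf("identity %s:%s has never logged in", provider, login)
	}
	return u, nil
}

func main() {
	r := NewRegistry()
	fmt.Println(r.Login("anypassword", "adam")) // adam
	fmt.Println(r.Login("htpasswd", "adam"))    // adam2
	t, _ := r.GrantTarget("htpasswd", "adam")
	fmt.Println("grant admin to:", t) // adam2, not adam
}
```
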