
Re: Help needed for RequestHeaderIdentityProvider usage



Hi, 

Can anyone please help me with the query above with respect to the RequestHeader identity provider.

Thank you so much

Thanks,
Priya

On Thu, Dec 8, 2016 at 12:17 PM, Pri <priyanka4openshift gmail com> wrote:
Hi Jordan,

Thanks for the response. Yes, when I access https://[MASTER]:8443/oauth/token/request it redirects me to the auth proxy. But again, when I enter credentials it doesn't redirect or log me in to OpenShift. It would be really helpful if you can give some pointers on that. Thanks a lot!

Below is my apache config file:

LoadModule auth_form_module modules/mod_auth_form.so
LoadModule session_module modules/mod_session.so
LoadModule request_module modules/mod_request.so

# Nothing needs to be served over HTTP.  This virtual host simply redirects to
# HTTPS.
<VirtualHost *:80>
  DocumentRoot /var/www/html
  RewriteEngine              On
  RewriteRule     ^(.*)$     https://%{HTTP_HOST}$1 [R,L]
</VirtualHost>

<VirtualHost *:443>
  # This needs to match the certificates you generated.  See the CN and X509v3
  # Subject Alternative Name in the output of:
  # openssl x509 -text -in /etc/pki/tls/certs/localhost.crt
  ServerName localhost

  DocumentRoot /var/www/html
  SSLEngine on
  SSLCertificateFile /etc/pki/tls/certs/localhost.crt
  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
  SSLCACertificateFile /etc/pki/CA/certs/ca.crt

  SSLProxyEngine on
  SSLProxyCACertificateFile /etc/pki/CA/certs/ca.crt
  # It's critical to enforce client certificates on the Master.  Otherwise
  # requests could spoof the X-Remote-User header by accessing the Master's
  # /oauth/authorize endpoint directly.
  SSLProxyMachineCertificateFile /etc/pki/tls/certs/authproxy.pem

  # Send all requests to the console
  RewriteEngine              On
  RewriteRule     ^/console(.*)$     https://%{HTTP_HOST}:8443/console$1 [R,L]

  # In order to use the challenging-proxy an X-Csrf-Token must be present.
  RewriteCond %{REQUEST_URI} ^/challenging-proxy
  RewriteCond %{HTTP:X-Csrf-Token} ^$ [NC]
  RewriteRule ^.* - [F,L]


  <Location /challenging-proxy/oauth/authorize>
    # Insert your backend server name/ip here.
    AuthType basic
  </Location>

  <Location /login-proxy/oauth/authorize>
    # Insert your backend server name/ip here.

    AuthFormProvider file
    AuthType form
    AuthName openshift
    ErrorDocument 401 /login.html
  </Location>


  <ProxyMatch /oauth/authorize>
    AuthUserFile /etc/origin/master/htpasswd
    AuthName openshift
    Require valid-user
    RequestHeader set X-Remote-User %{REMOTE_USER}s env=REMOTE_USER

    # For ldap:
    # AuthBasicProvider ldap

    # It's possible to remove the mod_auth_form usage and replace it with
    # something like mod_auth_kerb, mod_auth_gssapi or even mod_auth_mellon.
    # The former would be able to support both the login and challenge flows
    # from the Master.  Mellon would likely only support the login flow.

    # For Kerberos
    # yum install mod_auth_gssapi
    # AuthType GSSAPI
    # GssapiCredStore keytab:/etc/httpd.keytab
  </ProxyMatch>

</VirtualHost>

RequestHeader unset X-Remote-User


Thanks,
Priyanka 

On Tue, Dec 6, 2016 at 8:34 PM, Jordan Liggitt <jliggitt redhat com> wrote:
When using RequestHeaderIdentityProvider, it is up to the auth proxy to determine which users are valid.

Those steps are to test whether OpenShift is correctly accepting usernames from the auth proxy, and rejecting usernames if the auth proxy client cert is not present.

When you access https://[MASTER]:8443/oauth/token/request in the browser, are you redirected to the auth proxy, and limited to the users in the htpasswd file?




On Tue, Dec 6, 2016 at 9:52 AM, Pri <priyanka4openshift gmail com> wrote:
Hi Liggitt,

I am configuring RequestHeaderIdentityProvider using apache authentication in my Openshift 3.2 cluster taking reference from here https://docs.openshift.com/enterprise/3.2/install_config/configuring_authentication.html#RequestHeaderIdentityProvider

but somehow it authenticates any random user when I run

# curl -L -k -H "X-Remote-User: joe" \
   --cert /etc/pki/tls/certs/authproxy.pem \
   https://[MASTER]:8443/oauth/token/request

I want only users present in this file, "/etc/origin/master/htpasswd", to authenticate. I don't know what's going wrong. Could you please help me with that?

It would be really helpful if you can provide any help.

Thanks,
Priyanka
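Jordan's point above (the master trusts the proxy's client certificate, not the username in the header, so a curl with the authproxy cert is expected to log in any name it sends) as a small Python model of that decision, added here for illustration and not code from OpenShift or from anyone in this thread. The identity-provider keys clientCA, clientCommonNames and headers come from the docs page Priyanka linked; the Request and ClientCert classes, the helper names and the sample CA and CN values are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ClientCert:
    issuer: str   # CA that signed the presented client certificate
    cn: str       # subject CommonName of the client certificate


@dataclass
class Request:
    headers: dict                            # headers as received by the master
    client_cert: Optional[ClientCert] = None # None when no TLS client cert was sent


# Hypothetical RequestHeaderIdentityProvider settings (constructed sample values).
IDP = {
    "clientCA": "openshift-auth-proxy-ca",   # only certs chaining to this CA are trusted
    "clientCommonNames": ["authproxy"],       # optional extra restriction on the CN
    "headers": ["X-Remote-User"],             # header(s) carrying the identity
}


def identity_from_request(req: Request, idp: dict = IDP) -> Optional[str]:
    """Username the master would accept for this request, or None.

    The header is only trusted when the request carries a client cert
    from the configured CA (and an allowed CN, if configured).  Which
    usernames are valid is decided by the proxy, not by the master."""
    cert = req.client_cert
    if cert is None or cert.issuer != idp["clientCA"]:
        return None                           # no proxy cert: header is untrusted input
    if idp["clientCommonNames"] and cert.cn not in idp["clientCommonNames"]:
        return None
    for name in idp["headers"]:
        value = req.headers.get(name, "").strip()
        if value:
            return value
    return None


def proxy_forward(client_headers: dict, remote_user: Optional[str]) -> dict:
    """Headers the Apache proxy should pass upstream: any X-Remote-User the
    browser supplied is dropped (the 'RequestHeader unset' line), and the
    header is set only from the user Apache itself authenticated."""
    out = {k: v for k, v in client_headers.items() if k.lower() != "x-remote-user"}
    if remote_user:
        out["X-Remote-User"] = remote_user
    return out
```

The first case below is exactly Priyanka's curl test: with the authproxy cert, "joe" is accepted, which is the intended behaviour; without the cert, or with a cert from another CA, the same header is ignored.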



