
Re: Authentication with Client Certificates



The kubeconfig file from `oadm create-api-client-config` should be completely valid.  Try using `oc whoami --config=path/to/the/new/kubeconfig`

On Tue, Nov 17, 2015 at 7:51 AM, Fran Barrera <franbarrera6 gmail com> wrote:
Hello David,

I have some questions about OpenShift certificates. To begin, do I have to modify the 'servingInfo.clientCA' parameter and specify this CA: '/etc/origin/master/ca.crt'?
And there are several clientCA parameters. Do I have to use this one?:

---
assetConfig:
  logoutURL: ""
  masterPublicURL: https://10.0.2.15:8443
  publicURL: https://10.0.2.15:8443/console/
  servingInfo:
    bindAddress: 0.0.0.0:8443
    certFile: master.server.crt
    clientCA: "ca.crt"
---

To create the client certificate, I have to use the tool oadm create-api-client-config, isn't it?
For example:
oadm create-api-client-config --certificate-authority='/etc/origin/master/ca.crt' --master='https://master.domain.es:8443' --client-dir='/etc/origin/master/usertest' --signer-cert='/etc/origin/master/ca.crt' --signer-key='/etc/origin/master/ca.key' --signer-serial='/etc/origin/master/ca.serial.txt' --user='usertest'

Once created, is it possible to test it with the oc client?

If I do:
oc config set-credentials usertest --client-certificate=/etc/origin/master/usertest/usertest.crt

I do not know if it should already be logged into the system or if I have to log in again with oc login.


Thanks.

2015-11-16 14:34 GMT+01:00 David Eads <deads redhat com>:
It is possible, but you have to be very careful what you sign.  Client certificates operate directly against the API server and provide a User, not an Identity (see https://docs.openshift.org/latest/architecture/additional_concepts/other_api_objects.html#user-objects for the distinction between them).

If you take a look here: https://docs.openshift.org/latest/install_config/master_node_configuration.html, you can find the `servingInfo.clientCA` element.  That controls which CA is trusted to sign client certificates that are presented to the API server.  If you sign a cert containing `Organization`, that will be considered the effective groups for the User. You can add your client certificates to your ~/.kube/config file (equivalent of `oc login`) by running `oc config set-credentials`.

Jordan can probably tell you if they work for the console.

On Mon, Nov 16, 2015 at 6:20 AM, Fran Barrera <franbarrera6 gmail com> wrote:
Hello,

We need to configure OpenShift to allow authentication with client certificates. We are reading this doc (https://docs.openshift.org/latest/install_config/configuring_authentication.html) but we don't see anything.

If it is possible, what are the options that would work? CLI, Web Console, API?

Best Regards,
Fran.

_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
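The point David makes about being careful what you sign is that the certificate's Subject is the authorization input: the CN becomes the User and each Organization value becomes a group. The following is an added example, not code from OpenShift or from anyone in this thread; it builds a self-signed client-auth certificate as a stand-in for one issued by `oadm create-api-client-config`, shows the CN/O to User/groups mapping, and flags Organization values starting with "system:" (a review rule assumed for this example, not an OpenShift setting) so a signer can inspect a cert's effective groups before trusting it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// IdentityFromCert returns the User (Subject CN) and groups (Subject O values) a cert conveys.
func IdentityFromCert(cert *x509.Certificate) (user string, groups []string) {
	return cert.Subject.CommonName, cert.Subject.Organization
}

// PrivilegedGroups lists Organization values starting with "system:"; the prefix
// rule is an assumption for this example, a hint to review the cert before signing it.
func PrivilegedGroups(cert *x509.Certificate) []string {
	var out []string
	for _, g := range cert.Subject.Organization {
		if strings.HasPrefix(g, "system:") {
			out = append(out, g)
		}
	}
	return out
}

// newTestCert builds a self-signed client-auth cert with the given CN and O values.
// Constructed test data standing in for a cert issued by oadm create-api-client-config.
func newTestCert(cn string, orgs []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: orgs},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```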




