
Re: Multi Clusters : Token management



Srinivas Naga Kotaru (skotaru) wrote on 02/22/2016 08:26 PM:
Thanks guys for having some discussion on this topic. Please confirm whether my understanding is correct or not pertaining to multi cluster authentication and token management.

1. OSE3 authentication sub system can use an external OAuth based solution (corporate solution). This SSO only works for browser based clients (console etc.) but not CLI clients like oc etc.

For the CLI you can obtain a token with a browser and do `oc login --token=...`; you can also use a service account. But yeah, you cannot log in directly with the CLI unless you already have a user token or a service account token.

2. A client cert based solution might help both browser and CLI, but it is difficult to operate and manage unless a decent PKI infrastructure is available for cert issuing and revocation.

3. It's not best practice to have the same token used across multiple clusters, and no efforts are currently going into integrating this. It is assumed that each cluster has its own token key and lifetime.

4. If a client is dealing with multiple clusters and his applications are spread across all these clusters, he has to authenticate on each cluster to manage them. His .kube/config file might have details of all these clusters, and he logs in to each separately. Administrators can increase the token validity to reduce the number of login attempts, but that is still a pain from an experience perspective.

Even if you have a single token on all nodes, it would be equally convenient/inconvenient to switch between clusters (as you'll have to copy/paste the token). Perhaps the easiest would be if you have a Kerberos infrastructure so that you can log in everywhere passwordless (including web and CLI). But I'm not sure the OpenShift CLI supports that yet. And running Kerberos is also non-trivial.
It's not like any SSO is trivial actually :)

Again, you can look at FreeIPA as it does provide both Kerberos/KDC and PKI capabilities. And it is hopefully reasonably user-friendly.

Please add any helpful ideas to provide a simple authentication layer in a multi cluster environment.
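The arrangement discussed in points 3 and 4 above (one kubeconfig that knows several clusters, each with its own token obtained by a separate `oc login --token=...`) can be modelled directly on the kubeconfig structure. The following Python is an added example for this thread, not code from OpenShift or from any poster; it assumes the `<user>/<cluster>` user-entry naming and the cluster-named contexts as its own convention, and relies on the fact that a kubeconfig is YAML, of which JSON is a valid subset, so the serialised result is loadable by `oc`/`kubectl`. The `shared_tokens` check flags the anti-pattern from point 3 (one token reused across clusters), and `contexts_needing_login` shows which clusters would need a fresh `oc login`.

```python
"""Maintain one kubeconfig holding several OpenShift clusters, one token per cluster.

Added example for the thread above; the naming conventions used here are assumptions,
not oc's own behaviour.
"""
import json
from collections import defaultdict


def new_kubeconfig():
    """Empty v1 kubeconfig skeleton (the shape oc/kubectl read from ~/.kube/config)."""
    return {"apiVersion": "v1", "kind": "Config", "preferences": {},
            "clusters": [], "users": [], "contexts": [], "current-context": ""}


def _upsert(entries, name, body):
    """Insert or update the entry called `name` in a kubeconfig list section."""
    for entry in entries:
        if entry["name"] == name:
            entry.update(body)
            return
    entries.append({"name": name, **body})


def add_cluster_login(cfg, cluster, server, token, ca_data=None, user="user"):
    """Record a per-cluster login, the way `oc login --token=<token> <server>` does.

    Each cluster gets its own user entry (named `<user>/<cluster>`, an assumed
    convention in this example) holding only that cluster's token, plus its own
    context named after the cluster.
    """
    cluster_body = {"cluster": {"server": server}}
    if ca_data is not None:
        cluster_body["cluster"]["certificate-authority-data"] = ca_data
    _upsert(cfg["clusters"], cluster, cluster_body)

    user_name = f"{user}/{cluster}"
    _upsert(cfg["users"], user_name, {"user": {"token": token}})

    _upsert(cfg["contexts"], cluster, {"context": {"cluster": cluster, "user": user_name}})
    cfg["current-context"] = cluster  # a login leaves you on the cluster you just logged into
    return cfg


def shared_tokens(cfg):
    """Tokens that appear under more than one user entry (one token reused across clusters)."""
    seen = defaultdict(list)
    for u in cfg["users"]:
        tok = u.get("user", {}).get("token")
        if tok:
            seen[tok].append(u["name"])
    return {tok: names for tok, names in seen.items() if len(names) > 1}


def forget_token(cfg, cluster):
    """Drop the token for one cluster's user entry locally; the server-side token is unaffected."""
    for ctx in cfg["contexts"]:
        if ctx["name"] == cluster:
            for u in cfg["users"]:
                if u["name"] == ctx["context"]["user"]:
                    u.setdefault("user", {}).pop("token", None)
    return cfg


def contexts_needing_login(cfg):
    """Contexts whose user entry carries no token, i.e. where `oc login` is needed again.

    Only token credentials are considered; client-cert users would also be listed.
    """
    users = {u["name"]: u.get("user", {}) for u in cfg["users"]}
    return [ctx["name"] for ctx in cfg["contexts"]
            if not users.get(ctx["context"]["user"], {}).get("token")]


def to_json(cfg):
    """Serialise the config; JSON is valid YAML, so oc/kubectl load it as a kubeconfig."""
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    # Constructed sample: two clusters, each logged into with its own token.
    cfg = new_kubeconfig()
    add_cluster_login(cfg, "east", "https://east.example.com:8443", "tok-east")
    add_cluster_login(cfg, "west", "https://west.example.com:8443", "tok-west")
    print(to_json(cfg))
    print("shared tokens:", shared_tokens(cfg))
    print("need login:", contexts_needing_login(forget_token(cfg, "west")))
```

Switching clusters then becomes `oc config use-context <cluster>` rather than re-pasting a token; the token for a given cluster only ever lives in that cluster's user entry, so losing or rotating one does not touch the others.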

