7.8.9. Configuring OpenShift Enterprise Authentication

With the remote user authentication plug-in, the broker service relies on the httpd service to handle authentication and pass on the authenticated user, or "remote user". Therefore, it is necessary to configure authentication in httpd. In a production environment, you can configure httpd to use LDAP, Kerberos, or another industrial-strength technology. This example uses Apache Basic Authentication and a htpasswd file to configure authentication.

Procedure 7.15. To Configure Authentication for the OpenShift Enterprise Broker:

  1. Copy the example file to the correct location. This configures httpd to use /etc/openshift/htpasswd for its password file.
    # cp /var/www/openshift/broker/httpd/conf.d/openshift-origin-auth-remote-user-basic.conf.sample /var/www/openshift/broker/httpd/conf.d/openshift-origin-auth-remote-user.conf 


    The /var/www/openshift/broker/httpd/conf.d/openshift-origin-auth-remote-user.conf file must be readable by Apache for proper authentication. Red Hat recommends not making the file unreadable by httpd.
  2. Create the htpasswd file with an initial user "demo":
    # htpasswd -c /etc/openshift/htpasswd demo
    New password:
    Re-type new password:
    Adding password for user demo


If you use the kickstart or bash script, the configure_httpd_auth function performs these steps. The script creates the demo user with a default password, which is set to changeme in OpenShift Enterprise 2.0 and prior releases. With OpenShift Enterprise 2.1 and later, the default password is randomized and displayed after the installation completes. The demo user is intended for testing an installation, and must not be enabled in a production installation.