Chapter 5. Managing users

Red Hat CodeReady Workspaces uses RH-SSO to create, import, manage, delete, and authenticate users. RH-SSO uses built-in authentication mechanisms and user storage. It can use third-party identity management systems to create and authenticate users. Red Hat CodeReady Workspaces requires a RH-SSO token when you request access to CodeReady Workspaces resources.

Local users and imported federation users must have an email address in their profile.

The default RH-SSO credentials are admin:admin. You can use the admin:admin credentials when logging into Red Hat CodeReady Workspaces for the first time. It has system privileges.

The deployment script configures RH-SSO. It creates a che-public client with the following fields:

The following are common errors when configuring CodeReady Workspaces to work with RH-SSO:

Invalid redirectURI error: occurs when you access CodeReady Workspaces at myhost, which is an alias, and your original CODEREADY_HOST is 1.1.1.1. If this error occurs, go to the RH-SSO administration console and ensure that the valid redirect URIs are configured.

CORS error: occurs when you have an invalid web origin

A user token expires after 30 minutes by default.

You can change the following RH-SSO token settings:

RH-SSO federates external user databases and supports LDAP and Active Directory. You can test the connection and authenticate users before choosing a storage provider.

See the User storage federation page in RH-SSO documentation to learn how to add a provider.

See the LDAP and Active Directory page in RH-SSO documentation to specify multiple LDAP servers.

RH-SSO provides built-in support for GitHub, OpenShift, and most common social networks such as Facebook and Twitter.

See Instructions to enable Login with GitHub.

You can also enable the SSH key and upload it to the CodeReady Workspaces users’ GitHub accounts.

To enable this feature when you register a GitHub identity provider:

This is the default delegated OAuth service mode for multiuser CodeReady Workspaces. You can configure the OAuth service mode with the property che.oauth.service_mode.

RH-SSO supports SAML v2.0 and OpenID Connect v1.0 protocols. You can connect your identity provider systems if they support these protocols.

You can add, delete, and edit users in the user interface. See: RH-SSO User Management for more information.

Red Hat CodeReady Workspaces does not provide any pre-configured MTP servers.

To enable SMTP servers in RH-SSO:

Red Hat CodeReady Workspaces uses the default theme for email templates for registration, email confirmation, password recovery, and failed login.

Organizations allow administrators to group Red Hat CodeReady Workspaces users and allocate resources. The system administrator controls and allocates resources and permissions within the administrator dashboard.

A user can have the following roles in an organization:

The top-level organizations are called root organizations. Multiple root organizations can be created. Any organization can have zero to a set number of sub-organizations. Only the system administrator can create root organizations and manage the resources of the root organization.

Only the system administrator can create root organizations. An administrator can create sub-organizations.

To create an organization:

The Organization page displays a list of all the organizations. The list contains the following information for each organization: number of members, total RAM, available RAM, and number of sub-organizations.

To add members to an organization:

A workspace is created inside of an organization and uses the resources of the organization. The workspace creator chooses the organization on the Workspace Creation page.

The steps to create a sub-organization are the same as that for creating an organization. Use them to create the organization.

You can only add members of the parent organization as members of the sub-organization.

The settings of the organization are visible to all members of the organization. Only the Red Hat CodeReady Workspaces system administrator can modify the settings.

The name of the organization or sub-organization must follow these rules:

To leave an organization, members need to contact the administrator of the organization or the system administrator of Red Hat CodeReady Workspaces.

Workspaces use the resources of the organization that are allocated by the system administrator. The resources for sub-organizations are taken from the parent organization. Administrators control the portion of resources, of the parent organization, that are available to the sub-organization.

The system configuration defines the default limits. The CodeReady Workspaces instance inherit from the limits configured on the underlying platform. The administrator of the organization manages only the limits of its sub-organizations. No resource limits apply to the organization by default. The following are the limits defined by the system administrator:

To remove multiple members:

In case user data needs to be deleted, the following API should be used with the user or the admin authorization token:

curl -X DELETE `http(s)://{che-host}/api/user/{id}`

To remove the data of all the users, follow instructions for Uninstalling Red Hat CodeReady Workspaces.