8.10.3. Configuring Authentication for the Administration Console
If you enable external access to the Administration Console by modifying the broker host httpd proxy configuration as described in Section 8.10.2, “Accessing the Administration Console”, you can also configure authentication for the Administration Console by implementing a <Location /admin-console> section in the same /etc/httpd/conf.d/000002_openshift_origin_broker_proxy.conf file. For example, you can configure the Administration Console to authenticate based on user credentials or client IP. See the Apache HTTP Server documentation at http://httpd.apache.org/docs/2.2/howto/auth.html for more information on available authentication methods.
Because the Administration Console runs as a plug-in to the broker application, access to the Administration Console can be controlled using any of the Apache HTTP Server authentication methods described in Section 8.2, “Configuring User Authentication for the Broker”. However, while the broker application and Management Console both validate authorization, the Administration Console does not.
Example Authentication Configurations

The following examples show how you can configure authentication for the Administration Console using various methods. You can add one of the example <Location /admin-console> sections before the ProxyPass /admin-console entry inside the <VirtualHost *:443> section in the /etc/httpd/conf.d/000002_openshift_origin_broker_proxy.conf file on each broker host. Note that the httpd service must be restarted to load any configuration changes.
Example 8.20. Authenticating by Host Name or IP Address

Using the mod_authz_host Apache module, you can configure authentication for the Administration Console based on the client host name or IP address.

The following section allows access for all hosts in the example.com domain and denies access for all other hosts:

    <Location /admin-console>
        Order Deny,Allow
        Deny from all
        Allow from example.com
    </Location>

See the mod_authz_host documentation at http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html for more example usage.
Example 8.21. Authenticating Using LDAP

Using the mod_authnz_ldap Apache module, you can configure user authentication for the Administration Console to use an LDAP directory. This example assumes that an LDAP server already exists. See Section 8.2.2, “Authenticating Using LDAP” for details on how the mod_authnz_ldap module is used for broker user authentication.

The following section enables user authentication using an LDAP directory:

    <Location /admin-console>
        AuthName "OpenShift Administration Console"
        AuthType Basic
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://localhost:389/ou=People,dc=my-domain,dc=com?uid?sub?(objectClass=*)"
        require valid-user
        Order Deny,Allow
        Deny from all
        Satisfy any
    </Location>

The above section specifies an example server and query that must be modified to suit the requirements of your LDAP service. The most important information required is the AuthLDAPURL setting. Ensure the LDAP server's firewall is configured to allow access by the broker hosts.

The require valid-user directive in the above section uses the mod_authz_user module and grants access to all successfully authenticated users. You can change this to instead only allow specific users or only members of a group. See the mod_authnz_ldap documentation at http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html for more example usage.
Example 8.22. Authenticating Using Kerberos

Using the mod_auth_kerb Apache module, you can configure user authentication for the Administration Console to use a Kerberos service. This example assumes that a Kerberos server already exists. See Section 8.2.3, “Authenticating Using Kerberos” for details on how the mod_auth_kerb module is used for broker user authentication.

The following section enables user authentication using a Kerberos service:

    <Location /admin-console>
        AuthName "OpenShift Administration Console"
        AuthType Kerberos
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        # The KrbLocalUserMapping enables conversion to local users, using
        # auth_to_local rules in /etc/krb5.conf. By default it strips the
        # @REALM part. See krb5.conf(5) for details on how to set up specific rules.
        KrbLocalUserMapping On
        KrbServiceName HTTP/www.example.com
        KrbAuthRealms EXAMPLE.COM
        Krb5KeyTab /var/www/openshift/broker/httpd/conf.d/http.keytab
        require valid-user
        Order Deny,Allow
        Deny from all
        Satisfy any
    </Location>

Modify the KrbServiceName and KrbAuthRealms settings to suit the requirements of your Kerberos service. Ensure the Kerberos server's firewall is configured to allow access by the broker hosts.

The require valid-user directive in the above section uses the mod_authz_user module and grants access to all successfully authenticated users. You can change this to instead only allow specific users. See the mod_auth_kerb documentation at http://modauthkerb.sourceforge.net/configure.html for more example usage.
Example 8.23. Authenticating Using htpasswd

Using the mod_auth_basic Apache module, you can configure user authentication for the Administration Console to use a flat htpasswd file. This method is only intended for testing and demonstration purposes. See Section 8.2.1, “Authenticating Using htpasswd” for details on how the /etc/openshift/htpasswd file is used for broker user authentication by a basic installation of OpenShift Enterprise.

The following section enables user authentication using the /etc/openshift/htpasswd file:

    <Location /admin-console>
        AuthName "OpenShift Administration Console"
        AuthType Basic
        AuthUserFile /etc/openshift/htpasswd
        require valid-user
        Order Deny,Allow
        Deny from all
        Satisfy any
    </Location>

The require valid-user directive in the above section uses the mod_authz_user module and grants access to all successfully authenticated users. You can change this to instead only allow specific users or only members of a group. See the mod_auth_basic documentation at http://httpd.apache.org/docs/2.2/mod/mod_auth_basic.html and http://httpd.apache.org/docs/2.2/howto/auth.html for more example usage.
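The following audit script is an added example written for this section, not part of OpenShift Enterprise: it checks the placement rule given above (the <Location /admin-console> block must sit before the ProxyPass /admin-console entry inside <VirtualHost *:443>), checks for the default-deny, and flags the require valid-user directive used in Examples 8.20 through 8.23, because the Administration Console performs no authorization of its own. The configuration file content is a constructed sample and the ProxyPass target is assumed.

```python
import re

# Constructed sample of /etc/httpd/conf.d/000002_openshift_origin_broker_proxy.conf
# (not the real file): the <Location /admin-console> block sits, as required,
# before the ProxyPass /admin-console entry inside <VirtualHost *:443>.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName broker.example.com
    <Location /admin-console>
        AuthName "OpenShift Administration Console"
        AuthType Basic
        AuthUserFile /etc/openshift/htpasswd
        require valid-user
        Order Deny,Allow
        Deny from all
        Satisfy any
    </Location>
    ProxyPass /admin-console http://127.0.0.1:8080/admin-console
</VirtualHost>
"""


def audit_admin_console(conf):
    """Return a list of findings for the /admin-console protection (empty = none)."""
    findings = []
    vhost = re.search(r"<VirtualHost \*:443>(.*?)</VirtualHost>", conf, re.S)
    if not vhost:
        return ["no <VirtualHost *:443> section found"]
    body = vhost.group(1)
    loc = re.search(r"<Location /admin-console>(.*?)</Location>", body, re.S)
    proxy = re.search(r"^\s*ProxyPass\s+/admin-console\b", body, re.M)
    if not loc:
        return ["no <Location /admin-console> block: the console is reachable without authentication"]
    if proxy and proxy.start() < loc.start():
        findings.append("<Location /admin-console> must precede the ProxyPass /admin-console entry")
    # Directives inside the block, comments dropped, lower-cased for comparison
    directives = [line.strip().lower() for line in loc.group(1).splitlines()
                  if line.strip() and not line.strip().startswith("#")]
    if "deny from all" not in directives:
        findings.append("missing 'Deny from all': no default-deny for unauthenticated clients")
    if not any(d.startswith(("authtype", "allow from")) for d in directives):
        findings.append("neither AuthType nor Allow from present: nothing can grant access")
    if "require valid-user" in directives:
        # The Administration Console does no authorization of its own, so this
        # grants console access to every account that can authenticate.
        findings.append("require valid-user: every authenticated user gets Administration Console access")
    return findings
```

Run it against the real file on each broker host after editing and before restarting httpd; an empty list means no findings.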