8.10.3. Configuring Authentication for the Administration Console

If you enable external access to the Administration Console by modifying the broker host httpd proxy configuration as described in Section 8.10.2, “Accessing the Administration Console”, you can also configure authentication for the Administration Console by adding a <Location /admin-console> section to the same /etc/httpd/conf.d/000002_openshift_origin_broker_proxy.conf file. For example, you can configure the Administration Console to authenticate based on user credentials or client IP address. See the Apache HTTP Server documentation at http://httpd.apache.org/docs/2.2/howto/auth.html for more information on available authentication methods.
Because the Administration Console runs as a plug-in to the broker application, access to the Administration Console can be controlled using any of the Apache HTTP Server authentication methods described in Section 8.2, “Configuring User Authentication for the Broker”. However, unlike the broker application and the Management Console, which both validate authorization, the Administration Console performs no authorization checks of its own: any client that passes the httpd authentication you configure here has full access to it.
Example Authentication Configurations

The following examples show how you can configure authentication for the Administration Console using various methods. You can add one of the example <Location /admin-console> sections before the ProxyPass /admin-console entry inside the <VirtualHost *:443> section in the /etc/httpd/conf.d/000002_openshift_origin_broker_proxy.conf file on each broker host. Note that the httpd service must be restarted to load any configuration changes.

Example 8.20. Authenticating by Host Name or IP Address

Using the mod_authz_host Apache module, you can configure authentication for the Administration Console based on the client host name or IP address.
The following section allows access for all hosts in the example.com domain and denies access for all other hosts. Note that matching on a host name requires Apache to perform a reverse DNS lookup on the client address for every request, so restricting by IP address or network is faster and does not depend on DNS:
<Location /admin-console>
    Order Deny,Allow
    Deny from all
    Allow from example.com
</Location>
See the mod_authz_host documentation at http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html for more example usage.

Example 8.21. Authenticating Using LDAP

Using the mod_authnz_ldap Apache module, you can configure user authentication for the Administration Console to use an LDAP directory. This example assumes that an LDAP server already exists. See Section 8.2.2, “Authenticating Using LDAP” for details on how the mod_authnz_ldap module is used for broker user authentication.
The following section enables user authentication using an LDAP directory:
<Location /admin-console>
    AuthName "OpenShift Administration Console"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://localhost:389/ou=People,dc=my-domain,dc=com?uid?sub?(objectClass=*)"
    require valid-user

    Order Deny,Allow
    Deny from all
    Satisfy any
</Location>
The above section specifies an example server and query that must be modified to suit the requirements of your LDAP service. The most important information required is the AuthLDAPURL setting. Ensure the LDAP server's firewall is configured to allow access by the broker hosts.
The require valid-user directive in the above section uses the mod_authz_user module and grants access to all successfully authenticated users. You can change this to allow only specific users or only members of a group. See the mod_authnz_ldap documentation at http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html for more example usage.

Example 8.22. Authenticating Using Kerberos

Using the mod_auth_kerb Apache module, you can configure user authentication for the Administration Console to use a Kerberos service. This example assumes that a Kerberos server already exists. See Section 8.2.3, “Authenticating Using Kerberos” for details on how the mod_auth_kerb module is used for broker user authentication.
The following section enables user authentication using a Kerberos service:
<Location /admin-console>
    AuthName "OpenShift Administration Console"
    AuthType Kerberos
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    # KrbLocalUserMapping enables conversion to local users using the
    # auth_to_local rules in /etc/krb5.conf. By default it strips the
    # @REALM part. See krb5.conf(5) for details on how to set up specific rules.
    KrbLocalUserMapping On
    KrbServiceName HTTP/www.example.com
    KrbAuthRealms EXAMPLE.COM
    Krb5KeyTab /var/www/openshift/broker/httpd/conf.d/http.keytab
    require valid-user

    Order Deny,Allow
    Deny from all
    Satisfy any
</Location>
Modify the KrbServiceName and KrbAuthRealms settings to suit the requirements of your Kerberos service. Ensure the Kerberos server's firewall is configured to allow access by the broker hosts.
The require valid-user directive in the above section uses the mod_authz_user module and grants access to all successfully authenticated users. You can change this to allow only specific users. See the mod_auth_kerb documentation at http://modauthkerb.sourceforge.net/configure.html for more example usage.

Example 8.23. Authenticating Using htpasswd

Using the mod_auth_basic Apache module, you can configure user authentication for the Administration Console to use a flat htpasswd file. This method is only intended for testing and demonstration purposes. See Section 8.2.1, “Authenticating Using htpasswd” for details on how the /etc/openshift/htpasswd file is used for broker user authentication by a basic installation of OpenShift Enterprise.
The following section enables user authentication using the /etc/openshift/htpasswd file:
<Location /admin-console>
    AuthName "OpenShift Administration Console"
    AuthType Basic
    AuthUserFile /etc/openshift/htpasswd
    require valid-user

    Order Deny,Allow
    Deny from all
    Satisfy any
</Location>
The require valid-user directive in the above section uses the mod_authz_user module and grants access to all successfully authenticated users. You can change this to allow only specific users or only members of a group. See the mod_auth_basic documentation at http://httpd.apache.org/docs/2.2/mod/mod_auth_basic.html and http://httpd.apache.org/docs/2.2/howto/auth.html for more example usage.
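Because each of the sections above must sit before the ProxyPass /admin-console entry and must carry a working gate, a small check that reads the proxy configuration and confirms both conditions is useful before restarting httpd. The following script is an added example, not part of the OpenShift documentation or product: it works on a constructed sample of the vhost, and it returns False when the <Location /admin-console> block is missing, appears after the ProxyPass entry, or lacks both an authentication requirement (AuthType plus require) and a host allow-list (Deny from all plus Allow from). Pass it the contents of /etc/httpd/conf.d/000002_openshift_origin_broker_proxy.conf to check a real broker host.

```python
import re

# Constructed sample of a broker proxy vhost (not the real file contents);
# the <Location> block sits before the ProxyPass entry, as the guide requires.
SAMPLE_CONF = """<VirtualHost *:443>
    ServerName broker.example.com
    <Location /admin-console>
        AuthName "OpenShift Administration Console"
        AuthType Basic
        AuthUserFile /etc/openshift/htpasswd
        require valid-user

        Order Deny,Allow
        Deny from all
        Satisfy any
    </Location>
    ProxyPass /admin-console http://127.0.0.1:8080/admin-console
    ProxyPass /broker http://127.0.0.1:8080/broker
</VirtualHost>
"""

LOCATION_RE = re.compile(r"<Location\s+/admin-console\s*>(.*?)</Location>", re.S | re.I)
PROXYPASS_RE = re.compile(r"^\s*ProxyPass\s+/admin-console\b", re.M | re.I)


def admin_console_gate(conf_text):
    """Describe how /admin-console is gated in a broker proxy config."""
    result = {"has_location": False, "before_proxypass": False,
              "has_auth": False, "has_host_allowlist": False}
    loc = LOCATION_RE.search(conf_text)
    if loc is None:
        return result
    result["has_location"] = True
    # Directives inside the block, lower-cased, with comments and blanks dropped.
    directives = [ln.strip().lower() for ln in loc.group(1).splitlines()
                  if ln.strip() and not ln.strip().startswith("#")]
    # Authentication gate: an AuthType plus a require directive.
    result["has_auth"] = (any(d.startswith("authtype") for d in directives)
                          and any(d.startswith("require ") for d in directives))
    # Host gate (mod_authz_host): deny everyone, then allow the listed hosts.
    result["has_host_allowlist"] = (any(d.startswith("deny from all") for d in directives)
                                    and any(d.startswith("allow from ") for d in directives))
    # The block must appear before the ProxyPass /admin-console entry.
    proxy = PROXYPASS_RE.search(conf_text)
    result["before_proxypass"] = proxy is not None and loc.start() < proxy.start()
    return result


def is_gated(conf_text):
    r = admin_console_gate(conf_text)
    return (r["has_location"] and r["before_proxypass"]
            and (r["has_auth"] or r["has_host_allowlist"]))
```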