BasicAuthPasswordIdentityProvider with embedded authentication docker container

Solution In Progress - Updated -

Issue

  • I would like to use the BasicAuthPasswordIdentityProvider IdentityProvider.
    This BasicAuthPasswordIdentityProvider will be a docker container with Apache configured to do the authentication process.

In the master-config.yaml file where the identityprovider is defined, I need to set the URL of my Apache authentication server. As it is a docker container embedded in my OpenShift infrastructure, I would like to be able to use the service name link to my authentication pod.

It fails because when I try curl http://my_athentication_service:8080 I get "no route to host" as output.

I don't want to expose my authentication server on the internet, and I would prefer not to use the IP (172.X.Y.Z) of my service.

Do you know if there is a way to use the service name in the master-config.yaml file?

  • Since we upgraded our OpenShift infrastructure to 3.2, my authentication does not work anymore.

At this time we use a BasicAuthPasswordIdentityProvider authentication provider.
The remote authentication server is a pod hosted on openshift.

In the master-config.yaml file we configured the authentication with the following options:

  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: htpasswd_auth
    provider:
      apiVersion: v1
      ca: auth-ca.crt
      kind: BasicAuthPasswordIdentityProvider
      url: https://authentication:8443

When I try to log into OpenShift with the web console, I get the following error message in the master's /var/log/messages file:

Jul 18 17:06:17 public-master atomic-openshift-master-api: E0718 17:06:17.208026   69788 login.go:162] Error authenticating "user" with provider "htpasswd_auth": Get https://authentication:8443: Forbidden

This configuration used to work in 3.1 but no longer works in 3.2.

On the remote authentication pod, there is no log entry when I try to log on to the OpenShift console. So I think that the problem is on the master.

When I create an external route to the authentication pod, I can access the authentication web page (on the pod) with my browser.

  • So, with the correct pod running:
curl --cacert auth-ca.crt https://authentication:8443 -u mylogin:mypasswd
{"sub":"mylogin","name":"user","email":"user@example.com"}

For information, here is the PHP code which creates the HTTP response:

// $result is the row returned by the credential lookup (empty when the
// login/password pair did not match).
if (sizeof($result) == 0) {
    // No match: answer 401 so the master treats the credentials as rejected.
    $response['status'] = array(401 => "Unauthorized access");
    http_response_code(401);
} else {
    // Match: build the identity claims the master reads ("sub" is the identity).
    $name  = $result['name'] . " " . $result['lastname'];
    $login = $result['login'];
    $email = $result['email'];
    $response['status'] = array(200 => "OK");
    $encoded = json_encode(array(
        'sub'   => $login,
        'name'  => $name,
        'email' => $email
    ));
    http_response_code(200);
    header('Content-type: application/json');
    exit($encoded);
}

Regarding the JSON returned by the curl request, everything seems to be OK. But when I use the OpenShift login page, I get an error message in the /var/log/messages file of the master:

Jul 19 14:15:04 public-master atomic-openshift-master-api: E0719 14:15:04.580978  104190 login.go:162] Error authenticating "user" with provider "htpasswd_auth": Get https://authentication:8443: Forbidden
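
The following script is an added example (not part of this solution page, and not Red Hat's or the reporter's code) that reproduces, from the master host, the request the BasicAuthPasswordIdentityProvider makes to the remote server and checks the reply against the contract the provider relies on: 200 with a JSON object containing a non-empty "sub" claim means success, 401 means the credentials were rejected, and any other status (such as the 403 Forbidden in the log above) is a provider error. The URL, CA file and credentials are the ones quoted in this issue; the response-checking rules are stated from the provider's documented behaviour, not from this page.

```python
"""Check a BasicAuthPasswordIdentityProvider back end the way the master consumes it."""
import base64
import json
import ssl
import sys
import urllib.error
import urllib.request

REQUIRED_CLAIM = "sub"                                  # identity the master maps
OPTIONAL_CLAIMS = ("name", "email", "preferred_username")  # copied into the identity if present


def validate_idp_response(status, content_type, body):
    """Return (ok, reason) for one HTTP reply from the remote auth server.

    200 + JSON object with non-empty "sub"  -> valid login
    401                                      -> credentials rejected
    anything else (e.g. 403 Forbidden)       -> provider/transport error
    """
    if status == 401:
        return False, "credentials rejected (401)"
    if status != 200:
        return False, f"unexpected status {status}"
    if not content_type.lower().startswith("application/json"):
        return False, f"unexpected Content-Type {content_type!r}"
    try:
        claims = json.loads(body)
    except json.JSONDecodeError as exc:
        return False, f"body is not JSON: {exc}"
    if not isinstance(claims, dict) or not claims.get(REQUIRED_CLAIM):
        return False, 'JSON has no non-empty "sub" claim'
    extra = [c for c in OPTIONAL_CLAIMS if c in claims]
    return True, "ok" + (f" (optional claims present: {', '.join(extra)})" if extra else "")


def check_endpoint(url, ca_file, login, password, timeout=5):
    """Send the same GET with HTTP Basic credentials that the master sends.

    TLS is verified against ca_file only, mirroring the 'ca:' setting in
    master-config.yaml; the certificate must also be valid for the host in url.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    token = base64.b64encode(f"{login}:{password}".encode()).decode()
    req = urllib.request.Request(
        url,
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            status = resp.status
            ctype = resp.headers.get("Content-Type", "")
            body = resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        # Non-2xx replies (401, 403, ...) arrive here; keep status and body.
        status = err.code
        ctype = err.headers.get("Content-Type", "")
        body = err.read().decode("utf-8", errors="replace")
    return validate_idp_response(status, ctype, body)


if __name__ == "__main__":
    # Usage: python check_idp.py https://authentication:8443 auth-ca.crt mylogin mypasswd
    if len(sys.argv) != 5:
        sys.exit("usage: check_idp.py URL CA_FILE LOGIN PASSWORD")
    ok, reason = check_endpoint(*sys.argv[1:])
    print(("PASS" if ok else "FAIL") + ": " + reason)
    sys.exit(0 if ok else 1)
```

Run it on the master host itself rather than from a workstation: the master process is the client that has to resolve the hostname, reach the port and trust the certificate, so a check run anywhere else does not see the same failures. A FAIL with "unexpected status 403" while the pod logs nothing tells you the 403 was produced before the request reached the PHP code.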

Environment

  • OpenShift Enterprise 3.2
