BasicAuthPasswordIdentityProvider with embedded authentication docker container
Issue
- I would like to use the BasicAuthPasswordIdentityProvider identity provider.
This BasicAuthPasswordIdentityProvider will be a docker container with Apache configured to do the authentication.
In the master-config.yaml file where the identity provider is defined, I need to set the URL of my Apache authentication server. As it is a docker container embedded in my OpenShift infrastructure, I would like to be able to use the service name linked to my authentication pod.
It fails: when I try curl http://my_athentication_service:8080 I get "no route to host" as output.
I don't want to expose my authentication server on the internet, and I would prefer not to use the IP (172.X.Y.Z) of my service.
Do you know if there is a way to use the service name in the master-config.yaml file?
- Since we upgraded our OpenShift infrastructure to 3.2, my authentication does not work anymore.
At this time we use a BasicAuthPasswordIdentityProvider authentication provider.
The remote authentication server is a pod hosted on OpenShift.
In the master-config.yaml file we configured the authentication with the following options:
identityProviders:
- challenge: true
  login: true
  mappingMethod: claim
  name: htpasswd_auth
  provider:
    apiVersion: v1
    ca: auth-ca.crt
    kind: BasicAuthPasswordIdentityProvider
    url: https://authentication:8443
When I try to log into OpenShift with the web console, I get the following error message in the master's /var/log/messages file:
Jul 18 17:06:17 public-master atomic-openshift-master-api: E0718 17:06:17.208026 69788 login.go:162] Error authenticating "user" with provider "htpasswd_auth": Get https://authentication:8443: Forbidden
This configuration worked in 3.1 but does not work anymore in 3.2.
On the remote authentication pod, there are no log entries when I try to log on to the OpenShift console. So I think that the problem is on the master.
When I create an external route to the authentication pod, I can access the authentication web page (on the pod) with my browser.
- So, with the pod running correctly:
curl --cacert auth-ca.crt https://authentication:8443 -u mylogin:mypasswd
{"sub":"mylogin","name":"user","email":"user@example.com"}
For information, here is the PHP code which creates the HTTP response:
<?php
// Response builder for the remote authentication endpoint. $result is the
// user record looked up for the Basic-auth credentials the master sent
// (empty when no matching user/password was found).
if (sizeof($result) == 0) {
    // Bad credentials: answer 401, which the identity provider treats as
    // "login denied". Note this branch does not exit, so whatever follows
    // this block still runs.
    $response['status'] = array(401 => "Unauthorized access");
    http_response_code(401);
} else {
    $name  = $result['name'] . " " . $result['lastname'];
    $login = $result['login'];
    $email = $result['email'];
    $response['status'] = array(200 => "OK");
    // Identity document the provider expects on 200: "sub" is required,
    // "name" and "email" are optional.
    $encoded = json_encode(array(
        'sub'   => $login,
        'name'  => $name,
        'email' => $email
    ));
    http_response_code(200);
    header('Content-type: application/json');
    exit($encoded);
}
Regarding the JSON returned by the curl request, everything seems to be OK. But when I use the OpenShift login page, I get an error message in the /var/log/messages file of the master:
Jul 19 14:15:04 public-master atomic-openshift-master-api: E0719 14:15:04.580978 104190 login.go:162] Error authenticating "user" with provider "htpasswd_auth": Get https://authentication:8443: Forbidden
Environment
- OpenShift Enterprise 3.2
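The exchange the report above relies on, written out as an added example (not code from the page, from the reporter's pod, or from OpenShift): the master sends the user's credentials as HTTP Basic auth to the configured URL and expects a 200 with a JSON body containing "sub" (required) plus optional "name" and "email", while a 401 means the credentials were rejected and any other outcome is an error rather than a denied login. Both the endpoint side (what the Apache/PHP pod does) and the master-side interpretation of the answer are modelled in-process so the contract can be exercised without a cluster. The user table, the realm string and the function names are assumptions made for the example.

```python
"""Offline model of the BasicAuthPasswordIdentityProvider exchange.

Added example, not code from the page or from OpenShift. The endpoint half
mirrors the PHP response builder on the page; the client half mirrors the
checks the master applies to the answer. The user table is constructed.
"""
import base64
import hashlib
import hmac
import json

# Constructed sample user table: login -> (sha256 of password, display name, email).
# It reproduces the record behind the page's curl output.
_USERS = {
    "mylogin": (hashlib.sha256(b"mypasswd").hexdigest(), "user", "user@example.com"),
}


def authenticate_request(authorization_header):
    """Endpoint side: validate an Authorization header value.

    Returns (status, headers, body): 200 with a JSON identity on success,
    401 when the header is missing, malformed, or carries wrong credentials.
    """
    challenge = {"WWW-Authenticate": 'Basic realm="openshift"'}  # realm is assumed
    if not authorization_header or not authorization_header.startswith("Basic "):
        return 401, challenge, b""
    try:
        decoded = base64.b64decode(authorization_header[len("Basic "):], validate=True)
        login, sep, password = decoded.decode("utf-8").partition(":")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return 401, challenge, b""
    if not sep:  # no "userid:password" separator at all
        return 401, challenge, b""
    record = _USERS.get(login)
    digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
    # Always run the constant-time compare so unknown users and wrong passwords
    # take the same path; an unknown user compares against the empty-password digest.
    expected = record[0] if record else hashlib.sha256(b"").hexdigest()
    if record is None or not hmac.compare_digest(expected, digest):
        return 401, challenge, b""
    identity = {"sub": login, "name": record[1], "email": record[2]}
    return 200, {"Content-Type": "application/json"}, json.dumps(identity).encode("utf-8")


def identity_from_response(status, body):
    """Master side: interpret the endpoint's answer.

    401 -> credentials rejected (None); 200 -> identity, with "sub" required;
    anything else -> error, the path that shows up as "Error authenticating"
    rather than as a failed login.
    """
    if status == 401:
        return None
    if status != 200:
        raise RuntimeError("unexpected status %d from authentication server" % status)
    data = json.loads(body.decode("utf-8"))
    if not data.get("sub"):
        raise RuntimeError("authentication response is missing the required 'sub' field")
    return {"sub": data["sub"], "name": data.get("name"), "email": data.get("email")}


def login(user, password):
    """One login attempt as the master would perform it, against the in-process endpoint."""
    raw = ("%s:%s" % (user, password)).encode("utf-8")
    header = "Basic " + base64.b64encode(raw).decode("ascii")
    status, _headers, body = authenticate_request(header)
    return identity_from_response(status, body)


if __name__ == "__main__":
    print(login("mylogin", "mypasswd"))  # identity dict, as in the page's curl output
    print(login("mylogin", "wrong"))     # None: endpoint answered 401
```

The distinction in identity_from_response is the one worth keeping in mind when reading the master log above: a 401 from the pod produces a denied login, whereas a response other than 200/401, or a transport failure before any response reaches the pod (consistent with the pod logging nothing), is reported as an authentication error.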
