Conditional access to OpenShift based on its origin

Solution In Progress - Updated -

Issue

  • We would like to dynamically provision access rights to OpenShift when a user logs in and an OAuth token is issued. Depending on the user's origin, access rights would be provisioned conditionally. A mechanism would also need to ensure that, as long as a user is logged in with a specific token, that token remains associated with the user's "origin" (so that he/she cannot switch from internal to external access with the same token).

  • Because we use one OpenShift instance for multiple tenants, we need to treat access to the OpenShift API "conditionally". If a user comes from the internet, he might have access to only a subset of projects. If he accesses the API from trusted networks or devices, he shall have access to all projects. The motivation is to prevent data leakage for some projects (but it should be our tenant's choice for which projects this rule applies).

Environment

  • OpenShift Container Platform
    • 3.3.1
