RHOCP 4 Cluster Login Failure for Specific User

Solution Verified

Environment

  • Red Hat OpenShift Container Platform (RHOCP) 4
  • Red Hat OpenShift Service on AWS (ROSA)
  • Red Hat OpenShift Dedicated (OSD) 4
  • Azure Red Hat OpenShift (ARO) 4

Issue

  • A particular user is unable to log in to the cluster even though the user exists in the identity provider (IdP).

  • How to reclaim an accidentally deleted user in Red Hat OpenShift?

  • A user cannot log in after being deleted from the Red Hat OpenShift web console (for example, while switching to a different authentication system); the OAuth logs show the following error:

    Error authenticating "<username>" with provider "<provider>": users.user.openshift.io "<username>" not found.
    

Resolution

  • To reclaim the accidentally deleted user, remove the leftover identity for the user:

    $ oc delete identity <identity_name>
    
    For example, for the user demo authenticated through the htpasswd_auth identity provider:

    $ oc delete identity htpasswd_auth:demo
    
  • Once the associated identity is deleted, log in again as the same user; the user and identity objects are created and mapped to each other automatically on that login attempt.

Root Cause

  • RHOCP decouples user configuration into two distinct objects: user and identity.

    • To get the current list of users:

      # oc get user
      
      NAME      UID                                    FULL NAME   IDENTITIES
      demo     75e4b80c-xxxxxxxxxx                               htpasswd_auth:demo
      
    • To get the current list of identities:

      # oc get identity
      
      NAME                  IDP NAME        IDP USER NAME   USER NAME   USER UID
      htpasswd_auth:demo    htpasswd_auth   demo            demo        75e4b80c-xxxxxxxxxx
      
  • Authentication fails if the user object is deleted but the associated identity remains. Therefore, to completely remove a user, the associated identity must also be deleted.

Diagnostic Steps

  • Check the OAuth pod logs to identify the reason behind the failed login.

    # oc get pod -l app=oauth-openshift -n openshift-authentication
    NAME                               READY   STATUS    RESTARTS   AGE
    oauth-openshift-xxxxxxxxxx-xxxxx   1/1     Running   0          20d
    oauth-openshift-xxxxxxxxxx-yyyyy   1/1     Running   0          7d3h
    oauth-openshift-xxxxxxxxxx-zzzzz   1/1     Running   0          20d
    
    # oc logs -n openshift-authentication oauth-openshift-xxxxxxxxxx-xxxxx | grep <username>
    
    E0614 16:11:58.572096       1 errorpage.go:28] AuthenticationError: users.user.openshift.io "<username>" not found
    
  • Verify whether the user is present in the cluster by listing the existing users:

    # oc get users | grep <username>
    
  • Verify whether the identity object associated with that username is present in the cluster:

    # oc get identity | grep <username>
    
    NAME                  IDP NAME        IDP USER NAME   USER NAME   USER UID
    htpasswd_auth:demo    htpasswd_auth   demo            demo        75e4b80c-dbf1-11e5-8dc6-0e81e52cc949
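The diagnostic steps above compare the user list against the identity list by hand for one username. The script below is an added example, not part of this solution, that automates the same comparison across the whole cluster: it lists every identity whose referenced user object no longer exists, which is exactly the condition that produces the `users.user.openshift.io "<username>" not found` error. It assumes the Identity object's user reference is exposed at `.user.name` (as in the OpenShift `user.openshift.io` API) and uses constructed sample data so it runs without a cluster; the live section only runs when `oc` is present and logged in.

```shell
#!/bin/sh
# Constructed sample data standing in for the output of:
#   oc get user --no-headers -o custom-columns=NAME:.metadata.name
#   oc get identity --no-headers -o custom-columns=NAME:.metadata.name,USER:.user.name
# Here the user "demo" has been deleted but its identity "htpasswd_auth:demo" remains.
SAMPLE_USERS='alice
bob'
SAMPLE_IDENTITIES='htpasswd_auth:alice alice
htpasswd_auth:bob bob
htpasswd_auth:demo demo'

# find_orphaned_identities USERS IDENTITIES
#   USERS      - newline-separated user names
#   IDENTITIES - one "<identity name> <user name>" pair per line
# Prints the name of every identity whose user is not in USERS. An identity
# with no user reference at all (custom-columns prints "<none>") is reported
# too, since it can never map a login to a user.
find_orphaned_identities() {
    users="$1"
    identities="$2"
    printf '%s\n' "$identities" | while read -r ident_name user_name; do
        [ -n "$ident_name" ] || continue
        # -x: whole-line match, -F: literal (user names may contain dots)
        if ! printf '%s\n' "$users" | grep -qxF -- "$user_name"; then
            printf '%s\n' "$ident_name"
        fi
    done
}

# Run against the constructed sample: prints "htpasswd_auth:demo"
find_orphaned_identities "$SAMPLE_USERS" "$SAMPLE_IDENTITIES"

# With a logged-in oc session, feed the live objects instead of the sample.
# The script only reports; removing an identity stays a deliberate manual step
# (oc delete identity <identity_name>), taken for the affected user only.
if command -v oc >/dev/null 2>&1 && oc whoami >/dev/null 2>&1; then
    live_users=$(oc get user --no-headers -o custom-columns=NAME:.metadata.name)
    live_identities=$(oc get identity --no-headers \
        -o custom-columns=NAME:.metadata.name,USER:.user.name)
    find_orphaned_identities "$live_users" "$live_identities"
fi
```

Every name the function prints is a candidate for the `oc delete identity` step in the Resolution; confirm with the user (or the IdP owner) that the account is supposed to exist before recreating access, since the orphaned identity is also what you would see for a user that was removed on purpose.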
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
