The authentication layer identifies the user associated with requests to the {product-title} API. The authorization layer then uses information about the requesting user to determine if the request should be allowed.
A user in {product-title} is an entity that can make requests to the {product-title} API. Typically, this represents the account of a developer or administrator that is interacting with {product-title}.
A user can be assigned to one or more groups, each of which represent a certain set of users. Groups are useful when to grant permissions to multiple users at once, for example allowing access to objects within a project, versus granting them to users individually.
In addition to explicitly defined groups, there are also system groups, or virtual groups, that are automatically provisioned by OpenShift.
In the default set of virtual groups, note the following in particular:
| Virtual Group | Description |
|---|---|
system:authenticated |
Automatically associated with all authenticated users. |
system:authenticated:oauth |
Automatically associated with all users authenticated with an OAuth access token. |
system:unauthenticated |
Automatically associated with all unauthenticated users. |
Requests to the {product-title} API are authenticated using the following methods:
- OAuth Access Tokens
-
-
Obtained from the {product-title} OAuth server using the
<master>/oauth/authorizeand<master>/oauth/tokenendpoints. -
Sent as an
Authorization: Bearer…header or anaccess_token=…query parameter
-
- X.509 Client Certificates
-
-
Requires a HTTPS connection to the API server.
-
Verified by the API server against a trusted certificate authority bundle.
-
The API server creates and distributes certificates to controllers to authenticate themselves.
-
Any request with an invalid access token or an invalid certificate is rejected by the authentication layer with a 401 error.
If no access token or certificate is presented, the authentication layer assigns
the system:anonymous virtual user and the system:unauthenticated virtual
group to the request. This allows the authorization layer to determine which
requests, if any, an anonymous user is allowed to make.
See the REST API Overview for more information and examples.
A request to the {product-title} API may include an Impersonate-User header,
which indicates that the requester wants to have the request handled as though
it came from the specified user. This can be done on the command line by passing
the --as=username flag.
Before User A is allowed to impersonate User B, User A is first authenticated. Then, an authorization check occurs to ensure that User A is allowed to impersonate the user named User B. If User A is requesting to impersonate a service account (system:serviceaccount:namespace:name), {product-title} checks to ensure that User A can impersonate the serviceaccount named name in namespace. If the check fails, the request fails with a 403 (Forbidden) error code.
By default, project administrators and editors are allowed to impersonate
service accounts in their namespace. The sudoers role allows a user to
impersonate system:admin, which in turn has cluster administrator permissions.
This grants some protection against typos (but not security) for someone
administering the cluster. For example, oc delete nodes --all would be
forbidden, but oc delete nodes --all --as=system:admin would be allowed. You
can add a user to that group using oadm policy add-cluster-role-to-user sudoer
<username>.
The {product-title} master includes a built-in OAuth server. Users obtain OAuth access tokens to authenticate themselves to the API.
When a person requests a new OAuth token, the OAuth server uses the configured to determine the identity of the person making the request.
It then determines what user that identity maps to, creates an access token for that user, and returns the token for use.
Every request for an OAuth token must specify the OAuth client that will receive and use the token. The following OAuth clients are automatically created when starting the {product-title} API:
| OAuth Client | Usage |
|---|---|
openshift-web-console |
Requests tokens for the web console. |
openshift-browser-client |
Requests tokens at |
openshift-challenging-client |
Requests tokens with a user-agent that can handle |
To register additional clients:
$ oc create -f <(echo ' kind: OAuthClient apiVersion: v1 metadata: name: demo (1) secret: "..." (2) redirectURIs: - "http://www.example.com/" (3) grantMethod: prompt (4) ')
-
The
nameof the OAuth client is used as theclient_idparameter when making requests to<master>/oauth/authorizeand<master>/oauth/token. -
The
secretis used as theclient_secretparameter when making requests to<master>/oauth/token. -
The
redirect_uriparameter specified in requests to<master>/oauth/authorizeand<master>/oauth/tokenmust be equal to (or prefixed by) one of the URIs inredirectURIs. -
The
grantMethodis used to determine what action to take when this client requests tokens and has not yet been granted access by the user. Uses the same values seen in Grant Options.
A service account can be used as a constrained form of OAuth client. Service accounts can only request a subset of scopes that allow access to some basic user information and role-based power inside of the service account’s own namespace:
-
user:info -
user:check-access -
role:<any_role>:<serviceaccount_namespace> -
role:<any_role>:<serviceaccount_namespace>:!
When using a service account as an OAuth client:
-
client_idissystem:serviceaccount:<serviceaccount_namespace>:<serviceaccount_name>. -
client_secretcan be any of the API tokens for that service account. For example:$ oc sa get-token <serviceaccount_name>
-
To get
WWW-Authenticatechallenges, set anserviceaccounts.openshift.io/oauth-want-challengesannotation on the service account to true. -
redirect_urimust match an annotation on the service account. Redirect URIs for Service Accounts as OAuth Clients provides more information.
Annotation keys must have the prefix
serviceaccounts.openshift.io/oauth-redirecturi. or
serviceaccounts.openshift.io/oauth-redirectreference. such as:
serviceaccounts.openshift.io/oauth-redirecturi.<name>
In its simplest form, the annotation can be used to directly specify valid redirect URIs. For example:
"serviceaccounts.openshift.io/oauth-redirecturi.first": "https://example.com" "serviceaccounts.openshift.io/oauth-redirecturi.second": "https://other.com"
The first and second postfixes in the above example are used to separate the
two valid redirect URIs.
In more complex configurations, static redirect URIs may not be enough. For
example, perhaps you want all ingresses for a route to be considered valid. This
is where dynamic redirect URIs via the
serviceaccounts.openshift.io/oauth-redirectreference. prefix come into play.
For example:
"serviceaccounts.openshift.io/oauth-redirectreference.first": "{\"kind\":\"OAuthRedirectReference\",\"apiVersion\":\"v1\",\"reference\":{\"kind\":\"Route\",\"name\":\"jenkins\"}}"
Since the value for this annotation contains serialized JSON data, it is easier to see in an expanded format:
{
"kind": "OAuthRedirectReference",
"apiVersion": "v1",
"reference": {
"kind": "Route",
"name": "jenkins"
}
}
Now you can see that an OAuthRedirectReference allows us to reference the
route named jenkins. Thus, all ingresses for that route will now be considered
valid. The full specification for an OAuthRedirectReference is:
{
"kind": "OAuthRedirectReference",
"apiVersion": "v1",
"reference": {
"kind": ..., (1)
"name": ..., (2)
"group": ... (3)
}
}
-
kindrefers to the type of the object being referenced. Currently, onlyrouteis supported. -
namerefers to the name of the object. The object must be in the same namespace as the service account. -
grouprefers to the group of the object. Leave this blank, as the group for a route is the empty string.
Both annotation prefixes can be combined to override the data provided by the reference object. For example:
"serviceaccounts.openshift.io/oauth-redirecturi.first": "custompath"
"serviceaccounts.openshift.io/oauth-redirectreference.first": "{\"kind\":\"OAuthRedirectReference\",\"apiVersion\":\"v1\",\"reference\":{\"kind\":\"Route\",\"name\":\"jenkins\"}}"
The first postfix is used to tie the annotations together. Assuming that the
jenkins route had an ingress of https://example.com, now
https://example.com/custompath is considered valid, but
https://example.com is not. The format for partially supplying override
data is as follows:
| Type | Syntax |
|---|---|
Scheme |
"https://" |
Hostname |
"//website.com" |
Port |
"//:8000" |
Path |
"examplepath" |
|
Note
|
Specifying a host name override will replace the host name data from the referenced object, which is not likely to be desired behavior. |
Any combination of the above syntax can be combined using the following format:
<scheme:>//<hostname><:port>/<path>
The same object can be referenced more than once for more flexibility:
"serviceaccounts.openshift.io/oauth-redirecturi.first": "custompath"
"serviceaccounts.openshift.io/oauth-redirectreference.first": "{\"kind\":\"OAuthRedirectReference\",\"apiVersion\":\"v1\",\"reference\":{\"kind\":\"Route\",\"name\":\"jenkins\"}}"
"serviceaccounts.openshift.io/oauth-redirecturi.second": "//:8000"
"serviceaccounts.openshift.io/oauth-redirectreference.second": "{\"kind\":\"OAuthRedirectReference\",\"apiVersion\":\"v1\",\"reference\":{\"kind\":\"Route\",\"name\":\"jenkins\"}}"
Assuming that the route named jenkins has an ingress of
https://example.com, then both https://example.com:8000 and
https://example.com/custompath are considered valid.
Static and dynamic annotations can be used at the same time to achieve the desired behavior:
"serviceaccounts.openshift.io/oauth-redirectreference.first": "{\"kind\":\"OAuthRedirectReference\",\"apiVersion\":\"v1\",\"reference\":{\"kind\":\"Route\",\"name\":\"jenkins\"}}"
"serviceaccounts.openshift.io/oauth-redirecturi.second": "https://other.com"
All requests for OAuth tokens involve a request to <master>/oauth/authorize.
Most authentication integrations place an authenticating proxy in front of this
endpoint, or configure {product-title} to validate credentials against a backing
Requests to <master>/oauth/authorize can come from user-agents that cannot
display interactive login pages, such as the CLI. Therefore, {product-title}
supports authenticating using a WWW-Authenticate challenge in addition to
interactive login flows.
If an authenticating proxy is placed in front of the
<master>/oauth/authorize endpoint, it should send unauthenticated,
non-browser user-agents WWW-Authenticate challenges, rather than displaying an
interactive login page or redirecting to an interactive login flow.
|
Note
|
To prevent cross-site request forgery (CSRF) attacks against browser clients, Basic authentication challenges
should only be sent if a If the authenticating proxy cannot support |
Applications running in {product-title} may need to discover information about
the built-in OAuth server. For example, they may need to discover what the
address of the <master> server is without manual configuration. To aid in
this, {product-title} implements the IETF
OAuth 2.0
Authorization Server Metadata draft specification.
Thus, any application running inside the cluster can issue a GET request to
https://openshift.default.svc/.well-known/oauth-authorization-server to fetch
the following information:
{
"issuer": "https://<master>", (1)
"authorization_endpoint": "https://<master>/oauth/authorize", (2)
"token_endpoint": "https://<master>/oauth/token", (3)
"scopes_supported": [ (4)
"user:full",
"user:info",
"user:check-access",
"user:list-scoped-projects",
"user:list-projects"
],
"response_types_supported": [ (5)
"code",
"token"
],
"grant_types_supported": [ (6)
"authorization_code",
"implicit"
],
"code_challenge_methods_supported": [ (7)
"plain",
"S256"
]
}
-
The authorization server’s issuer identifier, which is a URL that uses the
httpsscheme and has no query or fragment components. This is the location where.well-knownRFC 5785 resources containing information about the authorization server are published. -
URL of the authorization server’s authorization endpoint. See RFC 6749.
-
URL of the authorization server’s token endpoint. See RFC 6749.
-
JSON array containing a list of the OAuth 2.0 RFC 6749 scope values that this authorization server supports. Note that not all supported scope values are advertised.
-
JSON array containing a list of the OAuth 2.0
response_typevalues that this authorization server supports. The array values used are the same as those used with theresponse_typesparameter defined by "OAuth 2.0 Dynamic Client Registration Protocol" in RFC 7591. -
JSON array containing a list of the OAuth 2.0 grant type values that this authorization server supports. The array values used are the same as those used with the
grant_typesparameter defined by OAuth 2.0 Dynamic Client Registration Protocol in RFC 7591. -
JSON array containing a list of PKCE RFC 7636 code challenge methods supported by this authorization server. Code challenge method values are used in the
code_challenge_methodparameter defined in Section 4.3 of RFC 7636. The valid code challenge method values are those registered in the IANA PKCE Code Challenge Methods registry. See IANA OAuth Parameters.
The OAuth server supports standard authorization code grant and the implicit grant OAuth authorization flows.
When requesting an OAuth token using the implicit grant flow
(response_type=token) with a client_id configured to request WWW-Authenticate
challenges (like openshift-challenging-client), these are the possible server
responses from /oauth/authorize, and how they should be handled:
| Status | Content | Client response |
|---|---|---|
302 |
|
Use the |
302 |
|
Fail, optionally surfacing the |
302 |
Other |
Follow the redirect, and process the result using these rules |
401 |
|
Respond to challenge if type is recognized (e.g. |
401 |
|
No challenge authentication is possible. Fail and show response body (which might contain links or details on alternate methods to obtain an OAuth token) |
Other |
Other |
Fail, optionally surfacing response body to the user |