Hi,

Can anyone please help me with the query above with respect to requestheader identity provider?

Thank you so much

Thanks,
Priya

On Thu, Dec 8, 2016 at 12:17 PM, Pri <[email protected]> wrote:

> Hi Jordan,
>
> Thanks for the response. Yes, when I access this https://[MASTER]:8443/oauth/token/request it redirects me to auth proxy. But again when I enter credentials it doesn't redirect or log in to the OpenShift. It would be really helpful if you can give some pointers on that. Thanks a lot!
>
> Below is my apache config file:
>
> LoadModule auth_form_module modules/mod_auth_form.so
> LoadModule session_module modules/mod_session.so
> LoadModule request_module modules/mod_request.so
>
> # Nothing needs to be served over HTTP. This virtual host simply redirects to
> # HTTPS.
> <VirtualHost *:80>
>   DocumentRoot /var/www/html
>   RewriteEngine On
>   RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R,L]
> </VirtualHost>
>
> <VirtualHost *:443>
>   # This needs to match the certificates you generated. See the CN and X509v3
>   # Subject Alternative Name in the output of:
>   # openssl x509 -text -in /etc/pki/tls/certs/localhost.crt
>   ServerName localhost
>
>   DocumentRoot /var/www/html
>   SSLEngine on
>   SSLCertificateFile /etc/pki/tls/certs/localhost.crt
>   SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
>   SSLCACertificateFile /etc/pki/CA/certs/ca.crt
>
>   SSLProxyEngine on
>   SSLProxyCACertificateFile /etc/pki/CA/certs/ca.crt
>   # It's critical to enforce client certificates on the Master. Otherwise
>   # requests could spoof the X-Remote-User header by accessing the Master's
>   # /oauth/authorize endpoint directly.
>   SSLProxyMachineCertificateFile /etc/pki/tls/certs/authproxy.pem
>
>   # Send all requests to the console
>   RewriteEngine On
>   RewriteRule ^/console(.*)$ https://%{HTTP_HOST}:8443/console$1 [R,L]
>
>   # In order to use the challenging-proxy, an X-Csrf-Token must be present.
>   RewriteCond %{REQUEST_URI} ^/challenging-proxy
>   RewriteCond %{HTTP:X-Csrf-Token} ^$ [NC]
>   RewriteRule ^.* - [F,L]
>
>   <Location /challenging-proxy/oauth/authorize>
>     # Insert your backend server name/ip here.
>     ProxyPass https://mymaster:8443/oauth/authorize
>     AuthType basic
>   </Location>
>
>   <Location /login-proxy/oauth/authorize>
>     # Insert your backend server name/ip here.
>     ProxyPass https://mymaster:8443/oauth/authorize
>
>     AuthFormProvider file
>     AuthType form
>     AuthName openshift
>     ErrorDocument 401 /login.html
>   </Location>
>
>   <ProxyMatch /oauth/authorize>
>     AuthUserFile /etc/origin/master/htpasswd
>     AuthName openshift
>     Require valid-user
>     RequestHeader set X-Remote-User %{REMOTE_USER}s env=REMOTE_USER
>
>     # For ldap:
>     # AuthBasicProvider ldap
>     # AuthLDAPURL "ldap://ldap.example.com:389/ou=People,dc=my-domain,dc=com?uid?sub?(objectClass=*)"
>
>     # It's possible to remove the mod_auth_form usage and replace it with
>     # something like mod_auth_kerb, mod_auth_gssapi or even mod_auth_mellon.
>     # The former would be able to support both the login and challenge flows
>     # from the Master. Mellon would likely only support the login flow.
>
>     # For Kerberos
>     # yum install mod_auth_gssapi
>     # AuthType GSSAPI
>     # GssapiCredStore keytab:/etc/httpd.keytab
>   </ProxyMatch>
>
> </VirtualHost>
>
> RequestHeader unset X-Remote-User
>
> Thanks,
> Priyanka
>
> On Tue, Dec 6, 2016 at 8:34 PM, Jordan Liggitt <[email protected]> wrote:
>
>> When using RequestHeaderIdentityProvider, it is up to the auth proxy to determine which users are valid.
>>
>> Those steps are to test whether OpenShift is correctly accepting usernames from the auth proxy, and rejecting usernames if the auth proxy client cert is not present.
>>
>> When you access https://[MASTER]:8443/oauth/token/request in the browser, are you redirected to the auth proxy, and limited to the users in the htpasswd file?
>>
>> On Tue, Dec 6, 2016 at 9:52 AM, Pri <[email protected]> wrote:
>>
>>> Hi Liggitt,
>>>
>>> I am configuring RequestHeaderIdentityProvider using apache authentication in my Openshift 3.2 cluster taking reference from here
>>> https://docs.openshift.com/enterprise/3.2/install_config/configuring_authentication.html#RequestHeaderIdentityProvider
>>>
>>> but somehow it authenticates any random user when I run
>>>
>>> # curl -L -k -H "X-Remote-User: joe" \
>>>     --cert /etc/pki/tls/certs/authproxy.pem \
>>>     https://[MASTER]:8443/oauth/token/request
>>>
>>> I want only users present in this file "/etc/origin/master/htpasswd" to authenticate. I don't know what's going wrong. Could you please help me with that?
>>>
>>> It would be really helpful if you can provide any help.
>>>
>>> Thanks,
>>> Priyanka
_______________________________________________
dev mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
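
The master-side half of the trust relationship discussed in this thread, as an added example that is not part of the original messages or of anyone's actual configuration: two alternative `oauthConfig` stanzas for master-config.yaml, one with no client-certificate check and one pinned to the auth proxy's certificate. The provider name, proxy hostname, CA path and common name are placeholders.

```yaml
# Added example: alternative stanzas for master-config.yaml (use one, not both).
# Provider name, hostnames, paths and the CN are placeholders.

# Variant A (weak): no clientCA. The master validates no client certificate,
# so any client that reaches /oauth/authorize directly can send
# X-Remote-User and be treated as that user.
oauthConfig:
  identityProviders:
  - name: apache_auth_proxy            # placeholder name
    challenge: true
    login: true
    mappingMethod: claim
    provider:
      apiVersion: v1
      kind: RequestHeaderIdentityProvider
      challengeURL: "https://proxy.example.com/challenging-proxy/oauth/authorize?${query}"
      loginURL: "https://proxy.example.com/login-proxy/oauth/authorize?${query}"
      headers:
      - X-Remote-User
---
# Variant B (hardened): headers are read only after a client certificate
# validates against clientCA and carries an allowed common name.
# A request that does present the proxy's certificate is still trusted for
# ANY username (the curl test with --cert and "joe"); limiting logins to the
# htpasswd users is the proxy's job (AuthUserFile + Require valid-user).
oauthConfig:
  identityProviders:
  - name: apache_auth_proxy            # placeholder name
    challenge: true
    login: true
    mappingMethod: claim
    provider:
      apiVersion: v1
      kind: RequestHeaderIdentityProvider
      challengeURL: "https://proxy.example.com/challenging-proxy/oauth/authorize?${query}"
      loginURL: "https://proxy.example.com/login-proxy/oauth/authorize?${query}"
      # CA that signed the proxy's client certificate (authproxy.pem above)
      clientCA: /path/to/proxy-client-ca.crt       # placeholder path
      clientCommonNames:
      - authproxy-cn-placeholder                   # CN of the proxy's client cert
      headers:
      - X-Remote-User
```

With variant B in place, repeating the curl command from the thread without `--cert` is the check that the master rejects header-supplied usernames when the proxy's client certificate is absent.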
