Srinivas Naga Kotaru (skotaru) wrote on 02/22/2016 08:26 PM:
Thanks guys for having some discussion on this topic. Please confirm whether my
understanding of multi-cluster authentication and token management is correct.
1. The OSE3 authentication subsystem can use an external OAuth-based solution (a
corporate solution). This SSO only works for browser-based clients (console
etc.) but not for CLI clients like oc.
For the CLI you can obtain a token with a browser and do `oc login
--token=...`; you can also use a service account. But yeah, you cannot
directly log in with the CLI unless you already have a user token or a
service account token.
2. A client-cert-based solution might help both browser and CLI, but it is
difficult to operate and manage unless a decent PKI infrastructure is available
for cert issuing and revocation.
3. It's not best practice to have the same token used across multiple
clusters, and no efforts are currently going on to integrate. It is assumed that
each cluster has its own token key and lifetime.
4. If a client is dealing with multiple clusters and his applications are spread
across all these clusters, they have to authenticate on each cluster to manage
them. His .kube/config file might have details of all these clusters and log in
separately. Administrators can increase the token validity to reduce the number
of login attempts, but that is still a pain from the experience perspective.
Even if you have a single token on all nodes, it would be equally
convenient/inconvenient to switch between clusters (as you'll have to
copy/paste the token). Perhaps easiest would be if you have a Kerberos
infrastructure so that you can log in everywhere passwordless (including
web and CLI). But I'm not sure the OpenShift CLI supports that yet. And
running Kerberos is also non-trivial.
It's not like any SSO is trivial actually :)
Again, you can look at FreeIPA as it does provide both Kerberos/KDC and
PKI capabilities. And it is hopefully reasonably user-friendly.
Please add any helpful ideas to provide a simple authentication layer in a
multi-cluster environment.
_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
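Added illustration of the point made in the thread about `oc login --token` and a .kube/config that holds several clusters: each cluster gets its own user entry and therefore its own token, switching contexts only moves a pointer, and a token that shows up under more than one cluster can be flagged. This is example code written for this page, not code from OpenShift or from either poster. It builds the kubeconfig in memory as a dict with the same shape as the YAML/JSON file; the cluster, user and context naming scheme (`<host>-with-dashes:<port>`, `<user>/<cluster>`, `<namespace>/<cluster>/<user>`) is an assumption about the oc client's conventions, and the tokens are constructed placeholders.

```python
"""Per-cluster tokens in a kubeconfig, modelled on what `oc login --token` records.

Example code added to this page; not from OpenShift or the thread. Naming
conventions and sample tokens below are assumptions / constructed data.
"""
import json
from urllib.parse import urlparse


def _cluster_name(server):
    # Assumed oc convention: API host with dots replaced by dashes, port kept
    # ('https://master-a.example.com:8443' -> 'master-a-example-com:8443').
    return urlparse(server).netloc.replace(".", "-")


def new_kubeconfig():
    return {"apiVersion": "v1", "kind": "Config",
            "clusters": [], "users": [], "contexts": [], "current-context": ""}


def _upsert(entries, name, body):
    # kubeconfig sections are lists of {"name": ..., <section>: {...}}
    for e in entries:
        if e["name"] == name:
            e.update(body)          # re-login after expiry replaces the old token
            return
    entries.append({"name": name, **body})


def _by_name(entries, name):
    for e in entries:
        if e["name"] == name:
            return e
    raise KeyError(name)


def oc_login_token(cfg, server, token, username, namespace="default"):
    """What `oc login <server> --token=<token>` leaves in the kubeconfig:
    a cluster entry, a user entry holding *this cluster's* token, a context
    tying them together, and current-context pointing at that context."""
    cname = _cluster_name(server)
    uname = f"{username}/{cname}"
    ctx = f"{namespace}/{cname}/{username}"
    _upsert(cfg["clusters"], cname, {"cluster": {"server": server}})
    _upsert(cfg["users"], uname, {"user": {"token": token}})
    _upsert(cfg["contexts"], ctx,
            {"context": {"cluster": cname, "user": uname, "namespace": namespace}})
    cfg["current-context"] = ctx
    return ctx


def use_context(cfg, ctx):
    """`oc config use-context`: only the pointer changes; every context keeps
    its own user entry and so its own token. Unknown context -> KeyError."""
    _by_name(cfg["contexts"], ctx)
    cfg["current-context"] = ctx


def token_for_context(cfg, ctx=None):
    """Resolve context -> user -> token, the lookup oc does before each request."""
    ctx = ctx or cfg["current-context"]
    c = _by_name(cfg["contexts"], ctx)["context"]
    return _by_name(cfg["users"], c["user"])["user"].get("token")


def shared_tokens(cfg):
    """Tokens reachable from contexts of more than one cluster: {token: [clusters]}.
    A non-empty result means one credential is being reused across clusters."""
    seen = {}
    for ctx in cfg["contexts"]:
        c = ctx["context"]
        tok = _by_name(cfg["users"], c["user"])["user"].get("token")
        if tok:
            seen.setdefault(tok, set()).add(c["cluster"])
    return {t: sorted(cs) for t, cs in seen.items() if len(cs) > 1}


def build_sample():
    """Two clusters, logged into separately, each with its own (placeholder) token."""
    cfg = new_kubeconfig()
    oc_login_token(cfg, "https://master-a.example.com:8443", "tok-A-1111", "alice", "app-dev")
    oc_login_token(cfg, "https://master-b.example.com:8443", "tok-B-2222", "alice", "app-prod")
    return cfg


if __name__ == "__main__":
    cfg = build_sample()
    print(json.dumps(cfg, indent=2))
    print("current token:", token_for_context(cfg))
    print("tokens shared across clusters:", shared_tokens(cfg))
```

Running it prints a kubeconfig with two cluster/user/context triples and an empty shared-token map; logging into a third cluster with `tok-A-1111` again would make `shared_tokens` report that token under both clusters, which is the situation point 3 of the thread advises against.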