Closed k8vance88 closed 4 years ago
There is a temp fix for this: https://github.com/kappnav/Issues/issues/74. That's a bandaid and only just unblocks the setTrace failure, but is not a real fix and should be removed after this work item is completed.
kube:admin is a valid user name for OpenShift 4, though I can't find that in any official documentation. Here is a reference that describes kubeadmin as an alias for user kube:admin: http://admin-labguides.6923.rh-us-east-1.openshiftapps.com/workshop/ocp-for-admins/lab/installation
From my own fyre OCP 4 system:
mbp-work:/U/paul $ oc login -u kubeadmin -p ********************
Login successful.
You have access to 54 projects, the list has been suppressed. You can list all projects with 'oc projects'
Using project "default".
mbp-work:/U/paul $ oc whoami
kube:admin
mbp-work:/U/paul $
The kube:admin user is also described in multiple other posts.
Currently we get the username from the headers passed to us by the oauth proxy: req.user = req.headers['x-forwarded-user']
The code for this is in app.js. This is working in OKD but in OCP 4.2 we see that it is returning some kind of username or more likely a role (kube:admin). I do not see the real username in the request headers. However, we can configure the oauth proxy to return the access token:
-pass-access-token: pass OAuth access_token to upstream via X-Forwarded-Access-Token header (see https://github.com/openshift/oauth-proxy)
Then we should be able to exchange the access token for the user information like we have done previously for ICP. Perhaps there is enough info here: https://docs.openshift.com/container-platform/3.5/architecture/additional_concepts/authentication.html
If not, we need to consult with Chunlong and security team.
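Added example, not code from this issue or from the project: one way to exchange the forwarded access token for user information instead of trusting x-forwarded-user alone. It assumes oauth-proxy runs with -pass-access-token and that the cluster serves the OpenShift user API at /apis/user.openshift.io/v1/users/~; API_BASE and the function names are hypothetical.

```javascript
// Added example. API_BASE is an assumed in-cluster address; the Node process
// must trust the cluster CA for the fetch call to succeed.
const API_BASE = 'https://kubernetes.default.svc';

// Build the lookup request from the headers oauth-proxy forwards.
function buildUserLookup(headers, apiBase = API_BASE) {
  const token = headers['x-forwarded-access-token'];
  // Reject missing or malformed tokens before they reach an Authorization header.
  if (typeof token !== 'string' || !/^[\w.~+\/=-]+$/.test(token)) {
    throw new Error('missing or malformed X-Forwarded-Access-Token');
  }
  return {
    url: `${apiBase}/apis/user.openshift.io/v1/users/~`,
    headers: { Authorization: `Bearer ${token}`, Accept: 'application/json' },
  };
}

// Turn the API response into an identity; never fall back to the header on failure.
function identityFromResponse(status, body, forwardedUser) {
  if (status !== 200) throw new Error(`user lookup failed: HTTP ${status}`);
  const user = JSON.parse(body);
  const name = user && user.metadata && user.metadata.name;
  if (!user || user.kind !== 'User' || typeof name !== 'string' || name === '') {
    throw new Error('unexpected user lookup response');
  }
  return {
    name,
    groups: Array.isArray(user.groups) ? user.groups : [],
    // false means the header and the token disagree; log it rather than ignore it.
    headerMatches: forwardedUser === name,
  };
}

// Express-style middleware wiring the two together (global fetch, Node 18+).
async function resolveUser(req, res, next) {
  try {
    const { url, headers } = buildUserLookup(req.headers);
    const r = await fetch(url, { headers });
    req.user = identityFromResponse(r.status, await r.text(),
      req.headers['x-forwarded-user']);
    next();
  } catch (err) {
    res.status(401).end(); // fail closed: no identity, no access
  }
}
```

Both headers are only as trustworthy as the network path: the application port should be reachable only through the oauth proxy, so a client cannot supply them directly.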