minishift / minishift-addons

A repository for the community to exchange Minishift add-ons
Apache License 2.0
71 stars, 86 forks

Ability to configure htpasswd based identity provider for openshift #134

Closed kameshsampath closed 6 years ago

kameshsampath commented 6 years ago

Resolving Issue #133

This allows the minishift user to change the default oauthConfig to use HTPasswdPasswordIdentityProvider.

Signed-off-by: Kamesh Sampath kamesh.sampath@hotmail.com

centos-ci commented 6 years ago

Can one of the admins verify this patch?

praveenkumar commented 6 years ago

add to whitelist.

gbraad commented 6 years ago

did you add a new commit to remove the echo? please, squash or amend the commit... ;-)

praveenkumar commented 6 years ago

@kameshsampath below is how I modified your addon template. I also want the user to be sent as part of an addon variable: assume by default you applied this addon, so the developer user will now use htpasswd, but then you apply the admin-user add-on, and now that user is not able to log in until he again adds it to the htpasswd file; but now the user can reapply this addon with a different user than the default and set everything up again.

```
# Name: htpasswd-identity-provider
# Description: Configures minishift to use HTPasswdIdentityProvider
# Url: https://docs.openshift.org/3.9/install_config/configuring_authentication.html#HTPasswdPasswordIdentityProvider
# Var-Defaults: USERNAME=developer,DEFAULT_PATH=/var/lib/minishift
# Required-Vars: USER_PASSWORD,USERNAME

# TODO remove hardcoded paths to ENV variables

# backup the existing master-config.yaml
ssh sudo cp -fp #{DEFAULT_PATH}/openshift.local.config/master/master-config.yaml #{DEFAULT_PATH}/openshift.local.config/master/master-config-htpasswd.yaml

# create users.htpasswd file
ssh sudo touch #{DEFAULT_PATH}/openshift.local.config/master/users.htpasswd

# add the default developer user to file (-b takes the password from the command line)
ssh sudo htpasswd -b #{DEFAULT_PATH}/openshift.local.config/master/users.htpasswd #{USERNAME} #{USER_PASSWORD}

# Patch the master configuration to use HTPasswdIdentityProvider (skipped when an htpasswd provider is already configured)
ssh grep "htpasswd" #{DEFAULT_PATH}/openshift.local.config/master/master-config.yaml > /dev/null || sudo #{DEFAULT_PATH}/bin/oc ex config patch #{DEFAULT_PATH}/openshift.local.config/master/master-config-htpasswd.yaml --patch='{"oauthConfig": {"identityProviders": [ {"challenge": true,"login": true,"mappingMethod": "add","name": "htpasswd","provider": {"apiVersion": "v1","kind": "HTPasswdPasswordIdentityProvider","file": "users.htpasswd"}}]}}' > #{DEFAULT_PATH}/openshift.local.config/master/master-config.yaml

# restart openshift
docker stop origin
docker start origin

# remove the prepatch file (use DEFAULT_PATH here as well instead of the hardcoded path)
ssh sudo rm -f #{DEFAULT_PATH}/openshift.local.config/master/master-config-htpasswd.yaml

echo 'Successfully installed addon htpasswd identity provider for #{USERNAME}'
```

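What the template above actually changes, as an added example (my code, not the project's): it rebuilds the `--patch=` document from the template as a dict, applies merge-patch semantics to a sample of Minishift's default oauthConfig (constructed from the `minishift openshift config view` output further down the thread), and audits the result together with a users.htpasswd file for the two things that matter here: that AllowAllPasswordIdentityProvider is gone, and that no entry uses one of the hash formats htpasswd itself calls insecure. Helper names are mine; the merge semantics assume `oc ex config patch` replaces the identityProviders list rather than appending to it, which is also what the template's `grep "htpasswd"` guard presumes. The authoritative check on a real VM remains `minishift openshift config view`.

```python
"""Added example, not code from the minishift-addons project: model the
oauthConfig change the add-on makes, then audit what it leaves behind."""
import copy
import json
import re

# Constructed sample: a subset of Minishift's default oauthConfig before the
# add-on runs. AllowAllPasswordIdentityProvider accepts any user with any password.
DEFAULT_MASTER_CONFIG = {
    "oauthConfig": {
        "identityProviders": [{
            "challenge": True, "login": True, "mappingMethod": "claim",
            "name": "anypassword",
            "provider": {"apiVersion": "v1", "kind": "AllowAllPasswordIdentityProvider"},
        }],
        "masterPublicURL": "https://192.168.64.4:8443",
        "tokenConfig": {"accessTokenMaxAgeSeconds": 86400},
    }
}

# The --patch= document from the add-on template, verbatim.
ADDON_PATCH_JSON = ('{"oauthConfig": {"identityProviders": [ {"challenge": true,"login": true,'
                    '"mappingMethod": "add","name": "htpasswd","provider": {"apiVersion": "v1",'
                    '"kind": "HTPasswdPasswordIdentityProvider","file": "users.htpasswd"}}]}}')


def parse_addon_patch():
    return json.loads(ADDON_PATCH_JSON)


def htpasswd_patch(htpasswd_file="users.htpasswd", mapping_method="add"):
    """The same patch built as a dict, so it is generated rather than hand-edited."""
    return {"oauthConfig": {"identityProviders": [{
        "challenge": True, "login": True, "mappingMethod": mapping_method,
        "name": "htpasswd",
        "provider": {"apiVersion": "v1", "kind": "HTPasswdPasswordIdentityProvider",
                     "file": htpasswd_file},
    }]}}


def merge_patch(target, patch):
    """Merge-patch semantics (assumed here): dicts merge key by key, any other
    value, the identityProviders list included, is replaced wholesale. So the
    AllowAll provider is dropped, not kept alongside htpasswd."""
    out = copy.deepcopy(target)
    for key, value in patch.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = merge_patch(out[key], value)
        else:
            out[key] = copy.deepcopy(value)
    return out


def provider_kinds(master_config):
    return [p["provider"]["kind"] for p in master_config["oauthConfig"]["identityProviders"]]


def audit_oauth_config(master_config):
    """Findings about the identity providers; an empty list is the desired state."""
    findings = []
    kinds = provider_kinds(master_config)
    if "AllowAllPasswordIdentityProvider" in kinds:
        findings.append("AllowAllPasswordIdentityProvider is enabled: any password logs in")
    if "HTPasswdPasswordIdentityProvider" not in kinds:
        findings.append("no HTPasswdPasswordIdentityProvider configured")
    return findings


_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def htpasswd_hash_kind(hash_field):
    """Classify the hash column of a users.htpasswd entry by its prefix."""
    if hash_field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if hash_field.startswith("$apr1$"):
        return "md5"          # apr1, htpasswd's default
    if hash_field.startswith("{SHA}"):
        return "sha1"         # unsalted; htpasswd's own usage text calls it insecure
    if _CRYPT.match(hash_field):
        return "crypt"        # 8-char limit; a 13-char plaintext would be misread as crypt
    return "plaintext"        # htpasswd -p, or a hand-edited file


WEAK_KINDS = {"sha1", "crypt", "plaintext"}


def audit_htpasswd(text):
    """Return (user, kind) for every entry not hashed with bcrypt or apr1-md5."""
    weak = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        kind = htpasswd_hash_kind(hash_field)
        if kind in WEAK_KINDS:
            weak.append((user, kind))
    return weak


if __name__ == "__main__":
    patched = merge_patch(DEFAULT_MASTER_CONFIG, htpasswd_patch())
    print("before:", audit_oauth_config(DEFAULT_MASTER_CONFIG))
    print("after: ", audit_oauth_config(patched))
    # Constructed sample file: one apr1-shaped entry and one plaintext entry.
    sample = "developer:$apr1$Qz7pX1aK$eXwYc0zq1ZcR9kqgx3L7m.\nadmin:admin\n"
    print("weak entries:", audit_htpasswd(sample))
```

Run it against the output of `minishift openshift config view` (converted to a dict) and the contents of users.htpasswd after applying the add-on; a non-empty finding list means the add-on did not take effect or left a weak entry behind.
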
LalatenduMohanty commented 6 years ago

@kameshsampath I tried it and it does not work for me.

```
$ minishift addon list
- xpaas                        : enabled  P(0)
- admin-user                   : disabled P(0)
- anyuid                       : disabled P(0)
- htpasswd-identity-provider   : disabled P(0)
- registry-route               : disabled P(0)

$ minishift addon apply htpasswd-identity-provider --addon-env USER_PASSWORD=superS3cret
-- Applying addon 'htpasswd-identity-provider':...Error applying the add-on: Error executing command 'ssh command error:
command : sudo htpasswd -b /var/lib/minishift/openshift.local.config/master/users.htpasswd developer #{DEVELOPER_USER_PASSWORD}
err     : exit status 2
output  : Usage:
    htpasswd [-cimBdpsDv] [-C cost] passwordfile username
    htpasswd -b[cmBdpsDv] [-C cost] passwordfile username password
    htpasswd -n[imBdps] [-C cost] username
    htpasswd -nb[mBdps] [-C cost] username password
 -c  Create a new file.
 -n  Don't update file; display results on stdout.
 -b  Use the password from the command line rather than prompting for it.
 -i  Read password from stdin without verification (for script usage).
 -m  Force MD5 encryption of the password (default).
 -B  Force bcrypt encryption of the password (very secure).
 -C  Set the computing time used for the bcrypt algorithm
     (higher is more secure but slower, default: 5, valid: 4 to 31).
 -d  Force CRYPT encryption of the password (8 chars max, insecure).
 -s  Force SHA encryption of the password (insecure).
 -p  Do not encrypt the password (plaintext, insecure).
 -D  Delete the specified user.
 -v  Verify password for the specified user.
On other systems than Windows and NetWare the '-p' flag will probably not work.
The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.
':

$ minishift openshift config view | yq r - oauthConfig
alwaysShowProviderSelection: false
assetPublicURL: https://192.168.64.4:8443/console/
grantConfig:
  method: auto
  serviceAccountMethod: prompt
identityProviders:
- challenge: true
  login: true
  mappingMethod: claim
  name: anypassword
  provider:
    apiVersion: v1
    kind: AllowAllPasswordIdentityProvider
masterCA: ca-bundle.crt
masterPublicURL: https://192.168.64.4:8443
masterURL: https://127.0.0.1:8443
sessionConfig:
  sessionMaxAgeSeconds: 300
  sessionName: ssn
  sessionSecretsFile: ""
templates: null
tokenConfig:
  accessTokenMaxAgeSeconds: 86400
```

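In the failure above the command reached the VM with `#{DEVELOPER_USER_PASSWORD}` unexpanded: that name appears in neither `Var-Defaults` nor `Required-Vars` of the template, so the runner left it as-is, and because a word beginning with `#` opens a comment in the remote shell, `htpasswd -b` received no password argument and printed its usage with exit status 2. Added example, not the project's code: a small lint for add-on templates that reports such references, plus a rendering of what the remote shell actually receives. The sample template is a constructed, shortened copy of the add-on above, and the helper names are mine.

```python
"""Added example, not part of minishift: lint an add-on template for #{VAR}
references with neither a `# Var-Defaults:` nor a `# Required-Vars:` entry,
and show what the remote shell makes of a line left unexpanded."""
import re
import shlex

VAR_REF = re.compile(r"#\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed sample: declares USER_PASSWORD, but the command uses DEVELOPER_USER_PASSWORD.
SAMPLE_TEMPLATE = """\
# Name: htpasswd-identity-provider
# Var-Defaults: USERNAME=developer,DEFAULT_PATH=/var/lib/minishift
# Required-Vars: USER_PASSWORD
ssh sudo htpasswd -b #{DEFAULT_PATH}/openshift.local.config/master/users.htpasswd #{USERNAME} #{DEVELOPER_USER_PASSWORD}
"""


def declared_vars(template):
    """Parse the two headers: defaults as name->value, required as a set of names."""
    defaults, required = {}, set()
    for line in template.splitlines():
        if line.startswith("# Var-Defaults:"):
            for item in line.split(":", 1)[1].split(","):
                if "=" in item:
                    name, value = item.strip().split("=", 1)
                    defaults[name] = value
        elif line.startswith("# Required-Vars:"):
            required.update(v.strip() for v in line.split(":", 1)[1].split(",") if v.strip())
    return defaults, required


def referenced_vars(template):
    """Every #{NAME} used on a command line; header and comment lines are skipped."""
    refs = set()
    for line in template.splitlines():
        if not line.startswith("#"):
            refs.update(VAR_REF.findall(line))
    return refs


def undeclared_vars(template):
    """Names the runner can never substitute: the lint's findings."""
    defaults, required = declared_vars(template)
    return sorted(referenced_vars(template) - set(defaults) - required)


def missing_required(template, env):
    """Required names the caller did not pass with --addon-env and that have no default."""
    defaults, required = declared_vars(template)
    return sorted(required - set(env) - set(defaults))


def render(template, env):
    """Substitute defaults and --addon-env values. An unknown name is left as the
    literal #{NAME}, which is exactly what the failing command above shows."""
    defaults, _ = declared_vars(template)
    values = {**defaults, **env}
    return VAR_REF.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def remote_argv(addon_line):
    """argv the shell on the VM builds from an `ssh ...` add-on line. shlex with
    comments=True applies the shell rule that a word beginning with '#' starts a
    comment, so an unexpanded #{NAME} and everything after it disappear."""
    verb, _, rest = addon_line.partition(" ")
    assert verb == "ssh", "only ssh lines are run through the remote shell"
    return shlex.split(rest, comments=True)


if __name__ == "__main__":
    print("undeclared:", undeclared_vars(SAMPLE_TEMPLATE))
    rendered = render(SAMPLE_TEMPLATE, {"USER_PASSWORD": "superS3cret"})
    for line in rendered.splitlines():
        if line.startswith("ssh "):
            print("sent:", line)
            print("argv:", remote_argv(line))   # ends with 'developer': no password
```

Running the lint before `minishift addon apply` turns the silent comment-out into an explicit finding; renaming the reference to `USER_PASSWORD` makes the rendered argv end with the password as intended.
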
kameshsampath commented 6 years ago

@LalatenduMohanty there were some errors in the script in the last commit; fixed them now, will push back tomorrow.

LalatenduMohanty commented 6 years ago

Merged https://github.com/minishift/minishift-addons/commit/b91fa693838223842104d890dec9b4df4d5d1942