OpenShift Origin 3.7 : Keystone Authentication
2018/02/08
The OpenShift installation example in this tutorial configured HTPasswd as the authentication provider,
but it is possible to select an authentication provider other than HTPasswd.
Here, OpenStack Keystone is configured as the authentication provider.
This example is based on the following environment.
-----------+--------------+---------------+--------------------------+------------
           |10.0.0.30     |               |10.0.0.51                 |10.0.0.52
+----------+-----------+  |    +----------+-----------+   +----------+-----------+
|  [ dlp.srv.world ]   |  |    | [ node01.srv.world ] |   | [ node02.srv.world ] |
|    (Master Node)     |  |    |    (Compute Node)    |   |    (Compute Node)    |
|    (Compute Node)    |  |    |                      |   |                      |
+----------------------+  |    +----------------------+   +----------------------+
                          |
+----------------------+  |
| [keystone.srv.world] |  |
|  Openstack Keystone  +--+
|                      |10.0.0.50
+----------------------+
[1]
[2] Log in as root or as a cluster admin user and change the authentication settings.
# line 159: change like follows
identityProviders:
- challenge: true
  login: true
  mappingMethod: claim
  # any name you like
  name: keystone_auth
  provider:
    apiVersion: v1
    kind: KeystonePasswordIdentityProvider
    # keystone domain name (Openstack's default is just the [default])
    domainName: default
    # keystone auth URL
    url: http://10.0.0.50:5000
.....
.....
[origin@dlp ~]$
[3] Add a user for the OpenShift cluster on the Keystone server.
[root@keystone ~(keystone)]# openstack user create --domain default --password mypassword redhat
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | c81f839e6460492f8d111012c75395fc |
| name                | redhat                           |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
[4] Make sure it's possible to log in to the OpenShift cluster with the user above.
[cent@dlp ~]$ oc login
Authentication required for https://dlp.srv.world:8443 (openshift)
Username: redhat
Password:
Login successful.
You don't have any projects. You can try to create a new project, by running
    oc new-project <projectname>
[cent@dlp ~]$ oc whoami
redhat
[cent@dlp ~]$ oc new-project myproject
Now using project "myproject" on server "https://dlp.srv.world:8443".
You can add applications to this project with the 'new-app' command. For example, try:
    oc new-app centos/ruby-22-centos7~https://github.com/openshift/ruby-ex.git
to build a new example application in Ruby.
.....
.....
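Step [2] points the master at Keystone over plain HTTP, so every password entered at "oc login" travels unencrypted between the master and 10.0.0.50. The stanza below is an added example, not part of the original tutorial, showing the same provider over TLS. It assumes that Keystone serves HTTPS on keystone.srv.world:5000 and that keystone-ca.crt (a hypothetical file name) holds the CA certificate that signed the Keystone server certificate.

```yaml
# Added example, not from the original tutorial.
# Assumptions: Keystone answers on https://keystone.srv.world:5000 and
# keystone-ca.crt (hypothetical file name) is the CA that issued its certificate.
identityProviders:
- challenge: true
  login: true
  mappingMethod: claim
  name: keystone_auth
  provider:
    apiVersion: v1
    kind: KeystonePasswordIdentityProvider
    domainName: default
    # Weak setting from step [2]: the master forwards each user's password
    # to Keystone in cleartext.
    # url: http://10.0.0.50:5000
    # Corrected: HTTPS, addressed by a host name that matches the server certificate.
    url: https://keystone.srv.world:5000
    # CA bundle the master uses to validate the Keystone server certificate.
    ca: keystone-ca.crt
```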