$ htpasswd -c -B -b </path/to/users.htpasswd> <user_name> <password>
- Documentation
- OpenShift Container Platform
- Authentication and authorization
- Configuring identity providers
- Configuring an HTPasswd identity provider history
Soon, all Red Hat OpenShift documentation will only be available on docs.redhat.com, the official location of all Red Hat product documentation. Get familiar with the updated experience today!
- About
- Release notes
- Architecture
- Installing
- Installing on AWS
- Configuring an AWS account
- Manually creating IAM
- Installing a cluster quickly on AWS
- Installing a cluster on AWS with customizations
- Installing a cluster on AWS with network customizations
- Installing a cluster on AWS into an existing VPC
- Installing a private cluster on AWS
- Installing a cluster on AWS using CloudFormation templates
- Installing a cluster on AWS in a restricted network
- Uninstalling a cluster on AWS
- Installing on Azure
- Configuring an Azure account
- Manually creating IAM
- Installing a cluster quickly on Azure
- Installing a cluster on Azure with customizations
- Installing a cluster on Azure with network customizations
- Installing a cluster on Azure into an existing VNet
- Installing a private cluster on Azure
- Installing a cluster on Azure using ARM templates
- Uninstalling a cluster on Azure
- Installing on GCP
- Configuring a GCP project
- Manually creating IAM
- Installing a cluster quickly on GCP
- Installing a cluster on GCP with customizations
- Installing a cluster on GCP with network customizations
- Installing a cluster on GCP into an existing VPC
- Installing a private cluster on GCP
- Installing a cluster on GCP using Deployment Manager templates
- Restricted network GCP installation
- Uninstalling a cluster on GCP
- Installing on bare metal
- Installing on IBM Z and LinuxONE
- Installing on IBM Power
- Installing on OpenStack
- Installing a cluster on OpenStack with customizations
- Installing a cluster on OpenStack with Kuryr
- Installing a cluster on OpenStack on your own infrastructure
- Installing a cluster on OpenStack with Kuryr on your own infrastructure
- Installing a cluster on OpenStack in a restricted network
- Uninstalling a cluster on OpenStack
- Uninstalling a cluster on OpenStack from your own infrastructure
- Installing on RHV
- Installing on vSphere
- Troubleshooting installation issues
- Support for FIPS cryptography
- Installation configuration
- Installing on AWS
- Updating clusters
- Support
- Web console
- Security
- Container security
- Understanding container security
- Understanding host and VM security
- Hardening Red Hat Enterprise Linux CoreOS
- Understanding compliance
- Securing container content
- Using container registries securely
- Securing the build process
- Deploying containers
- Securing the container platform
- Securing networks
- Securing attached storage
- Monitoring cluster events and logs
- Configuring certificates
- Certificate types and descriptions
- User-provided certificates for the API server
- Proxy certificates
- Service CA certificates
- Node certificates
- Bootstrap certificates
- etcd certificates
- OLM certificates
- User-provided certificates for default ingress
- Ingress certificates
- Monitoring and cluster logging Operator component certificates
- Control plane certificates
- Viewing audit logs
- Allowing JavaScript-based access to the API server from additional hosts
- Encrypting etcd data
- Scanning pods for vulnerabilities
- Container security
- Authentication and authorization
- Understanding authentication
- Configuring the internal OAuth server
- Understanding identity provider configuration
- Configuring identity providers
- Configuring an HTPasswd identity provider
- Configuring a Keystone identity provider
- Configuring an LDAP identity provider
- Configuring a basic authentication identity provider
- Configuring a request header identity provider
- Configuring a GitHub or GitHub Enterprise identity provider
- Configuring a GitLab identity provider
- Configuring a Google identity provider
- Configuring an OpenID Connect identity provider
- Using RBAC to define and apply permissions
- Removing the kubeadmin user
- Configuring the user agent
- Understanding and creating service accounts
- Using service accounts in applications
- Using a service account as an OAuth client
- Scoping tokens
- Using bound service account tokens
- Managing security context constraints
- Impersonating the system:admin user
- Syncing LDAP groups
- Networking
- Understanding networking
- Accessing hosts
- Understanding the Cluster Network Operator
- Understanding the DNS Operator
- Understanding the Ingress Operator
- Using SCTP
- Network policy
- Multiple networks
- Understanding multiple networks
- Attaching a Pod to an additional network
- Removing a Pod from an additional network
- Configuring a bridge network
- Configuring a macvlan network
- Configuring an ipvlan network
- Configuring a host-device network
- Editing an additional network
- Removing an additional network
- Configuring PTP
- Hardware networks
- OpenShift SDN default CNI network provider
- About the OpenShift SDN default CNI network provider
- Configuring egress IPs for a project
- Configuring an egress firewall for a project
- Editing an egress firewall for a project
- Removing an egress firewall from a project
- Considerations for the use of an egress router pod
- Deploying an egress router pod in redirect mode
- Deploying an egress router pod in HTTP proxy mode
- Deploying an egress router pod in DNS proxy mode
- Configuring an egress router pod destination list from a config map
- Enabling multicast for a project
- Disabling multicast for a project
- Configuring multitenant isolation
- Configuring kube-proxy
- OVN-Kubernetes default CNI network provider
- Configuring Routes
- Configuring ingress cluster traffic
- Configuring the cluster-wide proxy
- Configuring a custom PKI
- Storage
- Understanding ephemeral storage
- Understanding persistent storage
- Configuring persistent storage
- Persistent storage using Amazon EFS
- Persistent storage using AWS Elastic Block Store
- Persistent storage using Azure Disk
- Persistent storage using Azure File
- Persistent storage using Cinder
- Persistent storage using Fibre Channel
- Persistent storage using FlexVolume
- Persistent storage using GCE Persistent Disk
- Persistent storage using hostPath
- Persistent Storage using iSCSI
- Persistent storage using local volumes
- Persistent storage using NFS
- Persistent storage using Red Hat OpenShift Container Storage
- Persistent storage using VMware vSphere
- Using Container Storage Interface (CSI)
- Expanding persistent volumes
- Dynamic provisioning
- Registry
- Operators
- Understanding Operators
- Understanding the Operator Lifecycle Manager (OLM)
- Understanding the OperatorHub
- Adding Operators to a cluster
- Configuring proxy support
- Deleting Operators from a cluster
- Creating applications from installed Operators
- Viewing Operator status
- Creating policy for Operator installations and upgrades
- Using OLM on restricted networks
- CRDs
- Operator SDK
- Red Hat Operators
- Builds
- Understanding image builds
- Understanding build configurations
- Creating build inputs
- Managing build output
- Using build strategies
- Custom image builds with Buildah
- Performing basic builds
- Triggering and modifying builds
- Performing advanced builds
- Using Red Hat subscriptions in builds
- Securing builds by strategy
- Build configuration resources
- Troubleshooting builds
- Setting up additional trusted certificate authorities for builds
- Creating and using ConfigMaps
- Pipelines
- Images
- Configuring the Samples Operator
- Using the Samples Operator with an alternate registry
- Understanding containers, images, and imagestreams
- Creating images
- Managing images
- Managing image streams
- Using image streams with Kubernetes resources
- Triggering updates on image stream changes
- Image configuration resources
- Using templates
- Using Ruby on Rails
- Using images
- Applications
- Machine management
- Nodes
- Working with pods
- Controlling pod placement onto nodes (scheduling)
- About pod placement using the scheduler
- Configuring the default scheduler to control pod placement
- Placing pods relative to other pods using pod affinity and anti-affinity rules
- Controlling pod placement on nodes using node affinity rules
- Placing pods onto overcommited nodes
- Controlling pod placement using node taints
- Placing pods on specific nodes using node selectors
- Evicting pods using the descheduler
- Using Jobs and DaemonSets
- Working with nodes
- Working with containers
- Using containers
- Using Init Containers to perform tasks before a pod is deployed
- Using volumes to persist container data
- Mapping volumes using projected volumes
- Allowing containers to consume API objects
- Copying files to or from a container
- Executing remote commands in a container
- Using port forwarding to access applications in a container
- Using sysctls in containers
- Working with clusters
- Logging
- About cluster logging
- About deploying cluster logging
- Deploying cluster logging
- Updating cluster logging
- Viewing cluster logs
- Viewing cluster logs using Kibana
- Configuring your cluster logging deployment
- About configuring cluster logging
- Changing cluster logging management state
- Configuring cluster logging
- Configuring Elasticsearch
- Configuring Kibana
- Configuring Curator
- Configuring the logging collector
- Collecting and storing Kubernetes events
- Using tolerations to control cluster logging pod placement
- Forward logs to third party systems
- Configuring systemd-journald for cluster logging
- Viewing Elasticsearch status
- Viewing cluster logging status
- Moving the cluster logging resources with node selectors
- Manually rolling out Elasticsearch
- Collecting logging data for Red Hat Support
- Troubleshooting Kibana
- Exported fields
- Uninstalling cluster logging
- Monitoring
- Metering
- Scalability and performance
- Recommended installation practices
- Recommended host practices
- Recommended cluster scaling practices
- Using the Node Tuning Operator
- Using Cluster Loader
- Using CPU Manager
- Using Topology Manager
- Scaling the Cluster Monitoring Operator
- Planning your environment according to object maximums
- Optimizing storage
- Optimizing routing
- Optimizing networking
- What huge pages do and how they are consumed by apps
- Backup and restore
- Migration
- Migrating from OpenShift Container Platform 3
- About migrating from OpenShift Container Platform 3 to 4
- Planning your migration from OpenShift Container Platform 3 to 4
- Migration tools and prerequisites
- Deploying the Cluster Application Migration tool
- Configuring a replication repository
- Migrating applications with the CAM web console
- Migrating control plane settings with the Control Plane Migration Assistant
- Troubleshooting
- Migrating from OpenShift Container Platform 4.1
- Migrating from OpenShift Container Platform 4.2 and later
- Migrating from OpenShift Container Platform 3
- CLI tools
- OpenShift CLI (oc)
- Developer CLI (odo)
- Understanding odo
- odo architecture
- Installing odo
- Using odo in a restricted environment
- Creating a single-component application with odo
- Creating a multicomponent application with odo
- Creating an application with a database
- Creating applications by using devfiles
- Using sample applications
- Creating instances of services managed by Operators
- Debugging applications in odo
- Managing environment variables in odo
- Configuring the odo CLI
- odo CLI reference
- odo release notes
- Helm CLI
- Knative CLI (kn) for use with OpenShift Serverless
- Pipelines CLI (tkn)
- API reference
- API list
- Common object reference
- Authorization APIs
- About Authorization APIs
- LocalResourceAccessReview [authorization.openshift.io/v1]
- LocalSubjectAccessReview [authorization.openshift.io/v1]
- ResourceAccessReview [authorization.openshift.io/v1]
- SelfSubjectRulesReview [authorization.openshift.io/v1]
- SubjectAccessReview [authorization.openshift.io/v1]
- SubjectRulesReview [authorization.openshift.io/v1]
- TokenReview [authentication.k8s.io/v1]
- LocalSubjectAccessReview [authorization.k8s.io/v1]
- SelfSubjectAccessReview [authorization.k8s.io/v1]
- SelfSubjectRulesReview [authorization.k8s.io/v1]
- SubjectAccessReview [authorization.k8s.io/v1]
- Autoscale APIs
- Config APIs
- About Config APIs
- APIServer [config.openshift.io/v1]
- Authentication [config.openshift.io/v1]
- Build [config.openshift.io/v1]
- ClusterOperator [config.openshift.io/v1]
- ClusterVersion [config.openshift.io/v1]
- Console [config.openshift.io/v1]
- DNS [config.openshift.io/v1]
- FeatureGate [config.openshift.io/v1]
- Image [config.openshift.io/v1]
- Infrastructure [config.openshift.io/v1]
- Ingress [config.openshift.io/v1]
- Network [config.openshift.io/v1]
- OAuth [config.openshift.io/v1]
- OperatorHub [config.openshift.io/v1]
- Project [config.openshift.io/v1]
- Proxy [config.openshift.io/v1]
- Scheduler [config.openshift.io/v1]
- Console APIs
- Extension APIs
- Image APIs
- About Image APIs
- Image [image.openshift.io/v1]
- ImageSignature [image.openshift.io/v1]
- ImageStreamImage [image.openshift.io/v1]
- ImageStreamImport [image.openshift.io/v1]
- ImageStreamMapping [image.openshift.io/v1]
- ImageStream [image.openshift.io/v1]
- ImageStreamTag [image.openshift.io/v1]
- ImageTag [image.openshift.io/v1]
- Machine APIs
- About Machine APIs
- ContainerRuntimeConfig [machineconfiguration.openshift.io/v1]
- ControllerConfig [machineconfiguration.openshift.io/v1]
- KubeletConfig [machineconfiguration.openshift.io/v1]
- MachineConfigPool [machineconfiguration.openshift.io/v1]
- MachineConfig [machineconfiguration.openshift.io/v1]
- MachineHealthCheck [machine.openshift.io/v1beta1]
- Machine [machine.openshift.io/v1beta1]
- MachineSet [machine.openshift.io/v1beta1]
- Metadata APIs
- Monitoring APIs
- Network APIs
- About Network APIs
- ClusterNetwork [network.openshift.io/v1]
- Endpoints [core/v1]
- EndpointSlice [discovery.k8s.io/v1beta1]
- EgressNetworkPolicy [network.openshift.io/v1]
- HostSubnet [network.openshift.io/v1]
- Ingress [networking.k8s.io/v1beta1]
- NetNamespace [network.openshift.io/v1]
- NetworkAttachmentDefinition [k8s.cni.cncf.io/v1]
- NetworkPolicy [networking.k8s.io/v1]
- Route [route.openshift.io/v1]
- Service [core/v1]
- Node APIs
- OAuth APIs
- Operator APIs
- About Operator APIs
- Authentication [operator.openshift.io/v1]
- Console [operator.openshift.io/v1]
- Config [imageregistry.operator.openshift.io/v1]
- Config [samples.operator.openshift.io/v1]
- CSISnapshotController [operator.openshift.io/v1]
- DNS [operator.openshift.io/v1]
- DNSRecord [ingress.operator.openshift.io/v1]
- Etcd [operator.openshift.io/v1]
- ImageContentSourcePolicy [operator.openshift.io/v1alpha1]
- ImagePruner [imageregistry.operator.openshift.io/v1]
- IngressController [operator.openshift.io/v1]
- KubeAPIServer [operator.openshift.io/v1]
- KubeControllerManager [operator.openshift.io/v1]
- KubeScheduler [operator.openshift.io/v1]
- KubeStorageVersionMigrator [operator.openshift.io/v1]
- Network [operator.openshift.io/v1]
- OpenShiftAPIServer [operator.openshift.io/v1]
- OpenShiftControllerManager [operator.openshift.io/v1]
- ServiceCA [operator.openshift.io/v1]
- ServiceCatalogAPIServer [operator.openshift.io/v1]
- ServiceCatalogControllerManager [operator.openshift.io/v1]
- OperatorHub APIs
- About OperatorHub APIs
- CatalogSourceConfig [operators.coreos.com/v1]
- CatalogSource [operators.coreos.com/v1alpha1]
- ClusterServiceVersion [operators.coreos.com/v1alpha1]
- InstallPlan [operators.coreos.com/v1alpha1]
- OperatorGroup [operators.coreos.com/v1]
- OperatorSource [operators.coreos.com/v1]
- PackageManifest [packages.operators.coreos.com/v1]
- Subscription [operators.coreos.com/v1alpha1]
- Policy APIs
- Project APIs
- RBAC APIs
- Role APIs
- Schedule and quota APIs
- Security APIs
- About Security APIs
- CertificateSigningRequest [certificates.k8s.io/v1beta1]
- CredentialsRequest [cloudcredential.openshift.io/v1]
- PodSecurityPolicyReview [security.openshift.io/v1]
- PodSecurityPolicySelfSubjectReview [security.openshift.io/v1]
- PodSecurityPolicySubjectReview [security.openshift.io/v1]
- RangeAllocation [security.openshift.io/v1]
- Secret [core/v1]
- SecurityContextConstraints [security.openshift.io/v1]
- ServiceAccount [core/v1]
- Storage APIs
- About Storage APIs
- CSIDriver [storage.k8s.io/v1beta1]
- CSINode [storage.k8s.io/v1]
- PersistentVolumeClaim [core/v1]
- StorageClass [storage.k8s.io/v1]
- VolumeAttachment [storage.k8s.io/v1]
- VolumeSnapshot [snapshot.storage.k8s.io/v1beta1]
- VolumeSnapshotClass [snapshot.storage.k8s.io/v1beta1]
- VolumeSnapshotContent [snapshot.storage.k8s.io/v1beta1]
- Template APIs
- User and group APIs
- Workloads APIs
- About Workloads APIs
- BuildConfig [build.openshift.io/v1]
- Build [build.openshift.io/v1]
- CronJob [batch/v1beta1]
- DaemonSet [apps/v1]
- Deployment [apps/v1]
- DeploymentConfig [apps.openshift.io/v1]
- Job [batch/v1]
- Pod [core/v1]
- ReplicationController [core/v1]
- PersistentVolume [core/v1]
- ReplicaSet [apps/v1]
- StatefulSet [apps/v1]
- Service Mesh
- Service Mesh 1.x
- Service Mesh 1.x release notes
- Service Mesh architecture
- Service Mesh and Istio differences
- Preparing to install Service Mesh
- Installing Service Mesh
- Customizing the installation
- Deploying applications on Service Mesh
- Data visualization and observability
- Security
- Traffic management
- Using the 3scale Istio adapter
- Removing Service Mesh
- Service Mesh 1.x
- Jaeger
- Container-native virtualization
- About container-native virtualization
- Container-native virtualization release notes
- Container-native virtualization installation
- Upgrading container-native virtualization
- Using the CLI tools
- Virtual machines
- Creating virtual machines
- Editing virtual machines
- Editing boot order
- Deleting virtual machines
- Deleting virtual machine instances
- Controlling virtual machine states
- Accessing virtual machine consoles
- Installing VirtIO driver on an existing Windows virtual machine
- Installing VirtIO driver on a new Windows virtual machine
- Advanced virtual machine management
- Importing virtual machines
- Cloning virtual machines
- Virtual machine networking
- Virtual machine disks
- Configuring local storage for virtual machines
- Uploading local disk images by using the virtctl tool
- Uploading a local disk image to a block storage DataVolume
- Moving a local virtual machine disk to a different node
- Expanding virtual storage by adding blank disk images
- Storage defaults for DataVolumes
- Preparing CDI scratch space
- Deleting DataVolumes
- Virtual machine templates
- Live migration
- Node maintenance
- Node networking
- Logging, events, and monitoring
- Serverless applications
×
Configuring an HTPasswd identity provider
- About identity providers in OpenShift Container Platform
- Creating an HTPasswd file using Linux
- Creating an HTPasswd file using Windows
- Creating the HTPasswd Secret
- Sample HTPasswd CR
- Adding an identity provider to your clusters
- Updating users for an HTPasswd identity provider
- Configuring identity providers using the web console
About identity providers in OpenShift Container Platform
By default, only a kubeadmin user exists on your cluster. To specify an
identity provider, you must create a Custom Resource (CR) that describes
that identity provider and add it to the cluster.
|
OpenShift Container Platform user names containing |
To define an HTPasswd identity provider you must perform the following steps:
-
Create an
htpasswdfile to store the user and password information. Instructions are provided for Linux and Windows. -
Create an OpenShift Container Platform secret to represent the
htpasswdfile.
Creating an HTPasswd file using Linux
To use the HTPasswd identity provider, you must generate a flat file that
contains the user names and passwords for your cluster by using
htpasswd.
Prerequisites
-
Have access to the
htpasswdutility. On Red Hat Enterprise Linux this is available by installing thehttpd-toolspackage.
Procedure
-
Create or update your flat file with a user name and hashed password:
The command generates a hashed version of the password.
For example:
$ htpasswd -c -B -b users.htpasswd user1 MyPassword! Adding password for user user1
-
Continue to add or update credentials to the file:
$ htpasswd -B -b </path/to/users.htpasswd> <user_name> <password>
Creating an HTPasswd file using Windows
To use the HTPasswd identity provider, you must generate a flat file that
contains the user names and passwords for your cluster by using
htpasswd.
Prerequisites
-
Have access to
htpasswd.exe. This file is included in the\bindirectory of many Apache httpd distributions.
Procedure
-
Create or update your flat file with a user name and hashed password:
> htpasswd.exe -c -B -b <\path\to\users.htpasswd> <user_name> <password>
The command generates a hashed version of the password.
For example:
> htpasswd.exe -c -B -b users.htpasswd user1 MyPassword! Adding password for user user1
-
Continue to add or update credentials to the file:
> htpasswd.exe -b <\path\to\users.htpasswd> <user_name> <password>
Creating the HTPasswd Secret
To use the HTPasswd identity provider, you must define a secret that contains the HTPasswd user file.
Prerequisites
-
Create an HTPasswd file.
Procedure
-
Create an OpenShift Container Platform
Secretobject that contains the HTPasswd users file.$ oc create secret generic htpass-secret --from-file=htpasswd=</path/to/users.htpasswd> -n openshift-config
The secret key containing the users file for the
--from-fileargument must be namedhtpasswd, as shown in the above command.
Sample HTPasswd CR
The following custom resource (CR) shows the parameters and acceptable values for an HTPasswd identity provider.
HTPasswd CR
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
name: cluster
spec:
identityProviders:
- name: my_htpasswd_provider (1)
mappingMethod: claim (2)
type: HTPasswd
htpasswd:
fileData:
name: htpass-secret (3)| 1 | This provider name is prefixed to provider user names to form an identity name. |
| 2 | Controls how mappings are established between this provider’s identities and User objects. |
| 3 | An existing secret containing a file generated using
htpasswd. |
Adding an identity provider to your clusters
After you install your cluster, add an identity provider to it so your users can authenticate.
Prerequisites
-
Create an OpenShift Container Platform cluster.
-
Create the custom resource (CR) for your identity providers.
-
You must be logged in as an administrator.
Procedure
-
Apply the defined CR:
$ oc apply -f </path/to/CR>
If a CR does not exist,
oc applycreates a new CR and might trigger the following warning:Warning: oc apply should be used on resources created by either oc create --save-config or oc apply. In this case you can safely ignore this warning. -
Log in to the cluster as a user from your identity provider, entering the password when prompted.
$ oc login -u <username>
-
Confirm that the user logged in successfully, and display the user name.
$ oc whoami
Updating users for an HTPasswd identity provider
You can add or remove users from an existing HTPasswd identity provider.
Prerequisites
-
You have created a
Secretobject that contains the HTPasswd user file. This procedure assumes that it is namedhtpass-secret. -
You have configured an HTPasswd identity provider. This procedure assumes that it is named
my_htpasswd_provider. -
You have access to the
htpasswdutility. On Red Hat Enterprise Linux this is available by installing thehttpd-toolspackage. -
You have cluster administrator privileges.
Procedure
-
Retrieve the HTPasswd file from the
htpass-secretSecretobject and save the file to your file system:$ oc get secret htpass-secret -ojsonpath={.data.htpasswd} -n openshift-config | base64 -d > users.htpasswd -
Add or remove users from the
users.htpasswdfile.-
To add a new user:
$ htpasswd -bB users.htpasswd <username> <password> Adding password for user <username>
-
To remove an existing user:
$ htpasswd -D users.htpasswd <username> Deleting password for user <username>
-
-
Replace the
htpass-secretSecretobject with the updated users in theusers.htpasswdfile:$ oc create secret generic htpass-secret --from-file=htpasswd=users.htpasswd --dry-run -o yaml -n openshift-config | oc replace -f -
-
If you removed one or more users, you must additionally remove existing resources for each user.
-
Delete the
Userobject:$ oc delete user <username> user.user.openshift.io "<username>" deleted
Be sure to remove the user, otherwise the user can continue using their token as long as it has not expired.
-
Delete the
Identityobject for the user:$ oc delete identity my_htpasswd_provider:<username> identity.user.openshift.io "my_htpasswd_provider:<username>" deleted
-
Configuring identity providers using the web console
Configure your identity provider (IDP) through the web console instead of the CLI.
Prerequisites
-
You must be logged in to the web console as a cluster administrator.
Procedure
-
Navigate to Administration → Cluster Settings.
-
Under the Global Configuration tab, click OAuth.
-
Under the Identity Providers section, select your identity provider from the Add drop-down menu.
|
You can specify multiple IDPs through the web console without overwriting existing IDPs. |