OSDOCS-14108: Review-Authentication & Authorization #96304

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged (1 commit), Jul 25, 2025
4 changes: 2 additions & 2 deletions modules/authentication-authorization-common-terms.adoc
Expand Up @@ -49,10 +49,10 @@ manual mode::
In manual mode, a user manages cloud credentials instead of the Cloud Credential Operator (CCO).
endif::openshift-dedicated,openshift-rosa[]

ifndef::openshift-dedicated,openshift-rosa[]
ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
mint mode::
Mint mode is the default and recommended best practice setting for the Cloud Credential Operator (CCO) to use on the platforms for which it is supported. In this mode, the CCO uses the provided administrator-level cloud credential to create new credentials for components in the cluster with only the specific permissions that are required.
endif::openshift-dedicated,openshift-rosa[]
endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]

namespace::
A namespace isolates specific system resources that are visible to all processes. Inside a namespace, only processes that are members of that namespace can see those resources.
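Review bot: the `ifndef`/`endif` pair around mint mode now excludes `openshift-rosa-hcp`, but the manual mode entry directly above it still closes with `endif::openshift-dedicated,openshift-rosa[]` (line 40), so manual mode keeps rendering on ROSA HCP while mint mode is hidden. If the intent is that the HCP docs describe no CCO modes at all, the manual mode conditional needs the same attribute; if HCP is meant to show manual mode only, a short source comment saying so would stop the next editor from "fixing" the mismatch.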
7 changes: 7 additions & 0 deletions modules/config-github-idp.adoc
Expand Up @@ -45,9 +45,16 @@ https://oauth-openshift.apps.<cluster_name>.<cluster_domain>/oauth2callback/<idp
+
For example:
+
ifndef::openshift-rosa-hcp[]
----
https://oauth-openshift.apps.openshift-cluster.example.com/oauth2callback/github
----
endif::openshift-rosa-hcp[]
ifdef::openshift-rosa-hcp[]
----
https://oauth.<cluster_name>.<cluster_domain>/oauth2callback/<idp_provider_name>
----
endif::openshift-rosa-hcp[]

. link:https://docs.github.com/en/developers/apps/creating-an-oauth-app[Register an application on GitHub].

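Review bot: the new `ifdef::openshift-rosa-hcp[]` branch sits under the `For example:` lead-in but contains only the placeholder pattern `https://oauth.<cluster_name>.<cluster_domain>/oauth2callback/<idp_provider_name>`, whereas the non-HCP branch gives a concrete URL; either fill it in with a concrete HCP value the way the non-HCP branch does, or move it up to replace the generic pattern. That generic pattern in the hunk header context (line 45, `https://oauth-openshift.apps.<cluster_name>.<cluster_domain>/oauth2callback/<idp...`) is still unconditional, so HCP readers first see the `oauth-openshift.apps` host form that does not apply to them and then the `oauth.` form labelled as an example; the generic line should get the same `ifndef`/`ifdef` treatment.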
7 changes: 7 additions & 0 deletions modules/config-gitlab-idp.adoc
Expand Up @@ -33,9 +33,16 @@ You can also click the *Add Oauth configuration* link in the warning message dis
. Enter a unique name for the identity provider. This name cannot be changed later.
** An *OAuth callback URL* is automatically generated in the provided field. You will provide this URL to GitLab.
+
ifndef::openshift-rosa-hcp[]
----
https://oauth-openshift.apps.<cluster_name>.<cluster_domain>/oauth2callback/<idp_provider_name>
----
endif::openshift-rosa-hcp[]
ifdef::openshift-rosa-hcp[]
----
https://oauth.<cluster_name>.<cluster_domain>/oauth2callback/<idp_provider_name>
----
endif::openshift-rosa-hcp[]
+
For example:
+
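Review bot: the `For example:` continuation at the end of this hunk (lines 89-90) is unchanged and its listing is not visible here; if that example still uses the `oauth-openshift.apps.<cluster_name>.<cluster_domain>` host, ROSA HCP readers will see the `oauth.<cluster_name>.<cluster_domain>` pattern immediately followed by an example on a different host. Please confirm the example listing below this hunk is wrapped in the same `ifndef::openshift-rosa-hcp[]`/`ifdef::openshift-rosa-hcp[]` pair; the same check applies to the identical hunks in config-google-idp.adoc and config-openid-idp.adoc.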
7 changes: 7 additions & 0 deletions modules/config-google-idp.adoc
Expand Up @@ -36,9 +36,16 @@ You can also click the *Add Oauth configuration* link in the warning message dis
. Enter a unique name for the identity provider. This name cannot be changed later.
** An *OAuth callback URL* is automatically generated in the provided field. You will provide this URL to Google.
+
ifndef::openshift-rosa-hcp[]
----
https://oauth-openshift.apps.<cluster_name>.<cluster_domain>/oauth2callback/<idp_provider_name>
----
endif::openshift-rosa-hcp[]
ifdef::openshift-rosa-hcp[]
----
https://oauth.<cluster_name>.<cluster_domain>/oauth2callback/<idp_provider_name>
----
endif::openshift-rosa-hcp[]
+
For example:
+
7 changes: 7 additions & 0 deletions modules/config-openid-idp.adoc
Expand Up @@ -73,9 +73,16 @@ You can also click the *Add Oauth configuration* link in the warning message dis
. Enter a unique name for the identity provider. This name cannot be changed later.
** An *OAuth callback URL* is automatically generated in the provided field.
+
ifndef::openshift-rosa-hcp[]
----
https://oauth-openshift.apps.<cluster_name>.<cluster_domain>/oauth2callback/<idp_provider_name>
----
endif::openshift-rosa-hcp[]
ifdef::openshift-rosa-hcp[]
----
https://oauth.<cluster_name>.<cluster_domain>/oauth2callback/<idp_provider_name>
----
endif::openshift-rosa-hcp[]
+
For example:
+
13 changes: 3 additions & 10 deletions modules/ldap-syncing-nesting.adoc
Expand Up @@ -7,10 +7,7 @@
== LDAP nested membership sync example

Groups in {product-title} do not nest. The LDAP server must flatten group
membership before the data can be consumed. Microsoft's Active Directory Server
supports this feature via the
link:https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx[`LDAP_MATCHING_RULE_IN_CHAIN`]
rule, which has the OID `1.2.840.113556.1.4.1941`. Furthermore, only explicitly
membership before the data can be consumed. Microsoft's Active Directory Server supports this feature via the `LDAP_MATCHING_RULE_IN_CHAIN` rule, which has the OID `1.2.840.113556.1.4.1941`. Furthermore, only explicitly
whitelisted groups can be synced when using this matching rule.

This section has an example for the augmented Active Directory schema, which
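Review bot: this hunk drops the `link:https://msdn.microsoft.com/...[LDAP_MATCHING_RULE_IN_CHAIN]` reference instead of replacing it, so the text now names the matching rule and its OID `1.2.840.113556.1.4.1941` without pointing readers at any definition; if the stale msdn URL is the problem, a link to Microsoft's current documentation for the rule would be better than no link. Also, the replacement line 142 joins what were three hard-wrapped lines into one long line while the surrounding text (lines 137 and 143) stays wrapped at roughly 80 columns; rewrapping keeps future diffs of this paragraph readable. The same two points apply to the other two hunks in this file.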
Expand Down Expand Up @@ -86,10 +83,7 @@ with which to represent them in the internal {product-title} group records.
Furthermore, certain changes are required in this configuration:

- The `oc adm groups sync` command must explicitly whitelist groups.
- The user's `groupMembershipAttributes` must include
`"memberOf:1.2.840.113556.1.4.1941:"` to comply with the
https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx[`LDAP_MATCHING_RULE_IN_CHAIN`]
rule.
- The user's `groupMembershipAttributes` must include `"memberOf:1.2.840.113556.1.4.1941:"` to comply with the `LDAP_MATCHING_RULE_IN_CHAIN` rule.
- The `groupUIDAttribute` must be set to `dn`.
- The `groupsQuery`:
* Must not set `filter`.
Expand Down Expand Up @@ -130,8 +124,7 @@ values are ignored. `groupsQuery` must set a valid `derefAliases`.
<3> The attribute to use as the name of the group.
<4> The attribute to use as the name of the user in the {product-title} group
record. `mail` or `sAMAccountName` are preferred choices in most installations.
<5> The attribute on the user that stores the membership information. Note the use
of https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx[`LDAP_MATCHING_RULE_IN_CHAIN`].
<5> The attribute on the user that stores the membership information. Note the use of `LDAP_MATCHING_RULE_IN_CHAIN`.

.Prerequisites

2 changes: 1 addition & 1 deletion modules/oauth-server-overview.adoc
Expand Up @@ -7,7 +7,7 @@
[id="oauth-server-overview_{context}"]
= {product-title} OAuth server

The {product-title} master includes a built-in OAuth server. Users obtain OAuth
The {product-title} Control Plane includes a built-in OAuth server. Users obtain OAuth
access tokens to authenticate themselves to the API.

When a person requests a new OAuth token, the OAuth server uses the configured
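Review bot: `Control Plane` on line 176 is capitalized as a proper noun, while the Kubernetes and OpenShift term is ordinarily lowercase (`control plane`) unless the style guide treats it as a product name; please check house style and use one form consistently across the authentication modules.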
2 changes: 2 additions & 0 deletions modules/oauth-token-requests.adoc
Expand Up @@ -41,11 +41,13 @@ cannot display interactive login pages, such as the CLI. Therefore,
{product-title} supports authenticating using a `WWW-Authenticate`
challenge in addition to interactive login flows.

ifndef::openshift-rosa-hcp[]
If an authenticating proxy is placed in front of the
`<namespace_route>/oauth/authorize` endpoint, it sends unauthenticated,
non-browser user-agents `WWW-Authenticate` challenges rather than
displaying an interactive login page or redirecting to an interactive
login flow.
endif::openshift-rosa-hcp[]

[NOTE]
====
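Review bot: the `[NOTE]` block that opens at line 195 is outside the new `ifndef::openshift-rosa-hcp[]` region and its body is not visible in this hunk; if it elaborates on the authenticating-proxy paragraph that is now excluded (for instance the `<namespace_route>/oauth/authorize` endpoint), HCP readers get a note about a paragraph they never saw. Please confirm it stands on its own, or extend the conditional to cover it.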
2 changes: 2 additions & 0 deletions modules/rosa-create-cluster-admins.adoc
Expand Up @@ -43,6 +43,7 @@ cluster-admins rh-rosa-test-user
dedicated-admins rh-rosa-test-user
----
+
ifndef::openshift-rosa-hcp[]
. Enter the following command to verify that your user now has `cluster-admin` access. A cluster administrator can run this command without errors, but a dedicated administrator cannot.
+
[source,terminal]
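Review bot: the `ifndef::openshift-rosa-hcp[]` on line 204 comes after the `+` list continuation on line 203, so in ROSA HCP builds that `+` is left attached to nothing; check the rendered HCP output for a stray `+` or an empty continuation and, if it appears, move the `ifndef` above the `+`. Separately, excluding this whole step leaves HCP readers with no way to verify that `cluster-admin` access took effect; an HCP-valid verification command would be better than none.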
Expand All @@ -62,3 +63,4 @@ service/api ClusterIP 172.30.23.241 <none> 443/TCP 18h
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
daemonset.apps/apiserver 3 3 3 3 3 node-role.kubernetes.io/master= 18h
----
endif::openshift-rosa-hcp[]
2 changes: 1 addition & 1 deletion modules/setting-up-an-aws-iam-role-a-service-account.adoc
Expand Up @@ -45,7 +45,7 @@ In {product-title} with STS clusters, the OIDC provider is created during instal
]
}
----
<1> Replace `<oidc_provider_arn>` with the ARN of your OIDC provider, for example `arn:aws:iam::<aws_account_id>:oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/1v3r0n44npxu4g58so46aeohduomfres`.
<1> Replace `<oidc_provider_arn>` with the ARN of your OIDC provider, for example, `arn:aws:iam::<aws_account_id>:oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/1v3r0n44npxu4g58so46aeohduomfres`. You can retrieve the ARN by using the `rosa describe cluster` CLI command.
<2> Limits the role to the specified project and service account. Replace `<oidc_provider_name>` with the name of your OIDC provider, for example `rh-oidc.s3.us-east-1.amazonaws.com/1v3r0n44npxu4g58so46aeohduomfres`. Replace `<project_name>:<service_account_name>` with your project name and service account name, for example `my-project:test-service-account`.
+
[NOTE]
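Review bot: `rosa describe cluster` on line 220 needs a cluster identifier (`rosa describe cluster --cluster <cluster_name_or_id>`) to return anything; including the flag in the callout, or saying which field of that command's output carries the OIDC provider ARN, would make the tip actionable. The comma added after `for example` in callout <1> also leaves callout <2> (line 221), which uses `for example` without the comma twice, inconsistent with it.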