mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
openshift-docs/post_installation_configuration/preparing-for-users.adoc
2024-09-24 15:14:15 +05:30


:_mod-docs-content-type: ASSEMBLY
:context: post-install-preparing-for-users
[id="post-install-preparing-for-users"]
= Preparing for users
include::_attributes/common-attributes.adoc[]

toc::[]

After installing {product-title}, you can further expand and customize your
cluster to your requirements, including taking steps to prepare for users.

[id="post-install-understanding-identity-provider"]
== Understanding identity provider configuration

The {product-title} control plane includes a built-in OAuth server. Developers and
administrators obtain OAuth access tokens to authenticate themselves to the API.
As an administrator, you can configure OAuth to specify an identity provider
after you install your cluster.

include::modules/identity-provider-overview.adoc[leveloffset=+2]

[id="post-install-supported-identity-providers"]
=== Supported identity providers

// This section is sourced from authentication/understanding-identity-provider.adoc
You can configure the following types of identity providers:

[cols="2a,8a",options="header"]
|===
|Identity provider
|Description
|xref:../authentication/identity_providers/configuring-htpasswd-identity-provider.adoc#configuring-htpasswd-identity-provider[htpasswd]
|Configure the `htpasswd` identity provider to validate user names and passwords
against a flat file generated using
link:http://httpd.apache.org/docs/2.4/programs/htpasswd.html[`htpasswd`].
|xref:../authentication/identity_providers/configuring-keystone-identity-provider.adoc#configuring-keystone-identity-provider[Keystone]
|Configure the `keystone` identity provider to integrate
your {product-title} cluster with Keystone to enable shared authentication with
an OpenStack Keystone v3 server configured to store users in an internal
database.
|xref:../authentication/identity_providers/configuring-ldap-identity-provider.adoc#configuring-ldap-identity-provider[LDAP]
|Configure the `ldap` identity provider to validate user names and passwords
against an LDAPv3 server, using simple bind authentication.
|xref:../authentication/identity_providers/configuring-basic-authentication-identity-provider.adoc#configuring-basic-authentication-identity-provider[Basic authentication]
|Configure a `basic-authentication` identity provider for users to log in to
{product-title} with credentials validated against a remote identity provider.
Basic authentication is a generic backend integration mechanism.
|xref:../authentication/identity_providers/configuring-request-header-identity-provider.adoc#configuring-request-header-identity-provider[Request header]
|Configure a `request-header` identity provider to identify users from request
header values, such as `X-Remote-User`. It is typically used in combination with
an authenticating proxy, which sets the request header value.
|xref:../authentication/identity_providers/configuring-github-identity-provider.adoc#configuring-github-identity-provider[GitHub or GitHub Enterprise]
|Configure a `github` identity provider to validate user names and passwords
against GitHub or GitHub Enterprise's OAuth authentication server.
|xref:../authentication/identity_providers/configuring-gitlab-identity-provider.adoc#configuring-gitlab-identity-provider[GitLab]
|Configure a `gitlab` identity provider to use
link:https://gitlab.com/[GitLab.com] or any other GitLab instance as an identity
provider.
|xref:../authentication/identity_providers/configuring-google-identity-provider.adoc#configuring-google-identity-provider[Google]
|Configure a `google` identity provider using
link:https://developers.google.com/identity/protocols/OpenIDConnect[Google's OpenID Connect integration].
|xref:../authentication/identity_providers/configuring-oidc-identity-provider.adoc#configuring-oidc-identity-provider[OpenID Connect]
|Configure an `oidc` identity provider to integrate with an OpenID Connect
identity provider using an
link:http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth[Authorization Code Flow].
|===

After you define an identity provider, you can
xref:../authentication/using-rbac.adoc#authorization-overview_using-rbac[use
RBAC to define and apply permissions].

include::modules/identity-provider-parameters.adoc[leveloffset=+2]

include::modules/identity-provider-default-CR.adoc[leveloffset=+2]

[id="post-install-using-rbac-to-define-and-apply-permissions"]
== Using RBAC to define and apply permissions

Understand and apply role-based access control.

include::modules/rbac-overview.adoc[leveloffset=+2]
include::modules/rbac-projects-namespaces.adoc[leveloffset=+2]
include::modules/rbac-default-projects.adoc[leveloffset=+2]
include::modules/rbac-viewing-cluster-roles.adoc[leveloffset=+2]
include::modules/rbac-viewing-local-roles.adoc[leveloffset=+2]
include::modules/rbac-adding-roles.adoc[leveloffset=+2]
include::modules/rbac-creating-local-role.adoc[leveloffset=+2]
ifdef::openshift-enterprise,openshift-webscale,openshift-origin[]
include::modules/rbac-creating-cluster-role.adoc[leveloffset=+2]
endif::[]
include::modules/rbac-local-role-binding-commands.adoc[leveloffset=+2]
ifdef::openshift-enterprise,openshift-webscale,openshift-origin[]
include::modules/rbac-cluster-role-binding-commands.adoc[leveloffset=+2]
include::modules/rbac-creating-cluster-admin.adoc[leveloffset=+2]
endif::[]
include::modules/unauthenticated-users-cluster-role-binding-con.adoc[leveloffset=+2]
include::modules/unauthenticated-users-cluster-role-binding.adoc[leveloffset=+2]
include::modules/authentication-kubeadmin.adoc[leveloffset=+1]
include::modules/authentication-remove-kubeadmin.adoc[leveloffset=+2]

[id="post-install-mirrored-catalogs"]
== Populating OperatorHub from mirrored Operator catalogs

If you mirrored Operator catalogs for use with disconnected clusters, you can populate OperatorHub with the Operators from your mirrored catalogs. You can use the generated manifests from the mirroring process to create the required `ImageContentSourcePolicy` and `CatalogSource` objects.

[id="prerequisites_post-install-mirrored-catalogs"]
=== Prerequisites

* xref:../disconnected/mirroring/installing-mirroring-installation-images.adoc#olm-mirror-catalog_installing-mirroring-installation-images[Mirroring Operator catalogs for use with disconnected clusters]

include::modules/olm-mirroring-catalog-icsp.adoc[leveloffset=+3]

include::modules/olm-creating-catalog-from-index.adoc[leveloffset=+3]

[role="_additional-resources"]
.Additional resources
* xref:../operators/admin/olm-managing-custom-catalogs.adoc#olm-accessing-images-private-registries_olm-managing-custom-catalogs[Accessing images for Operators from private registries]
* xref:../operators/understanding/olm/olm-understanding-olm.adoc#olm-catalogsource-image-template_olm-understanding-olm[Image template for custom catalog sources]
* xref:../openshift_images/managing_images/image-pull-policy.adoc#image-pull-policy[Image pull policy]

include::modules/olm-installing-operators-from-operatorhub.adoc[leveloffset=+1]
ifdef::openshift-origin[]
include::modules/olm-installing-operators-from-operatorhub-configure.adoc[leveloffset=+2]
endif::[]
include::modules/olm-installing-from-operatorhub-using-web-console.adoc[leveloffset=+2]
ifdef::openshift-enterprise,openshift-webscale,openshift-origin[]
include::modules/olm-installing-from-operatorhub-using-cli.adoc[leveloffset=+2]

[role="_additional-resources"]
.Additional resources
* xref:../operators/understanding/olm/olm-understanding-operatorgroups.adoc#olm-operatorgroups-about_olm-understanding-operatorgroups[About OperatorGroups]
endif::[]