Bug 1391812

Summary: [DOCS] Missing steps and configurations for RequestHeaderIdentityProvider with login proxy server or LDAP authentication
Product: OpenShift Container Platform
Reporter: Takayoshi Tanaka <tatanaka>
Component: Documentation
Assignee: Traci Morrison <tmorriso>
Status: CLOSED CURRENTRELEASE
QA Contact: Johnny Liu <jialiu>
Severity: urgent
Docs Contact: Vikram Goyal <vigoyal>
Priority: high
Version: 3.3.0
CC: aos-bugs, jialiu, jokerman, mmccomas, tatanaka
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: 3.7-release-plan
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-10-03 15:35:48 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Takayoshi Tanaka 2016-11-04 05:39:44 UTC
Document URL: 
https://docs.openshift.com/container-platform/3.3/install_config/configuring_authentication.html#RequestHeaderIdentityProvider

Section Number and Name: 
Example 9. Apache Authentication Using RequestHeaderIdentityProvider

Describe the issue: 
This section "Example 9" describes how to set up Apache as an authentication proxy. However, the Apache instance is located on the same host as the OpenShift master. When users want to set up Apache on a different host than the OpenShift master, some steps and configurations are missing.

Suggestions for improvement: 
1) Adding how to generate certificates for another hostname.

```
# mkdir -p /etc/origin/proxy/
# oadm ca create-server-cert \
    --cert='/etc/origin/proxy/proxy.example.com.crt' \
    --key='/etc/origin/proxy/proxy.example.com.key' \
    --hostnames=proxy.example.com \
    --signer-cert=/etc/origin/master/ca.crt \
    --signer-key='/etc/origin/master/ca.key' \
    --signer-serial='/etc/origin/master/ca.serial.txt'

# oadm ca create-signer-cert \
  --cert='/etc/origin/proxy/proxyca.crt' \
  --key='/etc/origin/proxy/proxyca.key' \
  --name='openshift-proxy-signer@UNIQUESTRING' \
  --serial='/etc/origin/proxy/proxyca.serial.txt'

# oadm create-api-client-config \
    --certificate-authority='/etc/origin/proxy/proxyca.crt' \
    --client-dir='/etc/origin/proxy' \
    --signer-cert='/etc/origin/proxy/proxyca.crt' \
    --signer-key='/etc/origin/proxy/proxyca.key' \
    --signer-serial='/etc/origin/proxy/proxyca.serial.txt' \
    --user='system:proxy'

# cat /etc/origin/proxy/system\:proxy.crt \
      /etc/origin/proxy/system\:proxy.key \
      > /etc/origin/proxy/authproxy.pem

# scp /etc/origin/master/ca.crt \
      root.com:/etc/pki/CA/certs/

# scp /etc/origin/proxy/proxy.example.com.crt \
      /etc/origin/proxy/authproxy.pem \
      root.com:/etc/pki/tls/certs/

# scp /etc/origin/proxy/proxy.example.com.key \
      root.com:/etc/pki/tls/private/
```

2) Adding an example configuration to use an LDAP server for authentication.
```
LoadModule auth_form_module modules/mod_auth_form.so
LoadModule session_module modules/mod_session.so
LoadModule request_module modules/mod_request.so

# Nothing needs to be served over HTTP.  This virtual host simply redirects to
# HTTPS.
<VirtualHost *:80>
  DocumentRoot /var/www/html
  RewriteEngine              On
  RewriteRule     ^(.*)$     https://%{HTTP_HOST}$1 [R,L]
</VirtualHost>

<VirtualHost *:443>
  # This needs to match the certificates you generated.  See the CN and X509v3
  # Subject Alternative Name in the output of:
  # openssl x509 -text -in /etc/pki/tls/certs/localhost.crt
  ServerName proxy.example.com

  DocumentRoot /var/www/html
  SSLEngine on
  SSLCertificateFile /etc/pki/tls/certs/proxy.example.com.crt
  SSLCertificateKeyFile /etc/pki/tls/private/proxy.example.com.key
  SSLCACertificateFile /etc/pki/CA/certs/ca.crt

  SSLProxyEngine on
  SSLProxyCACertificateFile /etc/pki/CA/certs/ca.crt
  # It's critical to enforce client certificates on the Master.  Otherwise
  # requests could spoof the X-Remote-User header by accessing the Master's
  # /oauth/authorize endpoint directly.
  SSLProxyMachineCertificateFile /etc/pki/tls/certs/authproxy.pem

  # Send all requests to the console
  RewriteEngine              On
  RewriteRule     ^/console(.*)$     https://%{HTTP_HOST}:8443/console$1 [R,L]

  # In order to use the challenging-proxy an X-Csrf-Token must be present.
  RewriteCond %{REQUEST_URI} ^/challenging-proxy
  RewriteCond %{HTTP:X-Csrf-Token} ^$ [NC]
  RewriteRule ^.* - [F,L]

  <Location /challenging-proxy/oauth/authorize>
    # Insert your backend server name/ip here.
    ProxyPass https://master.example.com:8443/oauth/authorize
    AuthType basic
  </Location>

  <Location /login-proxy/oauth/authorize>
    # Insert your backend server name/ip here.
    ProxyPass https://master.example.com:8443/oauth/authorize

    # mod_auth_form providers are implemented by mod_authn_dbm, mod_authn_file,
    # mod_authn_dbd, mod_authnz_ldap and mod_authn_socache.
    AuthFormProvider ldap
    AuthType form
    AuthName openshift
    # mod_auth_form needs a session (mod_session / mod_session_cookie) to carry
    # the form login across requests; these two directives are added for that.
    Session On
    SessionCookieName openshift_login_session path=/
    ErrorDocument 401 /login.html
  </Location>

  <ProxyMatch /oauth/authorize>
    # For ldap (mod_ldap and mod_authnz_ldap must be loaded):
    AuthUserFile /dev/null
    AuthBasicProvider ldap
    # == Please replace with your LDAP configuration ==
    AuthLDAPURL "ldap://ldap.example.com:389/ou=users,dc=example,dc=com?mail?"
    AuthLDAPBindDN cn=Admins,dc=example,dc=com
    AuthLDAPBindPassword password
    AuthName openshift
    Require valid-user
    RequestHeader set X-Remote-User %{REMOTE_USER}s
  </ProxyMatch>

</VirtualHost>

RequestHeader unset X-Remote-User
```

Additional information: 
Users may find another document [1] to set up a login proxy server with form-based authentication. I quoted some steps from this document. In addition, this document has a bug I reported as 1391809.

[1] https://docs.openshift.com/container-platform/3.3/install_config/advanced_ldap_configuration/configuring_form_based_authentication.html
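As an added check (not part of this report or of the OpenShift documentation): a small Python lint that parses an Apache config of the shape posted above and reports which of the X-Remote-User safeguards called out in the config's own comments are missing. The embedded config is a constructed subset of the posted *:443 virtual host; the section and directive names are the ones used there.

```python
import re

# Constructed minimal config with the security-relevant directives of the
# posted *:443 virtual host (not the report's full config).
GOOD_CONF = """\
RequestHeader unset X-Remote-User
<VirtualHost *:443>
  SSLProxyMachineCertificateFile /etc/pki/tls/certs/authproxy.pem
  RewriteCond %{REQUEST_URI} ^/challenging-proxy
  RewriteCond %{HTTP:X-Csrf-Token} ^$ [NC]
  RewriteRule ^.* - [F,L]
  <ProxyMatch /oauth/authorize>
    Require valid-user
    RequestHeader set X-Remote-User %{REMOTE_USER}s
  </ProxyMatch>
</VirtualHost>
"""
SECTION = re.compile(r"^<(/?)(\w+)\s*(.*?)>$")

def parse(text):
    """Flatten the config into (enclosing sections, directive, args) tuples."""
    out, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # Apache comments are whole lines
            continue
        m = SECTION.match(line)
        if m and m.group(1):                   # </Section>
            stack.pop()
        elif m:                                # <Section args>
            stack.append(f"{m.group(2)} {m.group(3)}".strip())
        else:
            name, _, args = line.partition(" ")
            out.append((tuple(stack), name, " ".join(args.split())))
    return out

def lint(text):
    """Return one finding per missing X-Remote-User safeguard; [] means clean."""
    d = parse(text)
    def has(prefix, name, args=None):  # directive present under a section prefix
        return any(p[:len(prefix)] == prefix and n == name and args in (None, a)
                   for p, n, a in d)
    vh = ("VirtualHost *:443",)
    checks = [
        (has((), "RequestHeader", "unset X-Remote-User"), "client-supplied X-Remote-User is not stripped"),
        (has(vh, "SSLProxyMachineCertificateFile"), "no proxy client cert: master cannot tell proxy from direct caller"),
        (has(vh + ("ProxyMatch /oauth/authorize",), "Require", "valid-user"), "/oauth/authorize proxied without Require valid-user"),
        (has(vh, "RewriteCond", "%{HTTP:X-Csrf-Token} ^$ [NC]"), "challenging-proxy does not require X-Csrf-Token"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Run `lint()` over the real httpd config file contents; any returned finding names a directive from the posted example that is absent.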

Comment 3 Traci Morrison 2017-09-21 18:08:10 UTC
Hi, should this change be for Example 8, which is "Apache Authentication Using RequestHeaderIdentityProvider", or Example 9, which is "Master Configuration Using GitHubIdentityProvider"?

Please clarify. Thanks.

Comment 4 Takayoshi Tanaka 2017-09-21 23:04:34 UTC
Hi,

I'm sorry, this is about "Example 8. Apache Authentication Using ". However, this is an old bug, so something has changed.

Comment 5 Traci Morrison 2017-09-25 15:45:43 UTC
Thanks. Can you please confirm if this document still needs to be updated? There is a section on LDAP Configuration here: https://docs.openshift.com/container-platform/3.3/install_config/configuring_authentication.html#LDAPPasswordIdentityProvider

Also, the "Configure Apache per the following:" section has the example configuration to use LDAP server for authentication.

Comment 6 Takayoshi Tanaka 2017-10-03 03:24:56 UTC
It seems the required example is described in the current document. I think this BZ can be closed as fixed.