Bug 1730609
| Summary: | [DOCS] Request Header based authentication will not work without mutual TLS in OpenShift 4.x | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Khizer Naeem <knaeem> |
| Component: | Documentation | Assignee: | Andrea Hoffer <ahoffer> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Chuan Yu <chuyu> |
| Severity: | medium | Docs Contact: | Vikram Goyal <vigoyal> |
| Priority: | medium | ||
| Version: | 4.1.0 | CC: | aos-bugs, chuyu, jokerman, mmccomas |
| Target Milestone: | --- | ||
| Target Release: | 4.1.z | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-08-05 13:14:05 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Document URL: https://docs.openshift.com/container-platform/4.1/authentication/identity_providers/configuring-request-header-identity-provider.html#configuring-request-header-identity-provider Section Number and Name: "About request header authentication" Describe the issue / Suggestions for improvement: When using "Request Header" authentication provider in Openshift 4.x mutual TLS (mTLS) is required between the authentication proxy and Openshift's oauth server. This requirement was not enforced in OpenShift 3.x. If someone had setup Request Header without mTLS in OpenShift 3.x it will not work when they move to OpenShift 4.x. This needs to be clearly stated in the documentation. Additional information: Although the document does say: """If you expect unauthenticated requests to reach the OAuth server, a clientCA parameter MUST be set for this identity provider, so that incoming requests are checked for a valid client certificate before the request’s headers are checked for a user name. Otherwise, any direct request to the OAuth server can impersonate any identity from this provider, merely by setting a request header.""" However its the same in OpenShift 3.x and 4.x. Anyone moving from 3.x to 4.x will have no clue from the documentation that anything has changed. We need clearly mention that this rule is now enforced and that Request Header based authentication will not work without mTLS.