.. lrf1583447064969

.. _obtain-the-authentication-token-using-the-oidc-auth-shell-script:

================================================================
Obtain the Authentication Token Using the oidc-auth Shell Script
================================================================

You can obtain the authentication token using the **oidc-auth** shell script.

.. rubric:: |context|

You can use the **oidc-auth** script both locally on the active controller
and on a remote workstation where you are running **kubectl** and
**helm** commands.

The **oidc-auth** script retrieves the ID token from Windows Active
Directory using the |OIDC| client and **dex**, and updates the Kubernetes
credential for the user in the **kubectl** config file.

.. _obtain-the-authentication-token-using-the-oidc-auth-shell-script-ul-kxm-qnf-ykb:

-   On controller-0, **oidc-auth** is installed as part of the base |prod|
    installation, and ready to use.

-   On remote hosts, **oidc-auth** must be installed from |dnload-loc|.

    .. xbooklink

-   On a remote workstation using remote-cli container, **oidc-auth** is
    installed within the remote-cli container, and ready to use. For more
    information on configuring remote CLI access, see |sysconf-doc|:
    :ref:`Configure Remote CLI Access <configure-remote-cli-access>`.

-   On a remote host, when using directly installed **kubectl** and **helm**,
    the following setup is required:

    -   Install the "Python Mechanize" module using the following command:

        .. code-block:: none

            sudo pip2 install mechanize

.. note::
    The **oidc-auth** script supports authenticating with a |prod|
    **oidc-auth-apps** configured with a single or multiple **ldap**
    connectors.

.. rubric:: |proc|

#.  Run the **oidc-auth** script to authenticate and update the user
    credentials in the **kubectl** config file with the retrieved token.

    -   If **oidc-auth-apps** is deployed with a single backend **ldap**
        connector, run the following command:

        .. code-block:: none

            ~(keystone_admin)]$ oidc-auth -c <ip> -u <username>

        For example,

        .. code-block:: none

            ~(keystone_admin)]$ oidc-auth -c <OAM_ip_address> -u testuser
            Password:
            Login succeeded.
            Updating kubectl config ...
            User testuser set.

    -   If **oidc-auth-apps** is deployed with multiple backend **ldap**
        connectors, run the following command:

        .. code-block:: none

            ~(keystone_admin)]$ oidc-auth -b <connector-id> -c <ip> -u <username>

    .. note::
        If you are running **oidc-auth** within the |prod| containerized remote
        CLI, you must use the ``-p <password>`` option to run the command
        non-interactively.

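
After **oidc-auth** updates the **kubectl** config file, that file holds a bearer credential for the user. The shell functions below are an added example, not part of this guide or of the oidc-auth script: they decode the expiry of such an ID token and check that the config file is not accessible to other users. They assume GNU coreutils and that the token is stored as the user's ``token`` credential; the sample token is constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of oidc-auth. Assumes GNU coreutils (base64, stat).

# Decode the payload (second dot-separated segment) of a JWT to JSON.
jwt_payload() {
    local seg pad
    seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    # base64url drops '=' padding; restore it so base64 -d accepts the input.
    pad=$(( (4 - ${#seg} % 4) % 4 ))
    while [ "$pad" -gt 0 ]; do seg="${seg}="; pad=$((pad - 1)); done
    printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Print the numeric "exp" claim (seconds since the epoch), or nothing.
jwt_exp() {
    jwt_payload "$1" | tr -d ' \n' | sed -n 's/.*"exp":\([0-9][0-9]*\).*/\1/p'
}

# Succeed if the token has an exp claim later than $2 (default: now).
token_is_current() {
    local exp now
    exp=$(jwt_exp "$1")
    [ -n "$exp" ] || return 1
    now=${2:-$(date +%s)}
    [ "$now" -lt "$exp" ]
}

# Succeed only if the file grants no permissions to group or others.
kubeconfig_is_private() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# Constructed, unsigned sample token for illustration: exp = 1700000000.
SAMPLE_JSON='{"sub":"testuser","exp":1700000000}'
SAMPLE_TOKEN="e30.$(printf '%s' "$SAMPLE_JSON" | base64 | tr -d '=\n' | tr '/+' '_-').c2ln"
echo "sample token exp: $(jwt_exp "$SAMPLE_TOKEN")"

# Real use, assuming oidc-auth stored the ID token as the user's "token":
#   tok=$(kubectl config view --raw \
#         -o jsonpath='{.users[?(@.name=="testuser")].user.token}')
#   token_is_current "$tok" || oidc-auth -c <OAM_ip_address> -u testuser
#   kubeconfig_is_private "${KUBECONFIG:-$HOME/.kube/config}" || echo "tighten mode"
```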