Verify if kubeadmin can be a regular OAuth user with latest Keycloak and OpenShift

[l0rd]

Is your enhancement related to a problem? Please describe.

We currently do not support using OpenShift OAuth when kubeadmin is the only user of the cluster. That's because we assume that Keycloak doesn't support it. But that's something we verfied 1 year ago. And things may have changed.

Describe the solution you'd like

Verify if latest versions of Keycloak and OpenShift allow to use kubeadmin as a valid OAuth identity.

[davidfestal]

I justed tested on a 4.3.9 OpenShift cluster, and the JSON profile returned for the kube:admin user is the following:

╰─ curl -k -H "Authorization: Bearer xxxxxxxxx" "https://api.test-ocp43.codereadyqe.com:6443/apis/user.openshift.io/v1/users/~"
{
  "kind": "User",
  "apiVersion": "user.openshift.io/v1",
  "metadata": {
    "name": "kube:admin",
    "selfLink": "/apis/user.openshift.io/v1/users/kube%3Aadmin",
    "creationTimestamp": null
  },
  "identities": null,
  "groups": [
    "system:authenticated",
    "system:cluster-admins"
  ]
}                                                                                                                                                                                                                                            

Note that there is no "identity", since the kube:admin user is a hard-coded internal user that is not linked to any OAuth identity provider: it exists by default before installing any identity provider.

As a comparison, here is the profile of a user created with the htpasswd identity provider:

╰─ curl -k -H "Authorization: Bearer xxxxxxx" "https://api.test-ocp43.codereadyqe.com:6443/apis/user.openshift.io/v1/users/~"
{
  "kind": "User",
  "apiVersion": "user.openshift.io/v1",
  "metadata": {
    "name": "user",
    "selfLink": "/apis/user.openshift.io/v1/users/user",
    "uid": "e01e78aa-50d9-482e-8bb4-3442a5247313",
    "resourceVersion": "5462325",
    "creationTimestamp": "2020-04-17T09:47:59Z"
  },
  "identities": [
    "htpasswd:user"
  ],
  "groups": [
    "system:authenticated",
    "system:authenticated:oauth"
  ]
}

Now here is why the limitation is still there in the latest Keycloak: The openshift-v4 Keycloak identity provider requires a non-null uid in order to be able to link the openshift user to the Keycloak user, as shown here:

• https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/social/openshift/OpenshiftV4IdentityProvider.java#L94
• https://github.com/keycloak/keycloak/blob/master/server-spi-private/src/main/java/org/keycloak/broker/provider/BrokeredIdentityContext.java#L52

In the case of the user kubeadmin, the user profile metadata doesn't contain such a uid.
If we could either:

• return an uid in the user profile OS endpoint
• or use a hard-coded, kubeadmin-dedicated uid in the Keycloak code shown above,
  I assume this could allow releasing this limitation from the Keycloak-Openshift integration.

To summarize: For now the kubeadmin user still cannot be linked to a Keycloak user with the openshift-v4 Keycloak indentity provider. And it seems this can be fixed only by one of the 2 solutions mentioned above.

cc @slaskawi

[davidfestal]

On the Openshift side, I created the following issue: openshift/origin#24950

[che-bot]

Issues go stale after 180 days of inactivity. lifecycle/stale issues rot after an additional 7 days of inactivity and eventually close.

Mark the issue as fresh with /remove-lifecycle stale in a new comment.

If this issue is safe to close now please do so.

Moderators: Add lifecycle/frozen label to avoid stale mode.

[l0rd]

Closing this issue since the verification has been done.

[iam-veeramalla]

Just to update here ... This is now posible.
@l0rd

[l0rd]

@iam-veeramalla this is possible since Che v7.42. If you are testing on CRW it will be possible starting with CRW 2.16.

[iam-veeramalla]

I am not using CRW. I was waiting for Keycloak to support this feature, I saw previously that you were also waiting for this feature like me.

I just thought of updating that it's possible now but looks like you guys already knew it :)

[l0rd]

Oh sorry, I didn't know about Keycloak. What we did is that we removed it as a Che dependency: on OpenShift we use the embedded OAuth service.