The Stackable Platform uses the AuthenticationClass as a central mechanism to handle user authentication across supported products. The authentication mechanism needs to be configured only in the AuthenticationClass which is then referenced in the product. Multiple different authentication providers are supported.
The AuthenticationClass is a resource describing a generic authentication method like LDAP or Kerberos.
cluster scope, so it does not belong to a specific namespace.
Multiple operators use this CRD as a way to express and configure the authentication methods of their respective product.
The following authentication providers are supported:
A very simple AuthenticationClass with LDAP Authentication looks like this:
apiVersion: authentication.stackable.tech/v1alpha1 kind: AuthenticationClass metadata: name: ldap-simple spec: provider: ldap: hostname: my.ldap.server (1) port: 389 (2) searchBase: ou=users,dc=example,dc=org (3) bindCredentials: secretClass: openldap-bind-credentials (4)
|1||The hostname of the LDAP server without any protocol or port|
|2||The port of the LDAP server. If TLS is used it defaults to
|3||An optional searchBase where the users should be searched|
|4||The reference to the SecretClass for the bind credentials|
In a diagram it would look like this:
|For more details, look at the AuthenticationClass reference as well as the OpenLDAP tutorial.|
TLS provider configures a product to authenticate users using TLS certificates.
When establishing a connection the client will first validate the certificate of the server.
This step is not influenced by this
AuthenticationClass, it only affects the next step:
Afterwards the server checks the validity of the certificate the client has provided.
This includes the usual checks - such as checking that it hasn’t expired and matches the hostname of the client.
Additionally the client certificate needs to be signed with the
ca certificate, which is provided by the
SecretClass specified in
A sample TLS provider looks as follows:
apiVersion: authentication.stackable.tech/v1alpha1 kind: AuthenticationClass metadata: name: client-auth-tls spec: provider: tls: clientCertSecretClass: client-auth-tls
static provider is used to represent a simple - static - set of users.
Users are identified by a username and a password.
AuthenticationClass needs to be defined as follows:
apiVersion: authentication.stackable.tech/v1alpha1 kind: AuthenticationClass metadata: name: simple-users spec: provider: static: userCredentialsSecret: name: simple-users-credentials (1)
|1||The name of the
Afterwards the referenced
Secret needs to be created:
apiVersion: v1 kind: Secret metadata: name: simple-users-credentials (1) namespace: default (2) type: kubernetes.io/opaque stringData: admin: admin alice: superpass bob: secret
|1||The name of the
|2||The namespace of the
Authentication with OpenLDAP tutorial