►
From YouTube: OpenShift Commons Briefing #93: DevOps Identity Management for OpenShift with Marc Boorshtein
Description
How do you securely create OpenShift projects? How do you manage access to those projects? How do you make your developers, stakeholders, and auditors all happy without manually creating accounts, policies, and bindings in OpenShift?
In this briefing Tremolo Security’s CTO, Marc Boorshtein, walks through OpenShift’s options for managing access to projects and describes what pitfalls you may run into in the modern enterprise. Marc will show how their open source solution, OpenUnison, can give you a self-service portal for onboarding and managing access to projects and clusters. Marc will demo OpenUnison, running on OpenShift, providing:
* SAML2 Authentication with the corporate identity provider
* Self-service creation of projects via a request/approval workflow, including the creation of policies, bindings, and approval workflows
* Self-service requests for roles in OpenShift projects
* Self-service reporting for auditors and stakeholders
A
Hello,
everybody
and
welcome
again
to
another
openshift
Commons
briefing,
this
time
like
the
friend
Mark
from
tremelo
security
is
going
to
talk
again
about
Identity
Management,
a
problem
that
keeps
popping
up
in
the
cloud
negative
space
and
they've
done
some
wonderful
open-source
projects
that
help
with
this
and
we've
done
one
previously.
You
can
look
up
on
those
in
unison,
which
I
think
is
bit
of
the
talk
today
too
so
I'm
gonna,
let
mark
introduce
the
topic
and
we're
gonna
do
Q&A
in
the
chat
and
then
we'll
open
it
up
for
live
Q&A
at
the
end.
B
Thanks
Diane
so,
like
Diane,
said
we're
gonna
be
talking
about
Identity,
Management
and
open
shift,
and
primarily
we're
gonna
be
talking
about
how
you
manage
identities
inside
of
OpenShift.
So
we're
going
to
talk
about
the
challenges
around
identity
management.
Why
it's
something
important
that
you
want
to
think
about
and
then
ultimately
how
openshift
manages
identity.
So
we
hope
that
we're
covering
useful
information
here
even
outside
of
our
own
project
and
then
finally,
we're
debuting
a
new
identity
management
project,
specifically
for
OpenShift.
B
They
will
make
this
process
easier,
so
real,
quick
who
are
we
we've
been
around
for
a
little
while
we're
founded
back
in
2010
myself
and
my
co-founder
Brian,
and
we're
really
built
on
experience.
I
started
off
as
a
software
engineer
at
a
company
called
octet
strings
not
owned
by
Oracle
if
you're
familiar
at
all
with
Oracle
virtual
directory.
That
was
kind
of
my
baby.
Back
at
octet
string
and
I've
been
an
open
source
developer.
Pretty
much
my
entire
career
once
I
left
full-time
software
engineering,
I
became
a
consultant
and
contractor
Brian
had
similar
track.
B
He
comes
from
more
of
the
classic.
What
we
used
to
call
threatened
vulnerability
management
security,
says
70
on
its
PCI
out
its
attack
penetration
testing,
and
so
we
came
together
and
we
said
you
know
we
can
do
this
better
between
our
20
years
of
experience
and
if
you
take
a
cross-section
of
vendors
and
industries,
there's
a
pretty
good
chance.
One
or
both
of
us
have
done
implementation
with
it.
B
So
what
we
learned
out
of
that
is,
we
want
small
lightweight
rapid
deployments,
anybody
who
is
familiar
with
cloud
native
methodologies,
that's
gonna,
sound,
really
really
familiar,
and
then
the
other
thing
is.
We
want
to
integrate
a
virtual
directory.
That's
a
big
technical
differentiator.
For
us.
We
want
to
make
it
very
easy
to
integrate
multiple
different
types
of
data,
because,
as
we'll
talk
about
here
in
a
minute,
the
easier
it
is
to
integrate
with
systems,
the
faster
you're
gonna
be
a
deploy
and
then
finally,
this
is
an
open
source
solution,
we're
an
open
source
company.
B
B
So
why
is
this
important?
What's
good
about
identity
management,
especially
when
you
combine
it
with
DevOps?
Well,
this
is
my
kind
of
math
equation
here,
where
you
know,
if
you
add
DevOps
and
identity
management,
you
get
love
from
both
your
suits
and
your
developers
and
your
suits
can
be
executive
management
all
the
way
down
to
users.
You
know
often
the
first
thing
people
interact
with
is
that
login
screen,
if
that
login
screen
doesn't
work
regardless
of
what's
going
on.
B
In
the
background
people
say
the
systems
not
working,
so
even
if
there
is
a
breakdown
in
the
connection
to
AD
or
some
other
system
that
you
don't
own,
that
login
screen.
That's
the
first
impression
people
get
of
your
system
so
that
that
becomes
really
important
and
then,
if
users
can't
do
what
they
want
to
do
or
what
they're
trying
to
do
it
can
often
be
because
they
don't
have
the
right.
Permissions
becomes
very
difficult
to
manage
very
frustrating
as
well,
and
then
you've
got
your
developers.
B
You
know
I,
maybe
it's
just
me.
I
just
hate
doing
things
manually,
I
hate
manually,
adding
users
to
groups
and
going
into
gooeys
and
clicking
buttons
if
I
can
avoid
it
and
I
suspect
most
developers
are
that
way,
and
so
the
last
thing
developers
really
want
to
do
is
be
in
this
process
of
having
to
manually,
add
users
to
groups
and
respond
to
ticket.
B
You
know
I
know
with
DevOps.
We
talked
about
you
know
this
utopia
of
you
know
Devon
Ops,
coming
together
as
one
and
harmony
a
lot
of
times
that
actually
ends
up
being
an
excuse
by
management
to
say
we're,
not
gonna
buy
multiple
teams,
so
we're
gonna.
Have
our
developers
do
everything
the
developers
are
expensive
resources,
the
resources
you
want
to
keep
happy
as
well,
because
you
want
to
keep
them
around.
You
made
a
lot
of
investment
in
them,
so
let's
keep
them
from
having
to
do
things
they
really
just
don't
want
to
do.
B
Why
is
this
so
hard?
I
mean
you
know.
I
daily
management
is
not
new.
This
is
not
a
new
concept.
You
know
back
from
time
sharing
I
mean
whenever
multiple
people
had
to
sit
down
at
a
computer,
yet
to
figure
out
who's
hip,
and
so
there
are
technical
aspects.
The
things
just
need
to
be
able
to
talk
to
each
other,
which
isn't
always
that
easy
I
mean
it's
2017
and
I
still
hear
often
people
say
well.
I
want
an
API
on
top
of
LDAP,
even
though
LDAP
hasn't
changed
in
20-something
years.
B
You
know
they'll
never
be
an
LDAP
v4,
so
there
are
technology
issues,
but
what
really
makes
it
hard
is
the
non
technology
aspect
of,
especially
when
you're
talking
about
enterprises.
Enterprises
are
very
siloed
from
an
organizational
standpoint,
so
here
we
have
a
chart
where,
on
the
Left
we
have
a
director.
This
director
said
you
know
what
we're
going
with
OpenShift
we're
going
to
cloud
native,
we're
gonna,
deploy
this
our
apps
are
all
gonna
work,
wonderfully
we're
going
to
automate
everything.
B
Now
we
could
get
into
an
entire.
You
know
long
discussion
about
the
differ
between
security
and
compliance,
but
one
thing:
that's
really
important,
especially
as
somebody
is
trying
to
bring
in
a
new
technology
to
understand,
is
that
compliance
is
often
used
as
a
weapon
against
you
by
people
who
don't
want
to
change
the
status
quo,
whether
they
simply
don't
understand
the
value
of
what
OpenShift
or
other
new
technologies
are
bringing,
or
they
see
it
as
a
threat
to
the
way
that
they
operate.
B
So
it's
important
to
understand
that
the
policies
in
place
need
to
be,
if
not
followed
to
the
letter
of
the
law
at
least
know
what
might
be
used
in
discussion
and
then
from
a
security
standpoint.
This
becomes
very
difficult
because
all
right,
you're
deploying
OpenShift
and
you
can
probably
get
a
read-only
account
to
Active
Directory.
That's
usually
pretty
easy,
but
you
need
to
store
who
has
access
to
what
and
where
and
we'll
talk
about
the
technical
specifics
of
how
openshift
handles
that
particular
use
case
in
a
moment.
B
But
for
the
sake
of
argument,
let's
say
you
say
we're
going
to
keep
all
of
our
users
and
groups
inside
of
Active
Directory.
That
seems
to
make
sense
you
own
OpenShift,
you
don't
own
directory
experts
and
you
don't
want
to
get
into
the
directory
management
game.
So
now
the
question
becomes
okay,
we
need
to
be
able
to
write
into
Active
Directory.
Well,
Microsoft
doesn't
really
have
great
access
controls
on
Active
Directory.
B
For
those
types
you
use
cases,
that's
flexible
is
what
you
would
think
of
from
maybe
a
more
generic
LDAP
directory,
and
so
that
becomes
very
hard
to
do.
The
other
issue
is
Active
Directory,
that's
the
keys
of
the
kingdom
that
goes
down.
People
can't
log
into
their
workstations,
their
MDM
systems
go
down.
You
know
dogs
and
cats
living
together,
it's
mass
hysteria,
so
it
becomes
really
important
to
make
sure
that
you
understand
that
there.
B
There
is
a
reason
why
this
is
so
well
guarded,
so
trying
to
cross
these
boundaries
can
be
really
hard
and
if
you
say,
okay,
we're
going
to
go
without
crossing
these
boundaries.
That
now
means
we're
managing
our
own
directory,
we're
managing
local
users.
Maybe
we're
doing
things
manually
and
now
you're
opening
the
door
for
attack.
It
becomes
a
security
issue.
You
might
be
compliant
by
the
letter
of
the
law,
but
if
you
have
unmanaged
accounts
that
can
then
be
leveraged
in
a
complex
attack,
you
now
are
opening
yourself
up.
B
You
know
maybe
adds
the
user
to
a
group
in
a
directory
and
a
database
3uy
says
a
little
prayer
that
they
did
it
right,
no
wrong
spaces,
etc
and
then
stores
the
email
someplace
if
they're
well
organized
for
a
rainy
day
and
then
tells
the
user
yep
you're
on
your
way.
Now
this
might
be.
You
know
automated
through
a
ticketing
system
somewhat,
so
it
might
not
necessarily
be
the
email
shuffle,
but
still
the
there
are
people
involved,
namely
the
admin
of
nothing.
B
To
do
with
the
business
reason
of
why
this
user
is
requesting
access
to
a
project.
And
then
you
know
every
six
months
to
a
year,
you
might
have
to
go
through
an
audit,
whether
you
know
you're
in
the
government.
So
you're
talking
about
FISMA
audits.
You
know
private
sector,
you
go
through
your
audits.
Every
single
year
you
gotta
talk
about
PCI,
sarbanes-oxley,
etc.
B
The
auditors
come
to
town,
they
say,
okay,
tell
us
why
all
these
people
have
access
and
when
the
last
time
somebody
said
they
should
have
it
and
you
send
them
a
bunch
of
emails
that
makes
a
leaders
really
really
unhappy
and
I've
been
on
both
sides
of
that
table
and
unhappy.
Auditors
are
not
your
friend,
so
nobody
really
is
happy
at
all
of
us,
and
you
know
if,
if
for
some
reason,
somebody
made
a
mistake
along
the
way
the
users
not
happy
to
use
their
complaints
of
their
boss,
boss
complains
to
your
boss.
B
You
have
to
sit
through
meetings
where
somebody
asked
these
questions
and
it's
just
nobody
likes
nobody's
happy
with
the
state
affairs.
So
what's
our
happy
path?
User
logs
into
a
portal
says
give
me
access
to
the
project.
Project
owner
gets
a
message
that
says:
hey
somebody's
asking
for
access.
Please
respond,
approves
it
tracks,
it
provisions
it
and
there's
no
admin
anywhere
in
this
process.
It's
all
automated.
It's
all
consistent
and
at
the
end
of
the
day,
when
the
auditors
come
in
they're,
looking
at
reports,
they're
not
bugging
you
for
every
single
thing.
B
So
let's
talk
tech.
That's
my
favorite
part
right
and
I'm
sure.
That's
everyone
else's
too.
How
does
OpenShift
handle
Identity
Management
now
we're
stopped
talking
specifically
about
OpenShift
itself,
not
necessarily
the
applications
that
run
on
openshift
they're
all
going
to
handle
things
a
little
bit
differently,
so
I
break
out
I
to
any
management
into
three
separate
categories.
Who
what
why,
who
are
you?
What
can
you
do,
and
why
can
you
do
it?
B
B
Incidentally,
if
you're
coming
from
the
stock
kubernetes
world,
this
is
different
than
Cooper
neighs,
because
Gerber
neighs
does
not
track
individual
user
objects.
That's
an
open
chef
feature,
then
it
comes
to
authentication
and
you
have
a
lot
of
options
with
open
shift.
Ldap
works
really
well
out
of
the
box
connected
on
up.
Let's
say:
that's
your
Active
Directory
you
just
can
authenticate
right
in
and
open
shifts,
gonna
suck
that
object
right
into
a
CD,
so
you
don't
really
have
to
do.
A
lot
works
really
well
open,
ID
connect,
that's
my
personal
favorite!
B
That
gives
you
a
layer
of
separation
between
your
openshift
deployment
and
what
you're
authenticating
against
I
like
that.
Because
again,
if
we
went
back
to
our
silos,
it
keeps
you
in
control
of
what
you
can
control
so
from
a
management
standpoint
by
keeping
everything
inside
of
your
silo.
It
keeps
you
in
control
of
your
own
destiny,
I'm
a
security
standpoint.
It
lets
you
build
more
isolated
networks.
You
know
you
look
at
the
Google
beyond
Corp
and
you
trust
nobody
right.
B
That
idea
of
creating
an
isolated
Network
where
you
can't
trust
everybody,
that's
talking
to
you
and
then
reverse
proxy
and
header.
It's
useful!
It's
powerful
I'm,
not
a
huge
fan
of
it.
I've
been
doing
identity
management
implements
for
20
years
and
the
reverse
proxy
post
header
integration
has
always
given
me
heartburn,
it's
a
fairly
easy
integration,
but
the
problem:
is
you
can't
it's
nothing?
You
can't
it's
hard
to
correctly.
Lock
down
the
connection
between
your
reverse
proxy
and
your
application,
it
can
also
become
difficult
to
debug
issues
when
they
happen
with
a
reverse
proxy.
B
B
It's
a
triangulation
between
your
subject,
which
is
you
know
who
you
are
a
role
which
is
defined
inside
of
openshift
with
a
set
of
permissions
and
a
project
or
if
you're
talking
about
a
cluster,
the
cluster
level,
but
those
three
things
become
a
role
binding.
So
you
as
the
admin
need
to
be
able
to
supply
the
subject
now
the
subject
can
be
a
user.
It
can
also
be
a
group
personally,
doesn't
matter
the
application,
I
hate
manually,
adding
users
to
permissions
very
hard
to
manage
I'd.
Much
rather
have
that
layer
in
between
of
a
group.
B
So
for
me
typically
I,
add
the
user
to
a
group.
I
add
the
group
is
use
the
group
as
a
subject.
In
this
instance,
the
objects
are
stored
locally,
both
the
role
binding
and
the
groups
are
stored
locally
again.
This
is
a
little
bit
different
than
kubernetes,
where
kubernetes
doesn't
actually
store
group
information.
B
B
The
issue
that
I've
come
across
with
LDAP
sync
is
you
have
to
run
it
for
each
group
and
you
have
to
run
it
manually.
It's
it's
a
command-line
tool.
Basically,
so
you
could
probably
create
a
container
that
runs
it
you
maybe
every
hour
or
whatever
it
is.
But
you
know
if
you
think
about
an
open
shift
deployment.
You
know
got
one
project
that
one
project
has
two:
maybe
three
roles
not
big
deal.
You
have
two
projects.
B
Now
you
have
four
six
roles:
three
projects
you're,
seeing
the
linear
progression
here
of
how
unmanageable
that
could
be,
and
you
still
have
to
put
the
information
inside
the
directory.
So
you
still
have
the
potential
organizational
issues
where,
if
that
information
is
going
to
ad,
how
are
you
adding
that
info
to
ad?
If
you
have
to
store
it
in
your
own
directory
which
directory
admin?
Do
you
have
on
your
staff?
That's
going
to
manage
that.
So
that's
that
still
leads
to
some
other
issues.
B
You
can
use
the
OEM
command
or,
of
course,
web
services
now,
of
course,
API
world
I
like
web
services.
That's
what
open
unasyn
does
and
then
the
final
aspect
is
why
why
do
I?
Have
the
ability
to
manage
this
project
and
openshift
doesn't
provide
any
capability
for
answering?
That
question
have
to
use
some
kind
of
external
tool
to
do
that,
whether
you're
doing
things
manually
with
a
ticketing
system
like
remedy
or
service.
Now
the
email
shuffle
you
know
or
something
like
open,
unison.
B
You
open
shift
has
no
answer
for
that
particular
question,
so
I'm
going
to
go
ahead
and
break
out
of
the
presentation
here
for
a
second
and
introduce
our
open
shift,
identity
manager.
So
this
is
on
github
and
we
have
a
link
in
the
presentation
and
what
this
is
is.
This
is
a
starting
point.
That's
meant
to
be
a
semi
turnkey
approach
to
be
able
to
handle
identity
management
for
open
shift.
B
If
you
were
to
fork
this
repository,
you
could
edit
the
configuration
and
we'll
talk
about
some
things
that
you
can
do
with
it
one
after
the
demo
and
what's
great
about
it
is
you
can
use
our
source
image
builder
to
then
generate
a
lock
down
Tomcat
container
that
you
can
deploy
into
open
shift
if
you're
using
the
OpenShift
container
platform,
the
the
downstream
stuff
on
rel.
We
have
a
certified
image
inside
of
Red
Hat's
container
store
for
this.
B
So
it's
a
really
nice
approach
right
now,
it's
a
little
bit
of
a
manual
deploy,
but
we
do
take
you
through
step
by
step
of
generating
your
key
stores,
generating
your
different
trusts,
creating
your
service,
accounts,
etc.
I'm,
not
gonna,
walk
through
the
whole
thing
and
then
from
a
security
standpoint.
All
of
your
information
goes
into
a
secret
so
that
that
secret
file
gets
loaded
to
eat.
That's
why
we
published
this.
B
You
could
edit
this
file
generate
the
key
store
and
use
this
exactly
as
it
is
without
any
changes
and
still
tailor
it
to
your
environment.
So
let's
talk
about
the
fun
part,
the
demo,
so
the
demo
we're
going
to
do
for
you
today
is
running
our
openshift
identity
manager,
we're
running
on
AWS
on
top
of
a
rel
instance
and
we're
running
inside
of
the
container.
So
we
actually
wrote
a
deployment
which
I'm
going
to
have
to
deploy
here
in
a
second
and
OpenShift
is
integrated
for
SSO
and
it's
integrated
for
user
management.
B
So
if
we
go
back
to
our
silos,
we
draw
a
line
here.
You
own
everything
in
here.
You
have
full
control,
draw
a
line
here.
The
person
who
owns
a
Deion's
that
they
have
full
control,
we're
using
Aurora
DB,
because
we
wanted
to
just
get
something
up
and
running
quickly,
and
the
nice
thing
about
this
is
we're
storing
audit
data,
but
we're
also
storing
enrolling
from
so.
B
The
nice
thing
is,
is
that
you
don't
have
to
store
anything
external
to
what
you
as
the
OpenShift
admin
controls
and
we're
able
to
bridge
the
authentication
from
openshift
into
ad
using
ad
FS.
So
everything
runs
through
users,
browser
there's,
no
need
for
firewall
rules
or
anything
like
that.
So
it
keeps
it
nice
and
clean,
so
I'm
going
to
go
ahead
and
fire
up
that
deployment.
B
B
Here
and
now,
you'll
see
I'm
already
logged
in
as
a
user
J
solo
I'm,
a
big
Star
Wars,
not
so
I
tend
to
lie,
use
a
lot
of
Star
Wars
names.
If
you
are
as
big
of
a
Star
Wars,
not
as
I
am
you
will
notice
some
of
these
names
as
well,
so
I'm
gonna
go
ahead
and
log
out,
so
you
can
actually
see
the
login
process
now.
What
you
didn't
see
is
I'm
also
logged
out
of
a
DFS
that
all
happened
really
quickly.
B
This
is
scale
J.
Yes,
this
is
a
angularjs
application.
It's
hosted
inside
of
unasyn.
All
of
this
is
open
your
surround.
All
this
is
driven
by
the
open
unison
configuration
so
which
badges
you
see
what
roles
you
see,
etc.
Now
this
user,
J
solo,
doesn't
have
access
to
anything
right
now,
I'm,
just
a
standard
user
inside
of
open
years,
and
so
I
don't
even
have
any
roles
inside
of
open
shift
right
now.
B
So
when
we're
talking
about
requesting
access
inside
of
open
shift,
one
of
the
things
that
often
comes
up
is
new
project
creation.
There
is
a
button
inside
of
OpenShift,
you
know
if
I
click
on
the
open
shift
console
and
you
can
see
M
sson,
there's
Jason
solo
I
can
click
this
create
project
button,
but
you
know
in
a
managed
environment.
You
probably
don't
want
that
to
happen
without
some
kind
of
approval
process
so
and
even
openshift
has
a
real
straight
forward.
B
I've
also
seen
an
enterprise
folks
using
Jenkins
working
with
the
Web
Services.
Open
Unison
actually
provides
a
real,
interesting
capability
here,
where,
if
I
want
to
create
a
project,
I
can
do
so
via
a
workflow,
because
we're
directly
integrated
with
open
chef.
So
when
I
go
ahead
and
I
say
create
open
project,
if
you
think
about
what
are
the
things
that
you
need
when
you
create
a
project
needs
great
the
project
right,
that's
obvious,
but
then
you
need
to
create
group
bindings
into
roles.
B
So
here
where
we've
got
an
editor
role
and
a
viewer
role,
and
then
you
need
to
figure
out
how
do
you
approve
access
for
that?
You
know
if
we're
gonna
automate
this,
do
you
need
to
create
an
approval
role
now
that
you're
not
going
to
put
inside
of
OpenShift
that
you're
gonna
create
inside
of
the
open
unison
database
and
then
finally,
you
need
somebody
to
be
able
to
prove
it.
So
we're
gonna
say
that
whoever
requested
the
project
will
be
that
first
approver,
so
I'm
gonna
go
ahead
and
create
a
project
called
Jason's
project.
B
Or
Commons
that
Mouse
so
I've
submitted
this
request.
Now
the
nice
thing
about
having
a
workflow
based
solution
is
I
can
go
in
and
see.
Hey
I've
got
this
open
request,
and
this
guy
named
Matt
Mosley
is
sitting
on
it.
I,
don't
know
why,
and
you
know,
these
reports
are
all
customizable.
We
ship
inside
of
open
unison,
kind
of
a
standard
set
of
reports.
The
other
nice
thing
is:
if
you've
got
a
nice
business
intelligence
solution,
maybe
you're
using
Jasper,
Red,
Hat
reporting
or
whatnot
penta
ho
I
knows
another
popular
one.
B
B
B
I'm
going
to
approve
the
request,
so
at
this
point,
Jason's
return
received
an
email
saying:
hey,
go
ahead
and
log
into
your
project,
the
project's
created
and
as
an
auditor
and
a
sysadmin
I
can
now
go
ahead
in
and
let's
see
the
single
user
change,
log
and
you'll
see
that
associated
with
this
user
is
the
oh
sorry,
that's
actually
not
associated
with
this
user.
Let's
go
to
the
change
log
for
period.
B
B
B
B
B
B
B
And
I'm
going
to
request
access
now
when
I
say
I
want
to
be
a
project
administrator
and
I.
Click
on
this
link.
What's
actually
happening
is
open.
Unison
is
talking
directly
to
open
chef.
So
when
we
do
add
a
new
project,
it
gets
added
here
to
the
list.
Like
you
see
this
H
solo
project,
so
the
workflows
are
dynamic,
they're
driven
directly
off
of
OpenShift,
so
you
don't
need
to
create
a
new
workflow.
Every
time
you
create
a
new
project.
B
B
B
B
B
But
now
here's
the
important
part
of
identity
management
I'm
now
in
I,
can
do
my
work.
What
happens
when
I
leave
I'm
gonna
log
out
Jason
in
the
books
did
in
fact
go
to
the
dark
side.
Han
does
not
want
him
in
his
OpenShift
project
anymore,
so
I'm
gonna
log
out,
and
there
are
a
lot
of
different
ways
you
can
automate.
This
automating
de-provisioning
can
be
very
tricky
because
it's
a
lot
harder
to
prove
when
something
negative
should
happen
as
opposed
to
when
something
positive
should
happen.
B
So
you
know
you
don't
always
get
a
request
so
often,
so
you
can
base
this
off
of
changing
a
project,
changing
a
role
at
a
business
level.
I'm
generally
not
a
huge
fan
of
role
based
access
control
at
the
business
level,
but
sometimes
it
will
work
out.
In
this
instance,
Han
got
an
email,
hey
your
kid.
Just
went
to
the
dark
side,
so
he's
going
to
request
access
to
remove
him
as
an
administrator,
so
he's
going
to
add
it
to
his
card
as
if
he's
requesting
it
for
himself.
B
And
he's
gonna
check
this
little
request
for
someone
else,
so
we're
gonna
do
J
solo
at
and
2k12
that
domain,
actually
no
I,
think
just
J
solo
and
we're
going
to
attempt
the
pre-approval
denied
sis
so
what's
happening
here.
Is
we're
saying
all
right.
We're
gonna
request
this
for
someone
else
and
since
I
know,
I
can
approve
this
I'm
gonna
pre-approve
it.
So
this
will
short-circuit
the
whole
I'm
gonna
get
an
email
that
I'm
gonna
have
to
click
on
the
approval
step.
This
does
it
all
at
once.
B
This
will
not
bypass
any
security
controls
in
place.
So
if
I
am
not
the
actual
approver,
the
approval
will
fail
because
access
will
be
denied.
It's
recorded
that
Han
made
the
request
and
attempted
the
approval
and
failed,
and
also
it
will
go
to
the
actual
approver,
so
everything's
logged
audited.
You
can
control
who
gets
these
options
by
implementing
a
couple
of
simple
Java
classes,
so
I'm
gonna
go
ahead
and
say,
submit
the
request,
and
at
this
point,
if
I
go
to
the
reports.
B
So,
let's
go
ahead:
login
to
OpenShift
console
I
should
no
longer
have
that
project
which
I
don't
and
it's
all
auditable.
So
we
went
through
that
whole
lifecycle
there
of
showing
you
what
capabilities
there
are
of
onboarding
users,
off-boarding
users,
creating
projects.
If
you
want
to
see
the
project
creation
live
check
out
our
website,
we've
got
a
demo
video
of
what
we
did.
So
we
saw
that
whole
lifecycle.
B
What
else
can
I
do
with
this?
Let
me
go
to
presentation
so
multi-factor,
that's
always
a
question,
so
lots
of
different
authentication
ideas
that
you
can
do.
You
can
also
layer
authentication
so
right
now,
for
instance,
I've
got
a
customer
that
is
using
Pibb
smart
cards,
but
doesn't
get
enough
information
out
of
that.
So
we're
learning
together,
smart
cards
and
sam'l
to
be
able
to
build
a
user
profile,
and
then
you
can
also
add
on
additional
identity
sources.
So
let's
say
you
want
to
be
able
to
onboard
partners.
B
You
can
just
add
them
as
another
connection,
so
different
options
there
you
have
much
more
complex
workflows.
I
mean
these
are
very
simplified
workflows,
but
you
know
one
of
the
things
that
we
demoed
at
Red
Hat
summit
was
the
ability
to
do
privileged
access.
So
let's
say
you
didn't
even
want
somebody
to
be
able
to
get
into
open
unasyn
unless
they
had
some
kind
of
approval.
You
can
intercept
that
request
and
force
them
to
ask
for
access
first
and
then
recertification
automated
deep
revision.
B
Reappraising
the
integrated
scheduler,
you
can
kick
off
a
workflow
once
that
workflows
kicked
off.
If
the
user
gets
denied
access,
they
get
the
provision.
So
it
helps
you
automate
that
process
I've
got
another
customer
that
if
a
user
doesn't
log
in
because
they're
disconnected
it's
a
disconnected
cloud
for
I,
think
it's
like
six
months.
They
want
one
of
these
recertification
we're
close
to
kickoff.
B
That
says,
hey
make
sure
you
still
need
this,
because
if
you
don't
I'm
deleting
your
account
in
30
days,
so
lots
of
different
options-
all
you
got
to
do
is
fork
that
code
base,
and
you
know
you
can
start
tinkering
with
it
and
then,
of
course,
there's
the
rest
of
the
stack.
You
know.
Openshift
runs
on
top
of
an
OS
that
OS
has
to
be
locked
down,
so
you
know
I'm
assuming
for
the
sake
of
argument
using
right
at
Linux.
B
We
integrate
very
well
with
Red
Hat,
Identity,
Management,
aka,
free
IPA,
and
we
have
a
similar
to
the
OpenShift
identity
manager.
We
have
a
free,
IPA,
a
dandy
manager
where
it
gives
you
that
same
type
of
UI,
registration,
password,
reset
self
service,
etc
and
then
OpenStack.
We
don't
have
the
nice
package
like
we
do
for
open,
shaft,
OpenShift
and
free
IPA,
but
we
have
all
the
integration
in
there
to
integrate
with
Keystone's.
B
So
the
same
way
with
the
open
shift
you're
able
to
dynamically
request
access
to
projects,
we
can
do
the
same
thing
in
OpenStack
with
projects
or
tenants
pick
how
you
want
to
call
them
and
then
obviously
applications
need
their
own
identity
management.
So
it's
pretty
easy.
A
stand-up
open
unasyn
either
use
the
same
one
with
different
workflows
or
stand-up,
another
one,
because
it's
so
small
and
lightweight
specifically
for
your
apps.
If
you
want
to
have
a
little
bit
of
separation.
B
So
what's
next
here's
the
link
to
the
pre-release
I
guess:
I'll
call
it
of
the
openshift
identity
manager
it
it's
still
in
beta.
As
you
can
see,
it's
got
a
couple
of
kinks
that
were
still
working
out,
but
we're
hoping
to
do
a
final
release
here
in
the
next
few
weeks.
So
anybody
who
is
interested
please
open
an
issue
provide
feedback.
You
know
stuff
that
you
want
to
see,
don't
be
shy.
It's
open
source,
we'd
love
to
hear
from
folks.
You
can
find
us
on
the
web.
B
You
know,
apparently,
everybody's
got
a
website
these
days
and
we
got
a
bunch
of
different
demo.
Videos
is
about
a
ten
minute
video
that
takes
you
through
a
very
similar
provisioning
process,
except
with
the
commercial
product,
also
adding
in
u2f
and
privileged
access,
we're
on
the
Twitter,
the
corporate
account
tremelo
security
and
then
my
personal
account
MLB
I
am
I
love
talking
to
people
loved
hundred
and
forty
to
character.
Discussions
so
have
had
discussions
about
Python
and
IDs
in
the
last
couple
of
days.
B
A
Those
two
offerings
are
going
to
be
R
and
if
you're
coming
to
coop
con
in
December
of
this
year,
I'm
hoping
we
can
coerce
you
into
maybe
doing
a
session
in
one
of
the
dev
rooms
that
they're
gonna
have
on
identity
management.
I
think
that
would
be
really
good,
because
I
think
lots
of
people
are
still
working
on.
You
know
what
the
best
approach
to
identity
management
is
for
OpenShift
and
kubernetes
I.
B
Have
not
made
my
plans
yet
for
coop
con
it
most
likely
will
be
there
and
I
am
definitely
interested
in
doing
one
of
those
dev
sessions.
So
that's
the
easy
one.
So
the
great
question
on
the
difference
between
kubernetes
and
openshift
and
I
could
probably
fill
up
an
entire
briefing
just
on
that
when
it
comes
to
idea
management,
but
the
key
differences,
openshift
doors
identities
and
groups
internally,
whereas
Cooper
nays,
doesn't
you
have
to
assert
it
somehow
so,
whereas
an
open
shift,
we
actually
provision
the
identity
is
directly
into
open
shift
using
the
api's.
B
The
kubernetes
identity
manager
will
assert
everything
via
open
ID
connect.
So
when
you
sign
into
open
ID
connect
we're
not
going
to
provision
your
accounts
directly
in
Kerber
Nettie's
we're
going
to
include
it
in
the
claim
that
we
give
Cooper
nays.
So
instead
of
adding
you
to
the
openshift
group
of
you
know:
Han
Solo
app,
you
know,
project
admins
will
still
define
the
the
policy
bindings
for
you
in
kubernetes.
B
Now,
what
is
interesting,
I've
got
to
do
a
little
more
research
I,
see
that
the
latest
alpha
of
origin
supports
everything's,
now
built
on
top
of
kubernetes
our
back,
and
it
looks
like
some
of
that
same
thing
might
be
there,
so
it
might
actually
make
for
a
little
smoother
integration
so
from,
but
from
a
functional
standpoint,
from
what
the
user
sees
the
exact
same
process
you'll
be
able
to
find
a
workflow
that
creates
a
project,
creates
the
correct
approval
groups,
ads
users,
removes
them,
etc.
Yeah.
A
So
it'll
be
interesting
to
watch
the
evolution
of
the
two
different
identity
management
because
I
think
they're
not
really
that
different
and
as
open
ship
just
is
always
about
a
1:1
release
cycle
behind
because
we're
doing
that.
But
the
our
back
stuff
is
all
coming
in
the
next
round
of
open,
shipped
origin.
So
you
should
see
it
very,
very,
very
sorted.
B
A
It
is
it's.
We
really
are
trying
to
push
a
lot
of
the
open
ship
functionalities
then
into
and
make
it
available
in
kubernetes,
it's
just
nice.
More
people
will
be
maintaining
it
and
it'll
get
wider
youth
so,
and
it
should
be,
some
of
it
rightfully
should
be
in
in
kubernetes
and
moving
ship
origin
project.
So
it's
all.
It's
all
working
out
various
cities
like
cyclical
on
some
of
this
work.
Well,
I,
don't
see
any
more
questions
in
the
list
of
participants
in
the
chat,
though
I
think
we've
done
a
pretty
good
job.
A
You
want
to
put
up
that
last
screen
of
yours
again,
I'm
so
weird,
so
that
people
can
find
you
again
and,
as
he
said
this
is
this
project
isn't.
If
it
is
in
beta,
it's
the
launching.
We
will
really
soon
so
your
feedback
on
their
issues.
Page.
If
there's
questions
you
have
please
reach
out
to
mark
in
the
open,
unison
and
folks
and
give
them
your
feedback
sooner
than
later,
awesome.