[OSDOCS-12792]More Secure Auth Flows in ROSA CLIs #90006
Conversation
openshift-ci
bot
added
the
size/S
mletalie
changed the title
openshift-ci
bot
added
size/M
modules/rosa-configure.adoc
Outdated
| @@ -10,8 +10,50 @@ Use the following commands to configure the {product-title} (ROSA) CLI, `rosa`. | |||
|
|
|||
| [id="rosa-login_{context}"] | |||
| == login | |||
| There are several methods you can use to log into your Red{nbsp}Hat account using the {product-title} (ROSA) CLI (`rosa`).These methods are described in detail below. | |||
There was a problem hiding this comment.
🤖 [error] RedHat.TermsErrors: Use 'log in to' rather than 'log into'. For more information, see RedHat.TermsErrors.
| === login with single sign-on (SSO) authorization code | ||
| If your system supports a web-based browser, you can log in to the ROSA CLI (`rosa`) with a Red{nbsp}Hat single sign-on (SSO) authorization code. | ||
|
|
||
| . To log into the ROSA CLI (`rosa`) with a Red{nbsp}Hat single sign-on authorization code, run the following command: |
There was a problem hiding this comment.
🤖 [error] RedHat.TermsErrors: Use 'log in to' rather than 'log into'. For more information, see RedHat.TermsErrors.
mletalie
force-pushed
the
OSDOCS-12792
branch
2 times, most recently
from
c15b7c9 to
39681d5
Compare
openshift-ci
bot
added
size/L
mletalie
force-pushed
the
OSDOCS-12792
branch
5 times, most recently
from
a94ead7 to
e00887d
Compare
modules/rosa-configure.adoc
Outdated
| [id="rosa-login-token_{context}"] | ||
| === login with an offline token | ||
|
|
||
| Log in to your Red{nbsp}Hat account, saving the credentials to the `rosa` configuration file. To use offline tokens for automation or other purposes, you can download the OpenShift Cluster Manager API token from the link:https://console.redhat.com/openshift/token/rosa[OpenShift Cluster Manager API Token] page. |
There was a problem hiding this comment.
🤖 [error] OpenShiftAsciiDoc.SuggestAttribute: Use the AsciiDoc attribute '{cluster-manager}' rather than the plain text product term 'OpenShift Cluster Manager', unless your use case is an exception.
modules/rosa-configure.adoc
Outdated
| [id="rosa-login-token_{context}"] | ||
| === login with an offline token | ||
|
|
||
| Log in to your Red{nbsp}Hat account, saving the credentials to the `rosa` configuration file. To use offline tokens for automation or other purposes, you can download the OpenShift Cluster Manager API token from the link:https://console.redhat.com/openshift/token/rosa[OpenShift Cluster Manager API Token] page. |
There was a problem hiding this comment.
🤖 [error] OpenShiftAsciiDoc.SuggestAttribute: Use the AsciiDoc attribute '{cluster-manager}' rather than the plain text product term 'OpenShift Cluster Manager', unless your use case is an exception.
|
@yuwang-RH |
|
|
||
| Log in to your Red{nbsp}Hat account, saving the credentials to the `rosa` configuration file. | ||
|
|
||
| To use offline tokens for automation purposes, you can download the OpenShift Cluster Manager API token from the link:https://console.redhat.com/openshift/token/rosa[OpenShift Cluster Manager API Token] page. |
There was a problem hiding this comment.
🤖 [error] OpenShiftAsciiDoc.SuggestAttribute: Use the AsciiDoc attribute '{cluster-manager}' rather than the plain text product term 'OpenShift Cluster Manager', unless your use case is an exception.
|
|
||
| Log in to your Red{nbsp}Hat account, saving the credentials to the `rosa` configuration file. | ||
|
|
||
| To use offline tokens for automation purposes, you can download the OpenShift Cluster Manager API token from the link:https://console.redhat.com/openshift/token/rosa[OpenShift Cluster Manager API Token] page. |
There was a problem hiding this comment.
🤖 [error] OpenShiftAsciiDoc.SuggestAttribute: Use the AsciiDoc attribute '{cluster-manager}' rather than the plain text product term 'OpenShift Cluster Manager', unless your use case is an exception.
|
/lgtm |
|
/label peer-review-in-progress |
openshift-ci
bot
added
the
peer-review-in-progress
| $ ocm login --use-auth-code | ||
| ---- | ||
| + | ||
| Running this command will redirect you to the Red Hat SSO login. |
There was a problem hiding this comment.
Wonder if it's of any benefit to add something like ' Log in with your Red{nbsp}Hat login or email' or is that overkill?
| ---- | ||
| $ ocm login --use-device-code | ||
| ---- | ||
| Running this command will redirect you to the Red Hat SSO login and provide a log in code. |
There was a problem hiding this comment.
| Running this command will redirect you to the Red Hat SSO login and provide a log in code. | |
| Running this command will redirect you to the Red{nbsp}Hat SSO login and provide a log in code. |
|
|
||
| + | ||
|
|
||
| To switch accounts, logout from https://sso.redhat.com and run the `ocm logout` command before attempting to login again. |
There was a problem hiding this comment.
| To switch accounts, logout from https://sso.redhat.com and run the `ocm logout` command before attempting to login again. | |
| To switch accounts, logout from https://sso.redhat.com and run the `ocm logout` command in your terminal before attempting to login again. |
modules/rosa-configure.adoc
Outdated
| @@ -10,8 +10,91 @@ Use the following commands to configure the {product-title} (ROSA) CLI, `rosa`. | |||
|
|
|||
| [id="rosa-login_{context}"] | |||
| == login | |||
| There are several methods you can use to log into your Red{nbsp}Hat account using the {product-title} (ROSA) CLI (`rosa`).These methods are described in detail below. | |||
There was a problem hiding this comment.
| There are several methods you can use to log into your Red{nbsp}Hat account using the {product-title} (ROSA) CLI (`rosa`).These methods are described in detail below. | |
| There are several methods you can use to log into your Red{nbsp}Hat account using the {product-title} (ROSA) CLI (`rosa`). These methods are described in detail below. |
modules/rosa-configure.adoc
Outdated
| Log in to your Red{nbsp}Hat account, saving the credentials to the `rosa` configuration file. You must provide a token when logging in. You can copy your token from link:https://console.redhat.com/openshift/token/rosa[the ROSA token page]. | ||
| [IMPORTANT] | ||
| ==== | ||
| An offline authentication token is long-lived, stored on your operating system, and cannot be revoked. These factors increase overall security risks and the likelihood of unauthorized access to your account. Alternatively, the Red{nbsp}Hat secure browser-based single sign-on (SSO) method automatically sends your CLI instance a refresh token that is valid for 10 hours. Because this authorization code is unique and temporary, it is more secure and the Red{nbsp}Hat recommended method of authentication. |
There was a problem hiding this comment.
| An offline authentication token is long-lived, stored on your operating system, and cannot be revoked. These factors increase overall security risks and the likelihood of unauthorized access to your account. Alternatively, the Red{nbsp}Hat secure browser-based single sign-on (SSO) method automatically sends your CLI instance a refresh token that is valid for 10 hours. Because this authorization code is unique and temporary, it is more secure and the Red{nbsp}Hat recommended method of authentication. | |
| An offline authentication token is long-lived, stored on your operating system, and cannot be revoked. These factors increase overall security risks and the likelihood of unauthorized access to your account. Alternatively, the Red{nbsp}Hat secure browser-based single sign-on (SSO) method automatically sends your CLI instance a refresh token that is valid for 10 hours. Because this authorization code is unique and temporary, it is more secure and is the Red{nbsp}Hat recommended method of authentication. |
modules/rosa-configure.adoc
Outdated
| $ rosa login --use-auth-code | ||
| ---- | ||
| + | ||
| Running this command will redirect you to the Red{nbsp}Hat SSO login. |
There was a problem hiding this comment.
Maybe a line similar to the one above about logging in with Red Hat login and email?
modules/rosa-configure.adoc
Outdated
|
|
||
| |=== | ||
| + | ||
| To switch accounts, logout from link:https://sso.redhat.com[https://sso.redhat.com] and run the command `$ rosa logout` before attempting to login again. |
There was a problem hiding this comment.
| To switch accounts, logout from link:https://sso.redhat.com[https://sso.redhat.com] and run the command `$ rosa logout` before attempting to login again. | |
| To switch accounts, logout from link:https://sso.redhat.com[https://sso.redhat.com] and run the `rosa logout` command in your terminal before attempting to login again. |
modules/rosa-configure.adoc
Outdated
|
|
||
| |=== | ||
| + | ||
| To switch accounts, logout from link:https://sso.redhat.com[https://sso.redhat.com] and run `rosa logout` before attempting to login again. |
There was a problem hiding this comment.
| To switch accounts, logout from link:https://sso.redhat.com[https://sso.redhat.com] and run `rosa logout` before attempting to login again. | |
| To switch accounts, logout from link:https://sso.redhat.com[https://sso.redhat.com] and run the `rosa logout` command in your terminal before attempting to login again. |
modules/rosa-configure.adoc
Outdated
| [NOTE] | ||
| ==== | ||
| Red{nbsp}Hat recommends using service accounts for automation purposes. | ||
| ==== | ||
|
|
||
| The ROSA CLI (`rosa`) looks for a token in the following priority order: |
There was a problem hiding this comment.
This is out of scope but I have read this sentence and the 4 directly after it many times and I am still unsure what exactly is being said and how useful it is for the user to know this info.
Also out of scope, but could you edit the final login option so it matches the rest of the methods .' To log in to ROSA CLI (rosa) with a Red{nbsp}Hat offline token, run the following command:'
There was a problem hiding this comment.
To make point #2 work going to remove the info proceeding as not needed.
openshift-ci
bot
added
peer-review-done
|
Hey @mletalie great job. Just a few nit picks and suggestions. |
| @@ -10,22 +10,107 @@ Use the following commands to configure the {product-title} (ROSA) CLI, `rosa`. | |||
|
|
|||
| [id="rosa-login_{context}"] | |||
| == login | |||
| There are several methods you can use to log into your Red{nbsp}Hat account using the {product-title} (ROSA) CLI (`rosa`). These methods are described in detail below. | |||
There was a problem hiding this comment.
🤖 [error] RedHat.TermsErrors: Use 'log in to' rather than 'log into'. For more information, see RedHat.TermsErrors.
|
/lgtm |
|
New changes are detected. LGTM label has been removed. |
|
@mletalie: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/cherrypick enterprise-4.18 |
|
@bmcelvee: new pull request created: #91092 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/cherrypick enterprise-4.19 |
|
@bmcelvee: new pull request created: #91093 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Version(s):
4.18+
Issue:
https://issues.redhat.com/browse/OSDOCS-12792
Link to docs preview:
OSD Docs: https://90006--ocpdocs-pr.netlify.app/openshift-dedicated/latest/osd_planning/gcp-ccs.html#ccs-gcp-customer-procedure-wif_gcp-ccs
https://90006--ocpdocs-pr.netlify.app/openshift-rosa/latest/cli_reference/rosa_cli/rosa-get-started-cli.html#rosa-login_rosa-getting-started-cli
QE review:
Additional information: