Configuring advanced authorization

You can determine which users and groups are allowed to access Che.

Prerequisites
  • An active kubectl session with administrative permissions to the destination Kubernetes cluster. See Overview of kubectl.

Procedure
  1. Configure the CheCluster Custom Resource. See Using the CLI to configure the CheCluster Custom Resource.

    spec:
      networking:
        auth:
          advancedAuthorization:
            allowUsers:
              - <allow_users> (1)
            allowGroups:
              - <allow_groups> (2)
            denyUsers:
              - <deny_users> (3)
            denyGroups:
              - <deny_groups> (4)
    1 List of users allowed to access Eclipse Che.
    2 List of groups of users allowed to access Eclipse Che (for OpenShift Container Platform only).
    3 List of users denied access to Eclipse Che.
    4 List of groups of users denied access to Eclipse Che (for OpenShift Container Platform only).
  2. Wait for the rollout of the Che server components to be completed.

To allow a user to access Che, add them to the allowUsers list. Alternatively, choose a group the user is a member of and add the group to the allowGroups list. To deny a user access to Che, add them to the denyUsers list. Alternatively, choose a group the user is a member of and add the group to the denyGroups list. If the user is on both allow and deny lists, they are denied access to Che.

If allowUsers and allowGroups are empty, all users are allowed to access Che except the ones on the deny lists. If denyUsers and denyGroups are empty, only the users on the allow lists are allowed to access Che.

If both allow and deny lists are empty, all users are allowed to access Che.
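
The precedence rules above can be checked against a planned configuration before it is applied. The following Python model is an added example, not Eclipse Che's own code: the function names `is_allowed` and `evaluate_samples`, the `POLICY` values, and all user and group names are constructed for illustration.

```python
def is_allowed(user, groups, allow_users=(), allow_groups=(),
               deny_users=(), deny_groups=()):
    """Model of the allow/deny rules as stated on this page (not Che's implementation)."""
    groups = set(groups)
    allow_users, allow_groups = set(allow_users), set(allow_groups)
    deny_users, deny_groups = set(deny_users), set(deny_groups)

    # A user on any deny list is denied, even if also on an allow list.
    if user in deny_users or groups & deny_groups:
        return False
    # With both allow lists empty, every user not denied is allowed.
    if not allow_users and not allow_groups:
        return True
    # Otherwise the user must be named directly or belong to an allowed group.
    return user in allow_users or bool(groups & allow_groups)


# Constructed sample policy mirroring the four CheCluster fields.
POLICY = dict(
    allow_users=["alice"],
    allow_groups=["developers"],
    deny_users=["mallory"],
    deny_groups=["contractors"],
)


def evaluate_samples():
    """Evaluate constructed users (name -> group memberships) against POLICY."""
    cases = {
        "alice": [],                             # on allowUsers
        "bob": ["developers"],                   # member of an allowed group
        "carol": ["developers", "contractors"],  # allowed and denied group
        "mallory": ["developers"],               # allowed group, but on denyUsers
        "dave": ["qa"],                          # on no list at all
    }
    return {user: is_allowed(user, groups, **POLICY)
            for user, groups in cases.items()}


if __name__ == "__main__":
    for user, allowed in evaluate_samples().items():
        print(f"{user:8} {'allowed' if allowed else 'denied'}")
```

In this model, `dave` is rejected only because the allow lists are non-empty. Clearing both allowUsers and allowGroups admits every user who is not on a deny list, so review changes that empty those lists with care.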