<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<title>Configuring authorization :: Eclipse Che Documentation</title>
<link rel="canonical" href="https://www.eclipse.org/che/docs/che-7/administration-guide/configuring-authorization/">
<meta name="keywords" content="administration-guide, configuring-authorization">
<meta name="generator" content="Antora 2.3.4">
<link rel="stylesheet" href="../../../_/css/site.css">
<link rel="stylesheet" href="../../../_/css/extra.css">
<link rel="stylesheet" href="../../../_/font-awesome-4.7.0/css/font-awesome.min.css">
<link rel="icon" href="../../../favicon.ico" type="image/x-icon">
<script>var uiRootPath = '../../../_'</script>
</head>
<body class="article">
<div class="body">
<main class="article">
<div class="content">
<aside class="toc sidebar" data-title="Contents" data-levels="2">
<div class="toc-menu"></div>
</aside>
<article class="doc">
<h1 class="page">Configuring authorization</h1>
<div class="sect1">
<h2 id="authorization-and-user-management_che"><a class="anchor" href="#authorization-and-user-management_che"></a>Authorization and user management</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Eclipse&#160;Che uses <a href="https://www.keycloak.org/">Keycloak</a> to create, import, manage, delete, and authenticate users. Keycloak uses built-in authentication mechanisms and user storage. It can use third-party identity management systems to create and authenticate users. Eclipse&#160;Che requires a Keycloak token when you request access to Che resources.</p>
</div>
<div class="paragraph">
<p>Local users and imported federation users must have an email address in their profile.</p>
</div>
<div class="paragraph">
<p>The default Keycloak credentials are <code>admin:admin</code>. You can use the <code>admin:admin</code> credentials when logging in to Eclipse&#160;Che for the first time. This account has system privileges.</p>
</div>
<div class="dlist">
<div class="title">Identifying the Keycloak URL</div>
<dl>
<dt class="hdlist1">Che running on Kubernetes</dt>
<dd>
<p>Go to <code>$CHE_HOST:5050/auth</code>.</p>
</dd>
<dt class="hdlist1">Che running on OpenShift</dt>
<dd>
<p>Go to the OpenShift web console and to the <strong>Keycloak</strong> project.</p>
</dd>
</dl>
</div>
</div>
</div>
<div class="sect1">
<h2 id="configuring-che-to-work-with-keycloak_che"><a class="anchor" href="#configuring-che-to-work-with-keycloak_che"></a>Configuring Che to work with Keycloak</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The deployment script configures Keycloak. It creates a <code>che-public</code> client with the following fields:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><strong>Valid Redirect URIs</strong>: Use this URL to access Che.</p>
</li>
<li>
<p><strong>Web Origins</strong></p>
</li>
</ul>
</div>
<div class="paragraph">
<p>The following are common errors when configuring Che to work with Keycloak:</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">Invalid <code>redirectURI</code> error</dt>
<dd>
<p>Occurs when you access Che at <code>myhost</code>, which is an alias, and your original <code>CHE_HOST</code> is <code>1.1.1.1</code>. If this error occurs, go to the Keycloak administration console and ensure that the valid redirect URIs are configured.</p>
</dd>
<dt class="hdlist1">CORS error</dt>
<dd>
<p>Occurs when you have an invalid web origin.</p>
</dd>
</dl>
</div>
</div>
</div>
<div class="sect1">
<h2 id="configuring-keycloak-tokens_che"><a class="anchor" href="#configuring-keycloak-tokens_che"></a>Configuring Keycloak tokens</h2>
<div class="sectionbody">
<div class="paragraph">
<p>A user token expires after 30 minutes by default.</p>
</div>
<div class="paragraph">
<p>You can change the following Keycloak token settings:</p>
</div>
<div class="imageblock">
<div class="content">
<a class="image" href="../_images/keycloak/keycloak_realm.png"><img src="../_images/keycloak/keycloak_realm.png" alt="keycloak realm"></a>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="setting-up-user-federation_che"><a class="anchor" href="#setting-up-user-federation_che"></a>Setting up user federation</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Keycloak federates external user databases and supports LDAP and Active Directory. You can test the connection and authenticate users before choosing a storage provider.</p>
</div>
<div class="paragraph">
<p>See the <a href="https://www.keycloak.org/docs/6.0/server_admin/index.html#_user-storage-federation">User storage federation</a> page in Keycloak documentation to learn how to add a provider.</p>
</div>
<div class="paragraph">
<p>See the <a href="https://www.keycloak.org/docs/6.0/server_admin/index.html#_ldap">LDAP and Active Directory</a> page in Keycloak documentation to specify multiple LDAP servers.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="enabling-authentication-with-social-accounts-and-brokering_che"><a class="anchor" href="#enabling-authentication-with-social-accounts-and-brokering_che"></a>Enabling authentication with social accounts and brokering</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Keycloak provides built-in support for GitHub, OpenShift, and most common social networks such as Facebook and Twitter.
See Keycloak documentation to learn how to <a href="https://www.keycloak.org/docs/6.0//server_admin/#github">enable Login with GitHub</a>.</p>
</div>
<div class="sect2">
<h3 id="configuring-github-oauth_che"><a class="anchor" href="#configuring-github-oauth_che"></a>Configuring GitHub OAuth</h3>
<div class="paragraph">
<p>OAuth for GitHub allows for automatic SSH key upload to GitHub.</p>
</div>
<div class="ulist">
<div class="title">Prerequisites</div>
<ul>
<li>
<p>The <code>kubectl</code> tool is available.</p>
</li>
</ul>
</div>
<div class="ulist">
<div class="title">Procedure</div>
<ul>
<li>
<p>Create an <a href="https://developer.github.com/apps/building-oauth-apps/creating-an-oauth-app">OAuth application in GitHub</a> using the Che URL as the value for the application <code>Homepage URL</code> and the Keycloak GitHub endpoint URL as the value for <code>Authorization callback URL</code>. The default values are <code>https://che-eclipse-che.<em>&lt;DOMAIN&gt;</em>/</code> and <code>https://keycloak-eclipse-che.<em>&lt;DOMAIN&gt;</em>/auth/realms/che/broker/github/endpoint</code> respectively, where <code><em>&lt;DOMAIN&gt;</em></code> is the Kubernetes cluster domain.</p>
</li>
<li>
<p>For Che deployed in multi-user mode:</p>
<div class="olist arabic">
<ol class="arabic">
<li>
<p>Create a new secret in the namespace where Che is deployed.</p>
<div class="listingblock">
<div class="content">
<pre>$ kubectl apply -f - &lt;&lt;EOF
kind: Secret
apiVersion: v1
metadata:
  name: github-oauth-config
  namespace: &lt;...&gt; <i class="conum" data-value="1"></i><b>(1)</b>
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: oauth-scm-configuration
  annotations:
    che.eclipse.org/oauth-scm-server: github
type: Opaque
data:
  id: &lt;...&gt; <i class="conum" data-value="2"></i><b>(2)</b>
  secret: &lt;...&gt; <i class="conum" data-value="3"></i><b>(3)</b>
EOF</pre>
</div>
</div>
<div class="colist arabic">
<table>
<tr>
<td><i class="conum" data-value="1"></i><b>1</b></td>
<td>Che namespace. The default is eclipse-che</td>
</tr>
<tr>
<td><i class="conum" data-value="2"></i><b>2</b></td>
<td>base64 encoded GitHub OAuth Client ID</td>
</tr>
<tr>
<td><i class="conum" data-value="3"></i><b>3</b></td>
<td>base64 encoded GitHub OAuth Client Secret</td>
</tr>
</table>
</div>
</li>
<li>
<p>If Che was already installed, wait until the rollout of the Keycloak component finishes.</p>
</li>
</ol>
</div>
</li>
<li>
<p>For Che deployed in single-user mode:</p>
<div class="olist arabic">
<ol class="arabic">
<li>
<p>On Kubernetes or OpenShift, update the deployment configuration (see <a href="../../installation-guide/configuring-the-che-installation/" class="page">Configuring the Che installation</a> and <a href="../../installation-guide/advanced-configuration-options-for-the-che-server-component/#authentication-parameters" class="page">Authentication parameters</a>).</p>
<div class="listingblock">
<div class="content">
<pre>CHE_OAUTH_GITHUB_CLIENTID=<em>&lt;your-github-client-ID&gt;</em>
CHE_OAUTH_GITHUB_CLIENTSECRET=<em>&lt;your-github-secret&gt;</em></pre>
</div>
</div>
</li>
<li>
<p>In the <strong>Authorization callback URL</strong> field of the GitHub OAuth application, enter <code><em>&lt;prod-url&gt;</em>/api/oauth/callback</code>.</p>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="ulist">
<ul>
<li>
<p>Substitute <code><em>&lt;prod-url&gt;</em></code> with the URL and port of the Che installation.</p>
</li>
<li>
<p>Substitute <code><em>&lt;your-github-client-ID&gt;</em></code> and <code><em>&lt;your-github-secret&gt;</em></code> with your GitHub client ID and secret.</p>
</li>
<li>
<p>This configuration only applies to single-user deployments of Che.</p>
</li>
</ul>
</div>
</td>
</tr>
</table>
</div>
</li>
</ol>
</div>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="configuring_bitbucket_servers_che"><a class="anchor" href="#configuring_bitbucket_servers_che"></a>Configuring Bitbucket servers</h3>
<div class="paragraph">
<p>To use a Bitbucket server as a project sources supplier, register the Bitbucket server URL with Eclipse&#160;Che using the <code>CHE_INTEGRATION_BITBUCKET_SERVER__ENDPOINTS</code> property.
The value of the property must contain the hostname of the server to register.
For examples of how to change configuration options using Helm or the Operator, see:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><a href="../../installation-guide/advanced-configuration-options-for-the-che-server-component/" class="page">Advanced configuration options for the Che server component</a></p>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="proc_configuring-bitbucket-server-oauth1_che"><a class="anchor" href="#proc_configuring-bitbucket-server-oauth1_che"></a>Configuring Bitbucket Server OAuth 1</h3>
<div class="paragraph">
<p>This procedure describes how to activate OAuth 1 for Bitbucket Server to:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Use devfiles hosted on a Bitbucket Server.</p>
</li>
<li>
<p><a href="../../end-user-guide/authenticating-on-scm-server-with-a-personal-access-token/" class="page">Authenticating users on private repositories of SCM servers</a>.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>It enables Che to obtain and renew <a href="https://confluence.atlassian.com/bitbucketserver/personal-access-tokens-939515499.html">Bitbucket Server Personal access tokens</a>.</p>
</div>
<div class="ulist">
<div class="title">Prerequisites</div>
<ul>
<li>
<p>The <code>kubectl</code> tool is available.</p>
</li>
<li>
<p>Bitbucket Server is available from Che server.</p>
</li>
</ul>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>Generate an RSA key pair and a stripped-down version of the public key:</p>
<div class="listingblock">
<div class="content">
<pre>openssl genrsa -out <em>&lt;private.pem&gt;</em> 2048
openssl rsa -in <em>&lt;private.pem&gt;</em> -pubout &gt; <em>&lt;public.pub&gt;</em>
openssl pkcs8 -topk8 -inform pem -outform pem -nocrypt -in <em>&lt;private.pem&gt;</em> -out <em>&lt;privatepkcs8.pem&gt;</em>
cat <em>&lt;public.pub&gt;</em> | sed 's/-----BEGIN PUBLIC KEY-----//g' | sed 's/-----END PUBLIC KEY-----//g' | tr -d '\n' &gt; <em>&lt;public-stripped.pub&gt;</em></pre>
</div>
</div>
</li>
<li>
<p>Generate a consumer key and a shared secret.</p>
<div class="listingblock">
<div class="content">
<pre>openssl rand -base64 24 &gt; <em>&lt;bitbucket_server_consumer_key&gt;</em>
openssl rand -base64 24 &gt; <em>&lt;bitbucket_shared_secret&gt;</em></pre>
</div>
</div>
</li>
<li>
<p>Create a Kubernetes Secret in the Che namespace containing the consumer and private keys.</p>
<div class="listingblock">
<div class="content">
<pre>$ kubectl apply -f - &lt;&lt;EOF
kind: Secret
apiVersion: v1
metadata:
  name: bitbucket-oauth-config
  namespace: &lt;...&gt; <i class="conum" data-value="1"></i><b>(1)</b>
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: oauth-scm-configuration
  annotations:
    che.eclipse.org/oauth-scm-server: bitbucket
    che.eclipse.org/scm-server-endpoint: &lt;...&gt; <i class="conum" data-value="2"></i><b>(2)</b>
type: Opaque
data:
  private.key: &lt;...&gt; <i class="conum" data-value="3"></i><b>(3)</b>
  consumer.key: &lt;...&gt; <i class="conum" data-value="4"></i><b>(4)</b>
EOF</pre>
</div>
</div>
<div class="colist arabic">
<table>
<tr>
<td><i class="conum" data-value="1"></i><b>1</b></td>
<td>Che namespace. The default is eclipse-che</td>
</tr>
<tr>
<td><i class="conum" data-value="2"></i><b>2</b></td>
<td>Bitbucket Server URL</td>
</tr>
<tr>
<td><i class="conum" data-value="3"></i><b>3</b></td>
<td>base64 encoded content of the <em>&lt;privatepkcs8.pem&gt;</em> file without first and last lines.</td>
</tr>
<tr>
<td><i class="conum" data-value="4"></i><b>4</b></td>
<td>base64 encoded content of the <code><em>&lt;bitbucket_server_consumer_key&gt;</em></code> file.</td>
</tr>
</table>
</div>
</li>
<li>
<p>Configure an <a href="https://confluence.atlassian.com/adminjiraserver/using-applinks-to-link-to-other-applications-938846918.html">Application Link</a> in Bitbucket to enable the communication from Che to Bitbucket Server.</p>
<div class="olist loweralpha">
<ol class="loweralpha" type="a">
<li>
<p>In Bitbucket Server, click the cog in the top navigation bar to navigate to <strong>Administration</strong> &gt; <strong>Application Links</strong>.</p>
</li>
<li>
<p>Enter the application URL: <code>https://che-host:che-port</code> and click the <b class="button">Create new link</b> button.</p>
</li>
<li>
<p>On the warning message stating "No response was received from the URL", click the <b class="button">Continue</b> button.</p>
</li>
<li>
<p>Fill in the <strong>Link Applications</strong> form and click the <b class="button">Continue</b> button.</p>
<div class="dlist">
<dl>
<dt class="hdlist1">Application Name</dt>
<dd>
<p><code><em>&lt;Che&gt;</em></code></p>
</dd>
<dt class="hdlist1">Application Type</dt>
<dd>
<p>Generic Application.</p>
</dd>
<dt class="hdlist1">Service Provider Name</dt>
<dd>
<p><code><em>&lt;Che&gt;</em></code></p>
</dd>
<dt class="hdlist1">Consumer Key</dt>
<dd>
<p>Paste the content of the <code><em>&lt;bitbucket_server_consumer_key&gt;</em></code> file.</p>
</dd>
<dt class="hdlist1">Shared secret</dt>
<dd>
<p>Paste the content of the <code><em>&lt;bitbucket_shared_secret&gt;</em></code> file.</p>
</dd>
<dt class="hdlist1">Request Token URL</dt>
<dd>
<p><code><em>&lt;Bitbucket Server URL&gt;</em>/plugins/servlet/oauth/request-token</code></p>
</dd>
<dt class="hdlist1">Access token URL</dt>
<dd>
<p><code><em>&lt;Bitbucket Server URL&gt;</em>/plugins/servlet/oauth/access-token</code></p>
</dd>
<dt class="hdlist1">Authorize URL</dt>
<dd>
<p><code><em>&lt;Bitbucket Server URL&gt;</em>/plugins/servlet/oauth/access-token</code></p>
</dd>
<dt class="hdlist1">Create incoming link</dt>
<dd>
<p>Enabled.</p>
</dd>
</dl>
</div>
</li>
<li>
<p>Fill in the <strong>Link Applications</strong> form and click the <b class="button">Continue</b> button.</p>
<div class="dlist">
<dl>
<dt class="hdlist1">Consumer Key</dt>
<dd>
<p>Paste the content of the <code><em>&lt;bitbucket_server_consumer_key&gt;</em></code> file.</p>
</dd>
<dt class="hdlist1">Consumer name</dt>
<dd>
<p><code><em>&lt;Che&gt;</em></code></p>
</dd>
<dt class="hdlist1">Public Key</dt>
<dd>
<p>Paste the content of the <code><em>&lt;public-stripped.pub&gt;</em></code> file.</p>
</dd>
</dl>
</div>
</li>
</ol>
</div>
</li>
</ol>
</div>
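<div class="paragraph">
<p>The <code>data</code> fields of the GitHub and Bitbucket Secrets shown above must hold base64-encoded values, and <code>private.key</code> must not include the first and last lines of the PEM file. The following added example (not part of the Che documentation or code base) builds both Secrets and checks an existing one against the listings on this page. The function names, the sample PEM placeholder, and the whitespace-stripping behaviour are assumptions of this example.</p>
</div>

```python
import base64

# Labels and annotation keys as shown in the Secret listings on this page.
LABELS = {
    "app.kubernetes.io/part-of": "che.eclipse.org",
    "app.kubernetes.io/component": "oauth-scm-configuration",
}
SERVER_ANNOTATION = "che.eclipse.org/oauth-scm-server"
ENDPOINT_ANNOTATION = "che.eclipse.org/scm-server-endpoint"
REQUIRED_KEYS = {
    "github": {"id", "secret"},
    "bitbucket": {"private.key", "consumer.key"},
}

# Constructed placeholder with the shape of <privatepkcs8.pem>; it is not a key.
SAMPLE_PEM = """-----BEGIN PRIVATE KEY-----
PLACEHOLDERLINE1NOTAKEY
PLACEHOLDERLINE2NOTAKEY
-----END PRIVATE KEY-----
"""


def strip_pem_markers(pem_text):
    """Return the PEM body without its first and last (BEGIN/END) lines."""
    lines = pem_text.strip().splitlines()
    if (len(lines) < 3 or not lines[0].startswith("-----BEGIN")
            or not lines[-1].startswith("-----END")):
        raise ValueError("expected a PEM file with BEGIN and END marker lines")
    return "\n".join(lines[1:-1])


def build_scm_secret(name, namespace, scm_server, values, endpoint=None):
    """Build the Secret as a dict; its JSON form can be piped to kubectl apply -f -."""
    annotations = {SERVER_ANNOTATION: scm_server}
    if endpoint:
        annotations[ENDPOINT_ANNOTATION] = endpoint
    # Assumption: surrounding whitespace, such as the newline a shell redirect
    # leaves at the end of a file, is not part of the value.
    data = {key: base64.b64encode(value.strip().encode()).decode()
            for key, value in values.items()}
    return {
        "kind": "Secret", "apiVersion": "v1", "type": "Opaque",
        "metadata": {"name": name, "namespace": namespace,
                     "labels": dict(LABELS), "annotations": annotations},
        "data": data,
    }


def decoded(secret, key):
    """Decode one data field; raises ValueError if it is not valid base64."""
    return base64.b64decode(secret["data"][key], validate=True).decode()


def lint_scm_secret(secret):
    """Return findings for a Secret that does not match the listings on this page."""
    findings = []
    meta = secret.get("metadata", {})
    for label, value in LABELS.items():
        if meta.get("labels", {}).get(label) != value:
            findings.append(f"label {label} must be {value}")
    server = meta.get("annotations", {}).get(SERVER_ANNOTATION)
    if server not in REQUIRED_KEYS:
        return findings + [f"annotation {SERVER_ANNOTATION} must be github or bitbucket"]
    if server == "bitbucket" and not meta["annotations"].get(ENDPOINT_ANNOTATION):
        findings.append(f"annotation {ENDPOINT_ANNOTATION} is missing")
    for key in sorted(REQUIRED_KEYS[server]):
        if key not in secret.get("data", {}):
            findings.append(f"data.{key} is missing")
            continue
        try:
            value = decoded(secret, key)
        except ValueError:
            # Raw (unencoded) values are the usual cause.
            findings.append(f"data.{key} is not base64 encoded")
            continue
        if key == "private.key" and "-----BEGIN" in value:
            findings.append("data.private.key still contains the PEM marker lines")
    return findings


if __name__ == "__main__":
    import json
    secret = build_scm_secret(
        "bitbucket-oauth-config", "eclipse-che", "bitbucket",
        {"private.key": strip_pem_markers(SAMPLE_PEM),
         "consumer.key": "constructed-consumer-key\n"},
        endpoint="https://bitbucket.example.test",  # constructed placeholder URL
    )
    print(json.dumps(secret, indent=2))
    print(lint_scm_secret(secret) or "Secret matches the documented layout")
```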
<div class="ulist">
<div class="title">Additional resources</div>
<ul>
<li>
<p><a href="https://bitbucket.org/product/enterprise">Bitbucket Server overview</a></p>
</li>
<li>
<p><a href="https://bitbucket.org/product/download">Download Bitbucket Server</a></p>
</li>
<li>
<p><a href="https://confluence.atlassian.com/bitbucketserver/personal-access-tokens-939515499.html">Bitbucket Server Personal access tokens</a></p>
</li>
<li>
<p><a href="https://confluence.atlassian.com/jirakb/how-to-generate-public-key-to-application-link-3rd-party-applications-913214098.html">How to generate public key to application link 3rd party applications</a></p>
</li>
<li>
<p><a href="https://confluence.atlassian.com/adminjiraserver/using-applinks-to-link-to-other-applications-938846918.html">Using AppLinks to link to other applications</a></p>
</li>
<li>
<p><a href="../../end-user-guide/authenticating-on-scm-server-with-a-personal-access-token/" class="page">Authenticating users on private repositories of SCM servers</a>.</p>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="configuring_gitlab_servers_che"><a class="anchor" href="#configuring_gitlab_servers_che"></a>Configuring GitLab servers</h3>
<div class="paragraph">
<p>To use a GitLab server as a project sources supplier, register the GitLab server URL with Che using the <code>CHE_INTEGRATION_GITLAB_SERVER__ENDPOINTS</code> property and specify the hostname of the server to register.</p>
</div>
<div class="listingblock">
<div class="title">Example</div>
<div class="content">
<pre>https://gitlab.apps.cluster-2ab2.2ab2.example.opentlc.com/</pre>
</div>
</div>
<div class="paragraph">
<p>For additional examples of configuring GitLab servers using:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Operator: see <a href="../../installation-guide/advanced-configuration-options-for-the-che-server-component/#understanding-che-server-advanced-configuration-using-the-operator_che" class="page">Understanding Che server advanced configuration using the Operator</a></p>
</li>
<li>
<p>Helm: see <a href="../../installation-guide/advanced-configuration-options-for-the-che-server-component/#understanding-che-server-advanced-configuration-not-using-the-operator_che" class="page">Understanding Che server advanced configuration not using the Operator</a></p>
</li>
</ul>
</div>
<div class="ulist">
<div class="title">Additional resources</div>
<ul>
<li>
<p><a href="../../installation-guide/advanced-configuration-options-for-the-che-server-component/" class="page">Advanced configuration options for the Che server component</a></p>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="configuring-gitlab-oauth2_che"><a class="anchor" href="#configuring-gitlab-oauth2_che"></a>Configuring GitLab OAuth2</h3>
<div class="paragraph">
<p>OAuth2 for GitLab allows accepting factories from private GitLab repositories.</p>
</div>
<div class="ulist">
<div class="title">Prerequisites</div>
<ul>
<li>
<p>GitLab server is running and available from Che</p>
</li>
</ul>
</div>
<div class="ulist">
<div class="title">Procedure</div>
<ul>
<li>
<p>Create an <a href="https://docs.gitlab.com/ee/integration/oauth_provider.html#authorized-applications">Authorized OAuth2 application in GitLab</a> using Che as the application <code>Name</code> and the Keycloak GitLab endpoint URL as the value for <code>Redirect URI</code>. The callback URL default value is <code>https://keycloak-eclipse-che.<em>&lt;DOMAIN&gt;</em>/auth/realms/che/broker/gitlab/endpoint</code>, where <code><em>&lt;DOMAIN&gt;</em></code> is the Kubernetes cluster domain. Store the <code>Application ID</code> and <code>Secret</code> values.
All three types of GitLab OAuth 2 applications are supported: User owned, Group owned and Instance-wide.</p>
<div class="olist arabic">
<ol class="arabic">
<li>
<p>Create a custom OIDC provider link on Keycloak pointing to the GitLab server. Fill in the following fields:</p>
<div class="exampleblock">
<div class="content">
<div class="dlist">
<dl>
<dt class="hdlist1">Client ID</dt>
<dd>
<p>the value of the <code>Application ID</code> field provided by the GitLab server in the previous step;</p>
</dd>
<dt class="hdlist1">Client Secret</dt>
<dd>
<p>the value of the <code>Secret</code> field provided by the GitLab server in the previous step;</p>
</dd>
<dt class="hdlist1">Authorization URL</dt>
<dd>
<p>a URL in the format <code>https://<em>&lt;GITLAB_DOMAIN&gt;</em>/oauth/authorize</code>;</p>
</dd>
<dt class="hdlist1">Token URL</dt>
<dd>
<p>a URL in the format <code>https://<em>&lt;GITLAB_DOMAIN&gt;</em>/oauth/token</code>;</p>
</dd>
<dt class="hdlist1">Scopes</dt>
<dd>
<p>a set of scopes that must contain at least the following: <code>api write_repository openid</code>;</p>
</dd>
<dt class="hdlist1">Store Tokens</dt>
<dd>
<p>needs to be enabled;</p>
</dd>
<dt class="hdlist1">Stored Tokens Readable</dt>
<dd>
<p>needs to be enabled.</p>
</dd>
</dl>
</div>
</div>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="ulist">
<ul>
<li>
<p>Substitute <code><em>&lt;GITLAB_DOMAIN&gt;</em></code> with the URL and port of the GitLab installation.</p>
</li>
</ul>
</div>
</td>
</tr>
</table>
</div>
</li>
<li>
<p>Register the GitLab instance URL with the enabled OAuth 2 support in Che using the <code>CHE_INTEGRATION_GITLAB_OAUTH__ENDPOINT</code> property.</p>
<div class="admonitionblock warning">
<table>
<tr>
<td class="icon">
<i class="fa icon-warning" title="Warning"></i>
</td>
<td class="content">
<div class="ulist">
<ul>
<li>
<p>The GitLab instance URL must be present in the list of configured GitLab integration endpoints, set by the <code>CHE_INTEGRATION_GITLAB_SERVER__ENDPOINTS</code> property.</p>
</li>
</ul>
</div>
</td>
</tr>
</table>
</div>
</li>
</ol>
</div>
</li>
</ul>
</div>
<div class="paragraph">
<div class="title">Additional resources</div>
<p>If Che has issues accessing GitLab that are related to TLS keys, consult the following documentation:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><a href="../../installation-guide/importing-untrusted-tls-certificates/" class="page">Importing untrusted TLS certificates to Che</a>.</p>
</li>
<li>
<p><a href="../../installation-guide/deploying-che-with-support-for-git-repositories-with-self-signed-certificates/" class="page">Deploying Che with support for Git repositories with self-signed certificates</a>.</p>
</li>
</ul>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="using-protocol-based-providers_che"><a class="anchor" href="#using-protocol-based-providers_che"></a>Using protocol-based providers</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Keycloak supports <a href="https://www.keycloak.org/docs/6.0/server_admin/#saml-v2-0-identity-providers">SAML v2.0</a> and <a href="https://www.keycloak.org/docs/6.0/server_admin/#_oidc">OpenID Connect v1.0</a> protocols.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="managing-users-using-keycloak_che"><a class="anchor" href="#managing-users-using-keycloak_che"></a>Managing users using Keycloak</h2>
<div class="sectionbody">
<div class="paragraph">
<p>You can add, delete, and edit users in the user interface. See <a href="https://www.keycloak.org/docs/latest/server_admin/index.html#user-management">Keycloak User Management</a> for more information.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="configuring-che-to-use-external-keycloak_che"><a class="anchor" href="#configuring-che-to-use-external-keycloak_che"></a>Configuring Che to use an external Keycloak installation</h2>
<div class="sectionbody">
<div class="paragraph">
<p>By default, Che installation includes the deployment of a dedicated Keycloak instance. However, using an external Keycloak is also possible. This option is useful when a user has an existing Keycloak instance with already-defined users, for example, a company-wide Keycloak server used by several applications.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
A dedicated Keycloak instance is only deployed with Che installed in multiuser mode.
</td>
</tr>
</table>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 1. Placeholders used in examples</caption>
<colgroup>
<col style="width: 33.3333%;">
<col style="width: 66.6667%;">
</colgroup>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code><em>&lt;provider-realm-name&gt;</em></code></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Keycloak realm name intended for use by Che</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code><em>&lt;oidc-client-name&gt;</em></code></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Name of the <code>oidc</code> client defined in <code><em>&lt;provider-realm-name&gt;</em></code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code><em>&lt;auth-base-url&gt;</em></code></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Base URL of the external Keycloak server</p></td>
</tr>
</tbody>
</table>
<div class="ulist">
<div class="title">Prerequisites</div>
<ul>
<li>
<p>This procedure is only applicable to Che installations done using the Che Operator. When using the <code>chectl</code> management tool and Helm to install Che, no supported method is available to use an external Keycloak instance.</p>
</li>
<li>
<p>In the administration console of the external installation of Keycloak, define a <a href="https://www.keycloak.org/docs/latest/server_admin/#_create-realm">realm</a> containing the users intended to connect to Che:</p>
<div class="imageblock">
<div class="content">
<a class="image" href="../_images/keycloak/external_keycloak_realm.png"><img src="../_images/keycloak/external_keycloak_realm.png" alt="External Keycloak realm"></a>
</div>
</div>
</li>
<li>
<p>In this <code>realm</code>, define an <a href="https://www.keycloak.org/docs/latest/server_admin/#oidc-clients">OIDC client</a> that Che will use to authenticate the users. This is an example of such a client with the correct settings:</p>
<div class="imageblock">
<div class="content">
<a class="image" href="../_images/keycloak/external_keycloak_public_client.png"><img src="../_images/keycloak/external_keycloak_public_client.png" alt="External Keycloak public client"></a>
</div>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="ulist">
<ul>
<li>
<p><strong>Client Protocol</strong> must be <code>openid-connect</code>.</p>
</li>
<li>
<p><strong>Access Type</strong> must be <code>public</code>. Che only supports the <code>public</code> access type.</p>
</li>
<li>
<p><strong>Valid Redirect URIs</strong> must contain at least two URIs related to the Che server, one using the <code>http</code> protocol and the other <code>https</code>. These URIs must contain the base URL of the Che server, followed by <code>/*</code> wildcards.</p>
</li>
<li>
<p><strong>Web Origins</strong> must contain at least two URIs related to the Che server, one using the <code>http</code> protocol and the other <code>https</code>. These URIs must contain the base URL of the Che server, without any path after the host.</p>
<div class="paragraph">
<p>The number of URIs depends on the number of installed product tools.</p>
</div>
</li>
</ul>
</div>
</td>
</tr>
</table>
</div>
</li>
<li>
<p>With Che installed on OpenShift that uses the default OpenShift OAuth support, user authentication relies on the integration of Keycloak with OpenShift OAuth. This allows users to log in to Che with their OpenShift login and have their workspaces created under personal OpenShift projects.</p>
<div class="paragraph">
<p>This requires setting up an OpenShift Identity Provider (Keycloak or RH-SSO). When using an external Keycloak, configure the Keycloak manually. For instructions, see the appropriate Keycloak documentation for either <a href="https://www.keycloak.org/docs/latest/server_admin/#openshift-3">OpenShift 3</a> or <a href="https://www.keycloak.org/docs/latest/server_admin/#openshift-4">OpenShift 4</a>.</p>
</div>
</li>
<li>
<p>The configured Keycloak has the options <strong>Store Tokens</strong> and <strong>Stored Tokens Readable</strong> enabled.</p>
</li>
</ul>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>Set the following properties in the <code>CheCluster</code> Custom Resource (CR):</p>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code class="language-yaml hljs" data-lang="yaml">spec:
  auth:
    externalIdentityProvider: true
    identityProviderURL: &lt;auth-base-url&gt;
    identityProviderRealm: &lt;provider-realm-name&gt;
    identityProviderClientId: &lt;oidc-client-name&gt;</code></pre>
</div>
</div>
</li>
<li>
<p>When installing Che on OpenShift with OpenShift OAuth support enabled, set the following properties in the <code>CheCluster</code> Custom Resource (CR):</p>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code class="language-yaml hljs" data-lang="yaml">spec:
  auth:
    openShiftoAuth: true
  # Note: only if the OpenShift Identity Provider (Keycloak or RH-SSO) alias is different from 'openshift-v3' or 'openshift-v4'
  server:
    customCheProperties:
      CHE_INFRA_OPENSHIFT_OAUTH__IDENTITY__PROVIDER: &lt;OpenShift Identity Provider (Keycloak or RH-SSO) alias&gt;</code></pre>
</div>
</div>
</li>
</ol>
</div>
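<div class="paragraph">
<p>The client settings listed in the prerequisites (protocol, access type, <strong>Valid Redirect URIs</strong>, and <strong>Web Origins</strong>) can be checked against a client exported from the Keycloak administration console before pointing Che at it. The following is an added example, not part of the Che documentation or code base. The function name, the sample client, and the <code>che.example.test</code> host are assumptions of this example; the JSON field names are those of a Keycloak client export.</p>
</div>

```python
import json
from urllib.parse import urlsplit

# Constructed sample: an OIDC client as exported from the Keycloak admin console.
# The client name and host are placeholders chosen for this example.
SAMPLE_CLIENT = json.loads("""
{
  "clientId": "che-public-example",
  "protocol": "openid-connect",
  "publicClient": true,
  "redirectUris": ["http://che.example.test/*", "https://che.example.test/*"],
  "webOrigins": ["http://che.example.test", "https://che.example.test"]
}
""")

# (export field, name in the admin console, path required after the Che base URL)
URI_RULES = (
    ("redirectUris", "Valid Redirect URIs", "/*"),
    ("webOrigins", "Web Origins", ""),
)


def check_che_client(client, che_base_url):
    """Compare an exported client with the settings listed in the prerequisites.

    Returns (errors, review): errors are requirements that are not met,
    review lists entries that point somewhere other than the Che server.
    """
    che_host = urlsplit(che_base_url).netloc.lower()
    errors, review = [], []

    if client.get("protocol") != "openid-connect":
        errors.append("Client Protocol must be openid-connect")
    if client.get("publicClient") is not True:
        errors.append("Access Type must be public")

    for field, label, wanted_path in URI_RULES:
        schemes_ok = set()
        for uri in client.get(field, []):
            parts = urlsplit(uri)
            if parts.netloc.lower() != che_host:
                # Other tools may need their own entries; a bare "*" also lands here.
                review.append(f"{label}: {uri} is not on the Che host")
            elif parts.path != wanted_path or parts.query or parts.fragment:
                errors.append(
                    f"{label}: {uri} must be the Che base URL followed by {wanted_path!r}"
                )
            else:
                schemes_ok.add(parts.scheme.lower())
        # The note asks for one http and one https entry in each field.
        for scheme in ("http", "https"):
            if scheme not in schemes_ok:
                errors.append(f"{label}: no valid {scheme} entry for the Che server")
    return errors, review


if __name__ == "__main__":
    errors, review = check_che_client(SAMPLE_CLIENT, "https://che.example.test")
    for line in errors + review:
        print(line)
    print("client needs changes" if errors else "client matches the documented settings")
```

<div class="paragraph">
<p>Passing a host alias as the Che base URL shows which entries are missing when Che is reached under a name other than the one the client was configured for, the situation behind the invalid <code>redirectURI</code> and CORS errors described earlier.</p>
</div>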
</div>
</div>
<div class="sect1">
<h2 id="configuring-prod-short-to-work-without-identity-provider_che"><a class="anchor" href="#configuring-prod-short-to-work-without-identity-provider_che"></a>Configuring Che to work without Keycloak</h2>
<div class="sectionbody">
<div class="paragraph">
<p>By default, Che is deployed in multiuser mode where Keycloak and PostgreSQL are enabled by default. However, it is possible to deploy it in the single-user mode too, by changing the <code>CHE_MULTIUSER</code> value to <code>false</code>. In that case, neither Keycloak nor PostgreSQL is installed.</p>
</div>
<div class="ulist">
<div class="title">Prerequisites</div>
<ul>
<li>
<p>The <code>chectl</code> management tool is available. See the <a href="../../installation-guide/using-the-chectl-management-tool/" class="page">Using the chectl management tool</a> section. Alternatively, the OpenShift command line tool, <code>oc</code>, can be used.</p>
</li>
</ul>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>Prepare the <code>cr-patch.yaml</code> file with the following content:</p>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code class="language-yaml hljs" data-lang="yaml">spec:
  server:
    customCheProperties:
      CHE_MULTIUSER: false</code></pre>
</div>
</div>
</li>
<li>
<p>Install Che in the single-user mode:</p>
<div class="listingblock">
<div class="content">
<pre>$ chectl server:deploy --platform <em>&lt;platform&gt;</em> --installer operator --che-operator-cr-patch-yaml cr-patch.yaml</pre>
</div>
</div>
<div class="paragraph">
<p>Depending on the strategy used, replace the <code><em>&lt;platform&gt;</em></code> option in the above example with <code>crc</code>, <code>minishift</code>, or <code>openshift</code>.
Kubernetes-native platforms such as <code>minikube</code>, <code>microk8s</code>, <code>k8s</code>, and <code>docker-desktop</code> are also available.</p>
</div>
</li>
</ol>
</div>
<div class="olist arabic">
<div class="title">Verification</div>
<ol class="arabic">
<li>
<p>Wait for the console log output to display the <code>Command server:deploy has completed successfully.</code> message:</p>
<div class="listingblock">
<div class="content">
<pre>✔ Retrieving Eclipse&#160;Che server URL...&lt;ECLIPSE_CHE_URL&gt;
✔ Eclipse&#160;Che status check
Command server:deploy has completed successfully.</pre>
</div>
</div>
</li>
<li>
<p>Verify the boolean value with the following command:</p>
<div class="listingblock">
<div class="content">
<pre>$ kubectl get checluster -o=jsonpath='{.items[0].spec.server.customCheProperties.CHE_MULTIUSER}'</pre>
</div>
</div>
<div class="paragraph">
<p>If the output of the command is <code>false</code>, Che has been successfully configured in single-user mode.</p>
</div>
</li>
</ol>
</div>
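<div class="paragraph">
<p>The verification step above can be scripted so that a deployment job fails when the patch did not take effect, for example when <code>CHE_MULTIUSER</code> was nested under the wrong key and the query returns nothing. This is an added example, not part of the Che documentation or tooling; the function names <code>classify_che_mode</code> and <code>check_che_mode</code> and the <code>--check</code> argument are hypothetical, and it assumes the <code>oc</code> client named in the prerequisites.</p>
</div>

```shell
#!/bin/sh
# Added example: turn the jsonpath verification into a pass/fail gate.
# classify_che_mode and check_che_mode are hypothetical helper names.

# Map the raw jsonpath output to a mode name.
# Exit status: 0 single-user, 1 multi-user, 2 property unset, 3 unexpected value.
classify_che_mode() {
  # Drop whitespace (trailing newline included) and normalise case.
  value=$(printf '%s' "$1" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
  case "$value" in
    false) echo "single-user"; return 0 ;;
    true)  echo "multi-user";  return 1 ;;
    "")    echo "unset";       return 2 ;;  # key absent: patch not applied or mis-nested
    *)     echo "invalid";     return 3 ;;  # anything that is not a boolean
  esac
}

# Query the CheCluster custom resource with the command from the
# verification step, then classify what came back.
check_che_mode() {
  raw=$(oc get checluster \
    -o=jsonpath='{.items[0].spec.server.customCheProperties.CHE_MULTIUSER}') || {
    echo "query-failed"   # oc missing, not logged in, or no CheCluster found
    return 4
  }
  classify_che_mode "$raw"
}

# Run against the cluster only when asked to, so the helpers can also be
# sourced and exercised without cluster access.
if [ "${1:-}" = "--check" ]; then
  check_che_mode
  exit $?
fi
```

<div class="paragraph">
<p>Run the script with <code>--check</code> after <code>chectl server:deploy</code> finishes; any exit status other than 0 means the instance is not confirmed to be in single-user mode.</p>
</div>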
</div>
</div>
<div class="sect1">
<h2 id="configuring-smtp-and-email-notifications_che"><a class="anchor" href="#configuring-smtp-and-email-notifications_che"></a>Configuring SMTP and email notifications</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Eclipse&#160;Che does not provide any pre-configured SMTP servers.</p>
</div>
<div class="paragraph">
<p>To enable SMTP servers in Keycloak:</p>
</div>
<div class="olist arabic">
<ol class="arabic">
<li>
<p>Go to <code>che realm settings &gt; Email</code>.</p>
</li>
<li>
<p>Specify the host, port, username, and password.</p>
</li>
</ol>
</div>
<div class="paragraph">
<p>Eclipse&#160;Che uses the default theme for email templates for registration, email confirmation, password recovery, and failed login.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="enabling-self-registration_che"><a class="anchor" href="#enabling-self-registration_che"></a>Enabling self-registration</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Self-registration allows users to register themselves in a Che instance by accessing the Che server URL.</p>
</div>
<div class="paragraph">
<p>For Che installed without OpenShift OAuth support, self-registration is disabled by default, so the option to register a new user is not available on the login page.</p>
</div>
<div class="ulist">
<div class="title">Prerequisites</div>
<ul>
<li>
<p>You are logged in as an administrator.</p>
</li>
</ul>
</div>
<div class="paragraph">
<div class="title">Procedure</div>
<p>To enable self-registration of users:</p>
</div>
<div class="olist arabic">
<ol class="arabic">
<li>
<p>Navigate to the <strong>Realm Settings</strong> menu on the left and open the <strong>Login</strong> tab.</p>
</li>
<li>
<p>Set the <strong>User registration</strong> option to <strong>On</strong>.</p>
</li>
</ol>
</div>
</div>
</div>
</article>
</div>
</main>
</div>
<script src="../../../_/js/site.js"></script>
<script async src="../../../_/js/vendor/highlight.js"></script>
</body>
</html>