Restrict access to specific users and groups

Restrict Che access to specific users and groups so that you can enforce access policies and limit the platform to authorized teams.

Prerequisites
  • An active kubectl session with administrative permissions to the destination Kubernetes cluster. See Overview of kubectl.

Procedure
  1. Configure the CheCluster Custom Resource. See Using the CLI to configure the CheCluster Custom Resource.

    spec:
      networking:
        auth:
          advancedAuthorization:
            allowUsers:
              - <allow_users> (1)
            allowGroups:
              - <allow_groups> (2)
            denyUsers:
              - <deny_users> (3)
            denyGroups:
              - <deny_groups> (4)
    1 List of users allowed to access Eclipse Che.
    2 List of groups of users allowed to access Eclipse Che (for OpenShift Container Platform only).
    3 List of users denied access to Eclipse Che.
    4 List of groups of users denied access to Eclipse Che (for OpenShift Container Platform only).

    If a user is on both allow and deny lists, access is denied. If allowUsers and allowGroups are empty, all users are allowed except the ones on the deny lists. If denyUsers and denyGroups are empty, only the users from allow lists are allowed. If both allow and deny lists are empty, all users are allowed.

  2. Wait for the rollout of the Che server components to complete.

Verification
  • Log in to the Che dashboard as a user on the allowUsers list and verify access to the dashboard.

  • Log in as a user on the denyUsers list and verify that Che returns a 403 Forbidden response.