Che: Do not allow users to change username when logging for the first time
Is your enhancement related to a problem? Please describe.
We have a Che operator 7.14.2 installed an OCP cluster with the following configuration:
auth:
externalIdentityProvider: false
openShiftoAuth: true
server:
customCheProperties:
CHE_INFRA_KUBERNETES_NAMESPACE_DEFAULT: <username>-code
allowUserDefinedWorkspaceNamespaces: false
Each user has <openshift-username>-code namespace pre-created.
When a user is trying to login into Che Dashboard the very first time Che's Keycloak shows the following form:
And now if the user edit the username and use another username (not OpenShift username) then he won't be able to start a workspace because Che tries to use not-existing namespace to create a workspace: <che-username>-code instead of `
Describe the solution you'd like
Ideally, user should not be asked to re-enter username, email, names when loging to Che at all. Che just should use the user from OpenShift. Email and Name is not available in OpenShift, but why Che needs them? If it needs them for Git commits or something then it should ask it when/if actually needed. Not in advance.
But at least we should have an option to forbid users to change usernames during Che login because it breaks users.
alexeykazakov
All 28 comments
it's even worse if the user has an autofill plugin that will tend to set the fields with real names, including spaces. This is what I did by mistake, and now I have the following error message when trying to create a workspace on Hosted Toolchain:
The workspace would be started in a namespace/project 'xavier coulon-code', which is not a valid namespace/project name.
xcoulon
on 29 Jun 2020
I agree on the username. email/name are a different story and can be discussed in a different issue.
l0rd
on 29 Jun 2020
@tolusha will you be able to prioritize the issue for the upcoming sprint. This is a fairly important integration issue for Hosted Toolchain
ibuziuk
on 27 Jul 2020
@ibuziuk
I haven't investigated yet, that's why I am not sure if something can be done on deployment level.
Is it something related to dashboard ?
Maybe @skabashnyuk knows
tolusha
on 27 Jul 2020
@ibuziuk
I see. We can improve it.
I will plan for the next sprint.
tolusha
on 27 Jul 2020
@tolusha thanks a lot this is yet another issue that is important for Hosted Toolchain, hopefully, it will be possible to have a fix for CRW 2.4
ibuziuk
on 29 Jul 2020
I thought having editUsernameAllowed: false in che realm would solve the issue.
But it doesn't work at review profile config stage
tolusha
on 10 Aug 2020
There is mixing up with usernames.
When OpenShift user is logged in the corresponding keycloak user is created. The keycloak username can be different from the OpenShift one. The problem is that we use the keycloak username instead of OpenShift username for namespace name.
tolusha
on 19 Aug 2020
For keycloak user there is a provider username which is supposed to be taken instead of Keycloak username.
tolusha
on 19 Aug 2020
@tolusha looks like the issue was moved out from the sprint, but we absolutely need a solution for it. Can we simply make the username field uneditable?
ibuziuk
on 2 Sep 2020
@ibuziuk
I can introduce a non default theme where username will be a readonly field.
It will require configuring keycloak to select appropriate theme. Does it work for you?
tolusha
on 2 Sep 2020
Please leave some way for the user to choose the username if needed.
Example: If OAuth is used, the user will have OpenShift username. But OpenShift allows some names that CRW does not handle well (i.e. myuser@mycompany).
In this case, it is a useful workaround to allow the user to choose a username of their choosing (one without the '@' character that CRW forbids.)
Perhaps we could just provide the default username pre-populated in the form? This will encourage users to accept this value, if they change it they should be assumed to know what they are doing. (If they break things by choosing a username that won't have a namespace, it is their own fault).
RickJWagner
on 2 Sep 2020
It's pre-populated right now. And doesn't work well. The form also requires to provide Name & email (not sure why, but it's a different issue). And it's usual for auto-fill in browser, suggest Name, email. But by using the auto-fill the username can be automatically changed too! So users don't even notice that they username is changed. We experience this issue with every other user. So it's very common.
alexeykazakov
on 2 Sep 2020
Maybe this option (disable changing usernames) can be in a Che configuration option? In Hosted Toolchain we don't have the issue with invalid usernames. All openshift usernames are guaranteed to be be valid for Che.
alexeykazakov
on 2 Sep 2020
For me disabling username is kind of hack.
The long term solution should be https://github.com/eclipse/che/issues/15323
@RickJWagner
If I introduce something then it won't be a default behavior. There won't be impact on CRW customers.
tolusha
on 3 Sep 2020
@tolusha as a quickfix before #15323 I would propose having a username input field readonly / uneditable on the registration level. Another option would be making the username editable but have the validation in place to make it k8s DNS compatible.
ibuziuk
on 3 Sep 2020
@ibuziuk @alexeykazakov
Keeps username field editable but adds validation:
https://github.com/eclipse/che/pull/17780/
@RickJWagner
No impact on customers since CRW uses another identity provide image.
tolusha
on 3 Sep 2020
@tolusha validation is a good compromise and should be ported to CRW as well. Is there any reason why we should not port the upstream PR to the CRW identity provider image?
l0rd
on 3 Sep 2020
Just for clarification. In Hosted Toolchain the problem is not that users can set Che username to a not DNS complaint one. The problem is that users can set Che username which won't match the OpenShift username.
We pre-create namespaces for Che workspaces. Users don't have permissions to create namespaces. So, if some user sets the Che username to a different username then the workspace namespace won't match the pre-created one: <openshift-username>-code and Che won't work for this user at all.
All OpenShift usernames in Hosted Toolchain are DNS complaint.
alexeykazakov
on 3 Sep 2020
@alexeykazakov
I will introduce a new theme for your case..
tolusha
on 3 Sep 2020
@l0rd
I don't think that we are the only one who use image registry.redhat.io/rh-sso-7/sso74-openshift-rhel8:7.4 for authentication and adding limitation might not be acceptable in general.
tolusha
on 8 Sep 2020
@l0rd I don't think that we are the only one who use image registry.redhat.io/rh-sso-7/sso74-openshift-rhel8:7.4 for authentication and adding limitation might not be acceptable in general.
I don't think neither. But that doesn't justify the fact that a feature is available upstream but not downstream.
l0rd
on 9 Sep 2020
@l0rd I see. I will check what we can do here.
tolusha
on 10 Sep 2020
I've created issue to add changed to CRW as well.
https://github.com/eclipse/che/issues/17827
tolusha
on 10 Sep 2020
That new theme will be available in Che operator 7.19, right?
alexeykazakov
on 15 Sep 2020
@alexeykazakov
yes, 7.19
tolusha
on 16 Sep 2020
@tolusha could you please clarify how to enable the theme for making the username uneditable in 7.19.0 ?
ibuziuk
on 2 Oct 2020
@ibuziuk
By default 7.19.0 adds check if username complies DNS naming convention.
If you would like make username uneditable then you have to login into keycloak and change login theme to che-username-readonly
tolusha
on 2 Oct 2020
Related issues
amisevsk
路
3Comments
sleshchenko
路
3Comments
sleshchenko
路
3Comments
skabashnyuk
路
3Comments
sleshchenko
路
3Comments
Most helpful comment
@ibuziuk
I see. We can improve it.
I will plan for the next sprint.