                    Remote User Auth Plugin for OpenShift
                   ----------------------------------
The Remote User Auth plugin is an optional plugin for OpenShift and it provides
authentication.  Authentication is delegated to a web server.  The Ruby code
trusts the REMOTE_USER environment variable.  This plugin defers the
node->broker authentication to the base AuthService class in
openshift-origin-controller.

This document describes how to register and authenticate an OpenShift user
using the Remote User Auth plugin.  This example will use Basic Authentication.

* Create the htpassd file:

    # Substitute the username as needed
    htpasswd -c /etc/openshift/htpasswd user1

* Create an Apache configuration.  A sample is provided:
    mv /var/www/openshift/broker/httpd/conf.d/openshift-origin-auth-remote-user.conf{.sample,}

    NOTE: This file should be loaded by
    /var/www/openshift/broker/httpd/httpd.conf.  This is done
    automatically as part of the openshift-origin-broker package.

* Create the broker key
    /usr/bin/openssl genrsa -out /etc/openshift/server_priv.pem 2048
    /usr/bin/openssl rsa -in /etc/openshift/server_priv.pem -pubout > /etc/openshift/server_pub.pem

* Edit the configuration in /etc/openshift/plugins.d/openshift-origin-auth-remote-user.conf.

* Restart the openshift-broker service
    service openshift-broker restart

* Authenticate OpenShift Origin user
  Any REST api calls or CLI tools to OpenShift Origin will be processed only for the registered user-name/password
  Example:
    The below query fails with 'Access Denied' error.
    curl -k https://localhost/broker/rest/domains

    The below query succeeds for valid username/password.
    curl -k --user "<registered-user-name>:<password>" https://localhost/broker/rest/domains

    No auth is required for the following APIs:
    curl -k https://localhost/broker/rest/cartridges
    curl -k https://localhost/broker/rest/api
