Azure Red Hat OpenShift — Deleting a user in a proper way

Ever deleted a user from OpenShift and the user is unable to log in now? In this post, you will see how we can resolve this issue

Recently while experimenting with RBAC in OpenShift, one of our cluster admins, accidentally deleted a user using a web console.

When the user (who shouldn’t have been deleted in the first place) tried to log in to the cluster, it would prompt for credentials and authenticate successfully against the identity provider — our OpenShift cluster is Azure Active Directory (AAD) integrated, but then would give the error An authentication error occurred.

Cause

The reason for this error is, it all depends on how users are authenticated using configured identity provider in Open Shift. In our case, it is Azure Active Directory.

So, when the user logs in the credentials are submitted to the identity provider and successfully validated, however, the user’s identity validation is dependent on mappingMethod property (docs), whose value wasclaim in our case. If you remember my previous post about setting up single sign-on using Azure AD, you would know we mapped user identity against email and upn

So when user logs in using the same email, OpenShift sees user’s username and email (claims) and sees that it already has an identity with that upn/email and errors out.

Reason

This is because, when the user is added, user information (RBAC, group membership) is stored in multiple places within OpenShift regardless of which Identity Provider you use.

So even if you change identity provider, if the username and email (or any claims match) another identity, you will get this error.

Solution

So to correctly delete a user, you first delete the user either via Web Console or using the CLI.

oc delete user <username>

You then delete the identity associated with the user as well. Notice, when you get the identity it will also show the IDP (Identity Provider) name, so make sure you delete the identity against the corresponding identity provider.

$ oc delete identity AAD:kXCabddbadbabfu90nsdo90u9_-jifdas
identity.user.openshift.io "AAD:kXCabddbadbabfu90nsdo90u9_-jifdas" deleted

Once done, user will be able to log back in again.

Hope it helps!