eclipse-che · skabashnyuk · Feb 11, 2021 · Jan 22, 2021 · Jan 25, 2021 · Jan 25, 2021
diff --git a/...administration-guide/images/bitbucket/bitbucket_configure_application_links.png b/...administration-guide/images/bitbucket/bitbucket_configure_application_links.png
diff --git a/modules/administration-guide/images/bitbucket/bitbucket_link_applications.png b/modules/administration-guide/images/bitbucket/bitbucket_link_applications.png
diff --git a/...les/administration-guide/images/bitbucket/bitbucket_link_applications_step2.png b/...les/administration-guide/images/bitbucket/bitbucket_link_applications_step2.png
diff --git a/modules/administration-guide/nav.adoc b/modules/administration-guide/nav.adoc
@@ -10,12 +10,6 @@
 ** xref:building-custom-registry-images.adoc[]
 ** xref:running-custom-registries.adoc[]
 
-* xref:managing-users.adoc[]
-** xref:authenticating-users.adoc[]
-** xref:authorizing-users.adoc[]
-** xref:configuring-authorization.adoc[]
-** xref:removing-user-data.adoc[]
-** xref:authenticating-users-3rd-party-services.adoc[]
 
 * xref:retrieving-che-logs.adoc[]
 ** xref:configuring-server-logging.adoc[]
@@ -41,3 +35,10 @@
 ** xref:installing-image-puller-on-openshift-using-operatorhub.adoc[]
 ** xref:installing-image-puller-on-openshift-using-openshift-templates.adoc[]
 ** xref:installing-image-puller-on-kubernetes-using-helm.adoc[]
+
+* xref:managing-identities-and-authorizations.adoc[]
+** xref:authenticating-users.adoc[]
+** xref:authorizing-users.adoc[]
+** xref:configuring-authorization.adoc[]
+** xref:removing-user-data.adoc[]
+** xref:configuring-openshift-oauth.adoc[]
diff --git a/modules/administration-guide/pages/authenticating-users-3rd-party-services.adoc b/modules/administration-guide/pages/authenticating-users-3rd-party-services.adoc
diff --git a/...de/pages/configuring-openshift-oauth.adoc → ...de/pages/configuring-openshift-oauth.adoc b/...de/pages/configuring-openshift-oauth.adoc → ...de/pages/configuring-openshift-oauth.adoc
diff --git a/modules/administration-guide/pages/managing-identities-and-authorizations.adoc b/modules/administration-guide/pages/managing-identities-and-authorizations.adoc
@@ -0,0 +1,7 @@
+[id="managing-identities-and-authorizations"]
+// = Managing identities and authorizations
+:navtitle: Managing identities and authorizations
+:keywords: end-user-guide, managing-identities-and-authorizations
+:page-aliases: .:managing-identities-and-authorizations
+
+include::partial$assembly_managing-identities-and-authorizations.adoc[]
diff --git a/modules/administration-guide/pages/managing-users.adoc b/modules/administration-guide/pages/managing-users.adoc
diff --git a/...tration-guide/partials/assembly_authenticating-users-on-3rd-party-services.adoc b/...tration-guide/partials/assembly_authenticating-users-on-3rd-party-services.adoc
diff --git a/modules/administration-guide/partials/assembly_configuring-authorization.adoc b/modules/administration-guide/partials/assembly_configuring-authorization.adoc
@@ -19,6 +19,8 @@ include::partial$proc_enabling-authentication-with-social-accounts-and-brokering
 
 include::partial$proc_configuring-github-oauth.adoc[leveloffset=+2]
 
+include::partial$proc_configuring-bitbucket-server-oauth1.adoc[leveloffset=+2]
+
 include::partial$proc_using-protocol-based-providers.adoc[leveloffset=+1]
 
 include::example$proc_{project-context}-managing-users-using-identity-provider.adoc[leveloffset=+1]

diff --git a/...inistration-guide/partials/assembly_managing-identities-and-authorizations.adoc b/...inistration-guide/partials/assembly_managing-identities-and-authorizations.adoc
@@ -0,0 +1,18 @@
+
+
+:parent-context-of-configuring-oauth-authorization: {context}
+
+[id="managing-identities-and-authorizations_{context}"]
+= Managing identities and authorizations
+
+:context: managing-identities-and-authorizations
+
+This section describes different aspects of managing identities and authorizations of {prod}
+
+* xref:authenticating-users.adoc[]
+* xref:authorizing-users.adoc[]
+* xref:configuring-authorization.adoc[]
+* xref:removing-user-data.adoc[]
+* xref:configuring-openshift-oauth.adoc[]
+
+:context: {parent-context-of-managing-identities-and-authorizations}
diff --git a/modules/administration-guide/partials/assembly_managing-users.adoc b/modules/administration-guide/partials/assembly_managing-users.adoc
diff --git a/...les/administration-guide/partials/proc_configuring-bitbucket-server-oauth1.adoc b/...les/administration-guide/partials/proc_configuring-bitbucket-server-oauth1.adoc
@@ -0,0 +1,118 @@
+// Module included in the following assemblies:
+//
+// Configuring Bitbucket server OAuth1
+
+
+[id="proc_configuring-bitbucket-server-oauth1_{context}"]
+= Configuring Bitbucket server OAuth1
+
+OAuth1 for Bitbucket server allows for automatic obtaining and renewing link:https://confluence.atlassian.com/bitbucketserver/personal-access-tokens-939515499.html[Personal access tokens]. These tokens {prod-short} used to resolve devfile in a factory flow or it  xref:end-user-guide:authentication-against-bitbucket-server-with-the-personal-access-token.adoc[can be used in place of passwords for Git over HTTPS].
+
+
+.Prerequisites
+
+* The `{orch-cli}` tool is available.
+* Bitbucket server installed and reachable from {prod-short} server.
+
+.Procedure
+
+. Generate RSA key pair as described below or follow this guide: link:https://confluence.atlassian.com/jirakb/how-to-generate-public-key-to-application-link-3rd-party-applications-913214098.html[How to generate public key to application link 3rd party applications]
++
+[subs="+quotes,+attributes"]
+----
+openssl genrsa -out private.pem 2048
+openssl rsa -in private.pem -pubout > public.pub
+openssl pkcs8 -topk8 -inform pem -outform pem -nocrypt -in private.pem -out privatepkcs8.pem
+----
+. Generate consumer key and shared secret.
++
+[subs="+quotes,+attributes"]
+----
+openssl rand -base64 24 > bitbucket_server_consumer_key
+openssl rand -base64 24 > bitbucket_shared_secret
+----
+.  Configure an link:https://confluence.atlassian.com/adminjiraserver/using-applinks-to-link-to-other-applications-938846918.html[Application Link] in Bitbucket to allow {prod-short} communicate with your enterprise Bitbucket server.
+.. To create the Application Link:
+  In Bitbucket Server, go to **Administration** (select the cog in the top navigation bar)  > **Application Links**.
++
+image::bitbucket/bitbucket_configure_application_links.png[link="../_images/bitbucket/bitbucket_configure_application_links.png"]
+..  Enter the application URL (see Application Link details page) and select **Create new link**.
+..  Select **Continue** on the warning message. This is not a problem.
+..  Complete the form:
+   - Application Name - Enter a name to help you identify this {prod-short} instance.
+   - Application Type - Leave as Generic Application.
+   - Service Provider Name - Enter the same name you used for Application Name.
+   - Consumer Key - Specify a consumer key. That is the content of `bitbucket_server_consumer_key` file.
+   - Shared secret - Specify shared secret. That is the content of `bitbucket_shared_secret` file.
+   - Request Token URL - `{your Bitbucket Server URL}/plugins/servlet/oauth/request-token`.
+   - Access token URL - `{your Bitbucket Server URL}/plugins/servlet/oauth/access-token`.
+   - Authorize URL - `{your Bitbucket Server URL}/plugins/servlet/oauth/access-token`.
+   - Create incoming link - Select this checkbox.
++
+[NOTE]
+====
+Bitbucket is not going to communicate with {prod-short}. There is no outgoing integration.
+It doesn't really matter what value is set as in `Request Token URL`, `Access token URL`, or `Authorize URL`.
+====
++
+image::bitbucket/bitbucket_link_applications.png[link="../_images/bitbucket/bitbucket_link_applications.png"]
+.. Select **Continue**.
+..  Complete the form:
+   - Consumer Key -  Specify a consumer key. That is the content of  `bitbucket_server_consumer_key` file.
+   - Consumer name - Enter the same name you used for Application Name.
+   - Public Key  - Provide the public key of your RSA key pair `public.pub`.
++
+[NOTE]
+====
+Value of public key should not include first `----BEGIN PUBLIC KEY-----` or last `-----END PUBLIC KEY-----` lines.
+[subs="+quotes,+attributes"]
+----
+cat public.pub | sed 's/-----BEGIN PUBLIC KEY-----//g' |  sed 's/-----END PUBLIC KEY-----//g' | tr -d '\n'
+----
+====
++
+image::bitbucket/bitbucket_link_applications_step2.png[link="../_images/bitbucket/bitbucket_link_applications_step2.png"]
+. Configure Bitbucket Server integration on {prod-short}
+.. Create a Kubernetes Secret in {prod-short} namespace
++
+[subs="+quotes,+attributes"]
+----
+$ {orch-cli} apply -f - <<EOF
+kind: Secret
+apiVersion: v1
+metadata:
+  name: github-oauth-credentials
+  namespace: <...> <1>
+  labels:
+    app.kubernetes.io/part-of: che.eclipse.org
+    app.kubernetes.io/component: che-secret
+  annotations:
+    che.eclipse.org/mount-path: /home/user/eclipse-che/conf/oauth1/bitbucket
+    che.eclipse.org/mount-as: file
+data:
+  private.key: <...> <2>
+  consumer.key: <...> <3>
+  shared_secret: <...> <4>
+type: Opaque
+EOF
+----
+<1> {prod-short} namespace. The default is {prod-namespace}
+<2> base64 encoded content of `privatepkcs8.pem` without first and last lines.
+<3> base64 encoded content of `bitbucket_server_consumer_key` file.
+<4> base64 encoded content of `bitbucket_shared_secret` file.
+.. Configure {prod-short} server environment variables:
++
+[subs="+quotes,macros"]
+----
+spec:
+ server:
+   customCheProperties:
+     pass:[CHE_OAUTH1_BITBUCKET_CONSUMERKEYPATH]: '/home/user/eclipse-che/conf/oauth1/bitbucket/consumer.key'
+     pass:[CHE_OAUTH1_BITBUCKET_SHAREDSECRETPATH]: '/home/user/eclipse-che/conf/oauth1/bitbucket/shared_secret'
+     pass:[CHE_OAUTH1_BITBUCKET_PRIVATEKEYPATH]: '/home/user/eclipse-che/conf/oauth1/bitbucket/private.key'
+     pass:[CHE_OAUTH1_BITBUCKET_ENDPOINT]: 'https://{your Bitbucket Server URL}'
+     pass:[CHE_INTEGRATION_BITBUCKET_SERVER__ENDPOINTS]: 'https://{your Bitbucket Server URL}'
+
+----
++
+
diff --git a/...als/proc_configuring-openshift-oauth.adoc → ...als/proc_configuring-openshift-oauth.adoc b/...als/proc_configuring-openshift-oauth.adoc → ...als/proc_configuring-openshift-oauth.adoc
diff --git a/...tbucket-personal-access-token-secret.adoc → ...tbucket-personal-access-token-secret.adoc b/...tbucket-personal-access-token-secret.adoc → ...tbucket-personal-access-token-secret.adoc
diff --git a/modules/end-user-guide/nav.adoc b/modules/end-user-guide/nav.adoc
@@ -19,6 +19,7 @@
 ** xref:creating-a-workspace-from-code-sample.adoc[]
 ** xref:creating-a-workspace-by-importing-source-code-of-a-project.adoc[]
 ** xref:mounting-a-secret-as-a-file-or-an-environment-variable-into-a-workspace-container.adoc[]
+** xref:authentication-against-bitbucket-server-with-the-personal-access-token.adoc[]
 * xref:customizing-developer-environments.adoc[]
 ** xref:what-is-a-che-theia-plug-in.adoc[]
 ** xref:adding-a-vs-code-extension-to-a-workspace.adoc[]
@@ -31,8 +32,6 @@
 **** xref:using-jetbrains-webstorm.adoc[]
 **** xref:provisioning-jetbrains-activation-code-for-offline-use.adoc[]
 ** xref:adding-tools-to-che-after-creating-a-workspace.adoc[]
-* xref:configuring-oauth-authorization.adoc[]
-** xref:configuring-openshift-oauth.adoc[]
 * xref:using-artifact-repositories-in-a-restricted-environment.adoc[]
 ** xref:using-maven-artifact-repositories.adoc[]
 ** xref:using-gradle-artifact-repositories.adoc[]

diff --git a/...ges/authentication-against-bitbucket-server-with-the-personal-access-token.adoc b/...ges/authentication-against-bitbucket-server-with-the-personal-access-token.adoc
@@ -0,0 +1,7 @@
+[id="authentication-against-bitbucket-server-with-the-personal-access-token"]
+// = Authentication against Bitbucket Server with the personal access token
+:navtitle: Authentication against Bitbucket Server with the personal access token
+:keywords: end-user-guide, authentication-against-bitbucket-server-with-the-personal-access-token
+:page-aliases: .:authentication-against-bitbucket-server-with-the-personal-access-token
+
+include::partial$proc_configuring_bitbucket_authentication.adoc[]
diff --git a/modules/end-user-guide/pages/configuring-oauth-authorization.adoc b/modules/end-user-guide/pages/configuring-oauth-authorization.adoc
diff --git a/modules/end-user-guide/partials/assembly_configuring-oauth-authorization.adoc b/modules/end-user-guide/partials/assembly_configuring-oauth-authorization.adoc
diff --git a/...configuring_bitbucket_authentication.adoc → ...configuring_bitbucket_authentication.adoc b/...configuring_bitbucket_authentication.adoc → ...configuring_bitbucket_authentication.adoc
diff --git a/.../extensions/partials/proc_authenticating-with-openshift-connector-from-che.adoc b/.../extensions/partials/proc_authenticating-with-openshift-connector-from-che.adoc
@@ -33,7 +33,7 @@ When using a local instance of OpenShift (such as CodeReady Containers or Minish
 * A running instance of {prod-short}. To install an instance of {prod-short}, see xref:installation-guide:installing-che.adoc[].
 * A {prod-short} workspace has been created.
 * The OpenShift Connector plug-in is available.
-* The OpenShift OAuth provider is configured (only for the auto-login to the OpenShift cluster where {prod-short} is deployed. See xref:end-user-guide:configuring-openshift-oauth.adoc[]).
+* The OpenShift OAuth provider is configured (only for the auto-login to the OpenShift cluster where {prod-short} is deployed. See xref:administration-guide:configuring-openshift-oauth.adoc[]).
 
 .Procedure