IAM resources

This section contains descriptions and examples of the IAM resources for Mirantis Container Cloud. For management details, see Manage user roles through Container Cloud API.


IAMUser

IAMUser is the Cluster (non-namespaced) object. Its objects are synced from Keycloak that is they are created upon user creation in Keycloak and deleted user upon deletion in Keycloak. The IAMUser is exposed as read-only to all users. It contains the following fields:

  • apiVersion

    API version of the object that is iam.mirantis.com/v1alpha1

  • kind

    Object type that is IAMUser

  • metadata

    Object metadata that contains the following field:

    • name

      Sanitized user name without special characters with first 8 symbols of the user UUID appended to the end

  • displayName

    Name of the user as defined in the Keycloak database

  • externalID

    ID of the user as defined in the Keycloak database

Configuration example:

apiVersion: iam.mirantis.com/v1alpha1
kind: IAMUser
metadata:
  name: userone-f150d839
displayName: userone
externalID: f150d839-d03a-47c4-8a15-4886b7349791

IAMRole

IAMRole is the read-only cluster-level object that can have global, namespace, or cluster scope. It contains the following fields:

  • apiVersion

    API version of the object that is iam.mirantis.com/v1alpha1.

  • kind

    Object type that is IAMRole.

  • metadata

    Object metadata that contains the following field:

    • name

      Role name. Possible values are: global-admin, cluster-admin, operator, bm-pool-operator, user, member, stacklight-admin, management-admin.

      For details on user role assignment, see Manage user roles through Container Cloud API.

      Note

      The management-admin role is available since Container Cloud 2.25.0 (Cluster releases 17.0.0, 16.0.0, 14.1.0).

  • description

    Role description.

  • scope

    Role scope.

Configuration example:

apiVersion: iam.mirantis.com/v1alpha1
kind: IAMRole
metadata:
  name: global-admin
description: Gives permission to manage IAM role bindings in the Container Cloud deployment.
scope: global

IAMGlobalRoleBinding

IAMGlobalRoleBinding is the Cluster (non-namespaced) object that should be used for global role bindings in all namespaces. This object is accessible to users with the global-admin IAMRole assigned through the IAMGlobalRoleBinding object. The object contains the following fields:

  • apiVersion

    API version of the object that is iam.mirantis.com/v1alpha1.

  • kind

    Object type that is IAMGlobalRoleBinding.

  • metadata

    Object metadata that contains the following field:

    • name

      Role binding name. If the role binding is user-created, user can set any unique name. If a name relates to a binding that is synced by user-controller from Keycloak, the naming convention is <username>-<rolename>.

  • role

    Object role that contains the following field:

    • name

      Role name.

  • user

    Object name that contains the following field:

    • name

      Name of the iamuser object that the defined role is provided to. Not equal to the user name in Keycloak.

  • legacy

    Defines whether the role binding is legacy. Possible values are true or false.

  • legacyRole

    Applicable when the legacy field value is true. Defines the legacy role name in Keycloak.

  • external

    Defines whether the role is assigned through Keycloak and is synced by user-controller with the Container Cloud API as the IAMGlobalRoleBinding object. Possible values are true or false.

Caution

If you create the IAM*RoleBinding, do not set or modify the legacy, legacyRole, and external fields unless absolutely necessary and you understand all implications.

Configuration example:

apiVersion: iam.mirantis.com/v1alpha1
kind: IAMGlobalRoleBinding
metadata:
  name: userone-global-admin
role:
  name: global-admin
user:
  name: userone-f150d839
external: false
legacy: false
legacyRole: “”

IAMRoleBinding

IAMRoleBinding is the namespaced object that represents a grant of one role to one user in all clusters of the namespace. It is accessible to users that have either of the following bindings assigned to them:

  • IAMGlobalRoleBinding that binds them with the global-admin, operator, or user iamRole. For user, the bindings are read-only.

  • IAMRoleBinding that binds them with the operator or user iamRole in a particular namespace. For user, the bindings are read-only.

  • apiVersion

    API version of the object that is iam.mirantis.com/v1alpha1.

  • kind

    Object type that is IAMRoleBinding.

  • metadata

    Object metadata that contains the following fields:

    • namespace

      Namespace that the defined binding belongs to.

    • name

      Role binding name. If the role is user-created, user can set any unique name. If a name relates to a binding that is synced from Keycloak, the naming convention is <userName>-<roleName>.

  • legacy

    Defines whether the role binding is legacy. Possible values are true or false.

  • legacyRole

    Applicable when the legacy field value is true. Defines the legacy role name in Keycloak.

  • external

    Defines whether the role is assigned through Keycloak and is synced by user-controller with the Container Cloud API as the IAMGlobalRoleBinding object. Possible values are true or false.

Caution

If you create the IAM*RoleBinding, do not set or modify the legacy, legacyRole, and external fields unless absolutely necessary and you understand all implications.

  • role

    Object role that contains the following field:

    • name

      Role name.

  • user

    Object user that contains the following field:

    • name

      Name of the iamuser object that the defined role is granted to. Not equal to the user name in Keycloak.

Configuration example:

apiVersion: iam.mirantis.com/v1alpha1
kind: IAMRoleBinding
metadata:
  namespace: nsone
  name: userone-operator
external: false
legacy: false
legacyRole: “”
role:
  name: operator
user:
  name: userone-f150d839

IAMClusterRoleBinding

IAMClusterRoleBinding is the namespaced object that represents a grant of one role to one user on one cluster in the namespace.This object is accessible to users that have either of the following bindings assigned to them:

  • IAMGlobalRoleBinding that binds them with the global-admin, operator, or user iamRole. For user, the bindings are read-only.

  • IAMRoleBinding that binds them with the operator or user iamRole in a particular namespace. For user, the bindings are read-only.

The IAMClusterRoleBinding object contains the following fields:

  • apiVersion

    API version of the object that is iam.mirantis.com/v1alpha1.

  • kind

    Object type that is IAMClusterRoleBinding.

  • metadata

    Object metadata that contains the following fields:

    • namespace

      Namespace of the cluster that the defined binding belongs to.

    • name

      Role binding name. If the role is user-created, user can set any unique name. If a name relates to a binding that is synced from Keycloak, the naming convention is <userName>-<roleName>-<clusterName>.

  • role

    Object role that contains the following field:

    • name

      Role name.

  • user

    Object user that contains the following field:

    • name

      Name of the iamuser object that the defined role is granted to. Not equal to the user name in Keycloak.

  • cluster

    Object cluster that contains the following field:

    • name

      Name of the cluster on which the defined role is granted.

  • legacy

    Defines whether the role binding is legacy. Possible values are true or false.

  • legacyRole

    Applicable when the legacy field value is true. Defines the legacy role name in Keycloak.

  • external

    Defines whether the role is assigned through Keycloak and is synced by user-controller with the Container Cloud API as the IAMGlobalRoleBinding object. Possible values are true or false.

Caution

If you create the IAM*RoleBinding, do not set or modify the legacy, legacyRole, and external fields unless absolutely necessary and you understand all implications.

Configuration example:

apiVersion: iam.mirantis.com/v1alpha1
kind: IAMClusterRoleBinding
metadata:
  namespace: nsone
  name: userone-clusterone-admin
role:
  name: cluster-admin
user:
  name: userone-f150d839
cluster:
  name: clusterone
legacy: false
legacyRole: “”
external: false