Mapping of Keycloak roles to IAM*RoleBinding objects

Starting from Container Cloud 2.14.0, the Container Cloud role naming has changed. The old role names logic has been reworked and new role names are introduced.

Old-style role mappings are reflected in the Container Cloud API with the new roles and the legacy: true and legacyRole: “<oldRoleName>” fields set. If you remove the legacy flag, user-controller automatically performs the following update in Keycloak:

  • Grants the new-style role

  • Removes the old-style role mapping

Note

  • You can assign the old-style roles using Keycloak only. These roles will be synced into the Container Cloud API as the corresponding IAM*RoleBinding objects with the external: true, legacy: true, and legacyRole: “<oldRoleName>” fields set.

  • If you assign new-style roles using Keycloak, they will be synced into the Container Cloud API with the external: true field set.

Mapping of new-style Keycloak roles to IAM*RoleBinding objects

The following table describes how the IAM*RoleBinding objects in the Container Cloud API map to roles in Keycloak.

Container Cloud new role names

global-admin

bm-pool-operator

operator

user

cluster-admin

stacklight-admin

m:kaas@global-admin

1

m:kaas:{ns}@bm-pool-operator

2

m:kaas:{ns}@operator

2

m:kaas:{ns}@user

2

m:k8s:{ns}:{cluster}@cluster-admin

3

m:sl:{ns}:{cluster}@stacklight-admin

3

1

IAMGlobalRoleBinding

2(1,2,3)

IAMRoleBinding

3(1,2)

IAMClusterRoleBinding

Mapping of old-style Keycloak roles to IAM*RoleBinding objects

The following table describes how the role names available before the Container Cloud 2.14.0 map with the current IAM*RoleBinding objects in the Container Cloud API map:

Container Cloud new role names

global-admin

bm-pool-operator

operator

user

cluster-admin

stacklight-admin

m:kaas@writer

4

4

m:kaas@reader

4

m:kaas@operator

4

m:kaas:{ns}@writer

5

m:kaas:{ns}@reader

5

m:k8s:{ns}:{cluster}@cluster-admin

6

m:sl:{ns}:{cluster}@admin

6

4(1,2,3,4)

IAMGlobalRoleBinding

5(1,2)

IAMRoleBinding

6(1,2)

IAMClusterRoleBinding

Examples of mapping between Keycloak roles and IAM*RoleBinding objects

The following tables contain several examples of role assignment either through Keycloak or the Container Cloud IAM objects with the corresponding role mappings for each use case.

Examples of roles assigned through IAM objects

Use case

Namespace operator role binding

IAM*RoleBinding example

apiVersion: iam.mirantis.com/v1alpha1
kind: IAMRoleBinding
metadata:
  namespace: ns1
  name: user1-operator
role:
  name: operator
user:
  name: user1-f150d839

Mapped role in Keycloak

The role m:kaas:ns1@operator assigned to user1.

Use case

Cluster-admin role assigned globally

IAM*RoleBinding example

apiVersion: iam.mirantis.com/v1alpha1
kind: IAMGlobalRoleBinding
metadata:
  name: user1-global-cluster-admin
role:
  name: cluster-admin
user:
  name: user1-f150d839

Mapped role in Keycloak

For example, if you have two namespaces (ns1, ns2) and two clusters in each namespace, the following roles are created in Keycloak:

  • m:k8s:ns1:cluster1@cluster-admin

  • m:k8s:ns1:cluster2@cluster-admin

  • m:k8s:ns2:cluster3@cluster-admin

  • m:k8s:ns2:cluster4@cluster-admin

If you create a new cluster5 in ns2, the user is automatically assigned a new role in Keycloak: m:k8s:ns2:cluster5@cluster-admin.

The following table provides the new-style and old-style examples on how a role assigned to a user through Keycloak will be translated into IAM objects.

Examples of roles assigned through Keycloak

Role type

New-style role

Role example in Keycloak

The role m:kaas:ns1@operator is assigned to user1.

The external: true flag defines the role that was assigned through Keycloak and only after that synced with the Container Cloud API object.

Mapped IAM*RoleBinding example

apiVersion: iam.mirantis.com/v1alpha1
kind: IAMRoleBinding
metadata:
  namespace: ns1
  name: user1-f150d839-operator
external: true
role:
  name: operator
user:
  name: user1-f150d839

Role type

Old-style role

Role example in Keycloak

The role m:kaas@writer assigned to user1.

Creation of this role through Keycloak triggers creation of two IAMGlobalRoleBindings: global-admin and operator.


To migrate the old-style m:kaas@writer role to the new-style roles, remove the legacy: true flag in two API objects.

For example, if you have two namespaces (ns1 and ns2) and remove the legacy: true flag from both IAMGlobalRoleBindings mentioned above, the old-style m:kaas@writer role will be substituted by the following roles in Keycloak:

  • m:kaas@global-admin

  • m:kaas:ns1@operator

  • m:kaas:ns2@operator

If you create a new ns3, user1 is automatically assigned a new role m:kaas:ns3@operator.

If you do not remove the legacy flag from IAMGlobalRoleBindings, only one role remains in Keycloak - m:kaas@writer.

Mapped IAM*RoleBinding example

apiVersion: iam.mirantis.com/v1alpha1
kind: IAMGlobalRoleBinding
metadata:
  name: user1-f150d839-global-admin
external: true
legacy: true
legacyRole: m:kaas@writer
role:
  name: global-admin
user:
  name: user1-f150d839
apiVersion: iam.mirantis.com/v1alpha1
kind: IAMGlobalRoleBinding
metadata:
  name: user1-f150d839-operator
external: true
legacy: true
legacyRole: m:kaas@writer
role:
  name: operator
user:
  name: user1-f150d839