Mapping of Keycloak roles to IAM*RoleBinding objects

Starting from Container Cloud 2.14.0, the Container Cloud role naming has changed: the old role naming logic has been reworked and new role names are introduced.

Old-style role mappings are reflected in the Container Cloud API with the new roles and the `legacy: true` and `legacyRole: "<oldRoleName>"` fields set. If you remove the `legacy` flag, user-controller automatically performs the following update in Keycloak:

- Grants the new-style role
- Removes the old-style role mapping
Note

You can assign the old-style roles using Keycloak only. These roles are synced into the Container Cloud API as the corresponding IAM*RoleBinding objects with the `external: true`, `legacy: true`, and `legacyRole: "<oldRoleName>"` fields set. If you assign new-style roles using Keycloak, they are synced into the Container Cloud API with the `external: true` field set.
Mapping of new-style Keycloak roles to IAM*RoleBinding objects

The following table describes how the IAM*RoleBinding objects in the Container Cloud API map to roles in Keycloak. The columns are the Container Cloud new role names; the rows are the Keycloak roles.

Keycloak role | global-admin | bm-pool-operator | operator | user | cluster-admin | stacklight-admin |
---|---|---|---|---|---|---|
m:kaas@global-admin | | | | | | |
m:kaas@management-admin (since 2.25.0 (17.0.0, 16.0.0, 14.1.0)) | | | | | | |
m:kaas:{ns}@bm-pool-operator | | | | | | |
m:kaas:{ns}@operator | | | | | | |
m:kaas:{ns}@user | | | | | | |
m:k8s:{ns}:{cluster}@cluster-admin | | | | | | |
m:sl:{ns}:{cluster}@stacklight-admin | | | | | | |
Mapping of old-style Keycloak roles to IAM*RoleBinding objects

The following table describes how the role names available before Container Cloud 2.14.0 map to the current IAM*RoleBinding objects in the Container Cloud API. The columns are the Container Cloud new role names; the rows are the old-style Keycloak roles.

Old-style Keycloak role | global-admin | bm-pool-operator | operator | user | cluster-admin | stacklight-admin |
---|---|---|---|---|---|---|
m:kaas@writer | | | | | | |
m:kaas@reader | | | | | | |
m:kaas@operator | | | | | | |
m:kaas:{ns}@writer | | | | | | |
m:kaas:{ns}@reader | | | | | | |
m:k8s:{ns}:{cluster}@cluster-admin | | | | | | |
m:sl:{ns}:{cluster}@admin | | | | | | |
Examples of mapping between Keycloak roles and IAM*RoleBinding objects

The following tables contain several examples of role assignment either through Keycloak or through the Container Cloud IAM objects, with the corresponding role mappings for each use case.

Use case: Namespace operator role binding

IAM*RoleBinding example:

```yaml
apiVersion: iam.mirantis.com/v1alpha1
kind: IAMRoleBinding
metadata:
  namespace: ns1
  name: user1-operator
role:
  name: operator
user:
  name: user1-f150d839
```

Mapped role in Keycloak: The role

Use case: Cluster-admin role assigned globally

IAM*RoleBinding example:

```yaml
apiVersion: iam.mirantis.com/v1alpha1
kind: IAMGlobalRoleBinding
metadata:
  name: user1-global-cluster-admin
role:
  name: cluster-admin
user:
  name: user1-f150d839
```

Mapped role in Keycloak:
For example, if you have two namespaces (
If you create a new
The following table provides new-style and old-style examples of how a role assigned to a user through Keycloak is translated into IAM objects.

Role type: New-style role

Role example in Keycloak: The role The

Mapped IAM*RoleBinding example:

```yaml
apiVersion: iam.mirantis.com/v1alpha1
kind: IAMRoleBinding
metadata:
  namespace: ns1
  name: user1-f150d839-operator
external: true
role:
  name: operator
user:
  name: user1-f150d839
```

Role type: Old-style role

Role example in Keycloak:
The role Creation of this role through Keycloak triggers creation of two
To migrate the old-style For example, if you have two namespaces (
If you create a new If you do not remove the

Mapped IAM*RoleBinding example:

```yaml
apiVersion: iam.mirantis.com/v1alpha1
kind: IAMGlobalRoleBinding
metadata:
  name: user1-f150d839-global-admin
external: true
legacy: true
legacyRole: m:kaas@writer
role:
  name: global-admin
user:
  name: user1-f150d839
---
apiVersion: iam.mirantis.com/v1alpha1
kind: IAMGlobalRoleBinding
metadata:
  name: user1-f150d839-operator
external: true
legacy: true
legacyRole: m:kaas@writer
role:
  name: operator
user:
  name: user1-f150d839
```
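As an added illustration (not user-controller or any Mirantis code), the following Python model projects a Keycloak role string of the `m:<service>[:<ns>[:<cluster>]]@<role>` shape used in the tables above onto the IAM*RoleBinding object that would be synced, generalising the two Keycloak-side examples to any global or namespaced kaas role. The regex, the function name and the legacy table (which covers only `m:kaas@writer`, the single old-style expansion this page shows) are my assumptions; cluster-scoped objects are not modelled because their shape is not shown here.

```python
"""Model of how a Keycloak role string becomes an IAM*RoleBinding object."""
import re

# Role string shape used on this page: m:<service>[:<ns>[:<cluster>]]@<role>
ROLE_RE = re.compile(
    r"^m:(?P<service>kaas|k8s|sl)"
    r"(?::(?P<ns>[^:@]+))?(?::(?P<cluster>[^:@]+))?@(?P<role>[^@]+)$"
)

# Old-style roles and the new-style roles they expand to. Only m:kaas@writer
# is expanded on this page (global-admin + operator); other rows not modelled.
LEGACY_ROLES = {"m:kaas@writer": ["global-admin", "operator"]}


def keycloak_role_to_bindings(role, user):
    """Return the IAM*RoleBinding objects synced for one Keycloak role.

    Bindings synced from Keycloak carry external: true; old-style roles
    additionally carry legacy: true and legacyRole: <old role name>.
    """
    m = ROLE_RE.match(role)
    if not m:
        raise ValueError(f"unrecognised Keycloak role: {role}")
    if m.group("cluster"):
        # Cluster-scoped binding objects are not shown on this page.
        raise ValueError(f"cluster-scoped role not modelled: {role}")
    ns = m.group("ns")
    new_roles = LEGACY_ROLES.get(role)
    is_legacy = new_roles is not None
    if not is_legacy:
        new_roles = [m.group("role")]
    bindings = []
    for new_role in new_roles:
        metadata = {"name": f"{user}-{new_role}"}  # naming as in the examples
        if ns:
            metadata["namespace"] = ns
        obj = {
            "apiVersion": "iam.mirantis.com/v1alpha1",
            "kind": "IAMRoleBinding" if ns else "IAMGlobalRoleBinding",
            "metadata": metadata,
            "external": True,
            "role": {"name": new_role},
            "user": {"name": user},
        }
        if is_legacy:
            obj["legacy"] = True
            obj["legacyRole"] = role
        bindings.append(obj)
    return bindings
```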