Manage user roles through Container Cloud API
You can manage IAM user role bindings through Container Cloud API. For the API reference of the IAM custom resources, see IAM resources. You can also manage user roles using the Container Cloud web UI.
Note
User management for the Mirantis OpenStack for Kubernetes m:os roles is not yet available through API or web UI. Therefore, continue managing these roles using Keycloak.
You can use the following objects depending on the way you want the role to be assigned to the user:
IAMGlobalRoleBinding for global role bindings
Any IAM role can be used in IAMGlobalRoleBinding and will be applied globally, not limited to a specific project or cluster. For example, the global-admin role.
IAMRoleBinding for project role bindings
Any role except the global-admin one applies. For example, using the operator and user IAM roles in IAMRoleBinding of the example project corresponds to assigning m:kaas:example@operator/user in Keycloak. You can also use these IAM roles in IAMGlobalRoleBinding. In this case, the roles corresponding to every project will be assigned to a user in Keycloak.
IAMClusterRoleBinding for cluster role bindings
Only the cluster-admin and stacklight-admin roles apply to IAMClusterRoleBinding. Creation of such objects corresponds to the assignment of m:k8s:namespace:cluster@cluster-admin/stacklight-admin in Keycloak. You can also bind these roles to either IAMGlobalRoleBinding or IAMRoleBinding. In this case, the roles corresponding to all clusters in all projects or in one particular project will be assigned to a user.
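The mapping described in the list above, as an added example that is not part of the Mirantis documentation or product code: it expands a binding into the Keycloak role names it corresponds to, which shows how far a cluster role fans out when it is bound at project or global level. The function name, the inventory structure and the sample data are assumptions, as is reading namespace and cluster in the page's pattern as the project and cluster names.

```python
# Added example: expand IAM*RoleBinding objects into the Keycloak role names
# they correspond to, using only the two patterns quoted on this page.
PROJECT_ROLES = {"operator", "user"}                   # m:kaas:<project>@<role>
CLUSTER_ROLES = {"cluster-admin", "stacklight-admin"}  # m:k8s:<project>:<cluster>@<role>
KINDS = {"IAMGlobalRoleBinding", "IAMRoleBinding", "IAMClusterRoleBinding"}


def keycloak_roles(kind, role, inventory, project=None, cluster=None):
    """Return the Keycloak roles one binding grants.

    inventory maps project -> list of cluster names (an assumed structure;
    a real audit would build it from the management cluster).
    """
    if kind not in KINDS:
        raise ValueError(f"unknown binding kind: {kind}")
    if kind == "IAMClusterRoleBinding" and role not in CLUSTER_ROLES:
        raise ValueError(f"{role} cannot be used in IAMClusterRoleBinding")
    if kind == "IAMRoleBinding" and role == "global-admin":
        raise ValueError("global-admin cannot be used in IAMRoleBinding")
    if role not in PROJECT_ROLES | CLUSTER_ROLES:
        raise LookupError(f"the page gives no Keycloak pattern for {role}")
    if kind != "IAMGlobalRoleBinding" and project not in inventory:
        raise ValueError(f"unknown project: {project}")

    # Scope: a global binding fans out to every project, the others to one.
    projects = sorted(inventory) if kind == "IAMGlobalRoleBinding" else [project]
    if role in PROJECT_ROLES:
        return [f"m:kaas:{p}@{role}" for p in projects]
    # Cluster roles: one cluster for IAMClusterRoleBinding, else every cluster in scope.
    if kind == "IAMClusterRoleBinding":
        if cluster not in inventory[project]:
            raise ValueError(f"unknown cluster: {project}/{cluster}")
        return [f"m:k8s:{project}:{cluster}@{role}"]
    return [f"m:k8s:{p}:{c}@{role}" for p in projects for c in inventory[p]]


# Constructed inventory and bindings, for illustration only.
INVENTORY = {"example": ["c1", "c2"], "staging": ["c3"]}
BINDINGS = [
    ("IAMRoleBinding", "operator", "example", None),
    ("IAMClusterRoleBinding", "stacklight-admin", "example", "c1"),
    ("IAMRoleBinding", "cluster-admin", "example", None),
    ("IAMGlobalRoleBinding", "cluster-admin", None, None),
]

if __name__ == "__main__":
    for kind, role, project, cluster in BINDINGS:
        granted = keycloak_roles(kind, role, INVENTORY, project, cluster)
        print(f"{kind:22} {role:17} -> {len(granted)} role(s): {granted}")
```

Roles whose Keycloak name the page does not state, such as global-admin, raise LookupError rather than being guessed.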
This section describes available IAM roles with use cases and the Container Cloud API IAM*RoleBinding mapping with Keycloak.