Federation

MOSK integrates with the Mirantis Container Cloud Identity and Access Management (IAM) subsystem to allow centralized management of users and their permissions across multiple clouds.

The core component of Container Cloud IAM is Keycloak, the open-source identity and access management software. Its primary function is to securely authenticate cloud users against its built-in user database or against external identity sources, such as LDAP directories or OpenID Connect and SAML compatible identity providers.

By default, every MOSK cluster is integrated with the Keycloak instance running in the Container Cloud management cluster. The integration automatically provisions the necessary configuration on both the MOSK and Container Cloud IAM sides, such as the os client object in Keycloak. However, for federated users to obtain the proper permissions after logging in, the cloud operator must define the role mapping rules specific to each MOSK environment.

Connecting to Keycloak

MOSK enables you to connect to the Keycloak identity provider through the following structure in the OpenStackDeployment custom resource:

spec:
  features:
    keystone:
      keycloak:
        enabled: true
        url: https://keycloak.it.just.works
        oidc:
          OIDCSSLValidateServer: false
          OIDCOAuthSSLValidateServer: false
          OIDCScope: "openid email profile groups"

Connecting to external identity provider

Available since MOSK 24.3 TechPreview

MOSK enables you to connect an external identity provider directly to Keystone through the following structure in the OpenStackDeployment custom resource:

spec:
  features:
    keystone:
      federations:
        openid:
          enabled: true
          oidc_auth_type: oauth2
          providers:
            keycloak:
              issuer: https://keycloak.it.just.works/auth/realms/iam
              mapping:
              - local:
                - user:
                    email: '{1}'
                    name: '{0}'
                - domain:
                    name: Default
                  groups: '{2}'
                remote:
                - type: OIDC-iam_username
                - type: OIDC-email
                - type: OIDC-iam_roles
              metadata:
                client:
                  client_id: os
                conf:
                  response_type: id_token
                  scope: openid email profile
                  ssl_validate_server: false
                provider:
                  value_from:
                    from_url:
                      url: https://keycloak.it.just.works/auth/realms/iam/.well-known/openid-configuration
            okta:
              description: OKTA provider
              enabled: true
              issuer: https://dev-68495932.okta.com/oauth2/default
              mapping:
              - local:
                - user:
                    email: '{1}'
                    name: '{0}'
                - domain:
                    name: Default
                  groups: m:os@admin
                remote:
                - type: OIDC-name
                - type: OIDC-email
              metadata:
                client:
                  client_id: 0oaixfwyqcAkCbC335d7
                  client_secret: aKOtnqHwu37ricQJfOD9ShECqj7DY7SVHgh8nm1NwlAhGbQjGqREHencsGagyfmQ
                conf: {}
                provider:
                  value_from:
                    from_url:
                      url: https://dev-68495932.okta.com/oauth2/default/.well-known/openid-configuration
              oauth2:
                OAuth2TokenVerify: jwks_uri https://dev-68495932.okta.com/oauth2/default/v1/keys
              token_endpoint: https://dev-68495932.okta.com/oauth2/default/v1/token

The oidc_auth_type parameter specifies which Apache module handles the OpenID Connect authentication: oauth20 or oauth2. The oauth20 module is deprecated and superseded by the newer oauth2 module. Configuring two or more identity providers is supported only with the oauth2 module.
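To show how the mapping section of the configuration above is evaluated, here is an added example (not code from MOSK or Keystone) that applies the keycloak provider's rule to constructed OIDC claims and substitutes the {N} placeholders from the remote list. The claim values are constructed, and the handling of a missing claim is an assumption modelled on Keystone's direct mapping behaviour.

```python
"""Evaluate a Keystone federation mapping rule against OIDC claims.

Added example, not MOSK's or Keystone's own code. KEYCLOAK_MAPPING is the
keycloak provider mapping from the sample above; claim values are
constructed. Keystone replaces '{N}' in `local` with the value of the
N-th `remote` entry, so the order of `remote` decides which claim lands
in which local field.
"""
import re

KEYCLOAK_MAPPING = [{
    "local": [
        {"user": {"email": "{1}", "name": "{0}"}},
        {"domain": {"name": "Default"}, "groups": "{2}"},
    ],
    "remote": [
        {"type": "OIDC-iam_username"},
        {"type": "OIDC-email"},
        {"type": "OIDC-iam_roles"},
    ],
}]

_PLACEHOLDER = re.compile(r"\{(\d+)\}")

def _substitute(node, values):
    """Replace every '{N}' in the string leaves of node with values[N]."""
    if isinstance(node, str):
        return _PLACEHOLDER.sub(lambda m: values[int(m.group(1))], node)
    if isinstance(node, dict):
        return {k: _substitute(v, values) for k, v in node.items()}
    if isinstance(node, list):
        return [_substitute(v, values) for v in node]
    return node

def apply_mapping(mapping, claims):
    """Return the merged local attributes of the first rule whose `remote`
    claims are all present, or None when no rule applies (the federated
    login is then rejected). `claims` models the OIDC-* variables the
    Apache OIDC module exports to Keystone, one string value per claim."""
    for rule in mapping:
        try:
            values = [claims[r["type"]] for r in rule["remote"]]
        except KeyError:
            continue  # a required claim is absent: this rule does not match
        merged = {}
        for item in rule["local"]:
            merged.update(_substitute(item, values))
        return merged
    return None
```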