Federation
MOSK integrates with the Mirantis Container Cloud Identity and Access Management (IAM) subsystem to allow centralized management of users and their permissions across multiple clouds.
The core component of Container Cloud IAM is Keycloak, the open-source identity and access management software. Its primary function is to authenticate cloud users securely against its built-in user database or against external identity sources, such as LDAP directories and OpenID Connect- or SAML-compatible identity providers.
By default, every MOSK cluster is integrated with the Keycloak running in the Container Cloud management cluster. The integration automatically provisions the necessary configuration on the MOSK and Container Cloud IAM sides, such as the os client object in Keycloak. However, for the federated users to get proper permissions after logging in, the cloud operator needs to define the role mapping rules specific to each MOSK environment.
Connecting to Keycloak
MOSK enables you to connect to the Keycloak identity provider through the following structure in the OpenStackDeployment custom resource:
spec:
  features:
    keystone:
      keycloak:
        enabled: true
        url: https://keycloak.it.just.works
        oidc:
          OIDCSSLValidateServer: false
          OIDCOAuthSSLValidateServer: false
          OIDCScope: "openid email profile groups"
Connecting to external identity provider
Available since MOSK 24.3 (TechPreview)
MOSK enables you to connect an external identity provider to Keystone directly through the following structure in the OpenStackDeployment custom resource:
spec:
  features:
    keystone:
      federations:
        openid:
          enabled: true
          oidc_auth_type: oauth2
          providers:
            keycloak:
              issuer: https://keycloak.it.just.works/auth/realms/iam
              mapping:
                - local:
                    - user:
                        email: '{1}'
                        name: '{0}'
                    - domain:
                        name: Default
                      groups: '{2}'
                  remote:
                    - type: OIDC-iam_username
                    - type: OIDC-email
                    - type: OIDC-iam_roles
              metadata:
                client:
                  client_id: os
                conf:
                  response_type: id_token
                  scope: openid email profile
                  ssl_validate_server: false
                provider:
                  value_from:
                    from_url:
                      url: https://keycloak.it.just.works/auth/realms/iam/.well-known/openid-configuration
            okta:
              description: OKTA provider
              enabled: true
              issuer: https://dev-68495932.okta.com/oauth2/default
              mapping:
                - local:
                    - user:
                        email: '{1}'
                        name: '{0}'
                    - domain:
                        name: Default
                      groups: m:os@admin
                  remote:
                    - type: OIDC-name
                    - type: OIDC-email
              metadata:
                client:
                  client_id: 0oaixfwyqcAkCbC335d7
                  client_secret: aKOtnqHwu37ricQJfOD9ShECqj7DY7SVHgh8nm1NwlAhGbQjGqREHencsGagyfmQ
                conf: {}
                provider:
                  value_from:
                    from_url:
                      url: https://dev-68495932.okta.com/oauth2/default/.well-known/openid-configuration
                oauth2:
                  OAuth2TokenVerify: jwks_uri https://dev-68495932.okta.com/oauth2/default/v1/keys
                  token_endpoint: https://dev-68495932.okta.com/oauth2/default/v1/token
The oidc_auth_type parameter specifies the Apache module to use: oauth20 or oauth2. The oauth20 functionality is deprecated and superseded by the new oauth2 module. You can configure two or more identity providers only with the oauth2 module.
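The following Python script is an added example, not part of the MOSK documentation or product code. It shows two things an operator wants to know before applying the snippets above: which local Keystone identity a set of OIDC claims resolves to under the mapping rules (the '{N}' placeholders in local are replaced by the value of the N-th remote attribute), and which settings in the two snippets weaken the deployment: IdP TLS validation switched off (OIDCSSLValidateServer, OIDCOAuthSSLValidateServer, ssl_validate_server), a client secret embedded in the custom resource, a static group such as m:os@admin handed to every federated user, and several providers combined with the deprecated oauth20 module. The Keystone mapping engine is modelled in simplified form (first matching rule wins); the SPEC dict is a constructed, trimmed copy of the page's YAML with the secret replaced by a placeholder, and the claim values are invented.

```python
"""Added example (not MOSK code): resolve Keystone-style federation mapping
rules against OIDC claims, and audit the OpenStackDeployment federation
settings for weak configuration. SPEC mirrors the page's YAML (trimmed;
secret replaced by a placeholder); claims in the demo are constructed."""
from __future__ import annotations

from typing import Any

SPEC: dict[str, Any] = {"keystone": {
    "keycloak": {"enabled": True, "url": "https://keycloak.it.just.works",
                 "oidc": {"OIDCSSLValidateServer": False,
                          "OIDCOAuthSSLValidateServer": False,
                          "OIDCScope": "openid email profile groups"}},
    "federations": {"openid": {
        "enabled": True, "oidc_auth_type": "oauth2",
        "providers": {
            "keycloak": {
                "mapping": [{"local": [{"user": {"email": "{1}", "name": "{0}"}},
                                       {"domain": {"name": "Default"}, "groups": "{2}"}],
                             "remote": [{"type": "OIDC-iam_username"},
                                        {"type": "OIDC-email"},
                                        {"type": "OIDC-iam_roles"}]}],
                "metadata": {"client": {"client_id": "os"},
                             "conf": {"response_type": "id_token",
                                      "scope": "openid email profile",
                                      "ssl_validate_server": False}}},
            "okta": {
                "mapping": [{"local": [{"user": {"email": "{1}", "name": "{0}"}},
                                       {"domain": {"name": "Default"}, "groups": "m:os@admin"}],
                             "remote": [{"type": "OIDC-name"}, {"type": "OIDC-email"}]}],
                "metadata": {"client": {"client_id": "0oaixfwyqcAkCbC335d7",
                                        "client_secret": "<secret-placeholder>"},
                             "conf": {}}}}}}}}


def _substitute(obj: Any, values: list[str]) -> Any:
    """Replace '{N}' placeholders with the N-th remote attribute value, recursively."""
    if isinstance(obj, str):
        return obj.format(*values)
    if isinstance(obj, dict):
        return {k: _substitute(v, values) for k, v in obj.items()}
    return obj


def resolve_mapping(rules: list[dict], claims: dict[str, str]) -> dict | None:
    """Return the local identity produced by the first rule whose every `remote`
    attribute is present in `claims`; None if no rule matches (simplified model)."""
    for rule in rules:
        try:
            values = [claims[r["type"]] for r in rule["remote"]]
        except KeyError:
            continue  # a claim named in `remote` is missing, so this rule does not apply
        local: dict[str, Any] = {}
        for item in rule["local"]:
            for key, val in item.items():
                local[key] = _substitute(val, values)
        return local
    return None


def audit(spec: dict[str, Any]) -> list[str]:
    """List federation settings a reviewer should question before applying the CR."""
    findings: list[str] = []
    keystone = spec["keystone"]
    oidc = keystone.get("keycloak", {}).get("oidc", {})
    for directive in ("OIDCSSLValidateServer", "OIDCOAuthSSLValidateServer"):
        if oidc.get(directive) is False:
            findings.append(f"keycloak.oidc.{directive} is false: the IdP's TLS certificate is not verified")
    openid = keystone.get("federations", {}).get("openid", {})
    providers = openid.get("providers", {})
    if openid.get("oidc_auth_type") == "oauth20" and len(providers) > 1:
        findings.append("oauth20 is deprecated and supports a single provider; switch to oauth2")
    for name, prov in providers.items():
        meta = prov.get("metadata", {})
        if meta.get("conf", {}).get("ssl_validate_server") is False:
            findings.append(f"providers.{name}: ssl_validate_server is false")
        if "client_secret" in meta.get("client", {}):
            findings.append(f"providers.{name}: client_secret is embedded in the custom resource; treat the manifest as a secret")
        for rule in prov.get("mapping", []):
            for item in rule.get("local", []):
                groups = item.get("groups")
                if isinstance(groups, str) and "{" not in groups:
                    findings.append(f"providers.{name}: every federated user is placed in the static group {groups!r}")
    return findings


if __name__ == "__main__":
    # Constructed claims, shaped like what the page's Keycloak realm would assert.
    claims = {"OIDC-iam_username": "alice", "OIDC-email": "alice@example.com",
              "OIDC-iam_roles": "m:os@member"}
    rules = SPEC["keystone"]["federations"]["openid"]["providers"]["keycloak"]["mapping"]
    print(resolve_mapping(rules, claims))
    for finding in audit(SPEC):
        print("-", finding)
```

Run against the page's two snippets, the audit reports the three disabled TLS checks, the embedded Okta client secret and the static m:os@admin group; the mapping resolver makes visible that the Keycloak rule derives groups from the OIDC-iam_roles claim while the Okta rule grants the same group to anyone the provider authenticates.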