Introduction
Datasance PoT integrates Keycloak as its identity and access management (IAM) solution to provide secure authentication and authorization across the platform. By leveraging Keycloak, PoT ensures a centralized and scalable approach to manage user identities, roles, and permissions. This integration enables robust Role-Based Access Control (RBAC) for users, ensuring secure access to critical edge infrastructure and applications. With Keycloak, Datasance PoT supports Single Sign-On (SSO) and identity federation, streamlining user management while enhancing security, making it an ideal solution for enterprises operating in dynamic and distributed environments.
Roles and permissions
By default preconfigured Datasance PoT realm comes with below Realm level roles:
- pot-Admin
- pot-SRE
- pot-Developer
- pot-Viewer
By default preconfigured Datasance PoT realm comes with two client pot-controller
and ecn-viewer
.
ecn-viewer
client comes with Standard Flow
, pot-controller
client comes with Direct access grants
and Service accounts roles
Both pot-controller
and ecn-viewer
client has tree roles: SRE
, Developer
and Viewer
Below you can find how realm Level roles are associated with Client level roles.
Realm Role | pot-controller | ecn-viewer |
---|---|---|
pot-Admin | SRE | SRE |
pot-SRE | SRE | SRE |
pot-Developer | Developer | Developer |
pot-Viewer | Viewer | Viewer |
Only users with pot-Admin
roles can access Keycloak console and add or remove users, configure realm settings.
It is important to note that you have never change the client level roles as Controller
's REST-API endpoints protected against user's associated client level roles.
SRE
's can deploy, manage and configure both Agents, System Applications, Applications and Microservices.Developer
's can deploy, manage and configure Applications and Microservices.Viewer
's can only view the cluster resources.
By default users with Developer
and Viewer
roles need to configure 2FA. If you want to force SRE
's to 2FA you need to configure settings on browser dynamic otp
flow on Authentication section.
We recommended going through the Keycloak Deployment Guide before continuing on here.
Download PreConfigured Realm Configuration for Datasance PoT
You can download preconfigured realm import json for Datasance PoT with below command. Replace newRealmValue
with the you would like to give for your realm.
wget -q -O - "https://raw.githubusercontent.com/Datasance/keycloak/refs/heads/main/datasance-realm_template.json" | sed 's/\$realm/newRealmValue/g' > datasance-pot-ralm.json
Example
wget -q -O - "https://raw.githubusercontent.com/Datasance/keycloak/refs/heads/main/datasance-realm_template.json" | sed 's/\$realm/test/g' > datasance-pot-realm.json
Import Realm
Import the preconfigured realm json you download in previous step.
Create User
Create user inside imported realm. Create user's password and assign role.
Get Client Secret
Create client secret for pot-controller
client. Copy and save it, you wil use it while preparing ControlPlane
yaml.
Get RealmKey
Get your realKey. Copy and save it, you wil use it while preparing ControlPlane
yaml.
Prepare ControlPlane yaml
Now you are ready to deploy ControlPlane
with the auth configuration generated on previous steps.
echo "---
apiVersion: datasance.com/v3
kind: KubernetesControlPlane
metadata:
name: albatros-1
spec:
iofogUser:
name: Foo
surname: Bar
email: foo@bar.com
password: testPasword12xlj
auth:
url: https://kc-url/
realm: $realm-name
realmKey: $realm-key
ssl: external
controllerClient: pot-controller
controllerSecret: $controller-client-secret
viewerClient: ecn-viewer
Configure ECN-Viewer URL
Once you deploy your Datasance PoT ControlPlane
, you need to configure ECN-Viewer redirect URL on Keycloak client setting.
Follow instructions on below images.
Only configure Root URL
and do not put /
at the end of Root URL