Skip to main content

Introduction

Datasance PoT integrates Keycloak as its identity and access management (IAM) solution to provide secure authentication and authorization across the platform. By leveraging Keycloak, PoT ensures a centralized and scalable approach to manage user identities, roles, and permissions. This integration enables robust Role-Based Access Control (RBAC) for users, ensuring secure access to critical edge infrastructure and applications. With Keycloak, Datasance PoT supports Single Sign-On (SSO) and identity federation, streamlining user management while enhancing security, making it an ideal solution for enterprises operating in dynamic and distributed environments.

Roles and permissions

By default preconfigured Datasance PoT realm comes with below Realm level roles:

  • pot-Admin
  • pot-SRE
  • pot-Developer
  • pot-Viewer

By default preconfigured Datasance PoT realm comes with two client pot-controller and ecn-viewer. ecn-viewerclient comes with Standard Flow , pot-controller client comes with Direct access grants and Service accounts roles

Both pot-controller and ecn-viewer client has tree roles: SRE, Developer and Viewer

Below you can find how realm Level roles are associated with Client level roles.

Realm Rolepot-controllerecn-viewer
pot-AdminSRESRE
pot-SRESRESRE
pot-DeveloperDeveloperDeveloper
pot-ViewerViewerViewer

Only users with pot-Admin roles can access Keycloak console and add or remove users, configure realm settings.

Don't change client level roles

It is important to note that you have never change the client level roles as Controller's REST-API endpoints protected against user's associated client level roles.

  • SRE's can deploy, manage and configure both Agents, System Applications, Applications and Microservices.
  • Developer's can deploy, manage and configure Applications and Microservices.
  • Viewer's can only view the cluster resources.

By default users with Developer and Viewer roles need to configure 2FA. If you want to force SRE's to 2FA you need to configure settings on browser dynamic otp flow on Authentication section.

Don't have Keycloak Instance?

We recommended going through the Keycloak Deployment Guide before continuing on here.

Download PreConfigured Realm Configuration for Datasance PoT

You can download preconfigured realm import json for Datasance PoT with below command. Replace newRealmValue with the you would like to give for your realm.

wget -q -O - "https://raw.githubusercontent.com/Datasance/keycloak/refs/heads/main/datasance-realm_template.json" | sed 's/\$realm/newRealmValue/g' > datasance-pot-ralm.json
Example
Download preconfigured Datasance PoT realm configuration and assign realm-name: test
wget -q -O - "https://raw.githubusercontent.com/Datasance/keycloak/refs/heads/main/datasance-realm_template.json" | sed 's/\$realm/test/g' > datasance-pot-realm.json

Import Realm

Import the preconfigured realm json you download in previous step.

Create User

Create user inside imported realm. Create user's password and assign role.

Get Client Secret

Create client secret for pot-controller client. Copy and save it, you wil use it while preparing ControlPlane yaml.

Get RealmKey

Get your realKey. Copy and save it, you wil use it while preparing ControlPlane yaml.

Prepare ControlPlane yaml

Now you are ready to deploy ControlPlane with the auth configuration generated on previous steps.

echo "---
apiVersion: datasance.com/v3
kind: KubernetesControlPlane
metadata:
name: albatros-1
spec:
iofogUser:
name: Foo
surname: Bar
email: foo@bar.com
password: testPasword12xlj
auth:
url: https://kc-url/
realm: $realm-name
realmKey: $realm-key
ssl: external
controllerClient: pot-controller
controllerSecret: $controller-client-secret
viewerClient: ecn-viewer

Configure ECN-Viewer URL

Configure ECN-Viewer Redirect URL

Once you deploy your Datasance PoT ControlPlane, you need to configure ECN-Viewer redirect URL on Keycloak client setting. Follow instructions on below images. Only configure Root URLand do not put / at the end of Root URL

Group 3See anything wrong with the document? Help us improve it!