support Keycloak
Change-Id: I4971534be80cb111f02cd3dc4d2e8c4ad6afdb5f
parent
c1629507a4
commit
69f3e2a160
124
specs/pike/implemented/keycloak.rst
Normal file
@ -0,0 +1,124 @@
|
|||||||
|
..
|
||||||
|
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||||
|
License.
|
||||||
|
|
||||||
|
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||||
|
|
||||||
|
================
|
||||||
|
Keycloak support
|
||||||
|
================
|
||||||
|
|
||||||
|
launchpad blueprint:
|
||||||
|
https://blueprints.launchpad.net/vitrage/+spec/keycloak-support
|
||||||
|
|
||||||
|
As part of an on going effort to make vitrage to be able to work also in a non
|
||||||
|
OpenStack environment (in addition to the default OpenStack environment).
|
||||||
|
We should be able to make vitrage work with a different authorization server
|
||||||
|
instead of keystone. An optional authorization server can be Keycloak which is
|
||||||
|
an open source Identity and Access Management solution aimed at modern
|
||||||
|
applications and services
|
||||||
|
|
||||||
|
|
||||||
|
Problem description
|
||||||
|
===================
|
||||||
|
|
||||||
|
Vitrage at the moment can only work in an OpenStack environment because it needs
|
||||||
|
Keystone for authorization. We should support other authorization such as Keycloak.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Proposed change
|
||||||
|
===============
|
||||||
|
|
||||||
|
New auth_mode in api section in Vitrage config file::
|
||||||
|
|
||||||
|
[api]
|
||||||
|
auth_mode = keycloak
|
||||||
|
|
||||||
|
New keycloak section with the auth_url in Vitrage config::
|
||||||
|
|
||||||
|
[keycloak]
|
||||||
|
auth_url = http://[keycloak server]:[keycloak port]/auth
|
||||||
|
|
||||||
|
The Vitrage server will use a new middleware which will authenticate with the
|
||||||
|
Keycloak server once an api request is received.
|
||||||
|
|
||||||
|
A new auth plugin will be added to the vitrage client which will get the token
|
||||||
|
from the Keycloak server and sent it with the api request.
|
||||||
|
|
||||||
|
Alternatives
|
||||||
|
------------
|
||||||
|
|
||||||
|
None
|
||||||
|
|
||||||
|
Data model impact
|
||||||
|
-----------------
|
||||||
|
|
||||||
|
None
|
||||||
|
|
||||||
|
REST API impact
|
||||||
|
---------------
|
||||||
|
When using the client we should use the keycloak-plugin
|
||||||
|
|
||||||
|
Versioning impact
|
||||||
|
-----------------
|
||||||
|
|
||||||
|
None
|
||||||
|
|
||||||
|
Other end user impact
|
||||||
|
---------------------
|
||||||
|
|
||||||
|
None
|
||||||
|
|
||||||
|
Deployer impact
|
||||||
|
---------------
|
||||||
|
|
||||||
|
To use the Keycloak Authorization there is a need to define it in the
|
||||||
|
Vitrage config file.
|
||||||
|
|
||||||
|
Developer impact
|
||||||
|
----------------
|
||||||
|
|
||||||
|
None
|
||||||
|
|
||||||
|
Horizon impact
|
||||||
|
--------------
|
||||||
|
|
||||||
|
None
|
||||||
|
|
||||||
|
Implementation
|
||||||
|
==============
|
||||||
|
|
||||||
|
Assignee(s)
|
||||||
|
-----------
|
||||||
|
|
||||||
|
Primary assignee:
|
||||||
|
eyalb1
|
||||||
|
|
||||||
|
Work Items
|
||||||
|
----------
|
||||||
|
|
||||||
|
- Create Keycloak plugin in client
|
||||||
|
|
||||||
|
- Create Keycloak plugin in server
|
||||||
|
|
||||||
|
Dependencies
|
||||||
|
============
|
||||||
|
|
||||||
|
None
|
||||||
|
|
||||||
|
Testing
|
||||||
|
=======
|
||||||
|
|
||||||
|
This blueprint requires unit tests.
|
||||||
|
|
||||||
|
Documentation Impact
|
||||||
|
====================
|
||||||
|
|
||||||
|
The usage of the KeyCloak authorization will be documented
|
||||||
|
|
||||||
|
|
||||||
|
References
|
||||||
|
==========
|
||||||
|
|
||||||
|
`keycloak-config.rst <https://github.com/openstack/vitrage/blob/master/doc/source/contributor/keycloak-config.rst>`_
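Review bot: The "Proposed change" section leaves the security behaviour of the new auth path unspecified, and the spec has no security impact section even though it swaps Keystone out as the gate in front of the API. The text says the middleware "will authenticate with the Keycloak server once an api request is received", but not what it checks on the token (which Keycloak endpoint or realm it validates against), what the API returns when the token is missing, expired or rejected, or what happens when Keycloak is unreachable. Please state these, and state that every failure case denies the request. The sample `auth_url = http://[keycloak server]:[keycloak port]/auth` uses plain HTTP, over which the token the client fetches and forwards would travel in clear text; show `https://` in the example and say how the server middleware and the client plugin verify the Keycloak certificate. Minor: "authorization" is used throughout for what the text describes as authentication, and "on going" and "sent it" should read "ongoing" and "send it".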