红帽全球峰会3.3. 红帽构建的 Keycloak
MTA 7.3.0 使用红帽构建 Keycloak (RHBK) 实例进行用户身份验证和授权。
MTA 操作器管理 RHBK 实例,并使用必要的角色和权限配置专用 域。
MTA 管理的 RHBK 实例允许您执行高级 RHBK 配置,例如 为用户联邦或集成 身份提供程序添加 供应商。要访问 RHBK 管理控制台,请在浏览器中打开 < route > 替换为 MTA web 控制台地址,在浏览器中输入 URL https://<_ route _>/auth/admin。
示例:
- MTA Web 控制台 :https://mta-openshiftmta.example.com/
- RHBK 管理控制台 :https://mta-openshiftmta.example.com/auth/admin
RHBK 的 admin 凭证存储在安装 MTA 的命名空间中名为 mta-keycloak-rhbk 的 secret 文件中。
要检索您的 admin 凭证,请运行以下命令:
oc get secret mta-keycloak-rhbk -n openshift-mta -o json| jq -r '.data.password | @base64d'
$ oc get secret mta-keycloak-rhbk -n openshift-mta -o json| jq -r '.data.password | @base64d'3.3.1. roles, Personas, Users, and Permissions
MTA 使用三个角色,各自对应于用户角色:
| 角色 | persona |
|---|---|
|
| Administrator |
|
| 架构 |
|
| migrator |
角色已在您的 RHBK 实例中定义。您不需要创建它们。
如果您是 MTA 管理员,您可以在 RHBK 中创建用户,并为每个用户分配一个或多个角色,每个用户角色都有一个角色。
3.3.1.1. 角色、用户角色和用户界面视图的访问权限
虽然用户可以有多个角色,但每个角色都对应于特定的用户角色:
-
管理员:管理员具有架构师和 migrators 的全部权限,以及能够创建其他用户可消耗的应用程序范围配置参数,但不能更改或查看。示例:Git 凭证、Maven
settings.xml文件。 - 架构师:迁移项目的技术领导,能够运行评估,并可创建和修改相关应用程序和信息。架构师无法修改或删除敏感信息,但可以使用这些信息。示例:将现有凭证与特定应用程序的存储库关联。
- migrator :用户可以分析应用程序,但不能创建、修改或删除应用程序。
如 用户界面视图 中所述,MTA 有两个视图,即 管理和迁移。
只有管理员才能访问 管理 视图。架构师和 migrator 无法访问 管理 视图,他们甚至无法看到它。
管理员可以执行 Migration 视图 支持的所有操作。架构师和 migrator 可以看到 Migration 视图的所有元素,但它们在 Migration 视图中执行操作的能力取决于对其角色授予的权限。
下表中总结了管理员、架构师和 migrator 访问 MTA 用户界面的管理和迁移视图的能力:
| 菜单 | 架构 | migrator | Admin |
|---|---|---|---|
| 管理 | 否 | 否 | 是 |
| Migration | 是 | 是 | 是 |
3.3.1.2. 角色和权限
下表包含 MTA 查找受管 RHBK 实例的角色和权限(范围):
| tackle-admin | 资源名称 | Verbs |
| 附加组件 |
delete | |
| adoptionplans |
post | |
| 应用程序 |
delete | |
| applications.facts |
delete | |
| applications.tags |
delete | |
| applications.bucket |
delete | |
| assessments |
delete | |
| businessservices |
delete | |
| dependencies |
delete | |
| identities |
delete | |
| imports |
delete | |
| jobfunctions |
delete | |
| proxies |
delete | |
| reviews |
delete | |
| 设置 |
delete | |
| stakeholdergroups |
delete | |
| stakeholders |
delete | |
| tags |
delete | |
| tagtypes |
delete | |
| tasks |
delete | |
| tasks.bucket |
delete | |
| tickets |
delete | |
| trackers |
delete | |
| 缓存 |
delete | |
| files |
delete | |
| rulebundles |
delete |
| tackle-architect | 资源名称 | Verbs |
| 附加组件 |
delete | |
| applications.bucket |
delete | |
| adoptionplans |
post | |
| 应用程序 |
delete | |
| applications.facts |
delete | |
| applications.tags |
delete | |
| assessments |
delete | |
| businessservices |
delete | |
| dependencies |
delete | |
| identities |
get | |
| imports |
delete | |
| jobfunctions |
delete | |
| proxies |
get | |
| reviews |
delete | |
| 设置 |
get | |
| stakeholdergroups |
delete | |
| stakeholders |
delete | |
| tags |
delete | |
| tagtypes |
delete | |
| tasks |
delete | |
| tasks.bucket |
delete | |
| trackers |
get | |
| tickets |
delete | |
| 缓存 |
get | |
| files |
delete | |
| rulebundles |
delete |
| tackle-migrator | 资源名称 | Verbs |
| 附加组件 |
get | |
| adoptionplans |
post | |
| 应用程序 |
get | |
| applications.facts |
get | |
| applications.tags |
get | |
| applications.bucket |
get | |
| assessments |
get | |
| businessservices |
get | |
| dependencies |
delete | |
| identities |
get | |
| imports |
get | |
| jobfunctions |
get | |
| proxies |
get | |
| reviews |
get | |
| 设置 |
get | |
| stakeholdergroups |
get | |
| stakeholders |
get | |
| tags |
get | |
| tagtypes |
get | |
| tasks |
delete | |
| tasks.bucket |
delete | |
| tackers |
get | |
| tickets |
get | |
| 缓存 |
get | |
| files |
get | |
| rulebundles |
get |
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}