From eb845b16f73979d828d885e3e17e0189f55075b5 Mon Sep 17 00:00:00 2001 From: bnallapeta Date: Thu, 7 Dec 2023 12:42:36 +0530 Subject: [PATCH 1/3] adds documentation on authn and authz for console --- content/explanation/auth.md | 37 ++++++++++++++++++++++++++++++++++ content/explanation/console.md | 14 +++++++++++++ 2 files changed, 51 insertions(+) create mode 100644 content/explanation/auth.md diff --git a/content/explanation/auth.md b/content/explanation/auth.md new file mode 100644 index 00000000..e14c8ca6 --- /dev/null +++ b/content/explanation/auth.md 
@@ -0,0 +1,37 @@ +# Authentication and Authorization in MTO Console + +## Keycloak for Authentication + +MTO Console incorporates Keycloak, a leading authentication module, to manage user access securely and efficiently. Keycloak is provisioned automatically by our controllers, setting up a new realm, client, and a default user named 'mto'. + +### Benefits `:` + +- Industry Standard `:` Offers robust, reliable authentication in line with industry standards. +- Integration with Existing Systems `:` Enables easy linkage with existing Active Directories or SSO systems, avoiding the need for redundant user management. +- Administrative Control `:` Grants administrators full authority over user access to the console, enhancing security and operational integrity. + +## PostgreSQL as Persistent Storage for Keycloak + +MTO Console leverages PostgreSQL as the persistent storage solution for Keycloak, enhancing the reliability and flexibility of the authentication system. + +It offers benefits such as enhanced data reliability, easy data export and import. + +### Benefits `:` + +- Persistent Data Storage: By using PostgreSQL, Keycloak's data, including realms, clients, and user information, is preserved even in the event of a pod restart. This ensures continuous availability and stability of the authentication system. +- Data Exportability: Customers can easily export Keycloak configurations and data from the PostgreSQL database. +- Transferability Across Environments: The exported data can be conveniently imported into another cluster or Keycloak instance, facilitating smooth transitions and backups. +- No Data Loss: Ensures that critical authentication data is not lost during system updates or maintenance. +- Operational Flexibility: Provides customers with greater control over their authentication data, enabling them to manage and migrate their configurations as needed. 
+ +## Built-in module for Authorization + +The MTO Console is equipped with an authorization module, designed to manage access rights intelligently and securely. + +### Benefits `:` + +- User and Tenant Based: Authorization decisions are made based on the user's membership in specific tenants, ensuring appropriate access control. +- Role-Specific Access: The module considers the roles assigned to users, granting permissions accordingly to maintain operational integrity. +- Elevated Privileges for Admins: Users identified as administrators or members of the clusterAdminGroups are granted comprehensive permissions across the console. +- Database Caching: Authorization decisions are cached in the database, reducing reliance on the Kubernetes API server. +- Faster, Reliable Access: This caching mechanism ensures quicker and more reliable access for users, enhancing the overall responsiveness of the MTO Console. diff --git a/content/explanation/console.md b/content/explanation/console.md index 61ce4304..f1a8c340 100644 --- a/content/explanation/console.md +++ b/content/explanation/console.md 
@@ -69,6 +69,20 @@ The implementation of this feature is facilitated by the Bootstrap controller, s Furthermore, the introduction of a dedicated cache layer ensures that there is no added burden on the kube API server when responding to MTO Console requests. This enhancement not only improves response times but also contributes to a more efficient and responsive resource management system. +## Authentication and Authorization + +MTO Console ensures secure access control using a robust combination of Keycloak for authentication and a custom-built authorization module. + +### Keycloak Integration + +Keycloak, an industry-standard authentication tool, is integrated for secure user login and management. It supports seamless integration with existing ADs or SSO systems and grants administrators complete control over user access. + +### Custom Authorization Module + +Complementing Keycloak, our custom authorization module intelligently controls access based on user roles and their association with tenants. Special checks are in place for admin users, granting them comprehensive permissions. + +For more details on Keycloak's integration, PostgreSQL as persistent storage, and the intricacies of our authorization module, please visit [here](./auth.md). + ## Conclusion The MTO Console is engineered to simplify complex multi-tenant management. The current iteration focuses on providing comprehensive visibility. Future updates could include direct CUD (Create/Update/Delete) capabilities from the dashboard, enhancing the console’s functionality. The Showback feature remains a standout, offering critical cost tracking and analysis. The delineation of roles between administrators and tenant users ensures a secure and organized operational framework. From 832fbe8c81573207dfee8fe0793fc24439cac2dd Mon Sep 17 00:00:00 2001 
From: bnallapeta Date: Thu, 7 Dec 2023 12:48:18 +0530 Subject: [PATCH 2/3] fixes vale issue --- content/explanation/auth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/explanation/auth.md b/content/explanation/auth.md index e14c8ca6..0bece6e5 100644 --- a/content/explanation/auth.md +++ b/content/explanation/auth.md @@ -2,7 +2,7 @@ ## Keycloak for Authentication -MTO Console incorporates Keycloak, a leading authentication module, to manage user access securely and efficiently. Keycloak is provisioned automatically by our controllers, setting up a new realm, client, and a default user named 'mto'. +MTO Console incorporates Keycloak, a leading authentication module, to manage user access securely and efficiently. Keycloak is provisioned automatically by our controllers, setting up a new realm, client, and a default user named `mto`. ### Benefits `:` From d0b48bb682334192df10b715c0134c25ce4d636c Mon Sep 17 00:00:00 2001 From: bnallapeta Date: Thu, 7 Dec 2023 13:23:09 +0530 Subject: [PATCH 3/3] fixes : rendering issue for headings --- content/explanation/auth.md | 12 ++++++------ content/explanation/console.md | 4 ++-- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/content/explanation/auth.md b/content/explanation/auth.md index 0bece6e5..a6d38843 100644 --- a/content/explanation/auth.md +++ b/content/explanation/auth.md 
@@ -4,11 +4,11 @@ MTO Console incorporates Keycloak, a leading authentication module, to manage user access securely and efficiently. Keycloak is provisioned automatically by our controllers, setting up a new realm, client, and a default user named `mto`. -### Benefits `:` +### Benefits -- Industry Standard `:` Offers robust, reliable authentication in line with industry standards. -- Integration with Existing Systems `:` Enables easy linkage with existing Active Directories or SSO systems, avoiding the need for redundant user management. -- Administrative Control `:` Grants administrators full authority over user access to the console, enhancing security and operational integrity. +- Industry Standard: Offers robust, reliable authentication in line with industry standards. +- Integration with Existing Systems: Enables easy linkage with existing Active Directories or SSO systems, avoiding the need for redundant user management. +- Administrative Control: Grants administrators full authority over user access to the console, enhancing security and operational integrity. ## PostgreSQL as Persistent Storage for Keycloak @@ -16,7 +16,7 @@ MTO Console leverages PostgreSQL as the persistent storage solution for Keycloak It offers benefits such as enhanced data reliability, easy data export and import. -### Benefits `:` +### Benefits - Persistent Data Storage: By using PostgreSQL, Keycloak's data, including realms, clients, and user information, is preserved even in the event of a pod restart. This ensures continuous availability and stability of the authentication system. - Data Exportability: Customers can easily export Keycloak configurations and data from the PostgreSQL database. 
@@ -28,7 +28,7 @@ It offers benefits such as enhanced data reliability, easy data export and impor The MTO Console is equipped with an authorization module, designed to manage access rights intelligently and securely. -### Benefits `:` +### Benefits - User and Tenant Based: Authorization decisions are made based on the user's membership in specific tenants, ensuring appropriate access control. - Role-Specific Access: The module considers the roles assigned to users, granting permissions accordingly to maintain operational integrity. diff --git a/content/explanation/console.md b/content/explanation/console.md index f1a8c340..b39d6cfa 100644 --- a/content/explanation/console.md +++ b/content/explanation/console.md @@ -43,13 +43,13 @@ The Showback feature is an essential financial governance tool, providing detail ## User Roles and Permissions -### Administrators `:` +### Administrators Administrators have overarching access to the console, including the ability to view all namespaces and tenants. They have exclusive access to the IntegrationConfig, allowing them to view all the settings and integrations. ![image](../images/integrationConfig.png) -### Tenant Users `:` +### Tenant Users Regular tenant users can monitor and manage their allocated resources. However, they do not have access to the IntegrationConfig and cannot view resources across different tenants, ensuring data privacy and operational integrity.
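Review bot: In the PATCH 1/3 hunk that creates auth.md, the sentence "setting up a new realm, client, and a default user named 'mto'" leaves the credential lifecycle of that account undocumented: nothing says how its initial password is generated, where it is stored, whether it is an administrator account, or that it should be changed after first login. Since the same section states that administrators have "full authority over user access to the console", a reader needs this to operate the console safely. Suggest adding a sentence after that line, for example: "The initial credentials for `mto` are stored in <secret name> and should be rotated after the first login; the account can be disabled once other administrators have been created."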
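Review bot: The "Database Caching" bullet in the "Built-in module for Authorization" section of the auth.md hunk (PATCH 1/3) says authorization decisions are cached in the database but never states when a cached decision is invalidated. Without a refresh trigger or TTL, a user removed from a tenant or from clusterAdminGroups could keep their cached permissions until the cache expires, which is the opposite of the "Elevated Privileges for Admins" bullet's intent. Suggest adding a bullet such as: "- Cache Invalidation: cached decisions are refreshed whenever the controllers observe a change to a Tenant or to clusterAdminGroups, so revoked access takes effect within <interval>."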
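Review bot: In the console.md hunk (@@ -69,6 +69,20 @@, PATCH 1/3), the cross-reference "please visit [here](./auth.md)" uses non-descriptive link text, which reads poorly in rendered docs and in screen readers. Suggest: "For more details, see [Authentication and Authorization in MTO Console](./auth.md)." The new "Keycloak Integration" paragraph also repeats the auth.md bullets almost verbatim; keeping console.md to a two-sentence summary plus the link avoids the two pages drifting apart on later edits.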
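Review bot: The three PATCH 3/3 hunks in auth.md (@@ -4, @@ -16, @@ -28) replace "### Benefits `:`" with "### Benefits", which fixes the rendering issue but leaves three identical "### Benefits" headings in one page, so static-site generators will emit duplicate or suffixed anchor ids and the table of contents will show three indistinguishable entries. Suggest unique headings, e.g. "### Benefits of Keycloak", "### Benefits of PostgreSQL storage" and "### Benefits of the authorization module". Since PATCH 2/3 and PATCH 3/3 only correct text introduced by PATCH 1/3, the series is also a candidate for squashing into a single commit before merge.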