From 350e53152bac1d28049f14f645bc9503dd75a6f8 Mon Sep 17 00:00:00 2001 From: UnicornChance Date: Thu, 9 May 2024 12:24:43 -0600 Subject: [PATCH 1/3] initial commit for doc --- docs/GROUPS_AND_ACCESSES.md | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 docs/GROUPS_AND_ACCESSES.md diff --git a/docs/GROUPS_AND_ACCESSES.md b/docs/GROUPS_AND_ACCESSES.md new file mode 100644 index 000000000..ac5dd8327 --- /dev/null +++ b/docs/GROUPS_AND_ACCESSES.md
@@ -0,0 +1,35 @@ +# UDS-CORE Groups and Accesses + +UDS Core deploys Keycloak which has some preconfigured groups that applications inherit from SSO and IDP configurations. + +## Applications +### Grafana +Grafana [maps the groups](https://github.com/defenseunicorns/uds-core/blob/49cb11a058a9209cee7019fa552b8c0b2ef73368/src/grafana/values/values.yaml#L37) from Keycloak to it's internal `Admin` and `Viewer` groups. + +| Keycloak Group | Mapped Grafana Group | +|----------------|----------------------| +| `Admin` | `Admin` | +| `Auditor` | `Viewer` | + +If a user doesn't belong to either of these Keycloak groups the user will be unauthorized when accessing Grafana. + +### Neuvector +Neuvector [maps the groups](https://github.com/defenseunicorns/uds-core/blob/main/src/neuvector/chart/templates/uds-package.yaml#L31-L35) from Keycloak to it's internal `admin` and `reader` groups. + +| Keycloak Group | Mapped Neuvector Group | +|----------------|------------------------| +| `Admin` | `admin` | +| `Auditor` | `reader` | + +## Keycloak +> [!IMPORTANT] +> All groups are under the Uds-Core parent group. Frequently a group will be referred to as Uds-Core/Admin or Uds-Core/Auditor. In the Keycloak UI this requires an additional click to get down to the sub groups. + +### Identity Providers ( IDP ) + +Generally we recommend following our process for configuring an IDP and and it's group mappings. `uds-identity-config` has some [more docs](https://github.com/defenseunicorns/uds-identity-config/blob/main/docs/CUSTOMIZE.md#customizing-realm) for the process of defining the environment variables for the [realm.json](https://github.com/defenseunicorns/uds-identity-config/blob/main/src/realm.json#L1712-L1813) file as well. + +At this time Google SAML is the only provider configured to work with UDS Core Keycloak out of the box. Using Google Workspace for configuring the groups that should be mapped to Keycloak groups via an `Advanced Attribute to Group`. 
+ +There is nothing limiting the use of other IDP's, for example using gitlab or another Keycloak. + From 14666db5cb0c6395606783a568367f652316c2b1 Mon Sep 17 00:00:00 2001 From: UnicornChance Date: Thu, 9 May 2024 14:29:05 -0600 Subject: [PATCH 2/3] rename doc --- docs/{GROUPS_AND_ACCESSES.md => UDS_CORE_GROUPS.md} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename docs/{GROUPS_AND_ACCESSES.md => UDS_CORE_GROUPS.md} (98%) diff --git a/docs/GROUPS_AND_ACCESSES.md b/docs/UDS_CORE_GROUPS.md similarity index 98% rename from docs/GROUPS_AND_ACCESSES.md rename to docs/UDS_CORE_GROUPS.md index ac5dd8327..9727def4c 100644 --- a/docs/GROUPS_AND_ACCESSES.md +++ b/docs/UDS_CORE_GROUPS.md @@ -1,4 +1,4 @@ -# UDS-CORE Groups and Accesses +# UDS-CORE Groups UDS Core deploys Keycloak which has some preconfigured groups that applications inherit from SSO and IDP configurations. From c66e062cab12fc60a6b872da6eed5a11c3d1bfb8 Mon Sep 17 00:00:00 2001 From: UnicornChance Date: Thu, 9 May 2024 15:16:29 -0600 Subject: [PATCH 3/3] update idp section --- docs/UDS_CORE_GROUPS.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/docs/UDS_CORE_GROUPS.md b/docs/UDS_CORE_GROUPS.md index 9727def4c..34c2579a2 100644 --- a/docs/UDS_CORE_GROUPS.md +++ b/docs/UDS_CORE_GROUPS.md 
@@ -23,13 +23,15 @@ Neuvector [maps the groups](https://github.com/defenseunicorns/uds-core/blob/mai ## Keycloak > [!IMPORTANT] -> All groups are under the Uds-Core parent group. Frequently a group will be referred to as Uds-Core/Admin or Uds-Core/Auditor. In the Keycloak UI this requires an additional click to get down to the sub groups. +> All groups are under the Uds Core parent group. Frequently a group will be referred to as Uds Core/Admin or Uds Core/Auditor. In the Keycloak UI this requires an additional click to get down to the sub groups. ### Identity Providers ( IDP ) -Generally we recommend following our process for configuring an IDP and and it's group mappings. `uds-identity-config` has some [more docs](https://github.com/defenseunicorns/uds-identity-config/blob/main/docs/CUSTOMIZE.md#customizing-realm) for the process of defining the environment variables for the [realm.json](https://github.com/defenseunicorns/uds-identity-config/blob/main/src/realm.json#L1712-L1813) file as well. +UDS Core ships with a [templated](https://github.com/defenseunicorns/uds-identity-config/blob/main/src/realm.json#L1712-L1813) Google SAML IDP, more documentation to configure the `realmInitEnv` values in [uds-identity-config](https://github.com/defenseunicorns/uds-identity-config/blob/main/docs/CUSTOMIZE.md#customizing-realm). -At this time Google SAML is the only provider configured to work with UDS Core Keycloak out of the box. Using Google Workspace for configuring the groups that should be mapped to Keycloak groups via an `Advanced Attribute to Group`. +Configuring your own IDP can be achieved via: +* Custom uds-identity-config with a templated realm.json -There is nothing limiting the use of other IDP's, for example using gitlab or another Keycloak. +* Keycloak Admin UI and click ops +* Custom [realm.json](https://github.com/defenseunicorns/uds-identity-config/blob/main/src/realm.json#L1712-L1813) for direct import in Keycloak
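Review bot: in PATCH 1/3 (the hunk creating docs/GROUPS_AND_ACCESSES.md), the Grafana and Neuvector sections are inconsistent about what a user who is in neither mapped group gets: the Grafana section says the user "will be unauthorized", the Neuvector section says nothing, and since this doc exists to explain who gets access, the Neuvector section should state the outcome too. The two source links also differ in stability: the Grafana link to values.yaml is pinned to commit 49cb11a, while the Neuvector link uses `main` with a `#L31-L35` anchor, which will point at the wrong lines as soon as uds-package.yaml changes; pin it to a commit as the Grafana link is. Same for the realm.json `#L1712-L1813` link. Wording in the same hunk: "it's internal `Admin` and `Viewer` groups" and "it's internal `admin` and `reader` groups" should be "its"; "configuring an IDP and and it's group mappings" has a doubled "and" and the same error; "Using Google Workspace for configuring the groups that should be mapped to Keycloak groups via an `Advanced Attribute to Group`." is a sentence fragment, something like "In Google Workspace, the groups to map are configured through an `Advanced Attribute to Group` mapper." would read as a sentence. Finally, the IMPORTANT callout spells the parent group `Uds-Core`, but PATCH 3/3 changes it to `Uds Core`; the group path in realm.json is the source of truth, so check it and use that spelling everywhere.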
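Review bot: in PATCH 2/3 (the rename hunk for docs/UDS_CORE_GROUPS.md), the title is shortened to "UDS-CORE Groups" while the body still documents the access each group grants (Grafana `Admin`/`Viewer`, Neuvector `admin`/`reader`, unauthorized when in neither), so the original "Groups and Accesses" title described the content better. If the shorter title stays, "UDS Core Groups" would match the "UDS Core" spelling used in the body's first sentence rather than the all-caps "UDS-CORE".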
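Review bot: in PATCH 3/3 (the hunk rewriting the "Identity Providers ( IDP )" section), the bullet list is split by the blank line left between `* Custom uds-identity-config with a templated realm.json` and `* Keycloak Admin UI and click ops` (the lone `-` between the two `+` lines), so it renders as two separate lists; remove the blank line. The new lead sentence is a fragment: "UDS Core ships with a templated Google SAML IDP, more documentation to configure the `realmInitEnv` values in uds-identity-config." Suggest "UDS Core ships with a templated Google SAML IDP; the `realmInitEnv` values that fill the template are documented in uds-identity-config." The first and third bullets both point at the same realm.json range (`#L1712-L1813`, the Google SAML template) on `main`, so the "Custom realm.json for direct import in Keycloak" bullet links to the template rather than to anything about importing a realm, and a line-range anchor on `main` will drift; link the import option to the relevant Keycloak or uds-identity-config documentation and pin any line anchors to a commit. "Keycloak Admin UI and click ops" is slang for a doc; "manual configuration in the Keycloak Admin UI" says the same thing. The callout is also changed from `Uds-Core/Admin` to `Uds Core/Admin`, introducing a space into a group path without an explanation in the commit message; confirm the actual group name in realm.json before documenting it, since a wrong path here will send operators looking for a group that does not exist.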