system-config/doc/source/keycloak.rst
Jeremy Stanley aa3f4d71b0 Document adding Zuul WebUI admins
Step-by-step process for adding your account to the zuul realm in
Keycloak, so that you can access the admin capabilities of our Zuul
WebUI.

Change-Id: I613e3b45316471df2054300a8b115da78debdcb2
2024-02-14 16:54:47 +00:00

Keycloak

Keycloak is installed on keycloak.opendev.org. It is in a prototype phase for use with the Zuul admin API, and may be used by other OpenDev services in the future.

At a Glance

Hosts
Ansible
Projects
Bugs

Overview

Apache is configured as a reverse proxy to [::1]:8080 and there is also a separate MariaDB database listening on [::1]:3306.

Use

We currently have a "zuul" realm configured, and all user accounts within this realm get administrative access to the WebUI for zuul.opendev.org. The configuration largely follows upstream Zuul's Configuring Keycloak Authentication document. We extend it by adding an infra-root group and a zuul-dedicated client scope within the zuul client, which has a group token mapper whose Token Claim Name is groups. The group mapping allows us to delegate administrative rights globally and on a per-tenant basis with admin-rule entries at the top of our main.yaml file.

Sysadmins should follow the :ref:`zuul-admins` instructions for adding their accounts to the zuul realm, if such access is desired.
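
The way a groups claim from the token mapper turns into per-tenant admin rights can be checked with a small model. This is an added example, not OpenDev's or Zuul's code: it is a simplified model of admin-rule matching for flat claims only, and the tenant names, the tenant-a-admin group, the usernames and the rule layout are constructed assumptions.

```python
import base64
import json

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def claim_matches(actual, expected):
    # A list-valued claim such as "groups" matches when it contains the value.
    if isinstance(actual, list):
        return expected in actual
    return actual == expected

def rule_matches(rule, claims):
    # Conditions are ORed; the claims inside one condition are ANDed.
    return any(
        all(k in claims and claim_matches(claims[k], v) for k, v in cond.items())
        for cond in rule["conditions"]
    )

def admin_tenants(claims, rules, tenants):
    """Sorted names of tenants on which these claims grant admin rights."""
    by_name = {r["name"]: r for r in rules}
    return sorted(
        tenant for tenant, rule_names in tenants.items()
        if any(rule_matches(by_name[n], claims) for n in rule_names)
    )

def make_token(claims):
    # Constructed sample token; the signature segment is a dummy string.
    def seg(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([seg({"alg": "RS256", "typ": "JWT"}), seg(claims), "dummy"])

# Constructed rules and tenants; only "infra-root" and "groups" come from the page.
RULES = [
    {"name": "infra-root", "conditions": [{"groups": "infra-root"}]},
    {"name": "tenant-a-admins", "conditions": [{"groups": "tenant-a-admin"}]},
]
TENANTS = {"tenant-a": ["infra-root", "tenant-a-admins"], "tenant-b": ["infra-root"]}

if __name__ == "__main__":
    token = make_token({"preferred_username": "alice", "groups": ["infra-root"]})
    print(admin_tenants(jwt_claims(token), RULES, TENANTS))
```

If the Keycloak group mapper has its "Full group path" option enabled, the claim carries values such as /infra-root, and a rule written for infra-root will not match.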