Keycloak support¶
launchpad blueprint: https://blueprints.launchpad.net/vitrage/+spec/keycloak-support
As part of an on going effort to make vitrage to be able to work also in a non OpenStack environment (in addition to the default OpenStack environment). We should be able to make vitrage work with a different authorization server instead of keystone. An optional authorization server can be Keycloak which is an open source Identity and Access Management solution aimed at modern applications and services
Problem description¶
Vitrage at the moment can only work in an OpenStack environment because it needs Keystone for authorization. We should support other authorization such as Keycloak.
Proposed change¶
New auth_mode in api section in Vitrage config file:
[api]
auth_mode = keycloak
New keycloak section with the auth_url in Vitrage config:
[keycloak]
auth_url = http://[keycloak server]:[keycloak port]/auth
The Vitrage server will use a new middleware which will authenticate with the Keycloak server once an api request is received.
A new auth plugin will be added to the vitrage client which will get the token from the Keycloak server and sent it with the api request.
Alternatives¶
None
Data model impact¶
None
REST API impact¶
When using the client we should use the keycloak-plugin
Versioning impact¶
None
Other end user impact¶
None
Deployer impact¶
To use the Keycloak Authorization there is a need to define it in the Vitrage config file.
Developer impact¶
None
Horizon impact¶
None
Implementation¶
Assignee(s)¶
- Primary assignee:
eyalb1
Work Items¶
Create Keycloak plugin in client
Create Keycloak plugin in server
Dependencies¶
None
Testing¶
This blueprint requires unit tests.
Documentation Impact¶
The usage of the KeyCloak authorization will be documented
