Description
Motivation
Currently, authorization permissions are pushed via ColdFront to downstream services, such as OpenStack and OpenShift.
These permissions should also be centralized, so that they can be consumed automatically. That is currently the case only for the pi role, which is represented as membership in the pi group in Keycloak.
Keycloak has no knowledge of which projects or resource allocations a user or PI has access to, so that information cannot be included in access_tokens and id_tokens for automatic consumption by other services, such as observability, storage, or plugins that automatically sync based on it.
Completion Criteria
Investigate methods for centralizing authorization information in Keycloak. A decision should be made on the groups or role hierarchy and its representation and meaning.
Description
- Investigate available methods for representing authorization information in Keycloak and how they work in the context of RBAC (global) and scoped RBAC (project/resource allocation).
- Write a design document based on the decided method and get approval.
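The two items above ask how global and scoped authorization could be represented in Keycloak. As an added illustration (not code from this issue, ColdFront, or Keycloak), the Python below shows what a downstream service could do with one candidate representation: roles modelled as Keycloak group membership, emitted into the token by Keycloak's Group Membership protocol mapper with full group paths, so that a `groups` claim like `["/pi", "/projects/alpha/pi"]` distinguishes a global role (a group directly under the realm root) from a role scoped to a project or resource allocation. The group layout (`/projects/<name>/<role>`, `/allocations/<id>/<role>`), the claim name and the sample token payload are all assumptions made for the example; the token is assumed to have already been signature-verified against the realm's JWKS.

```python
"""Consuming global and scoped RBAC from a Keycloak ``groups`` claim.

Assumed (hypothetical) group layout, not something decided in the issue:
  /<role>                       global role, e.g. /pi
  /projects/<name>/<role>       role scoped to a project
  /allocations/<id>/<role>      role scoped to a resource allocation
The claim is expected to come from a token whose signature has already
been verified; this code only interprets the claims.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Containers whose children are scopes rather than roles (assumption).
SCOPE_KINDS = {"projects", "allocations"}


@dataclass
class Authorization:
    global_roles: set[str] = field(default_factory=set)
    # (kind, name) -> roles held within that scope, e.g. ("projects", "alpha") -> {"pi"}
    scoped_roles: dict[tuple[str, str], set[str]] = field(default_factory=dict)


def parse_groups(groups: list[str]) -> Authorization:
    """Map full Keycloak group paths onto global and scoped roles.

    Paths that do not match the expected layout are rejected rather than
    ignored, so a misconfigured mapper fails closed instead of silently
    dropping (or widening) someone's access.
    """
    auth = Authorization()
    for path in groups:
        if not isinstance(path, str) or not path.startswith("/"):
            raise ValueError(f"expected a full group path, got {path!r}")
        parts = [p for p in path.split("/") if p]
        if len(parts) == 1 and parts[0] not in SCOPE_KINDS:
            auth.global_roles.add(parts[0])
        elif len(parts) == 3 and parts[0] in SCOPE_KINDS:
            kind, name, role = parts
            auth.scoped_roles.setdefault((kind, name), set()).add(role)
        else:
            raise ValueError(f"unrecognised group path {path!r}")
    return auth


def authorization_from_claims(claims: dict) -> Authorization:
    """Extract authorization from a verified token payload (assumed claim name: groups)."""
    groups = claims.get("groups")
    if not isinstance(groups, list):
        raise ValueError("token carries no usable 'groups' claim")
    return parse_groups(groups)


def has_role(auth: Authorization, role: str, scope: tuple[str, str] | None = None) -> bool:
    """Check a global role (scope=None) or a role within one (kind, name) scope.

    A global role deliberately does not imply the same role in every scope;
    if that inheritance is wanted it should be an explicit design decision.
    """
    if scope is None:
        return role in auth.global_roles
    return role in auth.scoped_roles.get(scope, set())


# Constructed sample payload for illustration only (not a real token).
SAMPLE_CLAIMS = {
    "sub": "00000000-0000-0000-0000-000000000000",
    "preferred_username": "example-pi",
    "groups": ["/pi", "/projects/alpha/pi", "/projects/beta/member", "/allocations/42/member"],
}

if __name__ == "__main__":
    auth = authorization_from_claims(SAMPLE_CLAIMS)
    print("global roles:", sorted(auth.global_roles))
    for scope, roles in sorted(auth.scoped_roles.items()):
        print(f"{scope[0]}/{scope[1]}: {sorted(roles)}")
    print("pi on alpha:", has_role(auth, "pi", ("projects", "alpha")))
    print("pi on beta:", has_role(auth, "pi", ("projects", "beta")))
```

The fail-closed parsing is the part worth keeping whatever representation is chosen: a consumer that ignores group paths it does not understand will quietly lose permissions when the layout changes, and one that treats any leaf as a role could grant more than intended.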
Completion dates
Desired - 2025-03-14
Required - TBD