fb0674d402
This sphinx internal ref was missing ``'s surrounding the token identifier. Add them which should fix the reference. Change-Id: I6261ab3a96cecbf63d0934441650d9d91baac798
1.7 KiB
- title
-
Keycloak
Keycloak
Keycloak is installed on keycloak.opendev.org. It is in a prototype phase for use with the Zuul admin API, and may be used by other OpenDev services in the future.
At a Glance
- Hosts
- Ansible
- Projects
- Bugs
Overview
Apache is configured as a reverse proxy to [::1]:8080
and there is also a separate MariaDB database listening on
[::1]:3306.
Use
We currently have a "zuul" realm configured, and all user accounts within this realm get administrative access to the WebUI for zuul.opendev.org. The configuration basically follows upstream Zuul's Configuring Keycloak Authentication document, but we extend the configuration by adding an infra-root group and a zuul-dedicated client scope within the zuul client with a group token mapper whose Token Claim Name is groups. The group mapping allows us to delegate administrative rights globally and on a per-tenant basis with admin-rule entries at the top of our main.yaml file.
Sysadmins should follow the zuul-admins instructions for adding their accounts to
the zuul realm, if such access is
desired.