Skip to content

Commit

Permalink
Roles, Users, and Permissions in MTV
Browse files Browse the repository at this point in the history
  • Loading branch information
RichardHoch committed Jul 22, 2024
1 parent 61244ef commit a2cbc95
Showing 1 changed file with 28 additions and 9 deletions.
37 changes: 28 additions & 9 deletions docs/topics/mta-7-installing-web-console-on-openshift.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -161,7 +161,7 @@ The most commonly used CR settings are listed in this table:
|====
+
.Example YAML file
[sample,YAML]
[source,YAML]
----
kind: Tackle
apiVersion: tackle.konveyor.io/v1alpha1
Expand Down Expand Up @@ -264,16 +264,11 @@ To prevent out-of-memory events and protect nodes, use the `--eviction-hard` set

The amount of memory available for running pods on this node is 28.9 GiB. This amount is calculated by subtracting the `system-reserved` and `eviction-hard` values from the overall capacity of the node. If the memory usage exceeds this amount, the node starts evicting pods.


== Red Hat Single Sign-On
{ProductShortName} delegates authentication and authorization to a
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6[Red
Hat Single Sign-On] (RHSSO) instance managed by the {ProductShortName} operator. Aside from controlling the full lifecycle of the managed RHSSO instance, the {ProductShortName} operator also manages the configuration of a dedicated
{ProductShortName} delegates authentication and authorization to a https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6[Red Hat Single Sign-On] (RHSSO) instance managed by the {ProductShortName} operator. Aside from controlling the full lifecycle of the managed RHSSO instance, the {ProductShortName} operator also manages the configuration of a dedicated
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/server_administration_guide/configuring_realms[realm] that contains all the roles and permissions that {ProductShortName} requires.

If an advanced configuration is required in the {ProductShortName} managed RHSSO instance, such as https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/server_administration_guide/user-storage-federation#adding_a_provider[adding
a provider for User Federation] or https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/server_administration_guide/identity_broker[integrating
identity providers], users can log into the RHSSO https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/server_administration_guide/configuring_realms#using_the_admin_console[Admin
If an advanced configuration is required in the {ProductShortName} managed RHSSO instance, such as https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/server_administration_guide/user-storage-federation#adding_a_provider[adding a provider for User Federation] or https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/server_administration_guide/identity_broker[integrating identity providers], administrators can log in to the RHSSO https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/server_administration_guide/configuring_realms#using_the_admin_console[Admin
Console] through the `/auth/admin` subpath in the `{LC_PSN}-ui` route. The admin credentials to access the {ProductShortName} managed RHSSO instance can be retrieved from the `credential-mta-rhsso` secret available in the namespace in which the {WebName} was installed.

A dedicated route for the {ProductShortName} managed RHSSO instance can be created by setting the `rhsso_external_access` parameter to `True` in the *Tackle CR* that manages the {ProductShortName} instance.
Expand All @@ -282,7 +277,31 @@ For more information, see
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/server_administration_guide/red_hat_single_sign_on_features_and_concepts[Red
Hat Single Sign-On features and concepts].

=== Roles and Permissions
=== Roles, Users, and Permissions

==== Roles and Users

{ProductShortName} makes use of three roles or personas:

* `tackle-admin` (administrator)
* `tackle-architect` (architect)
* `tackle-migrator` (migrator)

These roles are already defined in your RHSSO instance. You do not need to create them.

If you are an {ProjectShortName} administrator, you can create users in your RHSSO and assign each user one or more roles

==== Definitions of Roles

Although a user can have more than one role, each role has a specific definition:

* Administrator: An administrator has all the permissions that architects and migrators have, along with access to some application-wide configuration parameters that other users can consume but not change or browse. Examples: Git credentials, Maven `settings.xml` files.

* Architect: A technical lead for the migration project that can create and modify applications and information related to them. An architect cannot modify or delete sensitive information, but can consume it. Example: Associate an existing credential to the repository of a specific application.

* Migrator: A developer who can analyze applications, but not create, modify, or delete them.

==== Roles and permissions

The following table contains the roles and permissions (scopes) that {ProductShortName} seeds the managed RHSSO instance with:

Expand Down

0 comments on commit a2cbc95

Please sign in to comment.