Configuring Cluster IAM Providers
In Apcera the role of the identity provider is to authenticate clients who need to access Apcera resources. In production the identity provider resides external to the Apcera Platform to receive and respond to authentication requests from clients. Once the client is authenticated, you use policy to issue the client an access token, and then additional policy to grant access to resources. See Authenticating with the API Server for details on how the authentication process works.
Supported IAM Providers
Apcera supports the following identity providers for cluster deployments:
Basic and Device Auth are not supported for production clusters. In production you should use a supported third-party IAM provider, such as Google Auth, LDAP, AD, or Keycloak.
Configuring ID providers
For production deployments you must configure an identity provider using the cluster.conf file. To do this, you populate the auth_server.identity section of the cluster.conf file as demonstrated below.
"auth_server": {
  "identity": {
    "google": {
      "users": [
        "abc@acme.com",
        "lmn@acme.com",
        "xyz@acme.com"
      ]
    }
  },
  "admins": [
    "abc@acme.com",
    "xyz@acme.com"
  ]
}
Auth Server settings include the identity provider (in this case google) and its users subsection, which is used to authenticate users. Users listed here are issued an access token to log into the cluster and use it. Users in the admins section are granted admin role permissions.
To grant a user both access and admin permissions, the user must be listed in both the users and the admins block. If a user is listed only in users, the user can log in but cannot do anything (has no permissions).
Both the users list for each identity provider and the admins list generate policy. The former get auth tokens, the latter are made members of the admin role. Because these settings each generate policy, they are ignored by the Auth Server after the initial deploy. To add users after your platform is deployed, you use policy.