Authentication Types and Their Configuration

Deckhouse Observability Platform provides various authentication methods to ensure secure access to the system.

UI Access:

• Email-Password: A standard authentication method where users log in using their email and password. This method is enabled by default.
• External Authentication: For organizations that prefer to use their existing identity management systems, Deckhouse Observability Platform provides authentication through external sources. Currently, the following methods are supported:
  • OIDC (OpenID Connect): A modern authentication standard based on the OAuth 2.0 protocol.
  • LDAP/Active Directory using Dex: Integration with corporate LDAP or Active Directory directories using Dex as an intermediary (requires additional configuration on the Deckhouse Kubernetes Platform’s side).

You can configure the authentication method during system installation by specifying the appropriate settings in the module config. When using external authentication, additional role mapping configuration is required.

API Access:

• API Tokens: An authentication method for interacting with the system through the API. This type of authentication is always enabled.

The User Role Model

A user is an account in the system that has various access rights to different entities within the system. Users interact with the system through the web interface only.

Users can have 4 types of roles:

• Super Administrator: Full access to all system entities, including system settings.
• Administrator: Access to a specific entity, such as organization, space, or project. Automatically applies to nested entities.
• User: Access to a specific entity, such as organization, space, or project. Automatically applies to nested entities.
• Viewer: Read-only access to a specific entity, such as organization, space, or project. Automatically applies to nested entities.

User Role Model

External Authentication

Enabling External Authentication

External authentication allows users of the Deckhouse Observability Platform to use accounts from external systems to log in. Follow the steps below to enable it:

1. Set the mapping for the Super Administrator role:

   • Go to “System Settings” -> “Role Mapping Settings”.
   • Select “Add Mapping”.
   • Fill in the fields:
     • Group Name: the identifier of the external group (e.g., “super-administrator”).
     • Object Type: select “Entire System”.
     • Role: specify “Super Administrator”.
   • Confirm your choice by clicking “Update”.

2. Enable external authorization:

   • If using Dex, preliminary configuration of dexProvider is required.
   • If OIDC is enabled, configure oidc settings in the module config.
   • Enable external authorization in the module config using the command:

     kubectl patch ModuleConfig observability-platform -p '{"spec": {"settings": {"auth": {"mode": "externalAuth"}}}}' --type=merge
     

Once these steps are complete, the system will be ready for external authentication.

Setting Up Role Mapping

Follow the steps below to set up role mapping:

1. Go to “System Settings” -> “Role Mapping Settings”.
2. Click “Add Role Mapping”:
   • Group Name: the name of the group from the external system (e.g., “admins”).
   • Object Type: select the object (“Entire System”, “Organization”, “Space”, “Project”).
   • Parent Object (if applicable).
   • Object Name (if applicable).
   • Role: select one of the role types (Super Administrator, Administrator, User, Read-Only).

The Tokens Role Model

Tokens is an account in the system that has various access rights to different entities within the system. It interacts with the system exclusively through the API.

If a token is created whose scope includes multiple projects, a space, or an organization, such a token is classified as multi-tenant. These tokens are limited to read-only access to monitoring data in the selected scope.