This repository provides a Multi-Cloud IAM Management Framework.
A sub-system of the M-CMP platform for deploying and managing multi-cloud infrastructures.
The Multi-Cloud Authorization and Access Control Framework provides platform account/role management, integrated management of cloud account/access control information, and workspace management functionalities. It offers features compatible with security policy determination, establishment, and enforcement for existing multi-cloud services. Additionally, it provides the capability to establish and manage independent security policies within the framework.
It defines an access control reference model for multi-cloud, distinguishing between user access control and service provider access control. This model adopts a prominent Role-Based Access Control (RBAC) approach and integrates it with existing policy management solutions for application and utilization.
- M-CMP account and role management
  - M-CMP account management / authentication control
  - M-CMP role management / access control
- Multi-cloud workspace management
  - Workspace creation / management
  - Workspace permission / sharing management
- Integrated management of multi-cloud accounts and access control information
  - Permission management between M-CMP accounts and multi-cloud accounts
  - Integrated management of multi-cloud account / access control information
mc-iam-manager can run in any environment with Go 1.19 or later installed, but the OS on which its final operation was verified is Ubuntu 22.0.4. In the PoC environment, Keycloak is a temporary dependency used for user credentials and CSP SAML authentication.
- go : go1.21.0 or later
  ```
  $ go version # go version go1.21.0 linux/amd64
  ```
- buffalo framework : v0.18.8 or later
  ```
  $ buffalo version # INFO[0000] Buffalo version is: v0.18.8
  ```
  - install buffalo
- keycloak : 22.0.3
  - SP (2023.10 AWS, ALI) setting
    - CSP SAML IdP registration and CSP AssumeRole setting required
  - keycloak client setting required
  ```
  # keycloak-22.0.3/conf/keycloak.conf
  # Basic settings for running in production. Change accordingly before deploying the server.

  # Database

  # The database vendor.
  db=postgres

  # The username of the database user.
  db-username={DB user}

  # The password of the database user.
  db-password={DB user password}

  # The full database JDBC URL. If not provided, a default URL is set based on the selected database vendor.
  db-url=jdbc:postgresql://{DB host}/{DB name}

  # Observability

  # If the server should expose healthcheck endpoints.
  #health-enabled=true

  # If the server should expose metrics endpoints.
  #metrics-enabled=true

  # HTTP

  # The file path to a server certificate or certificate chain in PEM format.
  https-certificate-file=${kc.home.dir}conf/server.crt.pem

  # The file path to a private key in PEM format.
  https-certificate-key-file=${kc.home.dir}conf/server.key.pem

  # The proxy address forwarding mode if the server is behind a reverse proxy.
  #proxy=reencrypt

  # Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
  #spi-sticky-session-encoder-infinispan-should-attach-route=false

  # Hostname for the Keycloak server.
  #hostname=myhostname
  ```
- etc
  ```
  $ node -v #v20.5.1
  $ npm -v #9.8.0
  $ yarn -v #3.6.3
  ```
- clone this repository
  ```
  git clone https://github.com/m-cmp/mc-iam-manager
  ```
- write the configuration files, referring to the ones in the repository
  ```
  # mc-iam-manager/.env

  ## NETWORK
  # It doesn't matter if you use it as it is.
  ADDR=0.0.0.0
  PORT=3000

  ## Keycloak Admin and Location
  # If you plan to control the keycloak,
  # enter your admin keycloak account and location, client info.
  KC_admin={Keycloak Admin ID}
  KC_passwd={Keycloak Admin Password}
  KC_uri=https://{Keycloak home url} # SSL

  # OIDC buffalo client info
  KC_realm={buffalo client Realm Name}
  KC_clientID={buffalo client ID}
  KC_clientSecret={buffalo client Secret}

  ## SAML SP Endpoint
  SAML_IDP_Initiated_URL_AWS="https://{Keycloak home url}/realms/{realms Name}/protocol/saml/clients/{client Prefix}"
  SAML_IDP_Initiated_URL_ALI="https://{Keycloak home url}/realms/{realms Name}/protocol/saml/clients/{client Prefix}"
  SAML_user={Test SAML user ID}
  SAML_password={Test SAML user Password}
  ```
  ```
  # mc-iam-manager/database.yml
  # ONLY for $ buffalo dev
  ---
  development:
    dialect: postgres
    database: {DB name}
    user: {DB user name}
    password: {DB user password}
    host: {DB host}
    pool: 5

  # test and production keep Buffalo's generated default URLs
  test:
    url: {{envOr "TEST_DATABASE_URL" "postgres://postgres:postgres@127.0.0.1:5432/myapp_test"}}

  production:
    url: {{envOr "DATABASE_URL" "postgres://postgres:postgres@127.0.0.1:5432/myapp_production"}}
  ```
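A readiness check for the `.env` template above, written here as an added example in Go (it is not part of mc-iam-manager): it parses the dotenv text and reports template placeholders that were left in, a non-https `KC_uri`, SAML IdP-initiated URLs that do not point at the configured Keycloak server, and a client secret equal to the client ID. Only the key names come from the template; the parsing rules (trailing `# comment`, surrounding quotes) are assumptions.

```go
package main

import "strings"

// Keys from the .env template above; every one must be set before `buffalo dev`.
var requiredKeys = []string{"ADDR", "PORT", "KC_admin", "KC_passwd", "KC_uri", "KC_realm", "KC_clientID",
	"KC_clientSecret", "SAML_IDP_Initiated_URL_AWS", "SAML_IDP_Initiated_URL_ALI", "SAML_user", "SAML_password"}

// parseDotenv reads KEY=VALUE lines, ignoring blank and comment lines, a trailing
// " # comment" (the template has `KC_uri=... # SSL`) and surrounding double quotes (assumed format).
func parseDotenv(text string) map[string]string {
	env := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		v, _, _ = strings.Cut(v, " #")
		env[strings.TrimSpace(k)] = strings.Trim(strings.TrimSpace(v), `"`)
	}
	return env
}

// checkEnv returns one finding per problem; an empty result means the file is usable.
// A "{" in a value almost always means a placeholder such as {DB host} was left in.
func checkEnv(env map[string]string) []string {
	var findings []string
	for _, k := range requiredKeys {
		if v := env[k]; v == "" || strings.Contains(v, "{") {
			findings = append(findings, k+": missing or still a template placeholder")
		}
	}
	// The Keycloak admin password is sent to KC_uri, so anything but https is a finding.
	kc := strings.TrimRight(env["KC_uri"], "/")
	if !strings.HasPrefix(kc, "https://") {
		findings = append(findings, "KC_uri: must use https")
	}
	// Each IdP-initiated SAML URL must be a realm SAML client endpoint on that same server.
	for _, k := range []string{"SAML_IDP_Initiated_URL_AWS", "SAML_IDP_Initiated_URL_ALI"} {
		if u := env[k]; !strings.HasPrefix(u, kc+"/realms/") || !strings.Contains(u, "/protocol/saml/clients/") {
			findings = append(findings, k+": not a SAML client endpoint under KC_uri")
		}
	}
	// The OIDC client secret must differ from the client ID (an easy copy-paste slip in the template).
	if env["KC_clientSecret"] == env["KC_clientID"] {
		findings = append(findings, "KC_clientSecret: identical to KC_clientID")
	}
	return findings
}
```

Run `checkEnv(parseDotenv(contents))` on the contents of `mc-iam-manager/.env` before starting `buffalo dev`; every returned line is something the server would otherwise fail on or silently accept.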
- run Keycloak
  ```
  # at the keycloak bin folder
  $ ./kc.sh start-dev
  ```
- run buffalo
  ```
  # at this repo's clone folder
  $ cd mc-iam-manager
  $ buffalo dev
  ```
- Issues/Discussions/Ideas: use the issues of mc-iam-manager