Account Types
User accounts, service accounts, and SSO accounts
Overview
The Config API and Keycloak implement unified auth in a Hydrolix cluster.
The Config API tracks accounts and exposes two endpoints that provide authentication services: Login to Hydrolix and Login to Hydrolix using SSO. By default, every API and network service in the cluster is protected by unified auth.
Administrators can enable Basic access authentication for some services.
Hydrolix supports these account types:
- User accounts - users, locally administered and authenticated
- SSO user accounts - users, authenticated by an external identity provider, a type of user account
- Service accounts - administrative accounts, added by local or SSO users
- basic_auth accounts - administrative accounts, locally authenticated, backed by Kubernetes Secrets rather than the unified auth system
User accounts
User accounts are the traditional username (email address) and password pair and exist locally in a single Hydrolix cluster. To protect sensitive information, account credentials are stored only in the Keycloak system. The Config API identifies users solely by their UUID and delegates all authentication and authorization decisions to Keycloak.
For programmatic access, user accounts can obtain Authorization tokens through the Login to Hydrolix endpoint.
Users with sufficient permissions can use the API or UI to create a new user account and invite the user by email to the cluster. The new account isn't active until the user accepts the invitation and completes the registration process. See User management How-to.
Administrators can modify Account permissions or roles associated with user accounts. See RBAC How-to for examples.
SSO user accounts
Single Sign-On (SSO) accounts support users authenticated by an external identity provider.
SSO accounts behave identically to user accounts when interacting with the Hydrolix UI and services delivered to a web browser.
Administrators must configure their chosen identity providers in the Keycloak system. See Single-Sign On (SSO) for instructions on configuring SSO.
SSO limitations
- SSO accounts use a different login workflow, Login to Hydrolix using SSO
- SSO users can't create or fetch an Authorization token for their own account
- For programmatic access, SSO users can instead create auth tokens for Service accounts, or use a workaround that relies on browser session cookies
Service accounts
Service accounts are typically used for programmatic access to services. These accounts exist locally in a Hydrolix cluster, managed using the Config API.
- SSO and user accounts with sufficient permissions can create service accounts and service account tokens.
- Service accounts have no password and can't log in. Instead, they are identified by manageable, long-lived authorization tokens that grant access to services.
- Users with permission to manage service accounts may create, revoke, and delete authorization tokens with a lifetime chosen at creation time. See Service Accounts How-to.
basic_auth accounts
Each cluster runs a reverse proxy that handles internal load balancing among pods and nodes, along with other application routing services.
Kubernetes administrators may install configurations into this reverse proxy so that some services accept Basic access authentication, known as basic auth.
Basic auth credentials are independent of, and unknown to, unified auth: they live in Kubernetes Secrets consumed by the proxy, not in Keycloak, so disabling a user or revoking a service account token has no effect on basic auth access, and rotating a basic auth credential has no effect on unified auth. See also Enable Basic Auth.
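The two programmatic paths this page describes (service account tokens checked by unified auth, and basic auth credentials held separately by the reverse proxy) are modelled below in an added, self-contained example. It is illustrative code written for this page, not Hydrolix's implementation and not the Config API: the class names, the token format, the hashing choices, the sample account and the credentials are all assumptions. It shows the properties the text states: a service account has no password and is only ever identified by a token that was issued with a chosen lifetime, tokens stop working when they expire or are revoked, and a basic auth check lives in a separate credential store that unified auth never consults.

```python
"""Toy model of unified auth (bearer tokens for service accounts) next to
proxy-side basic auth. Added example; not Hydrolix code."""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class ServiceAccount:
    name: str
    uuid: str


@dataclass
class TokenRecord:
    account: ServiceAccount
    token_hash: bytes   # only a hash is stored; the token is shown once, at issue time
    expires_at: float
    revoked: bool = False


class UnifiedAuthModel:
    """Service-account tokens with a chosen lifetime; revocable and deletable."""

    def __init__(self, now: Callable[[], float]):
        self._now = now  # injected clock so expiry can be tested offline
        self._tokens: Dict[str, TokenRecord] = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def issue_token(self, account: ServiceAccount, lifetime_s: int) -> str:
        """Assumed token format '<id>.<secret>': the id locates the record, the secret proves it."""
        token_id = secrets.token_hex(8)
        token = f"{token_id}.{secrets.token_urlsafe(32)}"
        self._tokens[token_id] = TokenRecord(account, self._digest(token), self._now() + lifetime_s)
        return token

    def revoke_token(self, token_id: str) -> None:
        self._tokens[token_id].revoked = True  # record kept, token no longer accepted

    def delete_token(self, token_id: str) -> None:
        del self._tokens[token_id]

    def authenticate(self, token: str) -> Optional[ServiceAccount]:
        token_id, _, _ = token.partition(".")
        rec = self._tokens.get(token_id)
        if rec is None or rec.revoked or rec.expires_at <= self._now():
            return None
        if not hmac.compare_digest(rec.token_hash, self._digest(token)):
            return None
        return rec.account


class ProxyBasicAuth:
    """Separate credential store for the reverse proxy; unified auth never sees it."""

    def __init__(self, users: Dict[str, str]):
        self._users: Dict[str, Tuple[bytes, bytes]] = {}
        for user, password in users.items():
            salt = secrets.token_bytes(16)
            self._users[user] = (salt, self._kdf(password, salt))

    @staticmethod
    def _kdf(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check(self, user: str, password: str) -> bool:
        entry = self._users.get(user)
        if entry is None:
            return False
        salt, expected = entry
        return hmac.compare_digest(expected, self._kdf(password, salt))


def authorize(header: Optional[str], unified: UnifiedAuthModel,
              proxy: Optional[ProxyBasicAuth]) -> Optional[str]:
    """Dispatch on the Authorization scheme; returns a principal label or None."""
    if not header:
        return None
    scheme, _, value = header.partition(" ")
    if scheme.lower() == "bearer":
        acct = unified.authenticate(value.strip())
        return f"service:{acct.name}" if acct else None
    if scheme.lower() == "basic" and proxy is not None:  # proxy is None for services without basic auth
        try:
            user, _, password = base64.b64decode(value.strip(), validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        return f"basic:{user}" if proxy.check(user, password) else None
    return None


def demo() -> Dict[str, Optional[str]]:
    """Walk the token lifecycle with a fake clock; returns the outcome of each request."""
    clock = [1_000_000.0]
    unified = UnifiedAuthModel(now=lambda: clock[0])
    proxy = ProxyBasicAuth({"ops": "correct horse"})  # constructed sample credential
    bot = ServiceAccount("ingest-bot", "00000000-0000-4000-8000-000000000001")  # constructed
    token = unified.issue_token(bot, lifetime_s=3600)
    good_basic = base64.b64encode(b"ops:correct horse").decode()
    bad_basic = base64.b64encode(b"ops:wrong").decode()
    results = {
        "bearer_ok": authorize(f"Bearer {token}", unified, proxy),
        "bearer_tampered": authorize(f"Bearer {token}x", unified, proxy),
        "basic_ok": authorize(f"Basic {good_basic}", unified, proxy),
        "basic_no_proxy_config": authorize(f"Basic {good_basic}", unified, None),
        "basic_bad_password": authorize(f"Basic {bad_basic}", unified, proxy),
    }
    clock[0] += 3601  # past the token's lifetime
    results["bearer_expired"] = authorize(f"Bearer {token}", unified, proxy)
    clock[0] -= 3601
    unified.revoke_token(token.split(".")[0])
    results["bearer_revoked"] = authorize(f"Bearer {token}", unified, proxy)
    return results
```

The point to notice is in `authorize`: a revoked or expired token fails closed regardless of what the proxy holds, and a valid basic auth credential is accepted only where the proxy was configured for it, with no lookup in the unified auth store either way.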