docs(authentication): add authentication layer enhancement#52
docs(authentication): add authentication layer enhancement#52chadcrum wants to merge 11 commits into
Conversation
chadcrum
requested review from
Fale,
croadfeldt,
ebichman-1,
gabriel-farache,
gciavarrini,
jenniferubah,
machacekondra,
pkliczewski and
ygalblum
as code owners
chadcrum
changed the title
Introduce the IDM/IAM authentication layer enhancement for DCM, targeting the control-plane monolith architecture. Defines oauth2-proxy as the auth gateway, actor/tenant data models, tenant isolation via TenantScope() query middleware, and CLI authentication via OIDC device flow. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Chad Crum <chadcrum@users.noreply.github.com>
chadcrum
force-pushed
the
flpath-4194-idm-iam-enhancement
branch
from
e2a98dd to
686a0a9
Compare
chadcrum
changed the title
|
Ready for review |
gabriel-farache
left a comment
gabriel-farache
left a comment
There was a problem hiding this comment.
good overall but there are too many implementation details mixes with the global auth architecture.
We can have "implementation orientation" sections but it should not be mixed with the rest of the doc
| - **Operational complexity:** Adds Keycloak as an external dependency for | ||
| production deployments. Mitigated by the built-in local provider as a | ||
| fallback and by reusing existing Red Hat SSO infrastructure. |
There was a problem hiding this comment.
the built-in local provider
is that defined anywhere? And is that something we want? IMO we should have keycloak as a pre-requisites
There was a problem hiding this comment.
The built-in provider is defined in Section 1 under "V1 Implementations." It's there for bootstrap (first admin account before Keycloak is configured) and integration tests.
That said — if we make Keycloak a hard prerequisite, we could drop the built-in provider entirely and seed the initial admin via a DB migration instead. Deploy-time config provides the Keycloak admin's sub claim (e.g., DCM_ADMIN_SUBJECT), and the migration creates the default tenant + admin actor + identity binding. No custom token endpoint, no password hashing, no extra attack surface.
Trade-off is integration tests would need a Keycloak container in CI or a test-only signing key, but that's probably more realistic anyway.
What do you think — Keycloak as a prerequisite with seed migration, or keep the built-in provider for bootstrap/testing flexibility?
There was a problem hiding this comment.
Trade-off is integration tests would need a Keycloak container in CI or a test-only signing key, but that's probably more realistic anyway.
My thoughts exactly
I would have Keycloak as a prerequisite, what @dcm-project/team-dcm thinks about it?
There was a problem hiding this comment.
Agree to have keycloak as prerequisite.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Chad Crum <chadcrum@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Chad Crum <chadcrum@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Chad Crum <chadcrum@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Chad Crum <chadcrum@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Chad Crum <chadcrum@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Chad Crum <chadcrum@users.noreply.github.com>
Agreed — we've started trimming Go-specific implementation details in this review round (removed some code-level references, simplified several sections). I'll continue separating the architecture from implementation as the doc evolves. The data models, sequence diagrams, and API-level integration points stay; the Go function/package references get moved or removed. |
Replace Go code constructs (TenantScope(), router.Use(), Chi router, context.Context, GORM, LRU, oapi-codegen, argon2id, ES256, http.Client, buildHTTPClient, go-jose) with architecture-level descriptions. Keeps data models, sequence diagrams, and API-level integration points. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Chad Crum <chadcrum@users.noreply.github.com>
Links to SP Registration Flow, SP Resource Manager, State Management, and ACM Cluster SP are already in the see-also front matter. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Chad Crum <chadcrum@users.noreply.github.com>
Reviewer feedback — capitalize the project name for readability. GitHub URL kept lowercase (case-sensitive). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Chad Crum <chadcrum@users.noreply.github.com>
Too much implementation detail for the enhancement doc. The version pinning and CVE references can be revisited during implementation. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Chad Crum <chadcrum@users.noreply.github.com>
3 participants
Summary
Enhancement proposal for DCM's authentication layer — FLPATH-4194.
Targets the control-plane monolith architecture: one binary (
dcm-server), one database, in-process domain calls. All technical claims cross-checked against the control-plane codebase.X-Forwarded-User→ actor DB lookup → request context (ActorID,TenantID,ActorType) with LRU cache (60s TTL).TenantScope()GORM query middleware with merge-blocking CI lint rule from day one.DCM_BUILTIN_AUTH).dcm loginvia OIDC Device Authorization Grant + token file for CI/CD.Jira
FLPATH-4194 (epic: FLPATH-3254)
🤖 Generated with Claude Code