You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
docs(arc42): Correct Keycloak realm and clarify user management authorization (#39)
Update Keycloak realm name from `gaia-x` to `federated-catalogue-realm` in runtime view sequence diagrams.
Add a new section to the building block view to clarify the dual authorization layers for user management. This distinguishes between the roles required for the catalogue's user/participant API and those for the embedded Keycloak Admin Console, addressing potential confusion regarding client roles versus direct `realm-management` roles.
Copy file name to clipboardExpand all lines: federated-catalogue/src/docs/architecture/chapters/05_building_block_view.adoc
+19Lines changed: 19 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -269,6 +269,25 @@ Additionally, five predefined task-specific composite roles are available:
269
269
270
270
Participant and user management endpoints continue to use the legacy roles directly (Ro-MU-CA, Ro-MU-A, Ro-PA-A).
271
271
272
+
===== User Management and the Keycloak Admin Console
273
+
274
+
User management is governed by two distinct authorization layers:
275
+
276
+
[options="header",cols="1,2,2"]
277
+
|===
278
+
| Layer | Authenticated identity | Required roles
279
+
| Catalogue user/participant API (`/users`, `/participants`) | the catalogue's `federated-catalogue` Keycloak *service account* | `realm-management` roles held by the service account (`view-users`, `query-users`, `manage-users`)
280
+
| Embedded Keycloak Admin Console (the admin UI's user-management iframe) | the *logged-in human user* | the same `realm-management` roles, held by the **user** directly
281
+
|===
282
+
283
+
The catalogue's own user-management endpoints are reached with the catalogue client roles above (`Ro-MU-CA`, `Ro-MU-A`, `Ro-PA-A`); the catalogue server then calls the Keycloak Admin API through its service account, which carries the `realm-management` roles.
284
+
285
+
Note that `ADMIN_ALL` gates the `/admin/**` dashboard endpoints but **does not** authorize user- or participant-management — those require one of `Ro-MU-CA`, `Ro-MU-A`, or `Ro-PA-A` directly. `Ro-MU-CA` (Catalogue Administrator) is the composite that bundles `Ro-MU-A`, `Ro-PA-A`, `Ro-AS-A`, *and* `ADMIN_ALL`, so a Catalogue Administrator can drive both the dashboard and user management; a user holding only `ADMIN_ALL` is rejected from the user-management endpoints.
286
+
287
+
The user-management page additionally embeds the Keycloak Admin Console in an iframe. That console authenticates as the human user, not the service account, so a user must hold the `realm-management` roles (`view-users`, `query-users`, `manage-users`) on `federated-catalogue-realm` to view or manage users through it.
288
+
289
+
NOTE: The catalogue client roles (`Ro-MU-CA`, `Ro-MU-A`, `Ro-PA-A`) and the Keycloak `realm-management` roles are independent. Holding only a catalogue role authorizes the catalogue's user-management API but not the embedded Admin Console; the user sees an empty or forbidden console until granted the `realm-management` roles.
290
+
272
291
==== Core Services (fc-service-core)
273
292
274
293
The Core Services receive calls from the service component and provide the building blocks to support the flows for the different operations.
Parti ->> + Keycloak: GET /realms/gaia-x/groups/{partID}
276
+
Parti ->> + Keycloak: GET /realms/federated-catalogue-realm/groups/{partID}
277
277
Keycloak -->> - Parti: Participant
278
278
279
279
Parti ->> + AssetStore: getById(participantAssetId)
@@ -286,7 +286,7 @@ Notes:
286
286
Note over AssetStore: AssetDeletedEvent is published before commit;<br/>ValidationResultCleanupListener cascades removal of validation results<br/>and ProvenanceCleanupListener cascades removal of provenance credentials —<br/>see _validation_result_storage.
287
287
AssetStore -->> - Parti: Null
288
288
289
-
Parti ->> + Keycloak: DELETE /realms/gaia-x/groups/{partID}
289
+
Parti ->> + Keycloak: DELETE /realms/federated-catalogue-realm/groups/{partID}
290
290
Keycloak -->> - Parti: Participant
291
291
292
292
Parti -->> - API: Participant
@@ -315,7 +315,7 @@ sequenceDiagram
315
315
API ->> + service: getUsers(partId)
316
316
service ->> service: Ro-MU-CA|Ro-Pa-A|Ro-MU-A in User.Roles
317
317
service -->> + dao: selectUsers(partId)
318
-
dao -->> + keycloak: GET /realms/gaia-x/groups/{partId}/users
318
+
dao -->> + keycloak: GET /realms/federated-catalogue-realm/groups/{partId}/users
319
319
keycloak -->> - dao: UserRepresentations
320
320
dao -->> - service: UserProfiles
321
321
service -->> - API:UserProfiles
@@ -344,7 +344,7 @@ sequenceDiagram
344
344
User ->> + API:GET /users/{userId}
345
345
API ->> + service: getUser(userId)
346
346
service -->> + dao: select(userId)
347
-
dao -->> + keycloak: GET /realms/gaia-x/users/{userId}
347
+
dao -->> + keycloak: GET /realms/federated-catalogue-realm/users/{userId}
348
348
keycloak -->> - dao: UserRepresentation
349
349
dao -->> - service: UserProfile
350
350
service ->> service: (Ro-MU-CA in User.Roles) or <br>(Ro-Pa-A or Ro-MU-A in User.Roles and RequestedUser.Participant == User.Participant)
@@ -376,7 +376,7 @@ sequenceDiagram
376
376
API ->> + service: addUser(user)
377
377
service ->> service: Ro-MU-CA|Ro-Pa-A|Ro-MU-A in User.Roles
378
378
service -->> + dao: create(user)
379
-
dao -->> + keycloak: POST /realms/gaia-x/groups/{partId}/users
379
+
dao -->> + keycloak: POST /realms/federated-catalogue-realm/groups/{partId}/users
380
380
keycloak -->> - dao: UserRepresentation
381
381
dao -->> - service: UserProfile
382
382
service -->> - API: UserProfile
@@ -411,7 +411,7 @@ sequenceDiagram
411
411
service ->> service: Ro-MU-CA|Ro-Pa-A|Ro-MU-A in User.Roles
412
412
413
413
service -->> + dao: select(userId)
414
-
dao -->> + keycloak: GET /realms/gaia-x/groups/{partId}/users/{id}
414
+
dao -->> + keycloak: GET /realms/federated-catalogue-realm/groups/{partId}/users/{id}
415
415
keycloak -->> - dao: UserRepresentation
416
416
dao -->> - service: UserProfile
417
417
@@ -420,7 +420,7 @@ sequenceDiagram
420
420
end
421
421
422
422
service ->> + dao: update(userId, user)
423
-
dao -->> + keycloak: PUT /realms/gaia-x/groups/{partId}/users
423
+
dao -->> + keycloak: PUT /realms/federated-catalogue-realm/groups/{partId}/users
424
424
keycloak -->> - dao: UserRepresentation
425
425
426
426
dao -->> - service: UserProfile
@@ -460,7 +460,7 @@ sequenceDiagram
460
460
API ->> + service: updateUser(userId,user)
461
461
service ->> service: Ro-MU-CA|Ro-Pa-A|Ro-MU-A in User.Roles
462
462
service -->> + dao: select(userId)
463
-
dao -->> + keycloak: GET /realms/gaia-x/groups/{partId}/users/{id}
463
+
dao -->> + keycloak: GET /realms/federated-catalogue-realm/groups/{partId}/users/{id}
464
464
keycloak -->> - dao: UserRepresentation
465
465
dao -->> - service: UserProfile
466
466
@@ -469,7 +469,7 @@ sequenceDiagram
469
469
end
470
470
471
471
service ->> + dao: updateRoles(userId, roles)
472
-
dao -->> + keycloak: PUT /realms/gaia-x/groups/{partId}/users
472
+
dao -->> + keycloak: PUT /realms/federated-catalogue-realm/groups/{partId}/users
473
473
keycloak -->> - dao: UserRepresentation
474
474
475
475
dao -->> - service: UserProfile
@@ -499,7 +499,7 @@ sequenceDiagram
499
499
500
500
API ->> + service: deleteUser(userId)
501
501
service -->> + dao: select(userId)
502
-
dao -->> + keycloak: GET /realms/gaia-x/groups/{partId}/users/{id}
502
+
dao -->> + keycloak: GET /realms/federated-catalogue-realm/groups/{partId}/users/{id}
503
503
keycloak -->> - dao: UserRepresentation
504
504
dao -->> - service: UserProfile
505
505
@@ -508,7 +508,7 @@ sequenceDiagram
508
508
end
509
509
510
510
service ->> + dao: delete(userId)
511
-
dao -->> + keycloak: DELETE /realms/gaia-x/groups/{partId}/users/{id}
511
+
dao -->> + keycloak: DELETE /realms/federated-catalogue-realm/groups/{partId}/users/{id}
0 commit comments