Originally published on May 8, 2020 as an IBM Developer Recipe
In this blog we will take a quick stab on configuring Access Control using IBM Cloud IAM and LDAP in CP4I running on IBM Cloud.
To understand the IAM services in IBM Cloud, follow the below link:https://cloud.ibm.com/docs/account?topic=account-iamoverview
1) This article assumes that Access Groups and Access Policies have been set-up with appropriate access to the Openshift Cluster and Schematics workspace in respective Resource Groups. The users required to access CP4I are part of the appropriate Access Groups.
2) It has been tested with CP4I 2020.1.1 running on OCP 4.3 on IBM Cloud
3) An LDAP server. For this demo we have installed an Open LDAP running on a Virtual Server on IBM Cloud. You may follow below link to set-up an Open LDAP server on Ubuntu for POC.
Below diagram shows the quick view of IBM Cloud Identity and Access Management Architecture
Login to CP4I Platform Navigator and go to Cloud Pak Foundation using the ‘admin’ id.
It would land you to ‘Authentication’ page. You can also navigate to Authentication page from Administer –> Identitiy and Access.
Click on ‘Create Connection’. For open ldap, select the ‘Server type’ as ‘Custom’.
Enter Base DN, Bind DN, Password for Bind DN, LDAP connection information and click on ‘Test Connection’. If it’s able to connect to the LDAP server, it will show the message ‘Successful connection’.
Enter the LDAP filter parameters for open ldap.
Group filter: (&(cn=%v)(objectclass=groupOfUniqueNames))
User filter: (&(uid=%v)(objectclass=inetOrgPerson))
Group ID map: *:cn
User ID map: *:uid
Group member ID map: groupOfUniqueNames:uniqueMember
Look at below link to find out LDAP filter parameters for supported types of LDAP servers.
Click on ‘Create’.
You can add more LDAP servers if required.
Now perform below tasks:
– Create teams
– Add IBM Cloud IAM users and/or Open LDAP users/groups into respective teams
– Assign appropriate roles to users/groups within team
– Assign resources (namespaces / projects) to the teams
To do this, go to ‘Teams’ tab and click on ‘Create Team’.
Give the team name and select the domain as ‘Cloud Identity Directory’ to add IBM Cloud IAM users.
Click on ‘Users’ tab, enter IBM id and hit enter. It will pull the IBM id, select it and assign an appropriate role to this user.
Note that before you can add the IBM id here, it should exist in OCP as CP4I IAM service is integrated with OCP. So the IBM id should have access to the OCP and have at least logged-in once in OCP so that his/her id is created there. If it has not been done, it will not be able to find the user.
Click on ‘Add’.
Now let us add one user from open LDAP. Click on Add Users, select domain as your ldap connection name, search a user that exists in LDAP and assign appropriate role. Note that this user doesn’t require to exist in OCP as in case of IBM Cloud IAM user.
Click on Add.
Similarly you can add more users and groups in a team. Depending on the role assigned to Users/Groups, they would be able to perform appropriate tasks. Look at below link to see the permissions associated with different types of roles listed.
Now assign resources to this team. Go to ‘Resources’ tab and click on ‘Manage Resources’.
Select the resources (namespaces/projects) you want this team to access and click on Save.
Similarly you can create more teams, assign resource to those teams and assign appropriate roles to members of those teams.
Now users who have been given access, can login to CP4I platform navigator. If you are logging-in using your IBM Id, you only need to enter username and click on log-in. If you are logging-in using the LDAP server, enter username and password.
If you are logging-in using IBM Id, make sure that you are logged-into OCP console. This is a current known limitation at the time of writing this article.
You can navigate to the respective instance of integration capabilities and perform the tasks as per role assigned to you.
To login to API Connect Cloud Manager and API Manager, you must set-up the user registries for these components. Setting-up the User registries and configuring access control inside API Connect is out of scope for this article. You may follow the instructions at below link to do the same.
*Note: At the time of writing this article, there are some known limitations wrt IBM Cloud IAM integration with CP4I.