Users and roles management subsystem


1. Overview

The subsystem provides user management, authentication and authorization settings, single sign-on (SSO), and integration with external Identity Providers in the Registry Platform.

2. Subsystem functions

  • User authentication

  • User authorization

  • User and roles management

  • Authentication mechanisms configuration

3. Subsystem technical design

Diagram: user management.drawio

Several authentication methods are available on the Platform:

4. Subsystem components

Components (Component name / Namespace / Representation in Registry / Source / Repository / Function):

Component name: Users and roles management service
  Namespace: user-management
  Representation in Registry: keycloak
  Source: 3rd-party
  Function: User authentication and authorization

Component name: Keycloak operational database
  Namespace: user-management
  Representation in Registry: keycloak-postgresql
  Source: 3rd-party
  Repository: -
  Function: Data and configurations storage

Component name: Digital signature service
  Namespace: user-management
  Representation in Registry: digital-signature-ops
  Source: origin
  Repository: gerrit:/mdtu-ddm/low-code-platform/platform/backend/applications/digital-signature-ops
  Function: Digital signature component that utilizes the IIT Java signature library to provide digital signature functionality

Component name: Keycloak operator
  Namespace: user-management
  Representation in Registry: keycloak-operator
  Source: epam-origin
  Repository: gerrit:/mdtu-ddm/devops/keycloak
  Function: Authentication service configuration management

Component name: OpenShift OAuth
  Namespace: openshift-authentication
  Representation in Registry: oauth-openshift
  Source: 3rd-party
  Repository: -
  Function: Internal OAuth server in OpenShift that provides authentication and authorization inside the container orchestration platform. Integrates with Keycloak

Component name: User group synchronization operator
  Namespace: group-sync-operator
  Representation in Registry: group-sync-operator-controller-manager
  Source: 3rd-party
  Function: Synchronization of users and roles between OpenShift and Keycloak
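As an added example (not the platform's own manifest), the following OAuth resource shows how the OpenShift OAuth server listed above delegates cluster login to Keycloak over OpenID Connect; the realm name, client id, secret name and hostnames are assumptions.

```yaml
# Added example (not the platform's own manifest): OpenShift OAuth server
# delegating cluster login to Keycloak over OpenID Connect.
# Assumed values: realm "registry", client id "openshift", secret name
# "keycloak-oidc-secret", hostnames keycloak.example.test / apps.example.test.
#
# The client secret is stored in a Secret in the openshift-config namespace:
#   oc create secret generic keycloak-oidc-secret \
#     --from-literal=clientSecret=<value from the Keycloak client> \
#     -n openshift-config
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: keycloak
    # "claim" fails the login when the preferred username is already mapped
    # to an identity from another provider, instead of silently merging them.
    mappingMethod: claim
    type: OpenID
    openID:
      clientID: openshift
      clientSecret:
        name: keycloak-oidc-secret
      # Map Keycloak token claims onto OpenShift user fields.
      claims:
        preferredUsername:
        - preferred_username
        name:
        - name
        email:
        - email
      # OpenShift runs OIDC discovery against
      # <issuer>/.well-known/openid-configuration and verifies id_token
      # signatures with the realm's published keys; the issuer must be HTTPS.
      # The "/auth" prefix applies to pre-Quarkus Keycloak distributions.
      issuer: https://keycloak.example.test/auth/realms/registry
```

On the Keycloak side the confidential client `openshift` must list `https://oauth-openshift.apps.example.test/oauth2callback/keycloak` as a valid redirect URI; group membership is not carried by this claim mapping and is handled by the separate group synchronization operator listed above.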

5. Technology stack

The following technologies were used in system design and development:

6. Subsystem quality attributes

6.1. Security

The subsystem was designed with security in mind and supports several authentication protocols, including OpenID Connect, OAuth 2.0 and SAML, providing a secure authentication and authorization mechanism.

6.2. Scalability

The subsystem was designed to support a large number of users and heavy traffic, so it can be scaled as required by means of the container orchestration platform.

You can learn more in the following section: Container orchestration platform

6.3. Reliability

The users and roles management subsystem is highly available and operates effectively under different workloads. It was designed to handle large numbers of simultaneous user interactions and to manage user data efficiently without performance degradation.

6.4. Observability

The users and roles management subsystem supports logging of incoming requests and gathering of performance metrics for further analysis via the web interfaces of the corresponding Platform subsystems.

Find more information on subsystems design in the corresponding sections: