Initial draft of identity docs #5133
Conversation
|
👋 🤖 🤔 Hello, @conceptualshark! Did you make your changes in all the right places? These files were changed only in docs/. You might want to duplicate these changes in versioned_docs/version-8.6/.
You may have done this intentionally, but we wanted to point it out in case you didn't. You can read more about the versioning within our docs in our documentation guidelines. |
conceptualshark
added
8.8.0-alpha2
component:docs
| <Tabs> | ||
| <TabItem value="env" label="Environment variables" default> | ||
|
|
||
| | Environment variable | Description | Default value | |
There was a problem hiding this comment.
💭 These variables are applicable to all components in the orchestration cluster so I think we need to find a central home for these. As per @megglos suggestion I wonder if we can create a new area for the Core components?
It may be that its more important to just get this in place regardless and then adjust as we go, happy to align off PR.
There was a problem hiding this comment.
Followed up on the related issue, but I think ideally we move forward with this iteration, and then make additional Core-related changes in subsequent PRs: https://github.com/camunda/documentation-team/issues/465#issuecomment-2701824081
There was a problem hiding this comment.
In favor of having this as a first increment too.
| ], | ||
| }, | ||
| { | ||
| "Identity for Web Modeler and Console": [ |
There was a problem hiding this comment.
💭 How do you feel about positioning this one as Management cluster Identity?
There was a problem hiding this comment.
I would love to have a simple name for this, but right now we use "Web Modeler and Console" throughout the docs. For consistency - and to make it easier to update when/if this gets changed - I'd like to have it match for now.
|
Added @FarkasRabai as a reviewer to get the PM perspective on these Identity docs changes. |
There was a problem hiding this comment.
I've pushed an update to include/respond to @Ben-Sheppard's suggestions, and to incorporate the ACs asked by @megglos in https://github.com/camunda/documentation-team/issues/465
I am sure some of this is incorrect! 😅 Let me know what needs to be updated.
docs/self-managed/identity/orchestration-identity/installation.md
Outdated
Show resolved
Hide resolved
docs/self-managed/identity/orchestration-identity/installation.md
Outdated
Show resolved
Hide resolved
docs/self-managed/identity/orchestration-identity/installation.md
Outdated
Show resolved
Hide resolved
| [Spring configuration](https://docs.spring.io/spring-boot/reference/features/external-config.html) method. | ||
| ::: | ||
|
|
||
| The following variables apply globally to all components within the Camunda Orchestration core: Zeebe, Operate, and Tasklist. |
There was a problem hiding this comment.
Do you know if we need to state anything about Optimize explicitly? In the current 8.8 glossary definition of Orchestration core, we include Optimize but don't mention it here at all.
There was a problem hiding this comment.
I think that Glossary needs updating after this decision https://camunda.slack.com/archives/C01H4NG9XDY/p1740070705216559 where from my understanding Optimize is not considered part of the core orchestration cluster but a separate component.
can you confirm @RomanJRW @felix-mueller @romansmirnov ?
There was a problem hiding this comment.
Yes, this would be true.
The kick-off for Optimize in a dedicated app happened earlier this week. One of the defined action items was for the DRI (@buccarel) to reach out to the Docs team and specify what docs changes need as a result of this decision. This needs a more holistic approach than just tweaks imo
docs/self-managed/identity/orchestration-identity/configuration.md
Outdated
Show resolved
Hide resolved
docs/self-managed/identity/orchestration-identity/installation.md
Outdated
Show resolved
Hide resolved
docs/self-managed/identity/orchestration-identity/configuration.md
Outdated
Show resolved
Hide resolved
| For example, to enable basic authentication and create an initial user, the following is required: | ||
| ### Configure an initial user | ||
|
|
||
| The initial user created by the application will be assigned the `admin` role, and can be used for authentication to the web applications and additional role management. |
There was a problem hiding this comment.
🔧 I'm not sure if it should be noted here or not but the admin role is assigned to all users who are set in the camunda.security.initialization.users list, long term we'd want to refine that IMO but for now thats the functionality
| </Tabs> | ||
|
|
||
| :::note | ||
| To enable authorizations, API protection must also be enabled. |
There was a problem hiding this comment.
👍🏻 this is a great point to note down, in the future we will look to make the application more defensive during start up but its super important to note this otherwise you can get into a broken state :)
| @@ -5,7 +5,7 @@ sidebar_label: "What is Identity?" | |||
| description: "Identity is the component within the Camunda 8 stack responsible for authentication and authorization." | |||
| --- | |||
|
|
|||
| Identity is the component within the Camunda 8 stack responsible for authentication and authorization. Identity functions differently in Orchestration clusters and in Console and Web Modeler. For more information on these differences, see the Self-Managed [reference architecture](/self-managed/reference-architecture/reference-architecture.md#orchestration-cluster-vs-web-modeler-and-console). | |||
| Identity is responsible for authentication and authorization within the Camunda 8 stack. Identity functions differently in Orchestration clusters and in Console and Web Modeler. For more information on these differences, see the Self-Managed [reference architecture](/self-managed/reference-architecture/reference-architecture.md#orchestration-cluster-vs-web-modeler-and-console). | |||
There was a problem hiding this comment.
💭 I'm still wondering if this is the right wording but I don't feel strongly enough that we should block the merging. Identity is responsible really for authorization and for managing the assignments to different entities i.e. groups.
The authentication is handled via Spring in the basic setup or via Spring + the provider in cases of OIDC, we do have a new authentication layer/module but its not really exposed.
There was a problem hiding this comment.
Great start on finally documenting the new configuration properties and guidance on relevant config scenarios!
I'm requesting changes mainly for:
- clarification of default values - as they depend on the distribution
- the installation page being c8run specific while not stating that clearly enough
| import TabItem from '@theme/TabItem'; | ||
|
|
||
| :::note | ||
| As a Spring Boot application, Identity supports any standard |
There was a problem hiding this comment.
🔧 effectively Identity is part of the Camunda 8 application, I would thus keep this statement general with regards to Camunda 8 as spring boot application.
| As a Spring Boot application, Identity supports any standard | |
| As a Spring Boot application, Camunda 8 supports any standard |
| [Spring configuration](https://docs.spring.io/spring-boot/reference/features/external-config.html) method. | ||
| ::: | ||
|
|
||
| The following variables apply globally to all components within the Camunda Orchestration core: Zeebe, Operate, and Tasklist. |
There was a problem hiding this comment.
🔧 the config applies also to identity itself too,
| The following variables apply globally to all components within the Camunda Orchestration core: Zeebe, Operate, and Tasklist. | |
| The following variables apply globally to all components within the Camunda Orchestration core: Zeebe, Operate, Tasklist and Identity. |
| 2. API authentication disabled | ||
| 3. Authorizations disabled |
There was a problem hiding this comment.
❌ this is only true for c8run, for helm we default to a secured setup and both are enabled, as the into mentions both distributions, let's label this guide as c8run specific?
| The following variables apply globally to all components within the Camunda Orchestration core: Zeebe, Operate, and Tasklist. | ||
|
|
||
| <!-- updates must be made to BOTH tables --> | ||
| <Tabs> |
There was a problem hiding this comment.
❓ what is the default config we want to refer to here? Because this differs by distribution, whether it's c8run or helm, based on the second tab it seems helm? I can then provide the actual defaults next. Some like SPRING_PROFILES_ACTIVE are also not relevant then as the user can't control them.
There was a problem hiding this comment.
I see in installation we refer to this as reference from a c8run perspective, I woudl thus suggest to have tabs by distribution c8run and helm. I would omit the ENV variable tab and instead extend the spring boot note by the fact that all properties can be provided as environment variables too, like we do in other places of the docs like here https://docs.camunda.io/docs/next/self-managed/zeebe-deployment/configuration/environment-variables/#environment-variables-for-configuration
There was a problem hiding this comment.
Ideally I think this guide should reflect Helm (and other production-ready distributions when ready) and not C8Run at all, as C8Run is unique, not for production, and its configuration requirements are largely handled on its own page. I assume that other production-ready distributions, when available, would reflect the same defaults as Helm?
We've historically had difficulty with users converting from Helm config to environment variables, and the docs team has discussed listing them out separately as we can - @akeller do you have any input here? My thinking was to start having this available for Docker and other distributions down the line, to prevent our docs from being as Helm-biased a they are now.
(Edit: Recognizing that Helm isn't ready for prod, either - but it will be!)
There was a problem hiding this comment.
My current understanding is C8Run is for onboarding and non-production use cases to get up and running as quickly as possible (and maybe even, ideally, with no configuration?). Since we prioritize the Java Spring dev during onboarding, leading with the Spring configuration makes sense.
Once we start talking about production distributions, things are a bit unclear to me - what's our happy path or recommendation when it comes to config? Default config feels like a PM decision and I would defer to @FarkasRabai and/or @theburi.
I do think we need to be super explicit about Helm config vs. environment variables vs. properties and not expect our users to do the mapping themselves and add _ or . appropriately. We can't just say "follow this pattern" and document the configuration fully in only one way.
🤞 hope this helps. LMK if there if anything else I can clarify.
| 4. An initial user with the username/password `demo`/`demo` | ||
| 5. An `admin` role with read, create, update, and delete permissions for other roles, which is applied to the initial `demo` user | ||
|
|
||
| To make changes to the initial configuration, add the desired values via your `application.yaml` or environment variables according to the available [configuration properties](./configuration.md). |
There was a problem hiding this comment.
❌ you would need to use the --config flag of c8run to make use of an own config, see https://github.com/camunda/camunda-docs/pull/5145/files#diff-5f8b726fad04379e6db620802a56d8916fd1fb90956429487f4b16d80b88afcfR133
|
|
||
| ## Initial configuration | ||
|
|
||
| Following the default installation will result in a cluster with the following: |
There was a problem hiding this comment.
❓ what is the default installation, reading further it seems c8run?
| </TabItem> | ||
| <TabItem value="env" label="Environment variables" default> | ||
|
|
||
| ```shell | ||
| CAMUNDA_SECURITY_INITIALIZATION_USERS[0]_USERNAME=<Your chosen username> | ||
| CAMUNDA_SECURITY_INITIALIZATION_USERS[0]_PASSWORD=<Your chosen password> | ||
| CAMUNDA_SECURITY_INITIALIZATION_USERS[0]_NAME=<The name of the first user> | ||
| CAMUNDA_SECURITY_INITIALIZATION_USERS[0]_EMAIL=<The email address of the first user> | ||
| ``` | ||
|
|
||
| </TabItem> |
There was a problem hiding this comment.
🔧 similar to the configuration page, I would not duplicate config for env var setups, given this conversion is a spring boot feature we can refer to generally.
| </TabItem> | ||
| </Tabs> | ||
|
|
||
| ### Enable API authentication and authorizations |
There was a problem hiding this comment.
🔧 this duplicates pending changes by #5145 shall we link from one to the other instead?
There was a problem hiding this comment.
Would this differ at all if we look at this guide from a Helm default perspective? Otherwise the C8Run guide can point here, but that can be updated separately.
| @@ -5,7 +5,17 @@ sidebar_label: "What is Identity?" | |||
| description: "Identity is the component within the Camunda 8 stack responsible for authentication and authorization." | |||
| --- | |||
|
|
|||
| Identity is the component within the Camunda 8 stack responsible for authentication and authorization. It allows you to manage: | |||
| Identity is responsible for authentication and authorization within the Camunda 8 stack. Identity functions differently in Orchestration clusters and in Console and Web Modeler. For more information on these differences, see the Self-Managed [reference architecture](/self-managed/reference-architecture/reference-architecture.md#orchestration-cluster-vs-web-modeler-and-console). | |||
There was a problem hiding this comment.
🔧 we should indicate these are different identity components indeed
| Identity is responsible for authentication and authorization within the Camunda 8 stack. Identity functions differently in Orchestration clusters and in Console and Web Modeler. For more information on these differences, see the Self-Managed [reference architecture](/self-managed/reference-architecture/reference-architecture.md#orchestration-cluster-vs-web-modeler-and-console). | |
| Identity components are responsible for authentication and authorization within the Camunda 8 stack. There are two different identity components in the stack, one as an integral part of the Orchestration cluster and spanning across orchestration clusters used for Console and Web Modeler access management. For more information on these differences, see the Self-Managed [reference architecture](/self-managed/reference-architecture/reference-architecture.md#orchestration-cluster-vs-web-modeler-and-console). |
There was a problem hiding this comment.
I've tried to clarify this further in the latest update! Once there is a place in the docs for Orchestration cluster docs vs Everything else docs, this page will mostly be able to go away, and I hope this distinction will feel much more separate.
|
@megglos @Ben-Sheppard I've incorporated the last round of feedback, but would like guidance on:
For the second and third points, I think it means the API is protected and authorizations are enabled by default.
|
|
The preview environment relating to the commit 9f6e98a has successfully been deployed. You can access it at https://preview.docs.camunda.cloud/pr-5133/index.html |
Description
Identity (with basic auth) is now bundled in the Orchestration cluster. However, Web Modeler and Console clusters will still need to run Identity independently, and so the older documentation is still relevant.
This PR aims to:
This PR does not address how Identity is used or described elsewhere in the docs, including the Helm chart. I've also moved a bunch of content only in the sidebars, but not yet moved their actual file locations.
Resolves requirements 2 and 3 of https://github.com/camunda/documentation-team/issues/455
Relates to https://github.com/camunda/documentation-team/issues/465
When should this change go live?
bugorsupportlabel)available & undocumentedlabel)holdlabel)low priolabel)PR Checklist
/docsdirectory (version 8.8)./versioned_docs/version-8.7/directory (version 8.7)./versioned_docsdirectory.@camunda/tech-writersunless working with an embedded writer.