From 80d451d2d18632abb2a780da0ab907677c04ce3d Mon Sep 17 00:00:00 2001 From: Cole Garbo Date: Mon, 3 Mar 2025 15:25:01 -0500 Subject: [PATCH 1/6] initial draft of identity docs --- .../orchestration-identity/configuration.md | 45 ++++++++ .../orchestration-identity/installation.md | 9 ++ .../self-managed/identity/what-is-identity.md | 21 ++-- sidebars.js | 106 ++++++++++-------- 4 files changed, 123 insertions(+), 58 deletions(-) create mode 100644 docs/self-managed/identity/orchestration-identity/configuration.md create mode 100644 docs/self-managed/identity/orchestration-identity/installation.md diff --git a/docs/self-managed/identity/orchestration-identity/configuration.md b/docs/self-managed/identity/orchestration-identity/configuration.md new file mode 100644 index 00000000000..296be3dd1b1 --- /dev/null +++ b/docs/self-managed/identity/orchestration-identity/configuration.md 
@@ -0,0 +1,45 @@ +--- +id: configuration +title: "Configuration" +description: "Learn about the Identity configuration options available in your Orchestration cluster." +--- + +import Tabs from '@theme/Tabs'; +import TabItem from '@theme/TabItem'; + +As a Spring Boot application, Identity supports any standard +[Spring configuration](https://docs.spring.io/spring-boot/reference/features/external-config.html) method. + + + + + +| Environment variable | Description | Default value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------- | ------------------- | +| `SPRING_PROFILES_ACTIVE` | **Note:** This property will be deprecated as additional authentication methods become available. | `consolidated-auth` | +| `CAMUNDA_SECURITY_AUTHENTICATION_METHOD` | The authentication method to use. | `basic` | +| `CAMUNDA_SECURITY_AUTHENTICATION_UNAUTHENTICATED-API` | If the API is enabled without authentication. | `true` | +| `CAMUNDA_PERSISTENT_SESSIONS_ENABLED` | Enables shared authentication between the Orchestration web applications (Operate and Tasklist). | `true` | +| `CAMUNDA_SECURITY_AUTHORIZATIONS_ENABLED` | If authorizations are enabled. | `true` | +| `CAMUNDA_SECURITY_INITIALIZATION_USERS[0]_USERNAME` | The username of the first user. | `demo` | +| `CAMUNDA_SECURITY_INITIALIZATION_USERS[0]_PASSWORD` | The password of the first user. | `demo` | +| `CAMUNDA_SECURITY_INITIALIZATION_USERS[0]_NAME` | The name of the first user. | Demo | +| `CAMUNDA_SECURITY_INITIALIZATION_USERS[0]_EMAIL` | The email address of the first user. 
| `demo@demo.com` | + + + + +| Helm property | Description | Default value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------- | ------------------- | +| `spring.profiles.active` | **Note:** This property will be deprecated as additional authentication methods become available. | `consolidated-auth` | +| `camunda.security.authentication.method` | The authentication method to use. | `basic` | +| `camunda.security.authentication.unauthenticated-api` | If the API is enabled without authentication. | `true` | +| `camunda.persistent.sessions.enabled` | Enables shared authentication between the Orchestration web applications (Operate and Tasklist). | `true` | +| `camunda.security.authorizations.enabled` | If authorizations are enabled. | `true` | +| `camunda.security.initialization.users[0].username` | The username of the first user. | `demo` | +| `camunda.security.initialization.users[0].password` | The password of the first user. | `demo` | +| `camunda.security.initialization.users[0].name` | The name of the first user. | `Demo` | +| `camunda.security.initialization.users[0].email` | The email address of the first user. | `demo@demo.com` | + + + diff --git a/docs/self-managed/identity/orchestration-identity/installation.md b/docs/self-managed/identity/orchestration-identity/installation.md new file mode 100644 index 00000000000..24218368eab --- /dev/null +++ b/docs/self-managed/identity/orchestration-identity/installation.md 
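Review bot: the environment-variable names in the new configuration.md table (`CAMUNDA_SECURITY_AUTHENTICATION_UNAUTHENTICATED-API` and the `CAMUNDA_SECURITY_INITIALIZATION_USERS[0]_*` rows) contain `-` and `[0]`, which cannot be assigned as variable names in a POSIX shell and are not the form Spring Boot's relaxed binding reads from the environment; that form is upper-case with dots turned into underscores, dashes removed and list indices wrapped in underscores, i.e. `CAMUNDA_SECURITY_AUTHENTICATION_UNAUTHENTICATEDAPI` and `CAMUNDA_SECURITY_INITIALIZATION_USERS_0_USERNAME`. Please verify which names the cluster actually binds and document those, because a variable that does not bind fails silently and the API stays reachable without authentication at its documented default of `true`.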
@@ -0,0 +1,9 @@ +--- +id: installation +title: Installation +description: "Learn how Identity is bundled with your default Orchestration cluster." +--- + +Identity is included by default with the deployment of any [Orchestration cluster](/self-managed/reference-architecture/reference-architecture.md#orchestration-cluster). Within an Orchestration cluster, Identity provides unified, cluster-level identity management and authorizations. + +Identity for Orchestration clusters is available via [Helm install](/self-managed/setup/install.md), and for local development via [Camunda 8 Run](/self-managed/setup/deploy/local/c8run.md). diff --git a/docs/self-managed/identity/what-is-identity.md b/docs/self-managed/identity/what-is-identity.md index 23e155da9cd..a9bd1502039 100644 --- a/docs/self-managed/identity/what-is-identity.md +++ b/docs/self-managed/identity/what-is-identity.md 
@@ -5,7 +5,17 @@ sidebar_label: "What is Identity?" description: "Identity is the component within the Camunda 8 stack responsible for authentication and authorization." --- -Identity is the component within the Camunda 8 stack responsible for authentication and authorization. It allows you to manage: +Identity is the component within the Camunda 8 stack responsible for authentication and authorization. Identity functions differently in Orchestration clusters and in Console and Web Modeler. For more information on these differences, see the Self-Managed [reference architecture](/self-managed/reference-architecture/reference-architecture.md#orchestration-cluster-vs-web-modeler-and-console). + +## Identity for Orchestration clusters + +Identity is included by default in the [Orchestration cluster](/self-managed//reference-architecture/reference-architecture.md#orchestration-cluster), and does not require any external dependencies. For more information, see the Identity [configuration options](/self-managed/identity/orchestration-identity/configuration.md). + +## Identity for Web Modeler and Console + +For [Web Modeler and Console deployments](/self-managed/reference-architecture/reference-architecture.md#), Identity runs as a separate and dedicated component. For more information, see the guides on using an [existing Keycloak](/self-managed/setup/guides/using-existing-keycloak.md) instance, and connecting to an [OIDC provider](/self-managed/setup/guides/connect-to-an-oidc-provider.md). + +Once deployed, Identity manages the following in Web Modeler and Console: - Applications - APIs 
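Review bot: two links in the added what-is-identity.md paragraphs look broken: `/self-managed//reference-architecture/reference-architecture.md#orchestration-cluster` has a doubled slash, and `[Web Modeler and Console deployments](/self-managed/reference-architecture/reference-architecture.md#)` has an empty fragment. Fix the path and point the second link at the intended anchor (the opening paragraph already uses `#orchestration-cluster-vs-web-modeler-and-console`).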
@@ -19,12 +29,3 @@ For example, using Identity you can: - [Create a group](/self-managed/identity/user-guide/groups/create-group.md) to apply a set of roles and authorizations to users. - [Manage resource authorizations](/self-managed/identity/user-guide/authorizations/managing-resource-authorizations.md) to control resource access within the Identity application. - [Utilize configuration variables](/self-managed/identity/deployment/configuration-variables.md). - -## Next steps - -If you're new to Identity, we suggest reviewing our [getting started guide](./getting-started/install-identity.md). - -You can use Identity for authentication with Keycloak. The following guidance can be used during platform installation and deployment: - -- [Use existing Keycloak](/self-managed/setup/guides/using-existing-keycloak.md) -- [Connect to an OIDC provider](/self-managed/setup/guides/connect-to-an-oidc-provider.md) diff --git a/sidebars.js b/sidebars.js index fc5b7993c85..feb5d13eaa3 100644 --- a/sidebars.js +++ b/sidebars.js 
@@ -1368,63 +1368,73 @@ module.exports = { Identity: [ "self-managed/identity/what-is-identity", - "self-managed/identity/getting-started/install-identity", { - "User guide": [ - { - Configuration: [ - "self-managed/identity/user-guide/configuration/making-identity-production-ready", - "self-managed/identity/user-guide/configuration/configure-external-identity-provider", - "self-managed/identity/user-guide/configuration/configure-logging", - "self-managed/identity/user-guide/configuration/connect-to-an-existing-keycloak", - ], - }, - { - Roles: [ - "self-managed/identity/user-guide/roles/add-assign-role", - "self-managed/identity/user-guide/roles/add-assign-permission", - ], - }, - { - Groups: [ - "self-managed/identity/user-guide/groups/create-group", - "self-managed/identity/user-guide/groups/assign-users-roles-to-group", - ], - }, - { - Authorizations: [ - "self-managed/identity/user-guide/authorizations/managing-resource-authorizations", - "self-managed/identity/user-guide/authorizations/managing-user-access", - "self-managed/identity/user-guide/authorizations/generating-m2m-tokens", - ], - }, - { - Tenants: [ - "self-managed/identity/user-guide/tenants/managing-tenants", - ], - }, + "Orchestration cluster Identity": [ + "self-managed/identity/orchestration-identity/installation", + "self-managed/identity/orchestration-identity/configuration", + ], + }, + { + "Identity for Web Modeler and Console": [ + "self-managed/identity/getting-started/install-identity", { - "Mapping rules": [ - "self-managed/identity/user-guide/mapping-rules/managing-mapping-rules", + "User guide": [ + { + Configuration: [ + "self-managed/identity/user-guide/configuration/making-identity-production-ready", + "self-managed/identity/user-guide/configuration/configure-external-identity-provider", + "self-managed/identity/user-guide/configuration/configure-logging", + "self-managed/identity/user-guide/configuration/connect-to-an-existing-keycloak", + ], + }, + { + Roles: [ + 
"self-managed/identity/user-guide/roles/add-assign-role", + "self-managed/identity/user-guide/roles/add-assign-permission", + ], + }, + { + Groups: [ + "self-managed/identity/user-guide/groups/create-group", + "self-managed/identity/user-guide/groups/assign-users-roles-to-group", + ], + }, + { + Authorizations: [ + "self-managed/identity/user-guide/authorizations/managing-resource-authorizations", + "self-managed/identity/user-guide/authorizations/managing-user-access", + "self-managed/identity/user-guide/authorizations/generating-m2m-tokens", + ], + }, + { + Tenants: [ + "self-managed/identity/user-guide/tenants/managing-tenants", + ], + }, + { + "Mapping rules": [ + "self-managed/identity/user-guide/mapping-rules/managing-mapping-rules", + ], + }, + { + "Additional features": [ + "self-managed/identity/user-guide/additional-features/adding-an-api", + "self-managed/identity/user-guide/additional-features/incorporate-applications", + ], + }, ], }, { - "Additional features": [ - "self-managed/identity/user-guide/additional-features/adding-an-api", - "self-managed/identity/user-guide/additional-features/incorporate-applications", + Deployment: [ + "self-managed/identity/deployment/configuration-variables", + "self-managed/identity/deployment/application-monitoring", + "self-managed/identity/deployment/starting-configuration-for-identity", + "self-managed/identity/deployment/resource-management", ], }, + "self-managed/identity/troubleshooting/troubleshoot-identity", ], }, - { - Deployment: [ - "self-managed/identity/deployment/configuration-variables", - "self-managed/identity/deployment/application-monitoring", - "self-managed/identity/deployment/starting-configuration-for-identity", - "self-managed/identity/deployment/resource-management", - ], - }, - "self-managed/identity/troubleshooting/troubleshoot-identity", ], }, { From 932e80340cabb7b626ccf57a464a368339e06c55 Mon Sep 17 00:00:00 2001 
From: Cole Garbo Date: Wed, 5 Mar 2025 14:55:41 -0500 Subject: [PATCH 2/6] add initial configuration options and basic guide --- .../orchestration-identity/configuration.md | 4 ++ .../orchestration-identity/installation.md | 44 +++++++++++++++++++ sidebars.js | 2 +- 3 files changed, 49 insertions(+), 1 deletion(-) diff --git a/docs/self-managed/identity/orchestration-identity/configuration.md b/docs/self-managed/identity/orchestration-identity/configuration.md index 296be3dd1b1..6942ed380d2 100644 --- a/docs/self-managed/identity/orchestration-identity/configuration.md +++ b/docs/self-managed/identity/orchestration-identity/configuration.md @@ -7,8 +7,12 @@ description: "Learn about the Identity configuration options available in your O import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; +:::note As a Spring Boot application, Identity supports any standard [Spring configuration](https://docs.spring.io/spring-boot/reference/features/external-config.html) method. +::: + +The following variables apply globally to all components within the Camunda Orchestration core: Zeebe, Operate, and Tasklist. diff --git a/docs/self-managed/identity/orchestration-identity/installation.md b/docs/self-managed/identity/orchestration-identity/installation.md index 24218368eab..13aa7371a48 100644 --- a/docs/self-managed/identity/orchestration-identity/installation.md +++ b/docs/self-managed/identity/orchestration-identity/installation.md 
@@ -7,3 +7,47 @@ description: "Learn how Identity is bundled with your default Orchestration clus Identity is included by default with the deployment of any [Orchestration cluster](/self-managed/reference-architecture/reference-architecture.md#orchestration-cluster). Within an Orchestration cluster, Identity provides unified, cluster-level identity management and authorizations. Identity for Orchestration clusters is available via [Helm install](/self-managed/setup/install.md), and for local development via [Camunda 8 Run](/self-managed/setup/deploy/local/c8run.md). + +## Initial configuration + +Following the default installation will result in a cluster with the following: + +1. Basic authentication enabled +2. API authentication disabled +3. Authorizations disabled +4. An initial user with the username/password `demo`/`demo` +5. An `admin` role with read, create, update, and delete permissions for other roles + +### Configure basic authentication + +To make changes to the initial configuration, add the desired values via your `application.yaml` or environment variables according to the available [configuration properties](./configuration.md). + +For example, to enable basic authentication and create an initial user, the following is required: + +```yaml +camunda.security: + authentication.unprotected-api: false + initialization.users[0].username: <> + initialization.users[0].password: < + initialization.users[0].name: < + initialization.users[0].email: <> +``` + +### Enable authorizations + +To work with authorizations, API authentication and authorization enforcement must be enabled. 
The following minimal `application.yaml` shows the required configuration for the APIs and authorizations: + +```yaml +camunda.security: + authentication.unprotected-api: false + authorizations.enabled: true +``` + +Basic authentication credentials are then required when making API requests, as in the following: + +```shell +curl --request POST 'http://localhost:8080/v1/process-definitions/search' \ + -u demo:demo \ + --header 'Content-Type: application/json' \ + --data-raw '{}' +``` diff --git a/sidebars.js b/sidebars.js index feb5d13eaa3..b52d7cd5c18 100644 --- a/sidebars.js +++ b/sidebars.js @@ -1369,7 +1369,7 @@ module.exports = { Identity: [ "self-managed/identity/what-is-identity", { - "Orchestration cluster Identity": [ + "Orchestration Cluster Identity": [ "self-managed/identity/orchestration-identity/installation", "self-managed/identity/orchestration-identity/configuration", ], From 83aa024fd05d48b90ece3f2272033ef234fc45bc Mon Sep 17 00:00:00 2001 From: Cole Garbo Date: Wed, 5 Mar 2025 14:57:30 -0500 Subject: [PATCH 3/6] Fix brackets --- .../identity/orchestration-identity/installation.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/self-managed/identity/orchestration-identity/installation.md b/docs/self-managed/identity/orchestration-identity/installation.md index 13aa7371a48..040aee47d85 100644 --- a/docs/self-managed/identity/orchestration-identity/installation.md +++ b/docs/self-managed/identity/orchestration-identity/installation.md @@ -27,10 +27,10 @@ For example, to enable basic authentication and create an initial user, the foll ```yaml camunda.security: authentication.unprotected-api: false - initialization.users[0].username: <> - initialization.users[0].password: < - initialization.users[0].name: < - initialization.users[0].email: <> + initialization.users[0].username: + initialization.users[0].password: + initialization.users[0].name: + initialization.users[0].email: ``` ### Enable authorizations 
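Review bot: the 'Initial configuration' list in installation.md says a default install has API authentication disabled and authorizations disabled (items 2 and 3), but configuration.md in the previous commit gives `camunda.security.authorizations.enabled` a default of `true`; one of the two is wrong and a reader cannot tell which, so please reconcile the defaults in both files. The YAML snippets also use `authentication.unprotected-api` while the configuration tables list `authentication.unauthenticated-api`; the property name has to match or the example changes nothing. Finally, the 'Configure basic authentication' heading and its lead sentence ('to enable basic authentication and create an initial user') do not describe the snippet, which protects the API (`unprotected-api: false`) and seeds a user, while item 1 already states basic authentication is on by default; retitle the section to what the snippet actually configures.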
From 8e5a3159cecc3ac70f0dda41ddcf37e613167583 Mon Sep 17 00:00:00 2001 From: Cole Garbo Date: Thu, 6 Mar 2025 09:52:05 -0500 Subject: [PATCH 4/6] update PR feedback --- .../orchestration-identity/configuration.md | 44 +++++------ .../orchestration-identity/installation.md | 76 +++++++++++++++---- .../self-managed/identity/what-is-identity.md | 2 +- 3 files changed, 83 insertions(+), 39 deletions(-) diff --git a/docs/self-managed/identity/orchestration-identity/configuration.md b/docs/self-managed/identity/orchestration-identity/configuration.md index 6942ed380d2..e7ccf40fd08 100644 --- a/docs/self-managed/identity/orchestration-identity/configuration.md +++ b/docs/self-managed/identity/orchestration-identity/configuration.md 
@@ -18,32 +18,32 @@ The following variables apply globally to all components within the Camunda Orch -| Environment variable | Description | Default value | -| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------- | ------------------- | -| `SPRING_PROFILES_ACTIVE` | **Note:** This property will be deprecated as additional authentication methods become available. | `consolidated-auth` | -| `CAMUNDA_SECURITY_AUTHENTICATION_METHOD` | The authentication method to use. | `basic` | -| `CAMUNDA_SECURITY_AUTHENTICATION_UNAUTHENTICATED-API` | If the API is enabled without authentication. | `true` | -| `CAMUNDA_PERSISTENT_SESSIONS_ENABLED` | Enables shared authentication between the Orchestration web applications (Operate and Tasklist). | `true` | -| `CAMUNDA_SECURITY_AUTHORIZATIONS_ENABLED` | If authorizations are enabled. | `true` | -| `CAMUNDA_SECURITY_INITIALIZATION_USERS[0]_USERNAME` | The username of the first user. | `demo` | -| `CAMUNDA_SECURITY_INITIALIZATION_USERS[0]_PASSWORD` | The password of the first user. | `demo` | -| `CAMUNDA_SECURITY_INITIALIZATION_USERS[0]_NAME` | The name of the first user. | Demo | -| `CAMUNDA_SECURITY_INITIALIZATION_USERS[0]_EMAIL` | The email address of the first user. | `demo@demo.com` | +| Environment variable | Description | Default value | +| --------------------------------------------------- | ------------------------------------------------------------------------------------------------- | ------------------- | +| `SPRING_PROFILES_ACTIVE` | **Note:** This property will be deprecated as additional authentication methods become available. | `consolidated-auth` | +| `CAMUNDA_SECURITY_AUTHENTICATION_METHOD` | The authentication method to use. | `basic` | +| `CAMUNDA_SECURITY_AUTHENTICATION_UNPROTECTED-API` | If the API is enabled without authentication. 
| `true` | +| `CAMUNDA_PERSISTENT_SESSIONS_ENABLED` | Enables shared authentication between the Orchestration web applications (Operate and Tasklist). | `true` | +| `CAMUNDA_SECURITY_AUTHORIZATIONS_ENABLED` | If authorizations are enabled. | `true` | +| `CAMUNDA_SECURITY_INITIALIZATION_USERS[0]_USERNAME` | The username of the first user. | `demo` | +| `CAMUNDA_SECURITY_INITIALIZATION_USERS[0]_PASSWORD` | The password of the first user. | `demo` | +| `CAMUNDA_SECURITY_INITIALIZATION_USERS[0]_NAME` | The name of the first user. | Demo | +| `CAMUNDA_SECURITY_INITIALIZATION_USERS[0]_EMAIL` | The email address of the first user. | `demo@demo.com` | -| Helm property | Description | Default value | -| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------- | ------------------- | -| `spring.profiles.active` | **Note:** This property will be deprecated as additional authentication methods become available. | `consolidated-auth` | -| `camunda.security.authentication.method` | The authentication method to use. | `basic` | -| `camunda.security.authentication.unauthenticated-api` | If the API is enabled without authentication. | `true` | -| `camunda.persistent.sessions.enabled` | Enables shared authentication between the Orchestration web applications (Operate and Tasklist). | `true` | -| `camunda.security.authorizations.enabled` | If authorizations are enabled. | `true` | -| `camunda.security.initialization.users[0].username` | The username of the first user. | `demo` | -| `camunda.security.initialization.users[0].password` | The password of the first user. | `demo` | -| `camunda.security.initialization.users[0].name` | The name of the first user. | `Demo` | -| `camunda.security.initialization.users[0].email` | The email address of the first user. 
| `demo@demo.com` | +| Helm property | Description | Default value | +| --------------------------------------------------- | ------------------------------------------------------------------------------------------------- | ------------------- | +| `spring.profiles.active` | **Note:** This property will be deprecated as additional authentication methods become available. | `consolidated-auth` | +| `camunda.security.authentication.method` | The authentication method to use. | `basic` | +| `camunda.security.authentication.unprotected-api` | If the API is enabled without authentication. | `true` | +| `camunda.persistent.sessions.enabled` | Enables shared authentication between the Orchestration web applications (Operate and Tasklist). | `true` | +| `camunda.security.authorizations.enabled` | If authorizations are enabled. | `true` | +| `camunda.security.initialization.users[0].username` | The username of the first user. | `demo` | +| `camunda.security.initialization.users[0].password` | The password of the first user. | `demo` | +| `camunda.security.initialization.users[0].name` | The name of the first user. | `Demo` | +| `camunda.security.initialization.users[0].email` | The email address of the first user. | `demo@demo.com` | diff --git a/docs/self-managed/identity/orchestration-identity/installation.md b/docs/self-managed/identity/orchestration-identity/installation.md index 040aee47d85..c14a75c49ec 100644 --- a/docs/self-managed/identity/orchestration-identity/installation.md +++ b/docs/self-managed/identity/orchestration-identity/installation.md 
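Review bot: the second table is headed 'Helm property', but its rows are Spring property paths in dotted form (`spring.profiles.active`, `camunda.security.authentication.method`), the same keys the installation.md `application.yaml` snippets use; if the intent is Helm `values.yaml` keys, show the chart's key path instead, otherwise rename the column (for example 'application.yaml property') so readers do not paste these into Helm values. The `CAMUNDA_SECURITY_INITIALIZATION_USERS[0]_NAME` default is still `Demo` without backticks in the environment table while the property table has `` `Demo` ``; align the formatting.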
@@ -1,9 +1,12 @@ --- id: installation -title: Installation +title: Initial setup description: "Learn how Identity is bundled with your default Orchestration cluster." --- +import Tabs from '@theme/Tabs'; +import TabItem from '@theme/TabItem'; + Identity is included by default with the deployment of any [Orchestration cluster](/self-managed/reference-architecture/reference-architecture.md#orchestration-cluster). Within an Orchestration cluster, Identity provides unified, cluster-level identity management and authorizations. Identity for Orchestration clusters is available via [Helm install](/self-managed/setup/install.md), and for local development via [Camunda 8 Run](/self-managed/setup/deploy/local/c8run.md). 
@@ -16,33 +19,74 @@ Following the default installation will result in a cluster with the following: 2. API authentication disabled 3. Authorizations disabled 4. An initial user with the username/password `demo`/`demo` -5. An `admin` role with read, create, update, and delete permissions for other roles - -### Configure basic authentication +5. An `admin` role with read, create, update, and delete permissions for other roles, which is applied to the initial `demo` user To make changes to the initial configuration, add the desired values via your `application.yaml` or environment variables according to the available [configuration properties](./configuration.md). -For example, to enable basic authentication and create an initial user, the following is required: +### Configure an initial user + +The initial user created by the application will be assigned the `admin` role, and can be used for authentication to the web applications and additional role management. + +To create a unique initial user, the following is required in your `application.yaml` or environment variables: + + + ```yaml -camunda.security: - authentication.unprotected-api: false - initialization.users[0].username: - initialization.users[0].password: - initialization.users[0].name: - initialization.users[0].email: +camunda: + security: + initialization: + users: + - username: + password: + name: + email: +``` + + + + +```shell +CAMUNDA_SECURITY_INITIALIZATION_USERS[0]_USERNAME= +CAMUNDA_SECURITY_INITIALIZATION_USERS[0]_PASSWORD= +CAMUNDA_SECURITY_INITIALIZATION_USERS[0]_NAME= +CAMUNDA_SECURITY_INITIALIZATION_USERS[0]_EMAIL= ``` -### Enable authorizations + + -To work with authorizations, API authentication and authorization enforcement must be enabled. 
The following minimal `application.yaml` shows the required configuration for the APIs and authorizations: +### Enable API authentication and authorizations + +By default, basic authentication is enabled on the Camunda web applications, but the API is unprotected, and authorizations are disabled. API protection and authorizations can both be enabled by modifying your `application.yaml` or environment variables: + + + ```yaml -camunda.security: - authentication.unprotected-api: false - authorizations.enabled: true +camunda: + security: + authentication: + unprotected-api: false + authorizations: + enabled: true +``` + + + + +```shell +CAMUNDA_SECURITY_AUTHENTICATION_UNPROTECTED-API=false +CAMUNDA_SECURITY_AUTHORIZATIONS_ENABLED=true ``` + + + +:::note +To enable authorizations, API protection must also be enabled. +::: + Basic authentication credentials are then required when making API requests, as in the following: ```shell diff --git a/docs/self-managed/identity/what-is-identity.md b/docs/self-managed/identity/what-is-identity.md index a9bd1502039..7e0737a0ac1 100644 --- a/docs/self-managed/identity/what-is-identity.md +++ b/docs/self-managed/identity/what-is-identity.md 
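Review bot: the new `shell` fences show `CAMUNDA_SECURITY_INITIALIZATION_USERS[0]_USERNAME=` and `CAMUNDA_SECURITY_AUTHENTICATION_UNPROTECTED-API=false` as shell assignments, but `[`, `]` and `-` are not valid in a shell variable name, so these lines cannot be run as written; either show the Spring Boot environment form (`CAMUNDA_SECURITY_INITIALIZATION_USERS_0_USERNAME`, `CAMUNDA_SECURITY_AUTHENTICATION_UNPROTECTEDAPI`) or present them in the context where they are set, such as a container `env` block. The `:::note` stating that API protection must also be enabled for authorizations should say what happens when `authorizations.enabled: true` is set while `unprotected-api` is left at `true` (ignored, rejected at startup, or enforced only for authenticated requests), since that partial configuration is the one readers are most likely to end up with.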
@@ -5,7 +5,7 @@ sidebar_label: "What is Identity?" description: "Identity is the component within the Camunda 8 stack responsible for authentication and authorization." --- -Identity is the component within the Camunda 8 stack responsible for authentication and authorization. Identity functions differently in Orchestration clusters and in Console and Web Modeler. For more information on these differences, see the Self-Managed [reference architecture](/self-managed/reference-architecture/reference-architecture.md#orchestration-cluster-vs-web-modeler-and-console). +Identity is responsible for authentication and authorization within the Camunda 8 stack. Identity functions differently in Orchestration clusters and in Console and Web Modeler. For more information on these differences, see the Self-Managed [reference architecture](/self-managed/reference-architecture/reference-architecture.md#orchestration-cluster-vs-web-modeler-and-console). ## Identity for Orchestration clusters From 41100be9d34b2644264d3b4ecd87c253663723b2 Mon Sep 17 00:00:00 2001 From: Cole Garbo Date: Thu, 6 Mar 2025 13:22:06 -0500 Subject: [PATCH 5/6] add pr feedback --- .../identity/orchestration-identity/configuration.md | 8 ++++---- .../identity/orchestration-identity/installation.md | 4 ++++ docs/self-managed/identity/what-is-identity.md | 4 +++- 3 files changed, 11 insertions(+), 5 deletions(-) diff --git a/docs/self-managed/identity/orchestration-identity/configuration.md b/docs/self-managed/identity/orchestration-identity/configuration.md index e7ccf40fd08..c7289fbfe51 100644 --- a/docs/self-managed/identity/orchestration-identity/configuration.md +++ b/docs/self-managed/identity/orchestration-identity/configuration.md 
@@ -8,11 +8,11 @@ import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; :::note -As a Spring Boot application, Identity supports any standard +As a Spring Boot application, Camunda 8 supports any standard [Spring configuration](https://docs.spring.io/spring-boot/reference/features/external-config.html) method. ::: -The following variables apply globally to all components within the Camunda Orchestration core: Zeebe, Operate, and Tasklist. +The following variables apply globally to all components within the Camunda Orchestration core: Zeebe, Operate, Tasklist, and Identity. @@ -22,7 +22,7 @@ The following variables apply globally to all components within the Camunda Orch | --------------------------------------------------- | ------------------------------------------------------------------------------------------------- | ------------------- | | `SPRING_PROFILES_ACTIVE` | **Note:** This property will be deprecated as additional authentication methods become available. | `consolidated-auth` | | `CAMUNDA_SECURITY_AUTHENTICATION_METHOD` | The authentication method to use. | `basic` | -| `CAMUNDA_SECURITY_AUTHENTICATION_UNPROTECTED-API` | If the API is enabled without authentication. | `true` | +| `CAMUNDA_SECURITY_AUTHENTICATION_UNPROTECTED-API` | If the API can be used without authentication. | `true` | | `CAMUNDA_PERSISTENT_SESSIONS_ENABLED` | Enables shared authentication between the Orchestration web applications (Operate and Tasklist). | `true` | | `CAMUNDA_SECURITY_AUTHORIZATIONS_ENABLED` | If authorizations are enabled. | `true` | | `CAMUNDA_SECURITY_INITIALIZATION_USERS[0]_USERNAME` | The username of the first user. | `demo` | 
@@ -37,7 +37,7 @@ The following variables apply globally to all components within the Camunda Orch | --------------------------------------------------- | ------------------------------------------------------------------------------------------------- | ------------------- | | `spring.profiles.active` | **Note:** This property will be deprecated as additional authentication methods become available. | `consolidated-auth` | | `camunda.security.authentication.method` | The authentication method to use. | `basic` | -| `camunda.security.authentication.unprotected-api` | If the API is enabled without authentication. | `true` | +| `camunda.security.authentication.unprotected-api` | If the API cane be used without authentication. | `true` | | `camunda.persistent.sessions.enabled` | Enables shared authentication between the Orchestration web applications (Operate and Tasklist). | `true` | | `camunda.security.authorizations.enabled` | If authorizations are enabled. | `true` | | `camunda.security.initialization.users[0].username` | The username of the first user. | `demo` | diff --git a/docs/self-managed/identity/orchestration-identity/installation.md b/docs/self-managed/identity/orchestration-identity/installation.md index c14a75c49ec..19acd0105c6 100644 --- a/docs/self-managed/identity/orchestration-identity/installation.md +++ b/docs/self-managed/identity/orchestration-identity/installation.md @@ -53,6 +53,10 @@ CAMUNDA_SECURITY_INITIALIZATION_USERS[0]_NAME= CAMUNDA_SECURITY_INITIALIZATION_USERS[0]_EMAIL= ``` +:::note +Any other users included in the initialization `user` list will also be granted the `admin` role. +::: + diff --git a/docs/self-managed/identity/what-is-identity.md b/docs/self-managed/identity/what-is-identity.md index 7e0737a0ac1..d41e7ebff8c 100644 --- a/docs/self-managed/identity/what-is-identity.md +++ b/docs/self-managed/identity/what-is-identity.md 
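Review bot: typo in the property table row for `camunda.security.authentication.unprotected-api`: 'If the API cane be used without authentication.' should read 'can be used'; the environment-variable row in the hunk above already has the corrected wording.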
@@ -5,7 +5,9 @@ sidebar_label: "What is Identity?" description: "Identity is the component within the Camunda 8 stack responsible for authentication and authorization." --- -Identity is responsible for authentication and authorization within the Camunda 8 stack. Identity functions differently in Orchestration clusters and in Console and Web Modeler. For more information on these differences, see the Self-Managed [reference architecture](/self-managed/reference-architecture/reference-architecture.md#orchestration-cluster-vs-web-modeler-and-console). +Identity in the Camunda 8 stack is handled by two distinct components: Identity for [Orchestration clusters](#identity-for-orchestration-clusters), and Identity for [Web Modeler and Comsole](#identity-for-web-modeler-and-console). In both cases, Identity is responsible for managing authentication and authorization within the Camunda 8 stack, but each implementation requires different configurations. In the case of Web Modeler and Console, Identity must be set up independently. + +For more information on these differences, see the Self-Managed [reference architecture](/self-managed/reference-architecture/reference-architecture.md#orchestration-cluster-vs-web-modeler-and-console). ## Identity for Orchestration clusters From c1ae591dd3b1dfc7b926bf4f7545286c30c01720 Mon Sep 17 00:00:00 2001 From: Cole Garbo Date: Thu, 6 Mar 2025 13:24:47 -0500 Subject: [PATCH 6/6] comsole typo that's new --- docs/self-managed/identity/what-is-identity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/self-managed/identity/what-is-identity.md b/docs/self-managed/identity/what-is-identity.md index d41e7ebff8c..8a0d4b3e057 100644 --- a/docs/self-managed/identity/what-is-identity.md +++ b/docs/self-managed/identity/what-is-identity.md 
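Review bot: in the installation.md hunk of this commit, the new note refers to the initialization `user` list, but the property is `camunda.security.initialization.users` (and `USERS[0]` in the environment table), so write `users`. Since the note establishes that every account in that list receives the `admin` role, that fact belongs in the body of 'Configure an initial user' rather than only in a side note: an operator who seeds several accounts there is granting each of them full role management, and should see that before adding entries.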
@@ -5,7 +5,7 @@ sidebar_label: "What is Identity?" description: "Identity is the component within the Camunda 8 stack responsible for authentication and authorization." --- -Identity in the Camunda 8 stack is handled by two distinct components: Identity for [Orchestration clusters](#identity-for-orchestration-clusters), and Identity for [Web Modeler and Comsole](#identity-for-web-modeler-and-console). In both cases, Identity is responsible for managing authentication and authorization within the Camunda 8 stack, but each implementation requires different configurations. In the case of Web Modeler and Console, Identity must be set up independently. +Identity in the Camunda 8 stack is handled by two distinct components: Identity for [Orchestration clusters](#identity-for-orchestration-clusters), and Identity for [Web Modeler and Console](#identity-for-web-modeler-and-console). In both cases, Identity is responsible for managing authentication and authorization within the Camunda 8 stack, but each implementation requires different configurations. In the case of Web Modeler and Console, Identity must be set up independently. For more information on these differences, see the Self-Managed [reference architecture](/self-managed/reference-architecture/reference-architecture.md#orchestration-cluster-vs-web-modeler-and-console).