/mc-iam-manager

Primary language: Go. License: Apache License 2.0 (Apache-2.0).


M-CMP IAM Manager

This repository provides a Multi-Cloud IAM Management Framework.

A sub-system of the M-CMP platform to deploy and manage Multi-Cloud Infrastructures.

Overview

The Multi-Cloud Authorization and Access Control Framework provides platform account/role management, integrated management of cloud account/access control information, and workspace management functionalities. It offers features compatible with security policy determination, establishment, and enforcement for existing multi-cloud services. Additionally, it provides the capability to establish and manage independent security policies within the framework.

It defines an access control reference model for multi-cloud that distinguishes between user access control and service provider access control. The model adopts the widely used Role-Based Access Control (RBAC) approach and integrates it with existing policy management solutions so that it can be applied in practice.

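  • M-CMP account and role management

    • M-CMP account management / authentication control
    • M-CMP role management / access control
  • Multi-cloud workspace management

    • Workspace creation/management
    • Workspace permission/sharing management
  • Integrated management of multi-cloud account and access control information

    • Permission management between M-CMP accounts and multi-cloud accounts
    • Integrated management of multi-cloud account / access control information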

How to Use

How to Install

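[Installation environment]

mc-iam-manager can run in any environment with Go 1.19 or later installed, but the OS on which its operation was finally verified is Ubuntu 22.0.4. Keycloak is a dependency used temporarily in the PoC environment for user credentials and CSP SAML authentication.

[Dependencies]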

  • go : go1.21.0 >

    $ go version
    # go version go1.21.0 linux/amd64
  • keycloak : 22.0.3

    downloads - Keycloak

    # keycloak-22.0.3/conf/keycloak.conf
    
    # Basic settings for running in production. Change accordingly before deploying the server.
    
    # Database
    
    # The database vendor.
    db=postgres
    
    # The username of the database user.
    db-username={DB user}
    
    # The password of the database user.
    db-password={DB user password}
    
    # The full database JDBC URL. If not provided, a default URL is set based on the selected database vendor.
    db-url=jdbc:postgresql://{DB host}/{DB name}
    
    # Observability
    
    # If the server should expose healthcheck endpoints.
    #health-enabled=true
    
    # If the server should expose metrics endpoints.
    #metrics-enabled=true
    
    # HTTP
    
    # The file path to a server certificate or certificate chain in PEM format.
    https-certificate-file=${kc.home.dir}conf/server.crt.pem
    # The file path to a private key in PEM format.
    https-certificate-key-file=${kc.home.dir}conf/server.key.pem
    
    # The proxy address forwarding mode if the server is behind a reverse proxy.
    #proxy=reencrypt
    
    # Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
    #spi-sticky-session-encoder-infinispan-should-attach-route=false
    
    # Hostname for the Keycloak server.
    #hostname=myhostname
    
  • etc

    $ node -v
    #v20.5.1
    $ npm -v
    #9.8.0
    $ yarn -v
    #3.6.3

[Source installation]

  • clone this repository

    git clone https://github.com/m-cmp/mc-iam-manager

Set mc-iam-manager ‘.env’ and ‘database.yml’

  • You can write it by referring to the files in the repository.

    # mc-iam-manager/.env
    
    ## NETWORK
    # It doesn't matter if you use it as it is.
    ADDR=0.0.0.0 
    PORT=3000
    
    ## Keycloak Admin and Location
    # If you plan to control Keycloak,
    # enter your Keycloak admin account and location, client info.
    KC_admin={Keycloak Admin ID}
    KC_passwd={Keycloak Admin Password}
    KC_uri=https://{Keycloak home url} # SSL
    # OIDC buffalo client info
    KC_realm={buffalo client Realm Name}
    KC_clientID={buffalo client ID}
    KC_clientSecret={buffalo client Secret}
    
    ## SAML SP Endpoint
    SAML_IDP_Initiated_URL_AWS="https://{Keycloak home url}/realms/{realms Name}/protocol/saml/clients/{client Prefix}"
    SAML_IDP_Initiated_URL_ALI="https://{Keycloak home url}/realms/{realms Name}/protocol/saml/clients/{client Prefix}"
    SAML_user={Test SAML user ID}
    SAML_password={Test SAML user Password}
    
    # mc-iam-manager/database.yml
    # ONLY for $ buffalo dev
    
    ---
    development:
      dialect: postgres
      database: {DB name}
      user: {DB user name}
      password: {DB user password}
      host: {DB host}
      pool: 5
    
    test:
      url: {{envOr "TEST_DATABASE_URL" "postgres://postgres:postgres@127.0.0.1:5432/myapp_test"}}
    
    production:
      url: {{envOr "DATABASE_URL" "postgres://postgres:postgres@127.0.0.1:5432/myapp_production"}}
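
A pre-flight check for the `.env` above, as an added example (not part of mc-iam-manager): it flags Keycloak keys that are missing or still hold a `{...}` template placeholder, and a `KC_uri` that is not `https://`. The parser is a simplified KEY=VALUE reader, the brace test is a heuristic, and the sample values are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Keycloak keys from the .env template above.
var required = []string{"KC_admin", "KC_passwd", "KC_uri", "KC_realm", "KC_clientID", "KC_clientSecret"}

// sampleEnv is constructed input (KC_realm left out on purpose), not a real configuration.
const sampleEnv = `KC_admin=admin
KC_passwd={Keycloak Admin Password}
KC_uri=http://keycloak.example.test # SSL
KC_clientID=buffalo
KC_clientSecret=constructed-secret`

// parseEnv reads KEY=VALUE lines, skips # comments, and strips trailing " # ..." and quotes.
func parseEnv(text string) map[string]string {
	env := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		k, v, ok := strings.Cut(strings.TrimSpace(line), "=")
		if !ok || strings.HasPrefix(k, "#") {
			continue
		}
		v, _, _ = strings.Cut(v, " #")
		env[strings.TrimSpace(k)] = strings.Trim(strings.TrimSpace(v), `"`)
	}
	return env
}

// checkEnv returns one finding per problem; an empty result means it passed.
func checkEnv(env map[string]string) []string {
	var out []string
	for _, k := range required {
		if v := env[k]; v == "" {
			out = append(out, k+": missing or empty")
		} else if strings.Contains(v, "{") && strings.Contains(v, "}") {
			out = append(out, k+": template placeholder not replaced")
		}
	}
	if !strings.HasPrefix(env["KC_uri"], "https://") {
		out = append(out, "KC_uri: must use https://")
	}
	return out
}

func main() {
	fmt.Println(strings.Join(checkEnv(parseEnv(sampleEnv)), "\n"))
}
```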
    

Run

  • run Keycloak

    # at the keycloak bin folder
    $ ./kc.sh start-dev
    
  • run buffalo

    # at this repo's clone folder
    $ cd mc-iam-manager
    $ buffalo dev
    

swagger docs

https://m-cmp.github.io/mc-iam-manager/


models

  • mc-iam-manager/buffalo/iammodels
    • Request/response model management

How to Contribute

  • Issues/Discussions/Ideas: Use the issues of mc-iam-manager

License

FOSSA Status