Interfacing with Keycloak through Open Data for Industries

You can interact with Keycloak to manage Open Data for Industries access by using two methods.

  • Direct interaction
    This method uses the Keycloak administrative console and REST API.
  • Open Data for Industries Entitlements service wrapper
    This method uses the Keycloak Java™ SDK and a set of methods that are provided by IBM®.

Direct interaction

The Keycloak Administration Console is considered the best way to create and manage resources. For more information about using the console to manage users, roles, and tokens, see Managing Open Data for Industries users through Keycloak.

Keycloak also features a powerful set of REST endpoints, including the following endpoints for authentication:
  • Token endpoint
    Clients (users and services) can obtain a JSON Web Token (JWT) from this endpoint.
  • Resource management endpoint
    Use this endpoint to create, delete, and query resources.
  • Permission management endpoint
    Use this endpoint to manage user permissions.

For more information about Keycloak endpoints, see https://www.keycloak.org/docs/latest/authorization_services/#_service_protection_api.

Open Data for Industries Entitlements service wrapper

The Entitlements service interacts with Keycloak to standardize the process of user management in Open Data for Industries.

The Entitlements service supports authorization by enabling the following use cases:
  • Data groups are used for data authorization. Examples: data.welldb.viewer, data.welldb.owner.
  • Service groups are used for service authorization. Examples: service.storage.user, service.storage.admin.
  • User groups are used for hierarchical grouping of user and service identities. Examples: users.datalake.viewers, users.datalake.editors.

For each group, a user can be added as an owner or a member. Users who are added as owners have the additional privilege to manage the members of the same group.

The Entitlements service also enforces the following policies:
  • Group naming strategy, which is the structure that must be followed.
  • Group naming convention, which is the name that reflects the type of group. For example, data groups start with the word data, service groups start with the word service, and user groups start with the word user.
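As an added illustration of the group types, the owner/member distinction and the naming policies above (this is example code, not part of the Entitlements service or IBM's SDK), the following models a group as <type>.<entity>.<role>, enforces the type prefix on creation, and lets only owners manage membership. The regular expression and the three-part structure are inferred from the examples on this page and are assumptions, not the product's published schema.

```python
import re
from dataclasses import dataclass, field

# Assumed structure <type>.<entity>.<role>, inferred from the page's examples
# (data.welldb.viewer, service.storage.user, users.datalake.viewers).
GROUP_PATTERN = re.compile(
    r"^(?P<type>data|service|users)\.(?P<entity>[a-z0-9]+)\.(?P<role>[a-z0-9]+)$"
)


def parse_group(name):
    """Return (type, entity, role) for a well-formed group name, else None."""
    m = GROUP_PATTERN.match(name)
    if m is None:
        return None
    return m.group("type"), m.group("entity"), m.group("role")


@dataclass
class Group:
    """An Entitlements-style group with separate owner and member sets."""
    name: str
    owners: set = field(default_factory=set)
    members: set = field(default_factory=set)

    def __post_init__(self):
        # Reject names that violate the naming convention before the group exists.
        if parse_group(self.name) is None:
            raise ValueError(f"group name violates naming convention: {self.name}")

    def add_member(self, actor, user):
        """Only owners may manage membership; plain members get no such privilege."""
        if actor not in self.owners:
            return False
        self.members.add(user)
        return True


def authorized_groups(principal, groups, group_type):
    """Names of groups of one type (data/service/users) the principal belongs to."""
    return sorted(
        g.name
        for g in groups
        if parse_group(g.name)[0] == group_type
        and (principal in g.owners or principal in g.members)
    )


if __name__ == "__main__":
    # Constructed sample data, not real identities.
    viewers = Group("data.welldb.viewer", owners={"alice"})
    print(viewers.add_member("bob", "carol"))  # bob is not an owner -> False
    print(viewers.add_member("alice", "bob"))  # alice is an owner -> True
```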

For more information, see Entitlements API (Open Data for Industries).