Manage keycloak access by artifact groups

[Bewi42]

Hello,
Is it possible to manage access rights by artifact groups with apicurio and keycloak ?
For instance :
user1 can only access artifacts within group1 (and not the ones within group2)
user2 can only access artifacts within group2 (and not the ones within group1)

Thanks for your answers.

[carlesarnal]

Hi @Bewi42, although is a nice feature, for now, this is not available in Registry. If you would like to see this implemented, please, feel free to create an issue for further discussion.

[Bewi42]

That's nice to hear.
What version of apicurio would be the best to use for multi tenancy ? 2.1.x I suppose ?
Is there any documentation about configuring and running a containerized multi tenant environment with keycloak ?

[carlesarnal]

Yes, Apicurio Registry 2.1.x. No, unfortunately, is not covered yet since we're still working on that and it's not fully supported (the multitenant mode). It will be supported in the future but not right now. By supported I mean fully documented, with docker-compose files etc.

[Bewi42]

Hello,
I'll try to "play" with it and see where I can go by myself.

[EricWittmann]

Please ask questions about setting up a multi-tenant version of registry! I will start you off with some hints. You will need to run two components:

• Registry with multi-tenancy enabled
• The Tenant Manager component (we usually deploy it as a sidecar in a k8s environment)

The Tenant Manager has its own REST API - it is used to manage the fleet of tenants. Each tenant is a "virtual" instance of a Registry, with its own URL. Registry, when multi-tenancy is enabled, consults the tenant manager to ensure that a tenant actually exists. All the registry data goes into the same DB but is segregated in the database using the tenantId, which is a column on all of the relevant tables. This is what provides the data separation.

The problem you will likely have if you enable this is the UI. We haven't done much work getting the UI to work in MT mode. Everything else should be pretty manageable. But as Carles mentioned, this is still a work in progress and not thoroughly documented or supported in the downstream Red Hat product. Yet. :)

[Bewi42]

Hello,
Thanks for the pointers. I'll be sure to ask questions as needed.