Configure and use role-based access control (RBAC) with Flipt, Keycloak, and OPA.
Create the developer role in Keycloak:
1. Open the Realm Roles tab and click Create Role.
2. Enter developer as the role name and description and click Save.

Assign the role to a user:
1. Open the Users tab and select the user.
2. Open the Role Mappings tab and click Assign Role.
3. Select the developer role and click Assign.

Add the roles scope to the flipt client so the roles end up in the token Flipt receives:
1. Open the Client Scopes tab and click roles in the list of client scopes.
2. Open the Mappers tab and click realm roles in the list of mappers.
3. Set the Token Claim Name field to something short like roles.
4. Set the Claim JSON Type field to String.
5. Enable Add to ID token and click Save.

Next, create a Rego policy that allows users with the developer role:
The policy checks for the developer role. If the user has the developer role, the policy allows the request. Otherwise, the request is denied.
The authentication
input is provided by Flipt to OPA and contains the authentication information for the request. This information is specific to the authentication method used to authenticate the request.
More complex policies can be defined to enforce fine-grained access control based on your organization’s requirements. For example, you could define policies that check for specific roles and permissions for different resources or actions.
An example policy that allows users with the developer
role to have full access to the Management API and users with the viewer
role to have read-only access might look like this:
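The two-role policy described above, written out as an added example (this is not the policy from the Flipt guide). It assumes, as the Flipt authorization integration does, that Flipt evaluates the `allow` rule in package `flipt.authz.v1`, that the OIDC claims reach OPA as a JSON string under the metadata key `io.flipt.auth.claims` (an assumption: the exact key depends on the authentication method), and that `input.request.action` carries the Management API action such as `read` or `update`. The test inputs at the bottom are constructed for `opa test` and handle the case where the Keycloak mapper is not multivalued and emits a single string rather than an array.

```rego
# Added example, not the policy from the Flipt guide. Assumptions (labelled):
#  - Flipt evaluates the rule `allow` in package `flipt.authz.v1`.
#  - The OIDC claims reach OPA as a JSON string in
#    input.authentication.metadata["io.flipt.auth.claims"].
#  - input.request.action is the Management API action, e.g. "read" or "update".
package flipt.authz.v1

import rego.v1

default allow := false

# Collect the roles from the "roles" claim added by the Keycloak realm roles mapper.
# The mapper is normally multivalued, so the claim is an array of strings ...
roles contains role if {
	claims := json.unmarshal(input.authentication.metadata["io.flipt.auth.claims"])
	is_array(claims.roles)
	some role in claims.roles
}

# ... but if "Multivalued" is turned off, Keycloak emits a single string instead.
roles contains role if {
	claims := json.unmarshal(input.authentication.metadata["io.flipt.auth.claims"])
	is_string(claims.roles)
	role := claims.roles
}

# developer: full access to every resource and action.
allow if {
	"developer" in roles
}

# viewer: read-only. Any other action falls through to `default allow := false`.
allow if {
	"viewer" in roles
	input.request.action == "read"
}

# Unit tests on constructed inputs; run with: opa test policy.rego
# (the request/authentication shape below is a constructed stand-in for what Flipt sends).
mock_input(roles_claim, action) := {
	"request": {"namespace": "default", "resource": "flag", "action": action},
	"authentication": {
		"method": "METHOD_OIDC",
		"metadata": {"io.flipt.auth.claims": json.marshal({"roles": roles_claim})}
	}
}

test_developer_can_write if {
	allow with input as mock_input(["developer"], "update")
}

test_viewer_can_read if {
	allow with input as mock_input(["viewer"], "read")
}

test_viewer_cannot_write if {
	not allow with input as mock_input(["viewer"], "update")
}

test_single_string_role_claim if {
	allow with input as mock_input("developer", "delete")
}

test_no_roles_denied if {
	not allow with input as mock_input([], "read")
}

test_missing_claims_denied if {
	not allow with input as {"request": {"action": "read"}, "authentication": {"metadata": {}}}
}
```

Because everything falls through to `default allow := false`, a token with no roles claim, an unparseable claim, or an unknown role is denied rather than granted by accident; running `opa test` against the file before pointing Flipt at it catches a mapper misconfiguration (for example a missing `roles` claim) before it shows up as a confusing error in the UI.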
Create a file named policy.rego with the following content:
Then update the flipt.yaml configuration file from the Login with Keycloak guide to enable authorization and specify the path to the Rego policy file:
Once Flipt is running with this configuration, a user who has the developer role should be able to access the Flipt Management API.
You can create a new user in Keycloak that does not have the developer
role to test that the policy is working as expected.
If the user does not have the developer
role, they should receive an error message in the UI or API response.