MTA-6893 Document Hub OIDC authentication#382
Conversation
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughThis PR adds documentation for Hub OIDC, LDAP, local authentication, identity providers, API keys, URI templating, CLI authentication, and VS Code integration. It also updates guide wiring, Keycloak content, RBAC descriptions, and profile-analysis procedures. ChangesAuthentication and documentation guide updates
Estimated code review effort: 3 (Moderate) | ~30 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 9
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
docs/topics/mta-install/con_roles-personas-users-permissions.adoc (1)
9-19: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick winKeep the role count aligned with the new list.
The intro still says the product uses three roles, but the page now documents four (
admin,architect,migrator, andproject-manager). Readers will otherwise get conflicting guidance.💡 Suggested fix
-The {ProductFullName} uses three roles, each corresponding to a persona. +The {ProductFullName} uses four roles, each corresponding to a persona.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/topics/mta-install/con_roles-personas-users-permissions.adoc` around lines 9 - 19, The intro text in con_roles-personas-users-permissions.adoc still says there are three roles, but the role list now includes four personas. Update the opening description near the role overview to match the expanded set of roles documented in the same section, and keep the count consistent with admin, architect, migrator, and project-manager so the narrative and bullets align.docs/topics/mta-install/proc_accessing-rhbk-admin-console.adoc (1)
17-20: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick winParameterize the secret lookup namespace.
The command hard-codes
openshift-mta, but the prose says the secret lives in the namespace where you installed the product. That makes the instruction fail for any non-default installation.💡 Suggested fix
-$ *oc get secret mta-keycloak-rhbk -n openshift-mta -o json| jq -r '.data.password | `@base64d`'* +$ *oc get secret mta-keycloak-rhbk -n _<namespace>_ -o json | jq -r '.data.password | `@base64d`'*🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/topics/mta-install/proc_accessing-rhbk-admin-console.adoc` around lines 17 - 20, The secret lookup in the RHBK admin console access instructions is hard-coded to the default namespace, which conflicts with the surrounding guidance. Update the command to use the installation namespace consistently, matching the prose that refers to the namespace where {ProductShortName} was installed, so the documented lookup works regardless of the chosen namespace.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/topics/mta-install/con_scope_rhbk.adoc`:
- Line 9: The abstract sentence in the con_scope_rhbk.adoc topic is incomplete
and ends mid-thought, so update the opening sentence to be a complete,
grammatical statement. Edit the introductory text in this topic so it fully
expresses the intended idea about simplifying role and scope management for
{ProductShortName} Hub OpenID Connect (OIDC) in RHBK, and make sure the abstract
no longer renders as a fragment.
In `@docs/topics/mta-install/proc_configure-identity-provider-cr.adoc`:
- Around line 32-38: The IdentityProvider example is using schema metadata under
primary instead of a real boolean value, making the manifest invalid. Update the
primary field in the sample manifest to an actual boolean value and remove the
description/type fragment, keeping the example aligned with the IdentityProvider
CR structure in proc_configure-identity-provider-cr.adoc.
In `@docs/topics/mta-install/proc_create-custom-resource-ldap-federation.adoc`:
- Around line 55-59: The LDAP federation example contains a malformed group
filter in the custom resource snippet, so update the groupFilter value in the
example to use the correctly balanced expression in the
proc_create-custom-resource-ldap-federation content. Make sure the filter string
in the LDAP configuration example matches the intended pattern with the missing
closing brace added, and verify the surrounding password and userFilter fields
remain unchanged.
In `@docs/topics/mta-install/proc_create-secret-idp-client.adoc`:
- Around line 19-40: The procedure text is inconsistent: the secret example
creates idp-client-secret.yaml, but the apply step in the same section still
refers to ldap-secret.yaml. Update the apply instruction in
proc_create-secret-idp-client.adoc to use the same filename as the generated
Secret definition, and keep the wording aligned with the idp-client-secret
resource so users can apply the file they just created.
In `@docs/topics/mta-install/proc_enable-authentication-cr.adoc`:
- Around line 18-23: The procedure mixes an interactive edit flow with a
file-based apply flow, which makes the steps inconsistent. Update the steps
around the Edit the tackle CR section so they use one approach only: either keep
the oc edit command in the relevant procedure content and remove any later
apply-tackle-yaml wording, or switch the whole flow to a file edit plus oc apply
pattern and reference the same CR editing step consistently. Make sure the
instructions in the authentication procedure stay aligned with the chosen flow
across the affected sections.
- Around line 34-45: The example under the YAML source block uses invalid
key/value assignment syntax and quoted booleans, so update the snippet in the
authentication procedure to use standard YAML mappings and plain boolean values.
Fix the `spec` example by replacing the `=`-style entries with YAML `:` pairs
and removing quotes from boolean-like values so it can be copied and parsed
correctly.
In `@docs/topics/mta-install/ref_authentication-fields-tackle-cr.adoc`:
- Line 13: Fix the wording in the JWT payload description by changing “personal
identifiable information” to “personally identifiable information” in the
authentication-fields content. Update the sentence in the documentation text
only, keeping the rest of the explanation about token lifespan and role updates
unchanged.
In
`@docs/topics/mta-install/ref_logic-operators-rule-semantics-ldap-mappings.adoc`:
- Around line 13-17: The LDAP wildcard examples in the rule-semantics doc are
inconsistent with the stated case-sensitive matching behavior. Update the
affected example patterns and sample values in the LDAP mappings section so the
wildcard matches use the same casing as the CN values returned by the server,
keeping the examples aligned with the case-sensitive rule. Use the existing
wildcard/matching examples in this document as the reference points and make the
pattern/value pairs consistent throughout the affected mappings.
In `@docs/topics/vscode/proc_configure-oidc-authentication-ide-extension.adoc`:
- Line 33: The wording in the OIDC authentication doc implies the extension
stores the IdP password locally, which should be avoided. Update the sentence in
the documentation text to describe reauthentication as token/session reuse or
refreshed permissions instead of “saved password,” keeping the meaning centered
on the existing auth session and permission renewal.
---
Outside diff comments:
In `@docs/topics/mta-install/con_roles-personas-users-permissions.adoc`:
- Around line 9-19: The intro text in con_roles-personas-users-permissions.adoc
still says there are three roles, but the role list now includes four personas.
Update the opening description near the role overview to match the expanded set
of roles documented in the same section, and keep the count consistent with
admin, architect, migrator, and project-manager so the narrative and bullets
align.
In `@docs/topics/mta-install/proc_accessing-rhbk-admin-console.adoc`:
- Around line 17-20: The secret lookup in the RHBK admin console access
instructions is hard-coded to the default namespace, which conflicts with the
surrounding guidance. Update the command to use the installation namespace
consistently, matching the prose that refers to the namespace where
{ProductShortName} was installed, so the documented lookup works regardless of
the chosen namespace.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 99b03a36-019c-470c-8093-669f2184f268
📒 Files selected for processing (30)
assemblies/mta-install-title/assembly_basic-authentication-local-users.adocassemblies/mta-install-title/assembly_hub-oidc-authentication.adocassemblies/mta-install-title/assembly_identity-provider-authentication.adocassemblies/mta-install-title/assembly_installing-mta-ui.adocassemblies/mta-install-title/assembly_ldap-authentication.adocassemblies/mta-install-title/assembly_red-hat-build-of-keycloak.adocassemblies/mta-install-title/assembly_uri-templating-wildcard-patterns.adocdocs/install-guide/master.adocdocs/topics/mta-install/con_administrative-tasks.adocdocs/topics/mta-install/con_keycloak-migration.adocdocs/topics/mta-install/con_ldap-token-lifecycle.adocdocs/topics/mta-install/con_roles-personas-users-permissions.adocdocs/topics/mta-install/con_scope_rhbk.adocdocs/topics/mta-install/con_why-use-hub-oidc.adocdocs/topics/mta-install/proc_accessing-rhbk-admin-console.adocdocs/topics/mta-install/proc_add-users-assign-roles-web-console.adocdocs/topics/mta-install/proc_change-password-web-console.adocdocs/topics/mta-install/proc_configure-identity-provider-cr.adocdocs/topics/mta-install/proc_create-custom-resource-ldap-federation.adocdocs/topics/mta-install/proc_create-custom-role-assign-permissions.adocdocs/topics/mta-install/proc_create-secret-idp-client.adocdocs/topics/mta-install/proc_enable-authentication-cr.adocdocs/topics/mta-install/ref_authentication-fields-tackle-cr.adocdocs/topics/mta-install/ref_logic-operators-rule-semantics-ldap-mappings.adocdocs/topics/mta-install/ref_openldap-active-directory-configurations.adocdocs/topics/mta-install/ref_uri-template-variables.adocdocs/topics/mta-install/ref_uri-wildcard-patterns.adocdocs/topics/vscode/proc_configure-oidc-authentication-ide-extension.adocdocs/topics/vscode/proc_vscode-analyzing-application-using-profiles.adocdocs/vs-code-extension-guide/master.adoc
💤 Files with no reviewable changes (1)
- assemblies/mta-install-title/assembly_installing-mta-ui.adoc
| clientSecret: | ||
| name: idp-client-secret | ||
| namespace: openshift-mta | ||
| redirectURI: "https://hub.example.com/oidc/idp/callback" | ||
| primary: | ||
| description: IdP is the primary authentication method. When true, users are automatically redirected to this IdP for authentication. | ||
| type: boolean |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Replace the schema fragment with an actual field value.
The sample manifest puts description and type under primary, which makes the YAML invalid for an IdentityProvider CR. This should be a boolean field in the example, not schema metadata.
🛠️ Proposed fix
- primary:
- description: IdP is the primary authentication method. When true, users are automatically redirected to this IdP for authentication.
- type: boolean
+ primary: true📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| clientSecret: | |
| name: idp-client-secret | |
| namespace: openshift-mta | |
| redirectURI: "https://hub.example.com/oidc/idp/callback" | |
| primary: | |
| description: IdP is the primary authentication method. When true, users are automatically redirected to this IdP for authentication. | |
| type: boolean | |
| clientSecret: | |
| name: idp-client-secret | |
| namespace: openshift-mta | |
| redirectURI: "https://hub.example.com/oidc/idp/callback" | |
| primary: true |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/topics/mta-install/proc_configure-identity-provider-cr.adoc` around
lines 32 - 38, The IdentityProvider example is using schema metadata under
primary instead of a real boolean value, making the manifest invalid. Update the
primary field in the sample manifest to an actual boolean value and remove the
description/type fragment, keeping the example aligned with the IdentityProvider
CR structure in proc_configure-identity-provider-cr.adoc.
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
docs/topics/mta-install/proc_create-secret-idp-client.adoc (1)
19-40: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick winUse an underscore-separated placeholder here.
_<idp-client-secret>.yaml_violates the repo’s AsciiDoc placeholder convention. Please switch this example and theoc applycommand to either a concrete filename or an underscore-separated placeholder, e.g._<idp_client_secret>.yaml_.🛠 Suggested edit
- Create a secret such as `_<idp-client-secret>.yaml_`: + Create a secret such as `_<idp_client_secret>.yaml_`: ... -$ *oc apply -f `_<idp-client-secret>.yaml_`* +$ *oc apply -f `_<idp_client_secret>.yaml_`*🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/topics/mta-install/proc_create-secret-idp-client.adoc` around lines 19 - 40, The example filename placeholder for the secret manifest should follow the repo’s AsciiDoc underscore-separated convention. Update the placeholder used in the secret creation step and the `oc apply` command in `proc_create-secret-idp-client.adoc` to use a concrete filename or an underscore-separated placeholder such as `_<idp_client_secret>.yaml_`, keeping the references consistent across the `idp-client-secret` instructions.Source: Learnings
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In `@docs/topics/mta-install/proc_create-secret-idp-client.adoc`:
- Around line 19-40: The example filename placeholder for the secret manifest
should follow the repo’s AsciiDoc underscore-separated convention. Update the
placeholder used in the secret creation step and the `oc apply` command in
`proc_create-secret-idp-client.adoc` to use a concrete filename or an
underscore-separated placeholder such as `_<idp_client_secret>.yaml_`, keeping
the references consistent across the `idp-client-secret` instructions.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 71d6f329-b59f-4b61-a017-2b69f1d2ed9c
📒 Files selected for processing (22)
assemblies/mta-install-title/assembly_hub-oidc-authentication.adocassemblies/mta-install-title/assembly_identity-provider-authentication.adocassemblies/mta-install-title/assembly_red-hat-build-of-keycloak.adocdocs/install-guide/master.adocdocs/topics/mta-install/con_administrative-tasks.adocdocs/topics/mta-install/con_keycloak-migration.adocdocs/topics/mta-install/con_ldap-token-lifecycle.adocdocs/topics/mta-install/con_mta-features.adocdocs/topics/mta-install/con_scope_rhbk.adocdocs/topics/mta-install/con_why-use-hub-oidc.adocdocs/topics/mta-install/proc_add-users-assign-roles-web-console.adocdocs/topics/mta-install/proc_configure-identity-provider-cr.adocdocs/topics/mta-install/proc_create-custom-resource-ldap-federation.adocdocs/topics/mta-install/proc_create-custom-role-assign-permissions.adocdocs/topics/mta-install/proc_create-secret-idp-client.adocdocs/topics/mta-install/proc_enable-authentication-cr.adocdocs/topics/mta-install/ref_authentication-fields-tackle-cr.adocdocs/topics/mta-install/ref_custom-resource-settings.adocdocs/topics/mta-install/ref_logic-operators-rule-semantics-ldap-mappings.adocdocs/topics/mta-install/ref_uri-template-variables.adocdocs/topics/mta-install/ref_uri-wildcard-patterns.adocdocs/topics/vscode/proc_configure-oidc-authentication-ide-extension.adoc
💤 Files with no reviewable changes (1)
- docs/topics/mta-install/ref_custom-resource-settings.adoc
✅ Files skipped from review due to trivial changes (13)
- docs/topics/mta-install/ref_uri-template-variables.adoc
- docs/topics/mta-install/con_why-use-hub-oidc.adoc
- docs/topics/mta-install/ref_uri-wildcard-patterns.adoc
- docs/topics/mta-install/con_mta-features.adoc
- assemblies/mta-install-title/assembly_hub-oidc-authentication.adoc
- docs/topics/mta-install/ref_authentication-fields-tackle-cr.adoc
- docs/topics/mta-install/con_keycloak-migration.adoc
- assemblies/mta-install-title/assembly_red-hat-build-of-keycloak.adoc
- docs/topics/mta-install/proc_enable-authentication-cr.adoc
- docs/topics/mta-install/con_scope_rhbk.adoc
- docs/topics/mta-install/proc_configure-identity-provider-cr.adoc
- docs/topics/mta-install/con_ldap-token-lifecycle.adoc
- docs/topics/mta-install/proc_create-custom-resource-ldap-federation.adoc
🚧 Files skipped from review as they are similar to previous changes (7)
- docs/topics/mta-install/proc_add-users-assign-roles-web-console.adoc
- docs/topics/mta-install/proc_create-custom-role-assign-permissions.adoc
- assemblies/mta-install-title/assembly_identity-provider-authentication.adoc
- docs/topics/mta-install/ref_logic-operators-rule-semantics-ldap-mappings.adoc
- docs/topics/vscode/proc_configure-oidc-authentication-ide-extension.adoc
- docs/topics/mta-install/con_administrative-tasks.adoc
- docs/install-guide/master.adoc
|
@jortel Thank you for multiple rounds of reviews in my draft! Can you please take a look at the preview links and provide me your feedback? |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
docs/topics/mta-install/proc_generate-api-key-web-console.adoc (1)
22-26: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winAdd secure-handling guidance for the API key.
Because the key can remain valid for up to 10 years, instruct users to store it in a secret manager, never commit or log it, and revoke/regenerate it if exposed.
Suggested documentation
. Copy the displayed token. + +IMPORTANT: Treat the API key as a secret. Store it securely, do not commit or log it, and revoke it immediately if it is exposed.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/topics/mta-install/proc_generate-api-key-web-console.adoc` around lines 22 - 26, Update the API-key instructions near “Copy the displayed token” to direct users to store the key in a secure secret manager, never commit or log it, and revoke and regenerate it immediately if exposed.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@docs/topics/mta-install/proc_generate-api-key-web-console.adoc`:
- Around line 22-26: Update the API-key instructions near “Copy the displayed
token” to direct users to store the key in a secure secret manager, never commit
or log it, and revoke and regenerate it immediately if exposed.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 17907230-2f86-449b-a230-6291d1543cf1
📒 Files selected for processing (10)
assemblies/mta-install-title/assembly_managing-access-tokens-api-keys.adocassemblies/mta-install-title/assembly_red-hat-build-of-keycloak.adocdocs/install-guide/master.adocdocs/topics/mta-install/con_keycloak-migration.adocdocs/topics/mta-install/con_roles-personas-users-permissions.adocdocs/topics/mta-install/con_scope_rhbk.adocdocs/topics/mta-install/con_why-use-hub-oidc.adocdocs/topics/mta-install/proc_generate-api-key-web-console.adocdocs/topics/mta-install/proc_revoke-api-key-admin.adocdocs/topics/mta-install/proc_revoke-api-key-migrator.adoc
💤 Files with no reviewable changes (1)
- assemblies/mta-install-title/assembly_red-hat-build-of-keycloak.adoc
✅ Files skipped from review due to trivial changes (5)
- docs/topics/mta-install/proc_revoke-api-key-migrator.adoc
- docs/topics/mta-install/con_scope_rhbk.adoc
- docs/topics/mta-install/proc_revoke-api-key-admin.adoc
- docs/topics/mta-install/con_why-use-hub-oidc.adoc
- docs/topics/mta-install/con_roles-personas-users-permissions.adoc
🚧 Files skipped from review as they are similar to previous changes (2)
- docs/topics/mta-install/con_keycloak-migration.adoc
- docs/install-guide/master.adoc
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
docs/topics/mta-cli/proc_analyzing-app-with-profile.adoc (1)
44-58: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick winMake the analysis mode examples match the Java guidance.
The copy-paste commands use
--mode source-only, while the TIP says Java applications requirefull. A Java user following the procedure literally may receive an incomplete analysis. Provide separate Java/non-Java commands or make the mode an explicit placeholder in both examples.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/topics/mta-cli/proc_analyzing-app-with-profile.adoc` around lines 44 - 58, Update the command examples in the analysis procedure to align with the Java guidance: provide separate commands for Java using --mode full and non-Java using --mode source-only, or replace the mode with an explicit placeholder and document the required values. Apply this consistently to both the basic command and the --target quarkus example.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In `@docs/topics/mta-cli/proc_analyzing-app-with-profile.adoc`:
- Around line 44-58: Update the command examples in the analysis procedure to
align with the Java guidance: provide separate commands for Java using --mode
full and non-Java using --mode source-only, or replace the mode with an explicit
placeholder and document the required values. Apply this consistently to both
the basic command and the --target quarkus example.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: d5cee7fa-fb50-4f7f-b58a-4705fbbceb69
📒 Files selected for processing (4)
assemblies/cli-guide/assembly_analyzing-applications-using-profiles.adocassemblies/mta-install-title/assembly_managing-access-tokens-api-keys.adocdocs/topics/mta-cli/proc_analyzing-app-with-profile.adocdocs/topics/mta-cli/proc_connect-to-hub.adoc
✅ Files skipped from review due to trivial changes (1)
- docs/topics/mta-cli/proc_connect-to-hub.adoc
🚧 Files skipped from review as they are similar to previous changes (1)
- assemblies/mta-install-title/assembly_managing-access-tokens-api-keys.adoc
| = Scope management in RHBK | ||
|
|
||
| [role="_abstract"] | ||
| You can manually manage {ProductFullName} scopes in Red Hat Build of Keycloak (RHBK) and assign the scopes to roles so that {ProductShortName} assigns the necessary permissions to the Keycloak user. |
There was a problem hiding this comment.
Let's make it clear that: Although dynamic scopes are highly recommended user's can assign individual scopes.
There was a problem hiding this comment.
Thanks @jortel ! I have placed the dynamic scope section above the manual scope management to emphasize it as the preferred method to expand scopes. RH does not permit me to use the word "recommend".
Please could you take a look at the update?
| = Enable authentication in Tackle custom resource | ||
|
|
||
| [role="_abstract"] | ||
| Administrators can optionally configure authentication fields and token lifespan in the Tackle custom resource. If you do not configure, the {ProductFullName} Hub applies default values for the authentication and token fields. |
There was a problem hiding this comment.
| Administrators can optionally configure authentication fields and token lifespan in the Tackle custom resource. If you do not configure, the {ProductFullName} Hub applies default values for the authentication and token fields. | |
| As an administrator, you can configure authentication fields and the token lifespan in the Tackle custom resource (CR). If you do not configure these fields, the {ProductFullName} Hub applies default values. |
The word "optionally" is redundant because the auxiliary verb "can" combined with the next sentence ("If you do not...") already implies it is optional. Removing it improves minimalism. Additionally, you can tighten the end of the second sentence to just "applies default values" to avoid needlessly repeating the field names.
| = Generate API key from the web console | ||
|
|
||
| [role="_abstract"] | ||
| You can generate application programming interface (API) keys in the {ProductFirstRef} web console. The API key inherits permissions from the authenticated user's roles and has a maximum lifespan limit of 10 years. You can optionally configure the lifespan period when you create a token. |
There was a problem hiding this comment.
| You can generate application programming interface (API) keys in the {ProductFirstRef} web console. The API key inherits permissions from the authenticated user's roles and has a maximum lifespan limit of 10 years. You can optionally configure the lifespan period when you create a token. | |
| As an administrator, you can generate application programming interface (API) keys in the {ProductFirstRef} web console. An API key inherits permissions from the authenticated user's roles and has a maximum lifespan of 10 years. You can configure the lifespan when you create a token. |
Change the first sentence to start with "As an administrator, you can..." to maintain the consistent conversational tone established in previous reviews.
"maximum lifespan limit" is redundant. Change to "maximum lifespan".
"lifespan period" is also redundant. Change to "lifespan".
As noted in previous reviews, "optionally" is redundant when paired with the auxiliary verb "can". Simply say "You can configure the lifespan..."
There was a problem hiding this comment.
I had to split this introduction to keep it under 300 characters. Thanks for the review!
| = Revoke API keys as an administrator | ||
|
|
||
| [role="_abstract"] | ||
| Administrators can revoke an application programming interface (API) key before its lifespan in the migration toolkit for application (MTA) web console. |
There was a problem hiding this comment.
| Administrators can revoke an application programming interface (API) key before its lifespan in the migration toolkit for application (MTA) web console. | |
| As an administrator, you can revoke an application programming interface (API) key before it expires in the {ProductFirstRef} web console. |
There was a problem hiding this comment.
Please let me check with the SME if we can use expires here. API keys have a separate parameter called expiration, other than lifespan.
anarnold97
left a comment
There was a problem hiding this comment.
Thanks. Not a long wrong, despite the number of comments
Nothing I would really say blocks merging, apart from the version numbers being repeated 8.2.0 and 8.2.
The rest is just RH SSG stuff, which is more to guide you than anything else.
I am making it Request changes just so you can run it past me again, as i imagine you would like a re-review later.
@anarnold97 Thanks for the detailed review! I think I've included a majority of your feedback. Also, replaced version references with the version attribute as we discussed. Could you take a look at the updates, please? |
| * The `architect` role corresponds to the architect persona. An architect is a technical lead for the migration project. They can run assessments, create and modify applications and related information. They cannot modify or delete sensitive information, but can view it. For example, they can associate an existing set of credentials with a specific application repository. | ||
|
|
||
| * The `tackle-migrator` role corresponds to the Migrator persona. A Migrator can analyze applications. However, the Migrator cannot create, modify, or delete the applications. | ||
| * The `migrator` role corresponds to the migrator persona. A migrator can analyze applications but cannot create, modify, or delete the them. |
There was a problem hiding this comment.
cannot create, modify, or delete them
| [role="_abstract"] | ||
| As an administrator, you can simplify security and regulatory compliance by implementing the {ProductFullName} Hub as an OpenID Connect (OIDC) broker to federate user authentication to an identity provider (IdP). | ||
|
|
||
| You can integrate the following IdPs and managing roles and permissions in the {ProductShortName} web console for authorization: |
There was a problem hiding this comment.
You can integrate the following IdPs and manage roles
| :_mod-docs-content-type: PROCEDURE | ||
|
|
||
| [id="revoke-api-key-migrator_{context}"] | ||
| = Revoke API keys as an migrator |
There was a problem hiding this comment.
Revoke API keys as a migrator
| = Authentication fields in the Tackle CR | ||
|
|
||
| [role="_abstract"] | ||
| As an administrator, you can configure the authentication fields in the Tackle custom resource (CR) to include permission and role changes in new tokens, apply stateless validation, and control staleness for sessions and tokens by |
| name: idp-client-secret | ||
| namespace: openshift-mta | ||
| redirectURI: "https://hub.example.com/oidc/idp/callback" | ||
| primary: |
There was a problem hiding this comment.
This doesn't look correct .
I think it should be
| primary: | |
| primary:true |
@jortel can you please review .
Signed-off-by: Prabha Kylasamiyer Sundara Rajan <pkylasam@redhat.com>
ac3cccc to
50bf86f
Compare
Signed-off-by: Prabha Kylasamiyer Sundara Rajan <pkylasam@redhat.com>
JIRA
Version
Previews
Summary by CodeRabbit
Summary by CodeRabbit