


A role determines whether an operation is allowed. You specify which operations are permitted or denied with regex patterns that are matched against operation keys. An operation key has the structure api.{operation type}.{object}.{operation name}. Operation keys can be found here.


In this example you should use Keycloak as the authorization provider. You can install Keycloak yourself (here you can find more information about it) or you can use a docker compose file with our Keycloak image.

Docker compose with Keycloak

First, you need to go to download page and choose between docker compose with just Onteon and docker compose with additional Sonario monitoring tool. For now, you can download docker compose without Sonario, but version with Sonario will work as well.

Then, you need to modify your docker compose file. First, you need to add Keycloak image.

    keycloak:
      image: onteon/keycloak:1.0.0
      ports:
        - "8080:8080"

Now you need to configure the Onteon Control Center authorization provider to use Keycloak. Configuration parameters can be passed in three ways:

  • in configuration file
  • in env variable
  • in jvm parameter

In this example, the best solution will be to pass configuration parameters via environment variables. Modify onteoncc-master by adding the environment fields.

    onteoncc-master:
      image: onteon/control-center:1.2.0
      ports:
        - "8050:8050"
        - "9096:9096"
        - "27017:27017"
        - "27018:27018"
        - "27019:27019"
      environment:
        ONTEON_AUTH_PROVIDER_PARAMS_CONFIGURATIONURL: "http://keycloak:8080/auth/realms/master/.well-known/openid-configuration"
      volumes:
        - '/opt/onteoncc/onteon-control-center/storage'
      command: [ "./" ]

Now you should be ready to start docker compose. Execute docker-compose up.

Then you can use your own OnteonCLI, or you can run docker-compose run --rm onteoncli and start container with preinstalled cli.

Now log in to Onteon Control Center. Execute onteoncli login --cluster-url <cluster-address>. If you are using the CLI from the container, you can execute onteoncli login --cluster-url http://onteoncc-master:8050. Then open the link in your browser, confirm the code and log in with user onteon_admin and password admin. Now you should be ready for the next steps.


In this example you will create role that allows all read operations and all operations on application instances, except action operations. As a result, you need to:

Role File

Role can be created from file. Here is a role file for this example:

name: custom_role
allowedOperationsKeyIdPatterns:
  - ^api\.read\..*$
  - ^api\..*\.application_instances\..*$
deniedOperationsKeyIdPatterns:
  - ^api\.action\.application_instances\..*$

name is a name of Role. Name must be unique and cannot be empty.

allowedOperationsKeyIdPatterns is a list of patterns that allows operations. It is not obligatory to add this field.

deniedOperationsKeyIdPatterns is a list of patterns that denies operations. It is not obligatory to add this field.
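
The following sketch is an added example, not Onteon code. It evaluates the role file above against operation keys so the patterns can be checked before the role is created. It assumes that a matching denied pattern overrides any allowed pattern and that a key matching no allowed pattern is refused; the operation keys (including the `write` type) are constructed to follow the api.{operation type}.{object}.{operation name} structure and are not taken from the Onteon key list.

```python
import re

# Role from the page's role file (patterns copied verbatim).
ROLE = {
    "name": "custom_role",
    "allowedOperationsKeyIdPatterns": [
        r"^api\.read\..*$",
        r"^api\..*\.application_instances\..*$",
    ],
    "deniedOperationsKeyIdPatterns": [
        r"^api\.action\.application_instances\..*$",
    ],
}


def evaluate(role, operation_key):
    """Return (permitted, reason) for one operation key.

    Assumed semantics: a matching denied pattern always wins, and a key
    that matches no allowed pattern is refused.
    """
    for pattern in role.get("deniedOperationsKeyIdPatterns", []):
        if re.search(pattern, operation_key):
            return False, f"denied by {pattern}"
    for pattern in role.get("allowedOperationsKeyIdPatterns", []):
        if re.search(pattern, operation_key):
            return True, f"allowed by {pattern}"
    return False, "no allowed pattern matched"


# Constructed keys shaped like api.{operation type}.{object}.{operation name};
# replace them with real keys from the Onteon operation key list.
SAMPLE_KEYS = [
    "api.read.nodes.list",
    "api.write.nodes.disconnect",
    "api.write.application_instances.create",
    "api.action.application_instances.start",
]


def report(role, keys):
    """Evaluate every key and return {key: permitted}."""
    return {key: evaluate(role, key)[0] for key in keys}


if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        permitted, reason = evaluate(ROLE, key)
        print(f"{'PERMIT' if permitted else 'DENY  '} {key:42} {reason}")
```
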

Creating role

Role can be created by executing onteoncli role create-from-file <role-file>, then you can list roles by executing onteoncli role list.

$ onteoncli role create-from-file role.yml 
id:        616938b5d2bf9e4d1f8a0ef3
createdAT: 2021-10-15T08:15:49.364Z
updatedAt: 2021-10-15T08:15:49.364Z
name:      custom_role
    0: ^api\\.read\\..*$
    1: ^api\\..*\\.application_instances\\..*$
    0: ^api\\.action\\.application_instances\\..*$

$ onteoncli role list 
id                       createdAt                updatedAt                name
616938b5d2bf9e4d1f8a0ef3 2021-10-15T08:15:49.364Z 2021-10-15T08:15:49.364Z custom_role
616924dbd2bf9e4d1f8a0ec4 2021-10-15T06:51:07.19Z  2021-10-15T06:51:07.19Z  super_admin


Now you need to create a Keycloak user and assign the new role to that user.

Go to users and click Add user.

Fill the form and click save. Now go to credentials and set password.

Go to clients > onteon (or your custom client) > roles and click 'add role'. The role name needs to match the name of the role that you created in the previous steps. Click save.

Now go to users > (your new user) > Role Mappings, and select 'onteon' or your client in 'Client Roles'. Then, assign your new role (custom_role) to the user. Next, you need to add two realm roles: offline_access and uma_authorization.


Let's test if your role works. First, you need to log in as the new user. Execute onteoncli login --cluster-url <cluster-url> and log in as the new user.

Now you can test if new role works.

# Read operation
$ onteoncli node list
id                       createdAt                updatedAt                ipAddress  nodeApiPort zoneId status
82292538e6725c2f2741462d 2021-10-14T10:22:03.826Z 2021-10-14T10:44:00.562Z 8030        null   available

# Non read operation
$ onteoncli node disconnect 123123
Error occurred while disconnecting node due to: Operation not permitted.

# Application instance operation
$ onteoncli application-instance create 6168135068378c3a666161e5 82292538e6725c2f2741462d
id:                 5644f06b4b4539840e70f3db
createdAt:          2021-10-14T11:24:30.951Z
applicationName:    fridge
applicationVersion: 1.0.0
applicationId:      6168135068378c3a666161e5
nodeId:             82292538e6725c2f2741462d
status:             created

# Application instance action operation
$ onteoncli application-instance start 5644f06b4b4539840e70f3db
Error occurred while starting application instance due to: Operation not permitted.