Keycloak Group and Role Management#
This guide describes how to configure Keycloak roles and groups to manage access control in the OSMO platform.
Overview#
OSMO uses Keycloak’s role-based access control to manage permissions for pool access and other resources. The configuration follows a hierarchical structure:
Roles: Represent specific permissions within OSMO (e.g.,
osmo-group1grants permission to submit workflows togroup1-*pools)Groups: Collections of users that share the same access requirements. When a role is assigned to a group, all members inherit the associated permissions
Users: Individual accounts that belong to one or more groups and inherit the roles assigned to those groups
This hierarchical approach simplifies access management by allowing administrators to grant permissions to entire teams at once rather than configuring each user individually.
Configuration Workflow#
The typical workflow for setting up access control is:
Create roles in Keycloak clients (
osmo-browser-flowandosmo-device)Create groups in Keycloak
Assign roles to groups
Add users to groups (manually or via identity provider mappings)
Create matching pools in OSMO
Verify access
Creating Roles in Keycloak#
Roles must be created in both Keycloak clients that OSMO uses:
Access the Keycloak admin console and select the OSMO realm
Navigate to the “Clients” tab and select the
osmo-browser-flowclientClick on the “Roles” tab, then click “Create Role”
Enter a name for the role following the format
osmo-<pool-group-name>For example:
osmo-group1Click “Save”
Repeat steps 2-5 for the
osmo-deviceclient
Note
The role name is format-sensitive. You must use the exact format osmo-<pool-group-name> for pool access roles.
Creating Groups in Keycloak#
Groups are used to organize users and assign roles to multiple users at once:
In the Keycloak admin console, select the OSMO realm
Navigate to the “Groups” tab and click “Create Group”
Enter a name for the group following the format
OSMO <pool-group-name>For example:
OSMO group1Click “Save”
Assigning Roles to Groups#
After creating the group, assign the appropriate roles:
Click into the group you just created
Select the “Role Mapping” tab
Click “Assign Role”
Click on the filter dropdown and select “Filter by clients”
Search for
osmo-<pool-group-name>(e.g.,osmo-group1)Select both roles (one from
osmo-browser-flowand one fromosmo-deviceclient)Click “Assign”
Note
The osmo-browser-flow client is used for the Web UI and the osmo-device client is used for the CLI.
You must assign roles from both clients for full functionality.
Managing Users#
Adding Users Manually#
To manually add users to groups:
Navigate to the “Users” tab in the Keycloak admin console
Search for and select the user you want to add
Click on the “Groups” tab
Click “Join Group”
Select the group you want to add the user to
Click “Join”
Configuring Identity Provider Mappings#
Instead of manually adding users to groups, you can configure identity provider mappings to automatically add users to groups based on claims or metadata provided by the identity provider. For more information, see the Keycloak documentation .
Verification and Testing#
Verifying User Access#
To verify that a user has the correct roles:
Have the user log in to OSMO
In the Keycloak admin console, go to “Users” and find the user
Click on the user and select the “Groups” tab
Verify the user is in the expected groups
Select the “Role Mapping” tab and click “View all assigned roles”
Confirm the user has the expected roles (both from
osmo-browser-flowandosmo-device)
Testing Pool Access#
Test that the user can access the pool:
Log in to OSMO as the user
List available pools:
$ osmo pool list
Submit a test workflow to the pool:
$ osmo workflow submit my-workflow.yaml --pool group1-h100-gpu
If successful, the user has proper access
Troubleshooting#
User Cannot Access Pool#
Symptoms: User receives “Permission denied” or cannot see the pool
Solutions:
Verify Role Policy in OSMO:
Ensure the corresponding role has been created in OSMO.
Follow the steps in Troubleshooting.
Verify Role Names:
Pool access roles must start with
osmo-prefix (See Role Naming for Pools).Pool names must match the role suffix
Example: Role
osmo-team1will make pools namedteam1*visible
Check Both Clients:
Ensure roles are created in both
osmo-browser-flowandosmo-deviceclientsBoth roles must be assigned to the group
Verify Group Membership:
In Keycloak admin console, check if the user appears in the group
If using IdP Mappings (see Configuring Identity Provider Mappings):
Verify the mapping configuration
Check IdP logs to ensure claims are being sent
Have the user log out and log back in again. Check Keycloak logs during login and verify that the IdP claim matches the mapper configuration.
Roles Not Appearing in JWT Token#
Symptoms: User can log in but has no permissions
Solutions:
Check Client Scope:
Verify that
osmo-browser-flowclient has the correct client scopesVerify that
osmo-deviceclient has the correct client scopes
Review Token:
Decode the JWT token to see what roles are included
Use a tool like jwt.io to inspect the token
Best Practices#
Naming Conventions#
Roles: Use lowercase with hyphens:
osmo-<team>-<purpose>Groups: Use title case:
OSMO <Team> <Purpose>Pools: Match role suffix:
<team>-<resource-type>
- Examples:
Role:
osmo-ml-teamGroup:
OSMO ML TeamPools:
ml-team-training,ml-team-inference
Group Organization#
Use Hierarchy: Create parent groups for departments and child groups for teams
Document Purpose: Add descriptions to groups explaining their purpose
Regular Audits: Periodically review group memberships
Security Considerations#
Principle of Least Privilege: Only grant necessary pool access
Regular Reviews: Audit role assignments quarterly
Offboarding: Remove users from groups when they leave teams
Monitor Access: Review Keycloak audit logs for unusual activity
Test Changes: Always test role/group changes with a test user first
See Also#
Roles and Policies for understanding OSMO roles and policies
Authentication Flow for authentication flow details
Create Resource Pools for pool configuration