ZCF Cloud Federation
ZCF Cloud Federation connects and organizes ZStack Cloud, ZStack Zaku, ZStack ZStone, and other components or environments in ZCF. After components are connected, administrators can deliver SSO configurations, view Region information, and provide data sources for resource collection and observability analysis based on the access relationships.
This chapter describes how to connect and maintain platforms, configure SSO, view Region information, and connect ecosystem services such as Anheng Tianchi. Login experience and cross-component access in Unified Portal depend on Cloud Federation access relationships and SSO configurations.
Core Concepts
| Concept | Description |
|---|---|
| ZCF Cloud Federation | A feature for connecting and organizing ZStack Cloud, ZStack Zaku, ZStack ZStone, and other components or environments. After connection, SSO, resource collection, and observability analysis can use the established access relationships. |
| Connected Platform | A component instance or ecosystem service connected to ZCF Cloud Federation, such as ZStack Cloud, ZStack Zaku, ZStack ZStone, or Anheng Tianchi. After it is connected, the object appears on the Platform Access page. |
| Access Configuration | Information used to connect to a target component or ecosystem service, including endpoint, port, authentication method, credential, target scope, and enabled features. |
| Connection Status | Indicates whether ZCF can access the connected platform. If the connection is abnormal, check the target endpoint, port, network connectivity, and authentication information. |
| Enabled Capabilities | Features enabled during platform access, such as resource collection, metric collection, log collection, or SSO federation. Available options depend on the page and the target platform. |
| Platform Details | A page for checking connection information, enabled features, resource statistics, and synchronization status of a connected platform. Use it to confirm the access result and troubleshoot access issues. |
| Identity Source | A configuration source that provides SSO capabilities. After a ZIAM identity source is added, the corresponding SSO configuration can be delivered to connected platforms. |
| Platform SSO Configuration | A configuration relationship between an identity source and a connected platform. After delivery, the target platform can use the corresponding SSO configuration. |
| Region | A management view that represents resource ownership. The Region Management page shows the Default Region, bound Cloud, connected platform count, asset count, and synchronization status. |
| Ecosystem Service Access | Access for ecosystem services such as Anheng Tianchi. After the service is connected and the SSO configuration is delivered, users can open the corresponding console from the ecosystem service entry in the Default Region. |
Connect Components and Ecosystem Services
Use Platform Access to connect infrastructure components such as ZStack Cloud, ZStack Zaku, and ZStack ZStone, and ecosystem services such as DBAPPSecurity Tianchi, to ZCF Cloud Federation. After the connection is complete, you can maintain connection relationships from the platform access list and configure SSO, resource collection, or ecosystem service access based on the product type.
This section describes how to connect infrastructure components, maintain connection relationships, and connect ecosystem services.
Connect Platforms
Prerequisites
Before you connect a platform, complete the following preparations:
- Make sure the management address of the target product or ecosystem service is reachable from the ZCF environment.
- Prepare the authentication information of the target product or ecosystem service, such as username and password, AK/SK, or Token.
- Confirm the features to enable, such as resource collection, metric collection, log collection, or SSO federation. Available options depend on the page and on what the target platform supports.
About this task
Use Platform Access to connect infrastructure components such as ZStack Cloud, ZStack Zaku, and ZStack ZStone to ZCF Cloud Federation. After a platform is connected, ZCF can identify resource sources, deliver related configurations, and provide resource, metric, or log data for ZCF Observability based on the access relationship.
Procedure
- In the upper-right corner of the main menu, switch to Global Management.
- Go to .
- Add a connected platform as prompted.
- Configure the connected platform as prompted.
| Item | Description |
|---|---|
| Product Type | Select the infrastructure component or ecosystem service to connect, such as ZStack Cloud, ZStack Zaku, ZStack ZStone, or Anheng Tianchi. Parameters and available features may vary by type. |
| Name | Display name of the connected platform in ZCF Cloud Federation. Use a name that identifies the environment or purpose. |
| Endpoint | Management or service address of the target product or ecosystem service. Enter an address that is reachable from the ZCF environment. |
| Port | Service port of the target platform. The page may display a default port or placeholder based on the product type. If your environment uses a custom port, enter the actual port. |
| Authentication Method | Authentication method used to access the target platform. Different product types may use username and password, AK/SK, Token, or other methods. |
| Scope | Scope of the connected platform. Infrastructure components are typically associated with a Region. Platform capability components or ecosystem services can be associated with Global Management. Available options are displayed on the page. |
| Enabled Features | Features to enable after access, such as resource collection, metric collection, log collection, or SSO federation. Available features depend on the target platform type, deployment status, and license status. |
- Test the connection to verify that the target platform is reachable and the authentication information is valid.
- After you save the access configuration, check the connection status in the Platform Access list.
Results
After the platform is connected, check the connection status in the Platform Access list, and open platform details to view the scope, enabled features, resource statistics, and synchronization status. If dashboards, reports, Metrics Explorer, or Log Explorer do not show expected data, first check whether the platform is connected, whether the connection is normal, and whether the required collection features are enabled.
What to do next
Note: If the connection test fails, check the endpoint, port, network connectivity, and authentication information. Save the access configuration after the connection test succeeds to reduce failures in resource collection, SSO delivery, or observability analysis.
Manage Platform Access
After a platform is connected, use the Platform Access list to view connection status, product type, enabled features, and update time, and to maintain access information. This page is also the starting point for troubleshooting SSO delivery issues and missing resource, metric, or log data.
| Operation | Description |
|---|---|
| Search and filter | Find a target platform by platform name, address, product type, or connection status. |
| View details | View connection information, scope, enabled features, resource statistics, and synchronization status of a connected platform to confirm whether the platform is connected as expected. |
| Test connection | Check whether the target platform is reachable and whether the current authentication information is valid. |
| Edit access information | Modify the endpoint, authentication information, scope, or enabled features. After modification, test the connection again and confirm whether related collection or SSO configurations still meet expectations. |
| Delete connected platform | Remove the access relationship between ZCF and the target platform. This operation does not delete the underlying product instance or any created Region. |
If resource, metric, or log data of a platform is missing in ZCF Observability, first check whether the platform connection is normal and whether the corresponding collection feature is enabled on the Platform Access page. If SSO is unavailable, confirm that the target platform is connected and that the SSO configuration has been delivered.
Connect Ecosystem Services
About this task
Use Platform Access to connect ecosystem services such as Anheng Tianchi to ZCF Cloud Federation. After the service is connected and the SSO configuration is delivered, users can access the corresponding console from the Default Region.
Procedure
- In the upper-right corner of the main menu, switch to Global Management.
- Go to .
- When adding a connected platform, enter the Anheng Tianchi access information as prompted.
| Item | Description |
|---|---|
| Product Type | Select Anheng Tianchi to identify the connected object as an ecosystem service. |
| Service Address | Access address of the Anheng Tianchi service. Enter an address that is reachable from the ZCF environment. |
| Port | Service port of Anheng Tianchi. Enter the port used in the actual environment. |
| AK/SK | Access credentials used to connect to Anheng Tianchi. Use an AK/SK pair with the required access permissions. |
| SSO Configuration | The configuration used to deliver ZCF SSO settings to Anheng Tianchi. After delivery succeeds, users can access the Anheng Tianchi console through SSO. |
- Test the connection to verify that the Anheng Tianchi service is reachable and the authentication information is valid.
- After you save the access configuration, check the connection status in the Platform Access list.
- Go to , and deliver an SSO configuration to Anheng Tianchi.
- Switch to the Default Region, and go to to open the Anheng Tianchi console.
What to do next
After the service is connected, verify the following items:
- The Anheng Tianchi connection status is normal in the Platform Access list.
- The SSO configuration has been delivered to Anheng Tianchi.
- The current account has permission to access the Anheng Tianchi console.
- After switching to the Default Region, you can open the Anheng Tianchi console from .
Configure SSO
Use SSO to maintain ZIAM SSO configurations and deliver them to connected platforms. After configuration, users can access configured platforms from the Unified Portal through SSO.
When you configure SSO, you typically perform the following tasks:
- Add a ZIAM SSO configuration, including the authentication server, authentication protocol, and user provisioning method.
- Deliver the SSO configuration to target platforms so that they use ZIAM as the unified authentication source.
- Verify that users, organizations, member groups, projects, and other identity data in the Default Region are included in unified authentication management as expected.
Add a ZIAM SSO Configuration
Prerequisites
Before adding the configuration, make sure that:
- An available ZIAM authentication server is displayed on the page.
- ZIAM unified authentication service has been deployed in the current environment, and the authentication protocol is fixed to OIDC.
- If the page indicates that no ZIAM authentication server is available, check the ZIAM deployment and service status first.
About this task
A ZIAM SSO configuration establishes the SSO relationship between ZCF and ZIAM. After the configuration is saved, authentication parameters such as Client ID, Client Secret, OpenID Configuration URL, and Callback URL are generated or obtained automatically.
Procedure
- Switch to Global Management in the upper-right corner of the main menu.
- Go to .
- On the Identity Source tab, click Add SSO Configuration.
- Configure ZIAM SSO information as prompted.
| Parameter | Description |
|---|---|
| Name | Display name of the SSO configuration. It is used to identify the configuration in the identity source list and on the Platform SSO Configuration tab. |
| ZIAM Authentication Server | Select the ZIAM instance used for unified authentication. The page displays available ZIAM authentication servers. If no ZIAM authentication server is available, check the ZIAM deployment and service status first. |
| Authentication Protocol | Fixed to OIDC. The current version uses OIDC to establish SSO with ZIAM. |
| User Provisioning | Select how user accounts are made available to the target platform. SCIM: The identity source synchronizes users in advance. This is suitable when user accounts must be ready before users sign in. JIT: When a user signs in through SSO, the platform creates or updates the account based on information returned by the identity source. |
| Group Provisioning | Select how user group information is made available to the target platform. SCIM: The identity source synchronizes user groups in advance. This is suitable when user group relationships are maintained centrally by the identity source. JIT: When a user signs in through SSO, the platform updates user group relationships based on user group information returned by the identity source. |
- Click OK to save the configuration.
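An offline sanity check for the OpenID Configuration URL and Callback URL of a saved configuration, as an added example (not ZCF or ZIAM code): it applies OpenID Connect Discovery rules to a discovery document that has already been retrieved. The host names and both sample documents are constructed placeholders.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
URL_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(config_url, doc):
    """Return findings for an OIDC discovery document; an empty list means clean."""
    findings = [f"missing field: {k}" for k in REQUIRED if k not in doc]
    issuer = doc.get("issuer", "")
    # OIDC Discovery 1.0: issuer + well-known suffix must equal the URL fetched.
    if issuer.rstrip("/") + WELL_KNOWN != config_url:
        findings.append("issuer does not match OpenID Configuration URL")
    for field in URL_FIELDS:
        if field in doc and urlsplit(doc[field]).scheme != "https":
            findings.append(f"{field} is not https")
    # Hardening check: an identity source should not advertise unsigned ID tokens.
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        findings.append("unsigned ID tokens (alg none) advertised")
    return findings


def check_callback(url):
    """Return findings for a Callback (redirect) URL."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        findings.append("callback is not https")
    if parts.fragment:  # OAuth 2.0 redirect URIs must not carry a fragment
        findings.append("callback contains a fragment")
    return findings


# Constructed sample values; the host names are placeholders, not product defaults.
CONFIG_URL = "https://ziam.example.internal/.well-known/openid-configuration"
GOOD = {
    "issuer": "https://ziam.example.internal",
    "authorization_endpoint": "https://ziam.example.internal/authorize",
    "token_endpoint": "https://ziam.example.internal/token",
    "jwks_uri": "https://ziam.example.internal/jwks",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
# The same document after three unsafe changes.
BAD = dict(GOOD, issuer="https://other.example.internal",
           token_endpoint="http://ziam.example.internal/token",
           id_token_signing_alg_values_supported=["RS256", "none"])
```

An issuer mismatch is the finding to treat as blocking: it means the document describes a different identity provider than the one the URL points to.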
What to do next
Note: If ZIAM is unavailable, or if the automatically generated authentication parameters cannot be obtained from ZIAM, you cannot add, edit, or deliver SSO configurations. Resolve the ZIAM service issue and try again.
Deliver an SSO Configuration
Prerequisites
Before delivering an SSO configuration, make sure that:
- The target platform has been connected to ZCF Cloud Federation.
- An available ZIAM SSO configuration has been added.
- The target platform is available and not under maintenance.
About this task
After you create a ZIAM SSO configuration, deliver it to target platforms on the Platform SSO Configuration tab. After the configuration is delivered, users can log in to the target platforms through ZIAM SSO.
Procedure
- Switch to Global Management in the upper-right corner of the main menu.
- Go to .
- Open the Platform SSO Configuration tab.
- Select the ZIAM SSO configuration to deliver.
- Select the target platforms on which the SSO configuration will be enabled. Available platforms depend on the options displayed on the page.
- Click Deliver SSO Configuration.
- Check the configuration status in the platform list to confirm whether the target platforms are configured.
View Region Information
About this task
Use Region Management to view the Default Region and its access relationships. After infrastructure components such as ZStack Cloud, ZStack Zaku, and ZStack ZStone are connected, use this page to verify whether the product environments are associated with the expected Region and whether asset and synchronization status are normal.
| Item | Description |
|---|---|
| Default Region | Carries infrastructure component access relationships in the current environment. |
| Bound Platform | Shows the ZStack Cloud bound to the Default Region and the number of related platforms such as ZStack Zaku and ZStack ZStone. |
| Asset Count | Shows the number of identified resources in the Region. |
| Synchronization Status | Shows the latest synchronization status, which helps verify whether resource ownership and asset data are updated as expected. |
Procedure
- In the upper-right corner of the main menu, switch to Global Management.
- Go to .
- View the Default Region, bound platforms, connected platform count, asset count, and synchronization status.
What to do next
If Region information or asset count is not as expected, return to the Platform Access page and check connection status, scope, and enabled features.
