
Motivation

Find a user management system for ONAP to use which

  • provides a GUI
  • allows setup via REST
  • doubles as oauth provider

Based on the requirements, Keycloak was chosen.

Version

Keycloak version 11.0.3 is used.

General

For further information about keycloak, see the documentation.

Setup

In the following, the two ways to set up Keycloak are discussed. To automate the process, a bash script was written.

The bash script follows the steps of the manual setup.

Manual

  1. Pull the image: docker pull quay.io/keycloak/keycloak:11.0.3
  2. Start the docker container with the env vars 'KEYCLOAK_USER' and 'KEYCLOAK_PASSWORD' set, on a port of your choice. The internal port is 8080.
  3. Navigate to http://localhost:8080/auth/admin and log in; this gives access to the master realm.
  4. Create an 'onap' realm.

Next, three things need to be done: creating the default users, creating and assigning roles, and creating a client for onap/odlux to use for authenticating the users.

Adding Roles

  • Navigate to 'Roles'
  • Add roles as needed

Adding default users

  • Navigate to 'Users'
  • Add users as needed
  • Once created, click a user, navigate to 'Role Mappings' and assign a given role

Adding client

  1. Navigate to 'Clients' and create a new one
  2. Create a client with client ID 'odlux.app' and client protocol 'openid-connect'
  3. Select the client and open the 'Settings' tab
  4. Enable, if not already enabled:
    1. Direct Access Grants
    2. Standard Flow Enabled
  5. Set the access type to 'confidential'
  6. Add the valid redirect URLs for your onap installation
  7. (Note: if tokens should live longer, the lifespan can be changed under the 'Advanced Settings' dropdown)

Automated

To automate the process, the following script can be used. Make sure to also download the realm.json file and place both files next to each other.

The bash script will pull the correct docker container, start it with the admin username set to 'admin', import the 'onap' realm and the 'odlux.app' client, create the default users in accordance with User management, and set their roles.
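The same steps the manual section and the bash script go through, as an added example that is not the wiki's script: it drives realm, role, client and user creation through the Keycloak 11 admin REST API using only the Python standard library, and finishes with a check for the public-vs-confidential client problem. It assumes the container from steps 1 and 2 is already running on localhost:8080 with KEYCLOAK_USER=admin and KEYCLOAK_PASSWORD=admin; the role name 'provision', the user 'demo' and the redirect URL are made-up values.

```python
# Added example (not the wiki's script): manual steps 3-7 plus role and user
# creation via the Keycloak 11 admin REST API, standard library only. Assumes
# the container runs on localhost:8080 with admin/admin; names are made up.
import json
import urllib.parse
import urllib.request

BASE = "http://localhost:8080/auth"

def admin_token(user="admin", password="admin"):
    # password grant against the master realm's built-in admin-cli client
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": user, "password": password}).encode()
    url = f"{BASE}/realms/master/protocol/openid-connect/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=form)) as resp:
        return json.load(resp)["access_token"]

def admin_call(token, method, path, payload=None):
    # authenticated call under /auth/admin/; returns parsed JSON or None
    data = None if payload is None else json.dumps(payload).encode()
    req = urllib.request.Request(f"{BASE}/admin/{path}", method=method, data=data,
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or "null")  # 201 Created has an empty body

def odlux_client(redirect_uris):
    """Client from 'Adding client': confidential, both flows enabled."""
    return {"clientId": "odlux.app", "protocol": "openid-connect",
            "publicClient": False,  # access type 'confidential'
            "directAccessGrantsEnabled": True, "standardFlowEnabled": True,
            "redirectUris": list(redirect_uris)}

def new_user(username, password):
    return {"username": username, "enabled": True, "credentials": [
        {"type": "password", "value": password, "temporary": False}]}

def is_confidential(clients, client_id="odlux.app"):
    # False means the client came up 'public' and must be switched in the GUI
    return any(c.get("clientId") == client_id and c.get("publicClient") is False
               for c in clients)

if __name__ == "__main__":
    tok = admin_token()
    admin_call(tok, "POST", "realms", {"realm": "onap", "enabled": True})  # step 4
    admin_call(tok, "POST", "realms/onap/roles", {"name": "provision"})
    admin_call(tok, "POST", "realms/onap/clients", odlux_client(["https://onap.example/*"]))
    admin_call(tok, "POST", "realms/onap/users", new_user("demo", "demo"))
    uid = admin_call(tok, "GET", "realms/onap/users?username=demo")[0]["id"]
    role = admin_call(tok, "GET", "realms/onap/roles/provision")
    admin_call(tok, "POST", f"realms/onap/users/{uid}/role-mappings/realm", [role])
    print("odlux.app confidential:", is_confidential(admin_call(tok, "GET", "realms/onap/clients")))
```

If the final line prints False, the client was created as 'public' despite the payload; switch the access type to 'confidential' in the GUI before reading the secret from the 'Credentials' tab.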

Known problems - change secret of client / automated creation

The 'odlux.app' client in the 'onap' realm, which is used for authentication from onap, gets created as a 'public' client.

To access the secret via the GUI, the access type must be changed to 'confidential' and saved. After that, the 'Credentials' tab becomes visible in the GUI.

On the credentials tab, the current secret can be copied or a new one created.

Currently, the client cannot be created as confidential via the REST API.
