Multi-tenancy needs authentication and authorization, and Keycloak provides both.
To provide multi-tenancy for A&AI, A&AI can leverage the Spring Boot security feature to interact with Keycloak. This document explains how to set up Keycloak and A&AI to provide the essential authentication and authorization services for multi-tenancy.

Keycloak setup

If you run Keycloak on your laptop instead of on Kubernetes, start it with Docker:

docker run -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin quay.io/keycloak/keycloak:11.0.2

For more information, please visit https://www.keycloak.org/getting-started/getting-started-docker


To install on Kubernetes, run the command below:

kubectl create -f https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/kubernetes-examples/keycloak.yaml


The command uses the Kubernetes manifest file below.

https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/kubernetes-examples/keycloak.yaml

It exposes Keycloak as a Kubernetes LoadBalancer service. You can connect to the Keycloak instance on port 8080.


Tip: for development purposes, you can use the port-forwarding feature of Kubernetes to connect to the Keycloak instance.

kubectl port-forward keycloak-pod-name source-port:target-port, e.g. kubectl port-forward keycloak-54b8bd56b9-tqsgb 8080:8080

https://kubernetes.io/docs/tasks/access-application-cluster/port-forward-access-application-cluster/#forward-a-local-port-to-a-port-on-the-pod

1. Realm setting

A realm in Keycloak manages users, applications and groups. The first step of the Keycloak setup is logging in to the admin console via a web browser.

Since you port-forwarded your local port 8080 to the Keycloak instance running in the Kubernetes cluster, you can log in at http://localhost:8080/auth/admin/

For more information, see https://www.keycloak.org/docs/latest/getting_started/

You can set up a new realm through the admin console or simply import a realm JSON file.
Here's a sample realm file: realm-keycloak.json



2. Create a client

A client is an entity that requests credentials from Keycloak. Click the Clients menu.

Set Client Protocol to openid-connect and Root URL to http://localhost:8080, then click Save.

On the Settings page, change Access Type to confidential, switch Service Accounts and Authorization on, and leave the other values at their defaults.

Click Save.

3. Create a client role

Select the Roles tab.

Click the Add Role button and create the user and admin roles.

4. Create a realm role

Select Roles from the main menu on the left and click the Add Role button.

Create the app-admin and app-user realm roles.

Realm roles and client roles are different, but they can be associated with each other.

Once you have finished adding the roles, click the app-admin role.

Select the auth-demo-app client that we just created above.

Associate each realm role with the corresponding client role.

5. Create a user


Users are entities that are able to log in to your system.

Now create a user named employee and grant it the app-user role.

Switch Temporary off, because we want a permanent password.

Set a password, then click the Set Password button.


aai-resource setup

aai-resource must be configured to interact with Keycloak.

1. Configure aai-resource

We assume you have a Kubernetes cluster with a Helm server running. If you would rather run aai-resource on your laptop, see Run AAI-Resource on your laptop below.

Clone OOM repository from ONAP gerrit.

git clone -b <BRANCH> http://gerrit.onap.org/r/oom --recurse-submodules

cd oom/kubernetes

Open the oom/kubernetes/aai/values.yaml file to turn on Spring security with Keycloak.

Edit profiles.active so that it includes keycloak:

    # Active spring profiles for the resources microservice
    profiles:
      #active: production,dmaap,aaf-auth
      active: production,keycloak

Edit the oom/kubernetes/aai/components/aai-resources/values.yaml file to change the keycloak.host and keycloak.port properties.
If you prefer to configure the Keycloak server and port after deployment, you can skip modifying the aai-resources values.yaml file.

Once you have finished editing values.yaml, run

SKIP_LINT=true make all

from the oom/kubernetes directory to build the Helm charts for the ONAP deployment.

Once the charts are built, you can modify aai-resource's values.yaml and deploy aai-resource onto the Kubernetes cluster.

You can find a sample onap-core-sdc.yaml here: onap-core-sdc.yaml

Run the command below.

helm deploy dev local/onap --namespace onap -f onap-core-sdc.yaml --timeout 900


2. Verify configmap

To verify that aai-resource is properly configured, run kubectl describe configmap dev-aai-resources-configmap -n onap | grep keycloak

Your command output should show spring.profiles.active=production,keycloak, as we modified values.yaml earlier.

As you can see in the output above, keycloak.auth-server-url is not yet properly configured; the next step fixes it.

3. Fix configmap after deployment

aai-resource is configured to connect to the Keycloak server. You can configure this connection either before or after aai-resource is deployed.

  • To configure it after deployment, you need to know the Keycloak server's IP address.

kubectl get pod and kubectl describe pod keycloak-xxx will show you the Keycloak server IP address and port.

  • To edit aai-resource's configmap, run the command below. It will open an editor.

kubectl edit configmap -n onap dev-aai-resources-configmap -o yaml

Modify the keycloak.auth-server-url line with the IP address and port you got from kubectl get svc.

  • To apply the change to the configmap, run

kubectl get configmap dev-aai-resources-configmap -n onap -o yaml | kubectl apply -f -

Then restart the aai-resource deployment.

  • To find aai-resource's deployment and restart it, run

kubectl get deployment -n onap

kubectl rollout restart deployments/dev-aai-resources -n onap
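Steps 2 and 3 above are easy to get wrong by hand, so here is an added example (not from the ONAP page or the OOM charts) of small POSIX shell helpers that check the active Spring profiles and rewrite keycloak.auth-server-url in configmap YAML text. They work on text from stdin, so they can be tried on the constructed sample below without a cluster; the configmap contents, the realm name and the 10.42.0.7 address are placeholders I made up, not values from a real deployment.

```shell
#!/bin/sh
# Constructed sample of what `kubectl get configmap ... -o yaml` might return
# before keycloak.auth-server-url has been fixed. Every value is a placeholder.
SAMPLE_CONFIGMAP='apiVersion: v1
kind: ConfigMap
metadata:
  name: dev-aai-resources-configmap
  namespace: onap
data:
  application.properties: |
    spring.profiles.active=production,keycloak
    keycloak.auth-server-url=http://KEYCLOAK_HOST:KEYCLOAK_PORT/auth
    keycloak.realm=REALM_PLACEHOLDER
'

# Step 2 check: succeeds only if "keycloak" is one of the active profiles
# (stdin = configmap YAML). Avoids false positives such as "keycloak-old".
keycloak_profile_active() {
  grep -Eq '^[[:space:]]*spring\.profiles\.active=(.*,)?keycloak(,|$)'
}

# Prints the current keycloak.auth-server-url value (stdin = configmap YAML).
get_auth_server_url() {
  sed -nE 's/^[[:space:]]*keycloak\.auth-server-url=(.*)$/\1/p'
}

# Step 3 fix: rewrites the keycloak.auth-server-url line to $1 and prints the
# updated YAML. Uses '#' as the sed delimiter because URLs contain '/'.
set_auth_server_url() {
  url="$1"
  sed -E "s#^([[:space:]]*keycloak\.auth-server-url=).*#\1${url}#"
}

# Live usage (defined only, not executed here): patch the deployed configmap
# in one pass and restart aai-resource so it picks up the new URL.
fix_live_configmap() {
  kubectl get configmap dev-aai-resources-configmap -n onap -o yaml \
    | set_auth_server_url "$1" \
    | kubectl apply -f -
  kubectl rollout restart deployments/dev-aai-resources -n onap
}

# Offline demonstration on the constructed sample.
printf '%s' "$SAMPLE_CONFIGMAP" | set_auth_server_url "http://10.42.0.7:8080/auth"
```

Run it as fix_live_configmap http://<keycloak-ip>:<port>/auth once the helpers are sourced, with the address taken from step 3.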


Run AAI-Resource on your laptop

To run aai-resource as a single instance on your laptop, you need two repositories: aai-common and aai-resources.

  1. Install aai-common with the mvn -DskipTests=true install command in the aai-common repository.

  2. Modify the application.properties file under the aai-resources/aai-resources/src/main/resources directory: change the spring.profiles.active=production,one-way-ssl line to spring.profiles.active=production,keycloak, and the server.local.startpath=aai-resource/src/main/resources/ line to server.local.startpath=src/main/resources/

  3. Run it with the mvn -N -P runAjsc command from the aai-resources root directory.


Related articles

https://medium.com/devops-dudes/securing-spring-boot-rest-apis-with-keycloak-1d760b2004e
