
This document illustrates how to set up Keycloak for AAI multi-tenancy support.

Prerequisites

  • A Keycloak instance running, with administrative credentials
  • An AAI application (aai-resources or aai-traversal) running and able to reach the Keycloak instance
  • The AAI application running with "keycloak" as one of its active Spring profiles

i.e. check values.yaml to see whether "keycloak" is included in profiles.active.

...

Multi-tenancy needs authentication and authorization, and Keycloak provides both.
To support multi-tenancy, A&AI can use the Spring Security integration of Spring Boot to delegate authentication and authorization to Keycloak. This document explains how to set up Keycloak and A&AI so that multi-tenancy gets the authentication and authorization services it needs.

Keycloak setup

If you run Keycloak on your laptop instead of on Kubernetes, start it with Docker:

docker run -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin quay.io/keycloak/keycloak:11.0.2

KEYCLOAK_USER and KEYCLOAK_PASSWORD create the initial admin account of this (pre-Quarkus) image; admin/admin is acceptable only for a throwaway local instance.

https://www.keycloak.org/getting-started/getting-started-docker

To install on Kubernetes, apply the manifest from the Keycloak quickstarts:

kubectl create -f https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/kubernetes-examples/keycloak.yaml

The manifest exposes Keycloak as a Kubernetes LoadBalancer Service; you can connect to the Keycloak instance on port 8080. It is a development example: the initial admin credentials are written in plain text in the manifest and Keycloak is served over plain HTTP, so do not use it as-is outside a lab cluster.


Tip: for development, you can use the port-forwarding feature of Kubernetes to reach the Keycloak pod instead of the LoadBalancer: kubectl port-forward <keycloak-pod-name> <local-port>:<pod-port>, e.g. kubectl port-forward keycloak-54b8bd56b9-tqsgb 8080:8080

https://kubernetes.io/docs/tasks/access-application-cluster/port-forward-access-application-cluster/#forward-a-local-port-to-a-port-on-the-pod

1. Realm setting

A realm in Keycloak manages a set of users, credentials, roles, groups and client applications. The first step of the Keycloak setup is to log in to the admin console in a web browser.

If you port-forwarded your local port 8080 to the Keycloak instance running in the Kubernetes cluster, you can log in at http://localhost:8080/auth/admin/ (the /auth prefix applies to Keycloak 11 and other releases before the Quarkus-based 17).

For more information, https://www.keycloak.org/docs/latest/getting_started/

You can set up a new realm through the admin console, or simply import a realm JSON file (Add realm > Import).
Here is a sample realm file: aai-resources-realm.json (attached to this page).

2. Create a client

A client is an application or service that asks Keycloak to authenticate users, or that obtains tokens on its own behalf. Click the Clients menu, then Create.

Enter a Client ID (the later steps refer to this client as auth-demo-app), set Client Protocol to openid-connect and Root URL to http://localhost:8080, then click Save.

On the Settings page that opens, set Access Type to confidential, switch Service Accounts Enabled and Authorization Enabled on, and leave the other defaults as they are.

Click Save.

A confidential client is issued a client secret (Credentials tab). The AAI application has to present that secret to Keycloak, so treat it like a password: keep it out of version-controlled values.yaml files and supply it at deployment time, for example from a Kubernetes Secret.

3. Create a client role

Select the Roles tab of the client.

Click the Add Role button and create the user and admin client roles.

4. Create a realm role

Select Roles from the main menu on the left and click the Add Role button.

Create the app-admin and app-user realm roles.

Realm roles and client roles are different things, but they can be associated. A realm role is visible realm-wide and appears in tokens under realm_access.roles; a client role is scoped to one client and appears under resource_access.<client-id>.roles. A realm role can be made composite, so that granting it also grants the client roles it contains.

Once you have finished adding the roles, click the app-admin role and switch Composite Roles on.

Under Client Roles, select the auth-demo-app client that we just created above.

Associate each realm role with the corresponding client role: app-admin with admin, and app-user with user.

5. Create a user


Users are entities that are able to log into your system.

Now create a user named employee and grant it the app-user realm role (Role Mappings tab).

On the Credentials tab, switch Temporary off, because we want a permanent password rather than one the user must change at first login.

Set a password, then click the Set Password button.
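The five admin-console steps above as an added, scripted example using Keycloak's admin CLI (kcadm.sh, shipped in the server's bin/ directory). This is not code from the ONAP page or project. It assumes Keycloak 11 with URLs under /auth, a realm named aai, the client id auth-demo-app, and that the admin and employee passwords are supplied in the KEYCLOAK_ADMIN_PASSWORD and EMPLOYEE_PASSWORD environment variables; the realm name and variable names are this example's own assumptions, not values from the page. After creating everything it looks up the client secret the AAI adapter needs, fetches a token for employee with that secret and decodes the token's claims, so you can see the app-user realm role and the auth-demo-app user client role that the composite mapping produces.

```bash
#!/usr/bin/env bash
# Added example, not from the ONAP page: script steps 1-5 with Keycloak's admin CLI
# (kcadm.sh from the server's bin/ directory) and inspect the roles in a resulting token.
# Assumptions: Keycloak 11 (paths under /auth), realm "aai", client id "auth-demo-app".
set -eu

KC_URL="${KEYCLOAK_URL:-http://localhost:8080/auth}"
REALM="${KC_REALM:-aai}"
CLIENT="${KC_CLIENT_ID:-auth-demo-app}"
KCADM="${KCADM:-kcadm.sh}"

setup_realm() {   # $1 = Keycloak admin password, $2 = password for the employee user
  "$KCADM" config credentials --server "$KC_URL" --realm master --user admin --password "$1"
  "$KCADM" create realms -s realm="$REALM" -s enabled=true                             # step 1
  # Step 2: confidential client with service accounts and authorization services on.
  # -i prints only the new client's internal id, which the client-role paths below need.
  # directAccessGrantsEnabled is set explicitly because the password grant used later needs it.
  cid=$("$KCADM" create clients -r "$REALM" -i -s clientId="$CLIENT" -s protocol=openid-connect \
        -s rootUrl=http://localhost:8080 -s publicClient=false -s serviceAccountsEnabled=true \
        -s authorizationServicesEnabled=true -s directAccessGrantsEnabled=true)
  for r in user admin; do "$KCADM" create "clients/$cid/roles" -r "$REALM" -s name="$r"; done  # step 3
  for r in app-user app-admin; do "$KCADM" create roles -r "$REALM" -s name="$r"; done       # step 4
  # Step 4, association: make each realm role a composite containing the matching client role.
  "$KCADM" add-roles -r "$REALM" --rname app-admin --cclientid "$CLIENT" --rolename admin
  "$KCADM" add-roles -r "$REALM" --rname app-user  --cclientid "$CLIENT" --rolename user
  # Step 5: user with a permanent password (no --temporary) holding the app-user realm role.
  "$KCADM" create users -r "$REALM" -s username=employee -s enabled=true
  "$KCADM" set-password -r "$REALM" --username employee --new-password "$2"
  "$KCADM" add-roles -r "$REALM" --uusername employee --rolename app-user
}

# The secret of the confidential client (what the Credentials tab shows); the AAI adapter must present it.
client_secret() {
  cid=$("$KCADM" get clients -r "$REALM" -q clientId="$CLIENT" --fields id --format csv --noquotes)
  "$KCADM" get "clients/$cid/client-secret" -r "$REALM" | sed -n 's/.*"value" *: *"\([^"]*\)".*/\1/p'
}

# Decode the claims segment of a JWT for inspection only. No signature check happens here;
# the Keycloak adapter in aai-resources verifies tokens against the realm's public key.
jwt_claims() {
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')   # base64url -> base64 alphabet
  case $(( ${#payload} % 4 )) in                              # restore the stripped padding
    2) payload="$payload==" ;;
    3) payload="$payload=" ;;
  esac
  printf '%s' "$payload" | base64 -d
}

# Password grant for employee, then print the claims: realm_access.roles should list app-user
# and resource_access.auth-demo-app.roles should list user, thanks to the composite mapping.
show_employee_roles() {   # $1 = client secret, $2 = employee password
  token=$(curl -sf -X POST "$KC_URL/realms/$REALM/protocol/openid-connect/token" \
            -d grant_type=password -d client_id="$CLIENT" -d client_secret="$1" \
            -d username=employee -d password="$2" \
          | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p')
  jwt_claims "$token"
  echo
}

# Only talk to Keycloak when both passwords are provided; otherwise just define the functions.
if [ -n "${KEYCLOAK_ADMIN_PASSWORD:-}" ] && [ -n "${EMPLOYEE_PASSWORD:-}" ]; then
  setup_realm "$KEYCLOAK_ADMIN_PASSWORD" "$EMPLOYEE_PASSWORD"
  show_employee_roles "$(client_secret)" "$EMPLOYEE_PASSWORD"
fi
```

Run it as KEYCLOAK_ADMIN_PASSWORD=... EMPLOYEE_PASSWORD=... bash setup-realm.sh against the local Keycloak from the "Keycloak setup" section. Passwords passed on the command line are visible to other local users in the process list, which is acceptable only for the throwaway instance this page works with. jwt_claims merely base64url-decodes the payload so you can read it; it performs no signature or expiry check and must never be used as an authorization decision, which is the adapter's job.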

aai-resources setup

aai-resources must be configured to interact with Keycloak.

1. Configure aai-resources

We assume you have a Kubernetes cluster with Helm set up. If you would rather run aai-resources on your laptop, see the page Run AAI-Resources on your laptop.

Clone the OOM repository from ONAP Gerrit.

git clone -b <BRANCH> http://gerrit.onap.org/r/oom --recurse-submodules

cd oom/kubernetes

Open the oom/kubernetes/aai/values.yaml file to turn on Spring Security with Keycloak.

Edit profiles.active to include keycloak. The keycloak profile takes the place of aaf-auth as the authentication provider of the service, so make sure exactly one of them stays active.

    # Active spring profiles for the resources microservice
    profiles:
      #active: production,dmaap,aaf-auth
      active: production,keycloak

Edit the oom/kubernetes/aai/components/aai-resources/values.yaml file to set the keycloak.host and keycloak.port properties to your Keycloak instance.
If you prefer to configure the Keycloak host and port after deployment, you can skip modifying aai-resources/values.yaml here and follow "Fix configmap after deployment" below.

Once you have finished editing values.yaml, run

SKIP_LINT=true make all

from the oom/kubernetes directory to build the Helm charts for the ONAP deployment.

Once the charts are built, deploy aai-resources onto the Kubernetes cluster with an override file.

You can find onap-core-sdc.yaml here.

Run the command below.

helm deploy dev local/onap --namespace onap -f onap-core-sdc.yaml --timeout 900


2. Verify the configmap

To verify that aai-resources is configured properly, run

kubectl describe configmap dev-aai-resources-configmap -n onap | grep keycloak

The output should show spring.profiles.active=production,keycloak, as set in values.yaml earlier, together with the keycloak.* adapter properties.

If keycloak.auth-server-url in that output still points at the placeholder host and port instead of your Keycloak instance, it is not properly configured yet; the next section fixes it in place.

3. Fix configmap after deployment

aai-resources needs the address of the Keycloak server. You can set it before deployment (keycloak.host and keycloak.port in values.yaml) or after deployment, as described here.

  • To configure it after deployment, you need the address of the Keycloak server. Take it from the Service, not from a pod: kubectl get svc shows the Keycloak Service's ClusterIP and port, which stay stable, whereas the pod IP shown by kubectl get pod -o wide or kubectl describe pod keycloak-xxx changes whenever the pod is rescheduled. From inside the cluster the Service DNS name (keycloak.<namespace>.svc.cluster.local) is the most robust choice.

  • To edit the configmap of aai-resources, run the command below. It opens an editor.

kubectl edit configmap -n onap dev-aai-resources-configmap -o yaml

Modify the keycloak.auth-server-url line with the address and port you got from kubectl get svc. Saving and closing the editor writes the change to the cluster; no separate apply step is needed.

  • If you would rather edit a copy offline, dump the configmap to a file, edit it, and apply the file:

kubectl get configmap dev-aai-resources-configmap -n onap -o yaml > aai-resources-configmap.yaml

kubectl apply -f aai-resources-configmap.yaml

Then restart the aai-resources deployment: the Spring application reads its properties at startup, so running pods will not pick up the new value on their own.

  • To find and restart the aai-resources deployment

kubectl get deployment -n onap

kubectl rollout restart deployments/dev-aai-resources -n onap
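The post-deployment fix above as an added, scripted example (not code from the ONAP page or project). It reads the Keycloak Service's port, builds the in-cluster DNS URL, rewrites keycloak.auth-server-url inside the aai-resources configmap, restarts the deployment and waits for the rollout. It assumes Keycloak was installed by the quickstart manifest into the default namespace as a Service named keycloak, that the property appears as a keycloak.auth-server-url=... line inside the configmap's properties data, and that the URL keeps Keycloak 11's /auth prefix; the AAI_NS and KEYCLOAK_NS variables and the apply argument are this example's own conventions.

```bash
#!/usr/bin/env bash
# Added example, not from the ONAP page: repoint aai-resources at Keycloak after deployment.
# Assumptions (override via environment): Keycloak Service "keycloak" in namespace "default",
# aai-resources configmap and deployment named as on the page, in namespace "onap".
set -eu

NS="${AAI_NS:-onap}"
CM="${AAI_CONFIGMAP:-dev-aai-resources-configmap}"
DEPLOY="${AAI_DEPLOYMENT:-dev-aai-resources}"
KC_NS="${KEYCLOAK_NS:-default}"
KC_SVC="${KEYCLOAK_SVC:-keycloak}"

# Rewrite the value of keycloak.auth-server-url in a configmap manifest read on stdin.
# The property sits inside a multi-line data key, so the leading indentation is kept
# (captured as \1); '#' is the sed delimiter because the URL contains slashes.
set_auth_server_url() {
  sed "s#^\([[:space:]]*keycloak\.auth-server-url=\).*#\1$1#"
}

# Derive a stable in-cluster URL from the Service. A pod IP (kubectl describe pod) changes
# every time the pod is rescheduled; the Service DNS name does not.
keycloak_url() {
  port=$(kubectl get svc "$KC_SVC" -n "$KC_NS" -o jsonpath='{.spec.ports[0].port}')
  printf 'http://%s.%s.svc.cluster.local:%s/auth' "$KC_SVC" "$KC_NS" "$port"
}

main() {
  url=$(keycloak_url)
  # get | rewrite | replace: the fetched object carries its resourceVersion, so a concurrent
  # change to the configmap makes the replace fail instead of silently overwriting it.
  kubectl get configmap "$CM" -n "$NS" -o yaml | set_auth_server_url "$url" | kubectl replace -f -
  kubectl describe configmap "$CM" -n "$NS" | grep keycloak
  # Spring reads its properties at startup, so the pods must be restarted to see the change.
  kubectl rollout restart "deployment/$DEPLOY" -n "$NS"
  kubectl rollout status "deployment/$DEPLOY" -n "$NS" --timeout=600s
}

# Only act when explicitly asked, so the functions can be sourced and tested on their own.
if [ "${1:-}" = "apply" ]; then
  main
fi
```

Run it as bash fix-configmap.sh apply with a kubeconfig pointing at the cluster; without the apply argument it only defines the functions. If your Keycloak lives in another namespace or under another Service name, set KEYCLOAK_NS and KEYCLOAK_SVC accordingly.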


Test Multi-tenancy Locally

To test multi-tenancy locally, run aai-resources and aai-traversal locally, together with Keycloak and Cassandra, following the steps below:

  • Set up Keycloak and Cassandra by downloading the attached configuration zip file and running

    docker-compose up

  • Clone the required repositories: aai-common, aai-resources and aai-traversal.
  • Install aai-common with

    mvn clean install -DskipTests=true

  • Modify the application.properties file under the resources/aai-resources/src/main/resources directory:
    # Switch to keycloak
    spring.profiles.active=production,keycloak

  • Modify the application.properties file under the traversal/aai-traversal/src/main/resources directory:
    # Switch to keycloak
    spring.profiles.active=production,keycloak
  • Run resources and traversal with the commands below (each in its own terminal):

    cd aai-resources
    mvn -N -P runAjsc -Dserver.local.startpath=src/main/resources/

    cd aai-traversal
    mvn -N -P runAjsc -Dserver.local.startpath=src/main/resources/


Demo

Demo video: demo-locally.mp4 (attached to this page).

Running test suites

The test suites have the following sequence:

...