Multi-tenancy needs authentication and authorization; Keycloak provides both. To offer multi-tenancy in A&AI, A&AI can use the Spring Boot security features to interact with Keycloak. This document explains how to set up Keycloak and A&AI to provide the authentication and authorization services that multi-tenancy requires.
Keycloak setup
If you run Keycloak on your laptop instead of on Kubernetes:
docker run -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin quay.io/keycloak/keycloak:11.0.2
See https://www.keycloak.org/getting-started/getting-started-docker
To install on Kubernetes, run the command below:
kubectl create -f https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/kubernetes-examples/keycloak.yaml
You can also use the Kubernetes manifest file below.
It exposes Keycloak as a Kubernetes LoadBalancer service; you can connect to the Keycloak instance on port 8080.
Tip: for development purposes, you can use the Kubernetes port-forwarding feature to reach the Keycloak instance: kubectl port-forward <keycloak-pod-name> <source-port>:<target-port>
e.g. kubectl port-forward keycloak-54b8bd56b9-tqsgb 8080:8080
1. Realm setting
A realm in Keycloak manages users, applications and groups. The first step of the Keycloak setup is to log in to the admin console via a web browser.
Since you port-forwarded your port 8080 to the Keycloak instance running in the Kubernetes cluster, you can log in at http://localhost:8080/auth/admin/
For more information, see https://www.keycloak.org/docs/latest/getting_started/
You can set up a new realm through the admin console or simply import a realm JSON file.
Here's a sample realm file:
2. Create a client
The client is an entity that requests credentials from Keycloak. Click the Clients menu, set Client Protocol to openid-connect and Root URL to http://localhost:8080, then click Save.
Once on the Settings page, change Access Type to confidential, switch Service Account and Authorization on, and leave the remaining values at their defaults. Click Save.
3. Create a client role
Select the Roles tab, click the Add Role button and create the user and admin roles.
4. Create a realm role
Select Roles from the main menu on the left and click the Add Role button. Create the app-admin and app-user realm roles.
Realm roles and client roles are different, but they can be associated. Once you have finished adding roles, click the app-admin role, select the auth-demo-app client that we just created above, and associate the realm roles with the corresponding client roles.
5. Create a user
Users are entities that are able to log into your system. Now create a user employee and grant it the app-user role.
Switch Temporary off because we want a permanent password. Set a password, then click the Set Password button.
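As an added example (not the page's sample realm file and not ONAP's own code), the Python below generates a realm-import JSON that mirrors steps 1 to 5: the confidential auth-demo-app client with service account and authorization switched on, its user and admin client roles, the app-admin and app-user realm roles composed onto those client roles, and the employee user with a permanent password. The realm name aai-multitenancy and the CHANGE-ME password are placeholders, and the key names follow Keycloak's realm export format as assumed here, so compare them with an export from your own Keycloak version before importing.

```python
# Added example, not from the page or ONAP. Key names follow Keycloak's realm
# export format as assumed here; compare with an export from your own version.
REALM = "aai-multitenancy"        # placeholder realm name
CLIENT = "auth-demo-app"          # client created in step 2
ROOT_URL = "http://localhost:8080"


def composite_role(name, client_id, client_role):
    """Realm role that grants one client role (the association in step 4)."""
    return {"name": name, "composite": True,
            "composites": {"client": {client_id: [client_role]}}}


def build_realm(realm=REALM, client_id=CLIENT, root_url=ROOT_URL,
                employee_password="CHANGE-ME"):   # placeholder password
    """Return a realm-import dict covering steps 1 to 5 of the page."""
    return {
        "realm": realm,
        "enabled": True,
        "clients": [{
            "clientId": client_id,
            "protocol": "openid-connect",
            "rootUrl": root_url,
            "publicClient": False,                 # Access Type: confidential
            "serviceAccountsEnabled": True,        # service account: on
            "authorizationServicesEnabled": True,  # Authorization: on
        }],
        "roles": {
            "client": {client_id: [{"name": "user"}, {"name": "admin"}]},
            "realm": [composite_role("app-admin", client_id, "admin"),
                      composite_role("app-user", client_id, "user")],
        },
        "users": [{
            "username": "employee",
            "enabled": True,
            "realmRoles": ["app-user"],
            # temporary=False is the "Temporary: OFF" switch from step 5
            "credentials": [{"type": "password", "value": employee_password,
                             "temporary": False}],
        }],
    }


def effective_client_roles(realm_rep, username):
    """Client roles a user receives through realm-role composites."""
    user = next(u for u in realm_rep["users"] if u["username"] == username)
    granted = set()
    for role in realm_rep["roles"]["realm"]:
        if role["name"] in user.get("realmRoles", []):
            for cid, names in role.get("composites", {}).get("client", {}).items():
                granted.update(f"{cid}:{n}" for n in names)
    return granted
```

Serialize build_realm() with json.dumps and import the resulting file as described in step 1; effective_client_roles shows why granting only the app-user realm role leaves employee with the client's user role and not admin.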
aai-resource setup
aai-resource must be configured to interact with Keycloak.
1. Configure aai-resource
We assume you have a Kubernetes cluster with a Helm server running. If you prefer to run aai-resource on your laptop, see Run AAI-Resources on your laptop below.
Clone the OOM repository from ONAP Gerrit:
git clone -b <BRANCH> http://gerrit.onap.org/r/oom --recurse-submodules
cd oom/kubernetes
Open the oom/kubernetes/aai/values.yaml file to turn on Spring Security with Keycloak. Edit profiles.active to include keycloak:
# Active spring profiles for the resources microservice
profiles:
  #active: production,dmaap,aaf-auth
  active: production,keycloak
Edit the /oom/kubernetes/aai/components/aai-resources/values.yaml file to change the keycloak.host and keycloak.port properties.
If you prefer to configure the Keycloak server and port after deployment, you can skip modifying the aai-resource values.yaml file.
Once you have finished editing values.yaml, run SKIP_LINT=true make all from the oom/kubernetes directory to build the Helm charts for the ONAP deployment.
Once the charts are built, you can modify aai-resource's values.yaml and deploy aai-resource onto the Kubernetes cluster.
You can find onap-core-sdc.yaml here.
Run the command below:
helm deploy dev local/onap --namespace onap -f onap-core-sdc.yaml --timeout 900
2. Verify the configmap
To verify that aai-resource is properly configured, run:
kubectl describe configmap dev-aai-resources-configmap -n onap | grep keycloak
The command output should show spring.profiles.active=production,keycloak, as we modified values.yaml earlier.
As you can see in the output above, keycloak.auth-server-url is not properly configured.
3. Fix the configmap after deployment
aai-resource is configured to connect to the Keycloak server. You can configure this before or after aai-resource is deployed.
To configure it after deployment, you need to know the Keycloak server's IP address. kubectl get pod and kubectl describe pod keycloak-xxx will show you the Keycloak server IP and port. Note that a pod IP changes whenever the Keycloak pod is recreated; the Keycloak Service address shown by kubectl get svc is stable across pod restarts.
To edit aai-resource's configmap, run the command below; it opens an editor.
kubectl edit configmap -n onap dev-aai-resources-configmap -o yaml
Modify the keycloak.auth-server-url line with the IP address and port you got from kubectl get svc.
To apply the change to the configmap, run:
kubectl get configmap dev-aai-resources-configmap -n onap -o yaml | kubectl apply -f -
Then restart the aai-resource deployment. To find aai-resource's deployment:
kubectl get deployment -n onap
kubectl rollout restart deployments/dev-aai-resources -n onap
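As an added check, not from the page or ONAP, this Python snippet runs the verify and fix steps offline against a constructed configmap dump: it flags the unusable keycloak.auth-server-url that the verify step reveals, and rewrites that line the way the manual kubectl edit does, so the result can be piped to kubectl apply -f -. The keycloak.realm and keycloak.resource keys, the realm name and the sample host are assumptions.

```python
import re

# Constructed sample of a configmap as `kubectl get configmap ... -o yaml` prints
# it (not real output from the page); the empty host mimics the misconfiguration
# the page's verify step reveals. keycloak.realm/resource are assumed keys.
SAMPLE_CONFIGMAP = """\
apiVersion: v1
kind: ConfigMap
data:
  application.properties: |
    spring.profiles.active=production,keycloak
    keycloak.realm=aai-multitenancy
    keycloak.resource=auth-demo-app
    keycloak.auth-server-url=http://:8080/auth
"""

# host must be non-empty; port is optional; path must be /auth
URL_RE = re.compile(r"^https?://([^/:\s]+)(?::(\d+))?/auth/?$")


def properties(configmap_yaml):
    """Collect key=value lines from the embedded properties block."""
    props = {}
    for line in configmap_yaml.splitlines():
        m = re.match(r"^\s*([\w.\-]+)=(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_keycloak(configmap_yaml):
    """Return a list of problems; an empty list means the wiring looks sane."""
    p = properties(configmap_yaml)
    problems = []
    if "keycloak" not in p.get("spring.profiles.active", "").split(","):
        problems.append("spring.profiles.active does not include keycloak")
    url = p.get("keycloak.auth-server-url", "")
    if not URL_RE.match(url):
        problems.append(f"keycloak.auth-server-url is not usable: {url!r}")
    return problems


def set_auth_server_url(configmap_yaml, host, port=8080):
    """Rewrite the auth-server-url line, as the manual kubectl edit step does."""
    new = f"keycloak.auth-server-url=http://{host}:{port}/auth"
    fixed, n = re.subn(r"keycloak\.auth-server-url=.*", new, configmap_yaml)
    if n != 1:
        raise ValueError("expected exactly one keycloak.auth-server-url line")
    return fixed
```

Feed the real dump from kubectl get configmap dev-aai-resources-configmap -n onap -o yaml to check_keycloak before and after set_auth_server_url, then apply the fixed text and rollout-restart the deployment as above.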
Run AAI-Resources on your laptop
To run aai-resource as a single instance on your laptop, you need two repositories: aai-common and aai-resource.
Install aai-common with mvn -DskipTests=true install under the aai-common repo.
Modify the application.properties file under the aai-resources/aai-resources/src/main/resources directory. Change the line
spring.profiles.active=production,one-way-ssl
to
spring.profiles.active=production,keycloak
and the line
server.local.startpath=aai-resource/src/main/resources/
to
server.local.startpath=src/main/resources/
Run it with mvn -N -P runAjsc under the aai-resource root directory.
Related articles
https://medium.com/devops-dudes/securing-spring-boot-rest-apis-with-keycloak-1d760b2004e