Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 9 Next »


Multi-tenancy needs authentication and authorization. Keycloack serves these two features.
In order to provide multi-tenancy of A&AI, A&AI can leverage Springboot security feature to interact with Keycloak. This document explains how to set up Keycloak and A&AI to provide essential authentication and authorization services for multi-tenancy

Keycloak setup

If you run Keycloak on your laptop instead of running on Kubernetes,

`docker run -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin quay.io/keycloak/keycloak:11.0.2`

docker run -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin quay.io/keycloak/keycloak:11.0.2


https://www.keycloak.org/getting-started/getting-started-docker

To install on Kubernetes, run the command below

kubectl create -f https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/kubernetes-examples/keycloak.yaml

You can use kubernetes manifest file below.

https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/kubernetes-examples/keycloak.yaml

It exposes Keycloak as a LoadBalancer service of Kubernetes. You can connect the Keycloak instance via 8080 port.


Tips. For development purposes, you can use port-forwarding feature of Kubernetes to connect the Keycloak instance. kubectl port-forward keycloak-pod-name source-port:target-port e.g kubectl port-forward keycloak-54b8bd56b9-tqsgb 8080:8080

https://kubernetes.io/docs/tasks/access-application-cluster/port-forward-access-application-cluster/#forward-a-local-port-to-a-port-on-the-pod

1. realm setting

Realm in Keycloak manages users, applications and groups. The first step of Keycloak setting is log-in to admin console via a web browser.

Since, you port-forward your 8080 port into Keycloack instance running in a Kubernetes cluster, you can log in with http://localhost:8080/auth/admin/

For more information, https://www.keycloak.org/docs/latest/getting_started/

You can set up a new realm through the admin console or simply import realm json file.
Here's a sample realm file


2. Create a client

The client is an entity requesting a credential from a Keycloak. Click the Clients menu

Select Client Protocol to openid-connect and Root URL as http://localhost:8080 then click Save.

Once Settings page, change Access type to confidential, service account, Authorization to on, and leave the default values as they are.

click save.

3. Create a client role

Select Roles tab


Click the Add Role button and create user and admin roles

4. Create a realm role

Select Roles from the main menu on the left and click Add role button.

Create app-admin and app-user realm roles.

Realm roles and client roles are different but there are associations.


Once you finished adding role, click app-admin role

Select a client for auth-demo-app that we just created above.

Associate realm roles to corresponding clients roles

5. Create a user


Users are entities that are able to log into your system

Now, create a user employee and grant app-user roles


Set Temporary button off because we like to use a permanent password.

Set a password then click Set Password button


aai-resource setup

aai-resource should be configured to interact with Keycloak

1. Configure aai-resource

We assume you have Kubernetes cluster with helm server running. If you like to run aai-resource on your laptop, Run AAI-Resources on your laptop

Clone OOM repository from ONAP gerrit.

git clone -b <BRANCH> <http://gerrit.onap.org/r/oom> --recurse-submodules

cd oom/kubernetes

Open oom/kubernetes/aai/values.yaml file to turn on Spring security with Keycloak.

Edit profiles.active to include keycloak

    # Active spring profiles for the resources microservice
    profiles:
      #active: production,dmaap,aaf-auth
      active: production,keycloak

edit /oom/kubernetes/aai/components/aai-resources/values.yaml file to change keycloak.host and keycloak.port properties.
If you like to config keycloak server and port after deployment, you can skip modifying aai-resource/values.yaml file.

Once you finished editing value.yaml file, run
SKIP_LINT=true make all command from oom/kubernetes directory to build helm charts for ONAP deployment

Once, building charts are done, you can modify aai-resource's value.yaml and deploy aai-resource onto Kubernetes cluster.

You can find onap-core-sdc.yaml here.

Run the command below.

helm deploy dev local/onap --namespace onap -f onap-core-sdc.yaml --timeout 900


2. verify configmap

In order to verify aai-resource is properly configured, run kubectl describe configmap dev-aai-resources-configmap -n onap | grep keycloak

You command outputs should show spring.properties.active=production,keycloak as we modified value.yaml earlier.

As you can see the output above keycloak.auth-server-url is not properly configured.

3. Fix configmap after deployment

aai-resource is configured to connect Keycloak server. You can configure before and after aai-resource is deployed.

  • To configure after its deployment, you need to know keycloak server ip address.

kubectl get pod and kubectl describe pod keycloak-xxx will show you keycloak server IP and port.

  • To edit aai-resource's configmap, run the command below. It will open an editor.

kubectl edit configmap -n onap dev-aai-resources-configmap -o yaml

Modify the keycloak.auth-server-url line with the IP address and port you got from kubectl get svc

  • To apply the change on configmap, run

kubectl get configmap dev-aai-resources-configmap -n onap -o yaml | kubectl apply -f -

Then restart aai-resource deployment.

  • To find aai-resource's deployment

kubectl get deployment -n onap

kubectl rollout restart deployments/dev-aai-resources -n onap


Run AAI-Resource on your laptop

In order to run aai-resource as a single instance on your laptop, you need two repositories, aai-common, and aai-resource.

  1. Install aai-common with mvn -DskipTests=true install command under aai-common repo.

  2. Modify application.properties file under aai-resources/aai-resources/src/main/resources directory. change spring.profiles.active=production,one-way-ssl line to spring.profiles.active=production,keycloak and server.local.startpath=aai-resource/src/main/resources/ line to server.local.startpath=src/main/resources/

  3. Run it with mvn -N -P runAjsc command under aai-resource root directory


Related articles

https://medium.com/devops-dudes/securing-spring-boot-rest-apis-with-keycloak-1d760b2004e


  • No labels