ENDOC-578 Update the RBAC tutorial for Entando 7.1 #587
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Lyd1aCla1r3
reviewed
Oct 6, 2022
|
|
||
| #### Modify Security Checks for Kubernetes | ||
| #### Keycloak Client options in an Entando Application |
There was a problem hiding this comment.
Option (capitalized to match style of other headers)
| 3. Verify that attempting to delete via the UI generates a `403 error` in the browser console and an error in the service logs similar to the following: | ||
| 1. Restart the microservice. By default, this includes rebuilding any changed source files. | ||
| 2. Return to the MFE and try deleting one of the Conferences in the list | ||
| 3. Verify that attempting to delete a conference via the UI generates a `403 error` in the browser console. There should be an error in the service logs similar to the following: |
There was a problem hiding this comment.
"conference" is capitalized in the step above, which is contextually similar
|
|
||
| 1. In your browser, go to <http://localhost:3000>. This is typically the location of the tableWidget MFE. | ||
| 2. Access the tableWidget MFE with the default credentials of `username: admin`, `password: admin` | ||
| 1. In your browser, go to <http://localhost:3000>. |
There was a problem hiding this comment.
minor: remove period for consistency
| ## Notes | ||
| ### Realm Roles versus Client Authorities | ||
| This tutorial utilizes authorities. In Keycloak, authorities are roles mapped to a user for a specific client. It is possible to assign higher-level Realm Roles directly to users, e.g. `ROLE_ADMIN`, but this can result in collisions between applications using the same roles. | ||
| ### Step 10. Configure the roles in `entando.json` |
There was a problem hiding this comment.
prefer this reference to entando.json which is not prefaced by "the"; minor but technically correct to not use "the"
| To implement Realm-assigned roles, the code above must be modified: | ||
| - In the backend, use the annotation `@Secured('ROLE_ADMIN)` or `@PreAuthorize(hasRole('ROLE_ADMIN'))` | ||
| - In the frontend, use `keycloak.hasRealmRole` instead of `keycloak.hasResourceRole` | ||
| 1. Modify the `entando.json` by adding the following line to the `microservices/conference-ms`: |
There was a problem hiding this comment.
think it's correct either way, with or without the
There was a problem hiding this comment.
jyunmitch
reviewed
Oct 6, 2022
|
|
||
| > Note: Once authenticated, the message "No conferences are available" is generated. If you check your browser | ||
| console, you should see a `403 (Forbidden)` error for the request made to `localhost:8080/services/conference/api/conferences`. This is expected because the admin user has not yet been granted the new role. | ||
| > Note: Once authenticated, the message "No conferences are available" is generated. If you check your browser console, you should see a `403 (Forbidden)` error for the request made to `localhost:8080/services/conference/api/conferences`. This is expected because the admin user has not yet been granted the new role. |
There was a problem hiding this comment.
backtick admin in last line
| To implement Realm-assigned roles, the code above must be modified: | ||
| - In the backend, use the annotation `@Secured('ROLE_ADMIN)` or `@PreAuthorize(hasRole('ROLE_ADMIN'))` | ||
| - In the frontend, use `keycloak.hasRealmRole` instead of `keycloak.hasResourceRole` | ||
| 1. Modify the `entando.json` by adding the following line to the `microservices/conference-ms`: |
There was a problem hiding this comment.
think it's correct either way, with or without the
jyunmitch
approved these changes
Oct 6, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.