Keycloak Authorization Services based authz prototype (#24)

* Keycloak Authz Services based authz prototype

Signed-off-by: Marko Strukelj <[email protected]>

* Address spotbugs issues

Signed-off-by: Marko Strukelj <[email protected]>

* Address PR comments

Signed-off-by: Marko Strukelj <[email protected]>

* Added initial authz test to testsuite

Signed-off-by: Marko Strukelj <[email protected]>

* Fix SpotBugs failure on Java 11

Signed-off-by: Marko Strukelj <[email protected]>

* Add missing resource and action scope

Signed-off-by: Marko Strukelj <[email protected]>

* A more comprehensive test

Signed-off-by: Marko Strukelj <[email protected]>

* Fix JSONUtil.asListOfString() to convert non-textual values to text

Signed-off-by: Marko Strukelj <[email protected]>

* Fixes to examples/README-authz.md

Signed-off-by: Marko Strukelj <[email protected]>

* Rebase on master + improve README-authz.md + add DelegationToken resource for completeness

Signed-off-by: Marko Strukelj <[email protected]>

* Fix equals() method

Signed-off-by: Marko Strukelj <[email protected]>

* Fix UserSpec.of() method

Signed-off-by: Marko Strukelj <[email protected]>

* Throw exception for ACL methods if delegation to simple kafka ACL is not enabled

Signed-off-by: Marko Strukelj <[email protected]>

* Fix issues identified when testing with Kafka 2.4 and mutual TLS listeners

Signed-off-by: Marko Strukelj <[email protected]>

* Improve handling of non-oauth users and delegation to simple ACL

Signed-off-by: Marko Strukelj <[email protected]>

* Upgrade examples to Kafka 2.4.0 + oauthz example improvements

Signed-off-by: Marko Strukelj <[email protected]>

* Suggestions and comments from @tombentley

Signed-off-by: Marko Strukelj <[email protected]>

* Suggestions and comments from @tombentley

Signed-off-by: Marko Strukelj <[email protected]>

* Change strimzi.authz.* to strimzi.authorization.*

Signed-off-by: Marko Strukelj <[email protected]>

* Document authorization-scopes.json

Signed-off-by: Marko Strukelj <[email protected]>

README.md

@@ -72,6 +72,7 @@ Copy the following jars into your Kafka libs directory:
 
     oauth-common/target/kafka-oauth-common-*.jar
     oauth-server/target/kafka-oauth-server-*.jar
+    oauth-keycloak-authorizer/target/kafka-oauth-keycloak-authorizer-*.jar
     oauth-client/target/kafka-oauth-client-*.jar
     oauth-client/target/lib/keycloak-common-*.jar
     oauth-client/target/lib/keycloak-core-*.jar

examples/consumer/src/main/java/io/strimzi/examples/consumer/ExampleConsumer.java

@@ -22,7 +22,7 @@ public class ExampleConsumer {
 
     public static void main(String[] args) {
 
-        String topic = "Topic1";
+        String topic = "a_Topic1";
 
         Properties defaults = new Properties();
         Config external = new Config();
@@ -50,8 +50,8 @@ public static void main(String[] args) {
         final String accessToken = external.getValue(ClientConfig.OAUTH_ACCESS_TOKEN, null);
 
         if (accessToken == null) {
-            defaults.setProperty(Config.OAUTH_CLIENT_ID, "kafka-producer-client");
-            defaults.setProperty(Config.OAUTH_CLIENT_SECRET, "kafka-producer-client-secret");
+            defaults.setProperty(Config.OAUTH_CLIENT_ID, "kafka-consumer-client");
+            defaults.setProperty(Config.OAUTH_CLIENT_SECRET, "kafka-consumer-client-secret");
         }
 
         // Use 'preferred_username' rather than 'sub' for principal name
@@ -94,7 +94,7 @@ private static Properties buildConsumerConfig() {
         p.setProperty(ConsumerConfig.KEY_DESERIALIZER_CLASS_CONFIG, StringDeserializer.class.getName());
         p.setProperty(ConsumerConfig.VALUE_DESERIALIZER_CLASS_CONFIG, StringDeserializer.class.getName());
 
-        p.setProperty(ConsumerConfig.GROUP_ID_CONFIG, "consumer-group");
+        p.setProperty(ConsumerConfig.GROUP_ID_CONFIG, "a_consumer-group");
         p.setProperty(ConsumerConfig.MAX_POLL_RECORDS_CONFIG, "10");
         p.setProperty(ConsumerConfig.ENABLE_AUTO_COMMIT_CONFIG, "true");
 

examples/docker/README.md

@@ -124,14 +124,20 @@ To regenerate Root CA run the following:
 
 You also have to regenerate keycloak and hydra server certificates otherwise clients won't be able to connect any more.
 
-    cd /opt/jboss/keycloak/certificates
+    cd keycloak/certificates
     rm *.srl *.p12 cert-*
     ./gen-keycloak-certs.sh
 
     cd ../hydra/certificates 
     rm *.srl *.crt *.key *.csr
     ./gen-hydra-certs.sh
 
+And if CA has changed, then kafka broker certificates have to be regenerated as well:
+
+    cd kafka-oauth-strimzi/kafka/certificates
+    rm *.p12
+    ./gen-kafka-certs.sh
+
 And finally make sure to rebuild the docker module again and re-run `docker-compose` to ensure new keys and certificates are used everywhere.
 
     mvn clean install

examples/docker/kafka-oauth-strimzi/compose-authz.yml

@@ -0,0 +1,86 @@
+version: '3.5'
+
+services:
+
+  #################################### KAFKA BROKER ####################################
+  kafka:
+    image: strimzi/example-kafka
+    build: kafka-oauth-strimzi/kafka/target
+    container_name: kafka
+    ports:
+      - 9092:9092
+
+      # javaagent debug port
+      - 5006:5006
+
+    environment:
+
+      # Java Debug
+      KAFKA_DEBUG: y
+      DEBUG_SUSPEND_FLAG: y
+      JAVA_DEBUG_PORT: 5006
+
+      #
+      # KAFKA Configuration
+      #
+      LOG_DIR: /home/kafka/logs
+
+      KAFKA_BROKER_ID: 1
+      KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
+      KAFKA_LISTENERS: REPLICATION://kafka:9091,CLIENT://kafka:9092
+      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: REPLICATION:SSL,CLIENT:SASL_PLAINTEXT
+      KAFKA_SASL_ENABLED_MECHANISMS: OAUTHBEARER
+      KAFKA_INTER_BROKER_LISTENER_NAME: REPLICATION
+      KAFKA_SSL_SECURE_RANDOM_IMPLEMENTATION: SHA1PRNG
+      KAFKA_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM: ""
+
+      KAFKA_LISTENER_NAME_REPLICATION_SSL_KEYSTORE_LOCATION: /tmp/kafka/cluster.keystore.p12
+      KAFKA_LISTENER_NAME_REPLICATION_SSL_KEYSTORE_PASSWORD: Z_pkTh9xgZovK4t34cGB2o6afT4zZg0L
+      KAFKA_LISTENER_NAME_REPLICATION_SSL_KEYSTORE_TYPE: PKCS12
+      KAFKA_LISTENER_NAME_REPLICATION_SSL_TRUSTSTORE_LOCATION: /tmp/kafka/cluster.truststore.p12
+      KAFKA_LISTENER_NAME_REPLICATION_SSL_TRUSTSTORE_PASSWORD: Z_pkTh9xgZovK4t34cGB2o6afT4zZg0L
+      KAFKA_LISTENER_NAME_REPLICATION_SSL_TRUSTSTORE_TYPE: PKCS12
+      KAFKA_LISTENER_NAME_REPLICATION_SSL_CLIENT_AUTH: required
+
+      KAFKA_LISTENER_NAME_CLIENT_OAUTHBEARER_SASL_JAAS_CONFIG: "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;"
+      KAFKA_LISTENER_NAME_CLIENT_OAUTHBEARER_SASL_LOGIN_CALLBACK_HANDLER_CLASS: io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler
+      KAFKA_LISTENER_NAME_CLIENT_OAUTHBEARER_SASL_SERVER_CALLBACK_HANDLER_CLASS: io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler
+
+      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
+
+      KAFKA_AUTHORIZER_CLASS_NAME: io.strimzi.kafka.oauth.server.authorizer.KeycloakRBACAuthorizer
+      KAFKA_PRINCIPAL_BUILDER_CLASS: io.strimzi.kafka.oauth.server.authorizer.JwtKafkaPrincipalBuilder
+
+      KAFKA_STRIMZI_AUTHORIZATION_KAFKA_CLUSTER_NAME: cluster2
+      KAFKA_STRIMZI_AUTHORIZATION_DELEGATE_TO_KAFKA_ACL: "true"
+      KAFKA_SUPER_USERS: User:CN=my-cluster-kafka,O=io.strimzi;User:CN=my-cluster-entity-operator,O=io.strimzi;User:CN=my-cluster-kafka-exporter,O=io.strimzi;User:service-account-kafka
+
+      #
+      # Strimzi OAuth Configuration
+      #
+
+      # Authentication config
+      OAUTH_CLIENT_ID: "kafka"
+      OAUTH_CLIENT_SECRET: "kafka-secret"
+      OAUTH_TOKEN_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-kafka-authz}/protocol/openid-connect/token"
+
+      # Validation config
+      OAUTH_VALID_ISSUER_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-kafka-authz}"
+      OAUTH_JWKS_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-kafka-authz}/protocol/openid-connect/certs"
+      #OAUTH_INTROSPECTION_ENDPOINT_URI: "http://${KEYCLOAK_HOST}:8080/auth/realms/${REALM:-demo}/protocol/openid-connect/token/introspect"
+
+      # username extraction from JWT token claim
+      OAUTH_USERNAME_CLAIM: preferred_username
+
+      # For start.sh script to know where the keycloak is listening
+      KEYCLOAK_HOST: ${KEYCLOAK_HOST:-keycloak}
+      REALM: ${REALM:-kafka-authz}
+
+  zookeeper:
+    image: strimzi/example-zookeeper
+    build: kafka-oauth-strimzi/zookeeper/target
+    container_name: zookeeper
+    ports:
+      - 2181:2181
+    environment:
+      LOG_DIR: /home/kafka/logs

examples/docker/kafka-oauth-strimzi/kafka/Dockerfile

@@ -1,8 +1,9 @@
-FROM strimzi/kafka:latest-kafka-2.3.0
+FROM strimzi/kafka:latest-kafka-2.4.0
 
 COPY libs/* /opt/kafka/libs/strimzi/
 COPY config/* /opt/kafka/config/
 COPY *.sh /opt/kafka/
+COPY certificates/*.p12 /tmp/kafka/
 
 USER root
 RUN chmod +x /opt/kafka/*.sh

examples/docker/kafka-oauth-strimzi/kafka/certificates/gen-kafka-certs.sh

@@ -0,0 +1,21 @@
+#!/bin/sh
+
+set -e
+
+STOREPASS=Z_pkTh9xgZovK4t34cGB2o6afT4zZg0L
+
+echo "#### Generate broker keystore"
+keytool -keystore cluster.keystore.p12 -alias localhost -validity 380 -genkey -keyalg RSA -ext SAN=DNS:kafka -dname "CN=my-cluster-kafka,O=io.strimzi" -deststoretype pkcs12 -storepass $STOREPASS -keypass $STOREPASS
+
+echo "#### Add the CA to the brokers’ truststore"
+keytool -keystore cluster.truststore.p12 -deststoretype pkcs12 -storepass $STOREPASS -alias CARoot -importcert -file ../../../certificates/ca.crt -noprompt
+
+echo "#### Export the certificate from the keystore"
+keytool -keystore cluster.keystore.p12 -storetype pkcs12 -alias localhost -certreq -file cert-file -storepass $STOREPASS
+
+echo "#### Sign the certificate with the CA"
+openssl x509 -req -CA ../../../certificates/ca.crt -CAkey ../../../certificates/ca.key -in cert-file -out cert-signed -days 400 -CAcreateserial -passin pass:$STOREPASS
+
+echo "#### Import the CA and the signed certificate into the broker keystore"
+keytool -keystore cluster.keystore.p12 -deststoretype pkcs12 -alias CARoot -import -file ../../../certificates/ca.crt -storepass $STOREPASS -noprompt
+keytool -keystore cluster.keystore.p12 -deststoretype pkcs12 -alias localhost -import -file cert-signed -storepass $STOREPASS -noprompt

examples/docker/kafka-oauth-strimzi/kafka/jwt.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+if [ "$1" == "" ] || [ "$1" == "--help" ]; then
+  echo "Usage: $0 [JSON_WEB_TOKEN]"
+  exit 1
+fi
+
+IFS='.' read -r -a PARTS <<< "$1"
+
+echo "Head: "
+echo $(echo -n "${PARTS[0]}" | base64 -d 2>/dev/null)
+echo
+echo "Payload: "
+echo $(echo -n "${PARTS[1]}" | base64 -d 2>/dev/null)

examples/docker/kafka-oauth-strimzi/kafka/oauth.sh

@@ -0,0 +1,121 @@
+#!/bin/bash
+
+usage() {
+  echo "Usage: $0 [USERNAME] [PASSWORD] [ARGUMENTS] ..."
+  echo
+  echo "$0 is a tool for obtaining an access token or a refresh token for the user or the client."
+  echo
+  echo " USERNAME    The username for user authentication"
+  echo " PASSWORD    The password for user authentication (prompted for if not specified)"
+  echo
+  echo " If USERNAME and PASSWORD are not specified, client credentials as specified by --client-id and --secret will be used for authentication."
+  echo
+  echo " ARGUMENTS:"
+  echo "   --quiet, -q                      No informational outputs"
+  echo "   --insecure                       Allow http:// in token endpoint url"
+  echo "   --access                         Return access_token rather than refresh_token"
+  echo "   --endpoint  TOKEN_ENDPOINT_URL   Authorization server token endpoint"
+  echo "   --client-id CLIENT_ID            Client id for client authentication - must be configured on authorization server"
+  echo "   --secret    CLIENT_SECRET        Secret to authenticate the client"
+  echo "   --scopes    SCOPES               Space separated list of scopes to request - default value: offline_access"
+}
+
+
+CLAIM=refresh_token
+GRANT_TYPE=password
+DEFAULT_SCOPES=offline_access
+
+while [ $# -gt 0 ]
+do
+    case "$1" in
+      "-q" | "--quiet")
+          QUIET=1
+          ;;
+      --endpoint)
+          shift
+          TOKEN_ENDPOINT="$1"
+          ;;
+      --insecure)
+          INSECURE=1
+          ;;
+      --access)
+          CLAIM=access_token
+          DEFAULT_SCOPES=""
+          ;;
+      --client-id)
+          shift
+          CLIENT_ID="$1"
+          ;;
+      --secret)
+          shift
+          CLIENT_SECRET="$1"
+          ;;
+      --scopes)
+          shift
+          SCOPES="$1"
+          ;;
+      --help)
+          usage
+          exit 1
+          ;;
+      *)
+          if [ "$UNAME" == "" ]; then
+            UNAME="$1"
+          elif [ "$PASS" == "" ]; then
+            PASS="$1"
+          else
+            >&2 echo "Unexpected argument!"
+            exit 1
+          fi
+          ;;
+    esac
+    shift
+done
+
+if [ "$TOKEN_ENDPOINT" == "" ]; then
+    >&2 echo "ENV variable TOKEN_ENDPOINT not set."
+    exit 1
+fi
+
+if [ "$UNAME" != "" ] && [ "$PASS" == "" ]; then
+    >&2 read -s -p "Password: " PASS
+    >&2 echo
+fi
+
+if [ "$UNAME" == "" ] && [ "$CLIENT_ID" == "" ]; then
+    echo "USERNAME not specified. Use --client-id and --secret to authenticate with client credentials."
+    exit 1
+fi
+
+if [ "$CLIENT_ID" == "" ]; then
+    [ "$QUIET" == "" ] && >&2 echo "ENV var CLIENT_ID not set. Using default value: kafka-cli"
+    CLIENT_ID=kafka-cli
+fi
+
+if [ "$UNAME" == "" ]; then
+    GRANT_TYPE=client_credentials
+else
+    USER_PASS_CLIENT="&username=${UNAME}&password=${PASS}&client_id=${CLIENT_ID}"
+fi
+
+if [ "$SCOPES" == "" ] && [ DEFAULT_SCOPES != "" ]; then
+    [ "$QUIET" == "" ] && >&2 echo "ENV var SCOPES not set. Using default value: ${DEFAULT_SCOPES}"
+    SCOPES="${DEFAULT_SCOPES}"
+fi
+
+if [ "$CLIENT_SECRET" != "" ]; then
+    AUTH_VALUE=$(echo -n "$CLIENT_ID:$CLIENT_SECRET" | base64)
+    AUTHORIZATION="-H 'Authorization: Basic ""$AUTH_VALUE'"
+fi
+
+[ "$QUIET" == "" ] && >&2 echo curl -s -X POST $TOKEN_ENDPOINT \
+    $AUTHORIZATION \
+    -H 'Content-Type: application/x-www-form-urlencoded' \
+    -d "grant_type=${GRANT_TYPE}${USER_PASS_CLIENT}&scope=${SCOPES}"
+
+result=$(curl -s -X POST $TOKEN_ENDPOINT \
+    $AUTHORIZATION \
+    -H 'Content-Type: application/x-www-form-urlencoded' \
+    -d "grant_type=${GRANT_TYPE}${USER_PASS_CLIENT}&scope=${SCOPES}")
+
+echo $result | awk -F "$CLAIM\":\"" '{printf $2}' | awk -F "\"" '{printf $1}'

examples/docker/kafka-oauth-strimzi/kafka/pom.xml

@@ -33,9 +33,12 @@
                                         <include>functions.sh</include>
                                         <include>start.sh</include>
                                         <include>start_with_hydra.sh</include>
+                                        <include>jwt.sh</include>
+                                        <include>oauth.sh</include>
                                         <include>simple_kafka_config.sh</include>
                                         <include>Dockerfile</include>
                                         <include>config/</include>
+                                        <include>certificates/</include>
                                     </includes>
                                     <filtering>false</filtering>
                                 </resource>
@@ -70,6 +73,10 @@
                             <groupId>io.strimzi</groupId>
                             <artifactId>kafka-oauth-common</artifactId>
                         </artifactItem>
+                        <artifactItem>
+                            <groupId>io.strimzi</groupId>
+                            <artifactId>kafka-oauth-keycloak-authorizer</artifactId>
+                        </artifactItem>
                         <artifactItem>
                             <groupId>org.keycloak</groupId>
                             <artifactId>keycloak-core</artifactId>
@@ -90,4 +97,4 @@
             </plugin>
         </plugins>
     </build>
-</project>
+</project>

examples/docker/kafka-oauth-strimzi/kafka/start.sh

@@ -12,7 +12,13 @@ wait_for_url $URI "Waiting for Keycloak to start"
 
 wait_for_url "$URI/realms/${REALM:-demo}" "Waiting for realm '${REALM}' to be available"
 
-./simple_kafka_config.sh | tee /tmp/strimzi.properties
+if [ "$SERVER_PROPERTIES_FILE" == "" ]; then
+  echo "Generating a new strimzi.properties file using ENV vars"
+  ./simple_kafka_config.sh | tee /tmp/strimzi.properties
+else
+  echo "Using provided server.properties file: $SERVER_PROPERTIES_FILE"
+  cp $SERVER_PROPERTIES_FILE /tmp/strimzi.properties
+fi
 
 # add Strimzi kafka-oauth-* jars and their dependencies to classpath
 export CLASSPATH="/opt/kafka/libs/strimzi/*:$CLASSPATH"

examples/docker/kafka-oauth-strimzi/zookeeper/Dockerfile

@@ -1,4 +1,4 @@
-FROM strimzi/zookeeper:0.11.4-kafka-2.1.0
+FROM strimzi/kafka:latest-kafka-2.4.0
 
 COPY start.sh /opt/kafka/
 COPY simple_zk_config.sh /opt/kafka/