Keycloak Authorization Services based authz prototype #24
Conversation
oauth-common/src/main/java/io/strimzi/kafka/oauth/common/HttpException.java
Outdated
Show resolved
Hide resolved
oauth-common/src/main/java/io/strimzi/kafka/oauth/common/HttpException.java
Outdated
Show resolved
Hide resolved
oauth-common/src/main/java/io/strimzi/kafka/oauth/common/JSONUtil.java
Outdated
Show resolved
Hide resolved
...oak-authorizer/src/main/java/io/strimzi/kafka/oauth/server/authorizer/JwtKafkaPrincipal.java
Outdated
Show resolved
Hide resolved
...oak-authorizer/src/main/java/io/strimzi/kafka/oauth/server/authorizer/JwtKafkaPrincipal.java
Outdated
Show resolved
Hide resolved
...oak-authorizer/src/main/java/io/strimzi/kafka/oauth/server/authorizer/JwtKafkaPrincipal.java
Outdated
Show resolved
Hide resolved
...uthorizer/src/main/java/io/strimzi/kafka/oauth/server/authorizer/KeycloakRBACAuthorizer.java
Show resolved
Hide resolved
...uthorizer/src/main/java/io/strimzi/kafka/oauth/server/authorizer/KeycloakRBACAuthorizer.java
Outdated
Show resolved
Hide resolved
oauth-keycloak-authorizer/src/main/java/io/strimzi/kafka/oauth/server/authorizer/UserSpec.java
Outdated
Show resolved
Hide resolved
oauth-keycloak-authorizer/src/main/java/io/strimzi/kafka/oauth/server/authorizer/UserSpec.java
Outdated
Show resolved
Hide resolved
| In this case the access token represents the specific user, rather than the client application. | ||
|
|
||
| Before continuing, there is one setting we need to check. | ||
| Due to [a little bug in Keycloak](https://issues.redhat.com/browse/KEYCLOAK-12640) the realm is at this point misconfigured, and we have to fix the configuration manually. |
There was a problem hiding this comment.
I think we should track this bug maybe with an issue here, in order to remember to remove this section when the Keycloak bug will be fixed and the workaround not needed anymore.
There was a problem hiding this comment.
@ppatierno What is the standard practice for tracking external issues 'here'? Creating a new Issue and linking to external one in its description, then just leaving it open and occasionally checking it?
There was a problem hiding this comment.
@mstruk yes, it's the only way I know :-/
...horizer/src/main/java/io/strimzi/kafka/oauth/server/authorizer/JwtKafkaPrincipalBuilder.java
Outdated
Show resolved
Hide resolved
| usage() { | ||
| echo "Usage: $0 [USERNAME] [PASSWORD] [ARGUMENTS] ..." | ||
| echo | ||
| echo "$0 is a tool for obtaining an access token or a refresh token for the user or the client." |
There was a problem hiding this comment.
Yes, it would. IIRC we include the jar using the 3rd party jars mechanism, but we don't really have similar mechanism for including tools or scripts.
| usage() { | ||
| echo "Usage: $0 [USERNAME] [PASSWORD] [ARGUMENTS] ..." | ||
| echo | ||
| echo "$0 is a tool for obtaining an access token or a refresh token for the user or the client." |
There was a problem hiding this comment.
Yes, it would. IIRC we include the jar using the 3rd party jars mechanism, but we don't really have similar mechanism for including tools or scripts.
...oak-authorizer/src/main/java/io/strimzi/kafka/oauth/server/authorizer/JwtKafkaPrincipal.java
Outdated
Show resolved
Hide resolved
...uthorizer/src/main/java/io/strimzi/kafka/oauth/server/authorizer/KeycloakRBACAuthorizer.java
Outdated
Show resolved
Hide resolved
oauth-keycloak-authorizer/src/main/java/io/strimzi/kafka/oauth/server/authorizer/UserSpec.java
Outdated
Show resolved
Hide resolved
ppatierno
changed the title
|
I have some more fixes coming, for issues identified while testing with mutual TLS listeners and Kafka 2.4 ... |
| @@ -0,0 +1,37 @@ | |||
| { | |||
There was a problem hiding this comment.
Could you please explain why do we need this file here? How is it used and how is it packaged?
There was a problem hiding this comment.
Currently all the documentation is in examples/docker/README-authz.md which is a walkthrough example. This file is mentioned there. I can add a paragraph that explains how to import it into empty Authorization Services configuration.
|
|
||
| public class AuthzConfig extends Config { | ||
|
|
||
| public static final String STRIMZI_AUTHZ_CLIENT_ID = "strimzi.authz.client.id"; |
There was a problem hiding this comment.
I wonder if we should use authorization intead of authz. Lot of people does not know / use this as shortcut and might be confused.
|
It looks like the tests could use a longer timeout to give enough time to pull down images from docker hub. |
Signed-off-by: Marko Strukelj <[email protected]>
Signed-off-by: Marko Strukelj <[email protected]>
Signed-off-by: Marko Strukelj <[email protected]>
Signed-off-by: Marko Strukelj <[email protected]>
Signed-off-by: Marko Strukelj <[email protected]>
Signed-off-by: Marko Strukelj <[email protected]>
Signed-off-by: Marko Strukelj <[email protected]>
Signed-off-by: Marko Strukelj <[email protected]>
Signed-off-by: Marko Strukelj <[email protected]>
…urce for completeness Signed-off-by: Marko Strukelj <[email protected]>
Signed-off-by: Marko Strukelj <[email protected]>
Signed-off-by: Marko Strukelj <[email protected]>
…not enabled Signed-off-by: Marko Strukelj <[email protected]>
…eners Signed-off-by: Marko Strukelj <[email protected]>
Signed-off-by: Marko Strukelj <[email protected]>
Signed-off-by: Marko Strukelj <[email protected]>
Signed-off-by: Marko Strukelj <[email protected]>
Signed-off-by: Marko Strukelj <[email protected]>
Signed-off-by: Marko Strukelj <[email protected]>
Signed-off-by: Marko Strukelj <[email protected]>
Signed-off-by: Marko Strukelj [email protected]
This PR introduces authorization support that works hand-in-hand with OAuth2 authentication.
There is an example that allows a step-by-step walkthrough. See README-authz.md
The configuration is explained in JavaDoc of KeycloakRBACAuthorizer class
What's still missing are automated tests in the testsuite.