Improve keycloak configuration (#69)

Signed-off-by: Christian Berendt <[email protected]>
SovereignCloudStack · Oct 14, 2020 · d81ba3b · d81ba3b
1 parent 917627d
commit d81ba3b
Show file tree

Hide file tree

Showing 4 changed files with 204 additions and 7 deletions.
diff --git a/README.rst b/README.rst
@@ -56,3 +56,22 @@ Webinterfaces & API endpoints
 The web interfaces and API endpoints can be accessed externally via
 the assigned floating IP address of the instance (run
 ``make ENVIRONMENT=betacloud endpoints``).
+
+Notes
+=====
+
+Keystone mapping combinations
+-----------------------------
+
+https://docs.openstack.org/keystone/latest/admin/federation/mapping_combinations.html
+
+The mappings can be found in the file
+``/opt/configuration/environments/openstack/files/keycloak_rules.json``.
+
+To update the mapping on the Keystone, execute the following command.
+
+.. code-block:: console
+
+   $ openstack --os-cloud admin mapping set \
+       --rules /configuration/files/keycloak_rules.json \
+       keycloak_mapping
diff --git a/environments/custom/playbook-configuration.yml b/environments/custom/playbook-configuration.yml
@@ -0,0 +1,40 @@
+---
+- name: Apply role configuration
+  hosts: testbed-gx-iam-manager.osism.test
+  gather_facts: true
+
+  vars:
+    ansible_python_interpreter: /usr/bin/python3
+    configuration_git_host: github.com
+    configuration_git_port: 443
+    configuration_git_protocol: https
+    configuration_git_repository: SovereignCloudStack/testbed-gx-iam.git
+    configuration_git_version: master
+
+  collections:
+    - osism.commons
+
+  roles:
+    - role: configuration
+
+- name: Prepare configuration directory
+  hosts: testbed-gx-iam-manager.osism.test
+  gather_facts: false
+
+  vars:
+    endpoint: testbed-gx-iam.osism.test
+
+  tasks:
+    - name: Find all of the files inside the configuration directory
+      find:
+        paths: /opt/configuration
+        patterns: "*"
+        recurse: true
+      register: files
+
+    - name: Set endpoint in all files
+      replace:
+        path: "{{ item.path }}"
+        regexp: testbed-gx-iam.osism.test
+        replace: "{{ endpoint }}"
+      with_items: "{{ files.files }}"
diff --git a/environments/openstack/files/keycloak_rules.json b/environments/openstack/files/keycloak_rules.json
@@ -6,7 +6,7 @@
           "domain": {
             "name": "keycloak"
           },
-          "name": "keycloak_users"
+          "name": "keycloak_all"
         },
         "user": {
           "name": "{0}"
@@ -24,5 +24,104 @@
         ]
       }
     ]
+  },
+  {
+    "local": [
+      {
+        "group": {
+          "domain": {
+            "name": "keycloak"
+          },
+          "name": "keycloak1"
+        },
+        "user": {
+          "name": "{0}"
+        }
+      }
+    ],
+    "remote": [
+      {
+        "type": "OIDC-preferred_username"
+      },
+      {
+        "type": "OIDC-groups",
+        "any_one_of": [
+          ".*keycloak1.*"
+        ],
+        "regex": true
+      },
+      {
+        "type": "HTTP_OIDC_ISS",
+        "any_one_of": [
+          "https://testbed-gx-iam.osism.test:8170/auth/realms/keystone"
+        ]
+      }
+    ]
+  },
+  {
+    "local": [
+      {
+        "group": {
+          "domain": {
+            "name": "keycloak"
+          },
+          "name": "keycloak2"
+        },
+        "user": {
+          "name": "{0}"
+        }
+      }
+    ],
+    "remote": [
+      {
+        "type": "OIDC-preferred_username"
+      },
+      {
+        "type": "OIDC-groups",
+        "any_one_of": [
+          ".*keycloak2.*"
+        ],
+        "regex": true
+      },
+      {
+        "type": "HTTP_OIDC_ISS",
+        "any_one_of": [
+          "https://testbed-gx-iam.osism.test:8170/auth/realms/keystone"
+        ]
+      }
+    ]
+  }
+  {
+    "local": [
+      {
+        "group": {
+          "domain": {
+            "name": "keycloak"
+          },
+          "name": "keycloak3"
+        },
+        "user": {
+          "name": "{0}"
+        }
+      }
+    ],
+    "remote": [
+      {
+        "type": "OIDC-preferred_username"
+      },
+      {
+        "type": "OIDC-groups",
+        "any_one_of": [
+          ".*keycloak3.*"
+        ],
+        "regex": true
+      },
+      {
+        "type": "HTTP_OIDC_ISS",
+        "any_one_of": [
+          "https://testbed-gx-iam.osism.test:8170/auth/realms/keystone"
+        ]
+      }
+    ]
   }
 ]
diff --git a/terraform/manager.tf b/terraform/manager.tf
@@ -129,18 +129,57 @@ write_files:
       sudo -iu dragon sh -c "docker exec keycloak /opt/jboss/keycloak/bin/kcadm.sh create realms -s realm=keystone -s enabled=true -s sslRequired=NONE -s displayName='Keystone realm'"
       sudo -iu dragon sh -c "docker exec keycloak /opt/jboss/keycloak/bin/kcadm.sh create clients -r keystone -s clientId=keystone -s 'redirectUris=[\"https://${var.endpoint}:5000/*\"]' -s clientAuthenticatorType=client-secret -s secret=11111111-1111-1111-1111-111111111111 -s implicitFlowEnabled=true"
 
-      sudo -iu dragon sh -c "docker exec keycloak /opt/jboss/keycloak/bin/kcadm.sh create users -s username=keycloak -s enabled=true -s [email protected] -r keystone"
-      sudo -iu dragon sh -c "docker exec keycloak /opt/jboss/keycloak/bin/kcadm.sh set-password -r keystone --username keycloak --new-password password"
+      kclientid=$(sudo -iu dragon sh -c "docker exec keycloak /opt/jboss/keycloak/bin/kcadm.sh get clients -q clientId=keystone --fields id -r keystone" | jq -r "first | .id")
+      sudo -iu dragon sh -c "docker exec -i keycloak /opt/jboss/keycloak/bin/kcadm.sh create clients/$kclientid/protocol-mappers/models -r keystone -f -" << 'EOF'
+      {
+        "name": "groups",
+        "protocol": "openid-connect",
+        "protocolMapper": "oidc-group-membership-mapper",
+        "consentRequired" : false,
+        "config": {
+          "full.path" : "true",
+          "id.token.claim" : "true",
+          "access.token.claim" : "true",
+          "claim.name" : "groups",
+          "userinfo.token.claim" : "true"
+        }
+      }
+      EOF
+
+      for userid in $(seq 1 3); do
+          sudo -iu dragon sh -c "docker exec keycloak /opt/jboss/keycloak/bin/kcadm.sh create users -s username=keycloak$userid -s enabled=true -s [email protected] -r keystone"
+          sudo -iu dragon sh -c "docker exec keycloak /opt/jboss/keycloak/bin/kcadm.sh set-password -r keystone --username keycloak$userid --new-password password"
+      done
+
+      for groupid in $(seq 1 3); do
+          sudo -iu dragon sh -c "docker exec keycloak /opt/jboss/keycloak/bin/kcadm.sh create groups -s name=keycloak$groupid -r keystone"
+      done
+
+      for userid in $(seq 1 3); do
+          for groupid in $(seq 1 3); do
+              kuserid=$(sudo -iu dragon sh -c "docker exec keycloak /opt/jboss/keycloak/bin/kcadm.sh get users -q username=keycloak$userid --fields id -r keystone" | jq -r "first | .id")
+              kgroupid=$(sudo -iu dragon sh -c "docker exec keycloak /opt/jboss/keycloak/bin/kcadm.sh get groups -q name=keycloak$groupid --fields id -r keystone" | jq -r "first | .id")
+              sudo -iu dragon sh -c "docker exec keycloak /opt/jboss/keycloak/bin/kcadm.sh update users/$kuserid/groups/$kgroupid -r keystone"
+          done
+      done
 
       # NOTE: https://jdennis.fedorapeople.org/doc/rhsso-tripleo-federation/html/rhsso-tripleo-federation.html
 
       # FIXME: Migrate this to environments/openstack/playbook-bootstrap-keystone.yml
       # NOTE: Bootstrap keystone
       openstack --os-cloud admin domain create keycloak
-      openstack --os-cloud admin project create  --domain keycloak keycloak_project
-      openstack --os-cloud admin group create keycloak_users --domain keycloak
-      openstack --os-cloud admin role add --group keycloak_users --group-domain keycloak --domain keycloak member
-      openstack --os-cloud admin role add --group keycloak_users --group-domain keycloak --project keycloak_project --project-domain keycloak member
+
+      openstack --os-cloud admin project create --domain keycloak keycloak_common
+      openstack --os-cloud admin group create keycloak_all --domain keycloak
+      openstack --os-cloud admin role add --group keycloak_all --group-domain keycloak --domain keycloak member
+      openstack --os-cloud admin role add --group keycloak_all --group-domain keycloak --project keycloak_common --project-domain keycloak member
+
+      for project in $(seq 1 3); do
+          openstack --os-cloud admin project create --domain keycloak keycloak$project
+          openstack --os-cloud admin group create keycloak$project --domain keycloak
+          openstack --os-cloud admin role add --group keycloak$project --group-domain keycloak --domain keycloak member
+          openstack --os-cloud admin role add --group keycloak$project --group-domain keycloak --project keycloak$project --project-domain keycloak member
+      done
 
       openstack --os-cloud admin identity provider create --remote-id https://${var.endpoint}:8170/auth/realms/keystone keycloak
       openstack --os-cloud admin mapping create --rules /configuration/files/keycloak_rules.json keycloak_mapping