Keycloak service

Installation and startup

Bare metal

server# wget https://github.com/keycloak/keycloak/releases/download/22.0.5/keycloak-22.0.5.zip

server:~/keycloak-22.0.5# KEYCLOAK_ADMIN=root KEYCLOAK_ADMIN_PASSWORD='strongpassword' bin/kc.sh start-dev --https-certificate-file=/root/server.crt --https-certificate-key-file=/root/server.key

docker-compose

  • Processes inside the container run as the user with UID=1000, which matches the student account on the host system
cp /root/wild.crt /etc/ssl/certs/
cp /root/wild.key /etc/ssl/private/

chmod 750 /etc/ssl/private/
chmod 640 /etc/ssl/private/wild.key
chgrp -R student /etc/ssl/private/

mkdir -p /opt/keycloak/data/
chown -R student /opt/keycloak/

###chgrp student /etc/krb5.keytab
###chmod 640 /etc/krb5.keytab

###cat /opt/keycloak/themes/mytheme/login/theme.properties
parent=keycloak

###cat /opt/keycloak/themes/mytheme/login/messages/messages_en.properties
usernameOrEmail=Login
loginAccountTitle=OpenID SSO CorpX

# cat keycloak.yml
version: '3'

services:
  keycloak:
    image: quay.io/keycloak/keycloak:22.0.5
    container_name: keycloak
    restart: always
    user: 1000:1000
    ports:
      - 80:8080
      - 443:8443
    volumes:
      - "/etc/ssl/certs/wild.crt:/wild.crt"
      - "/etc/ssl/private/wild.key:/wild.key"
      - "/opt/keycloak/data/:/opt/keycloak/data/"
      #- "/opt/keycloak/themes/:/opt/keycloak/themes/"
      #- "/etc/krb5.keytab:/etc/krb5.keytab"
    environment:
      - KEYCLOAK_ADMIN=root
      - KEYCLOAK_ADMIN_PASSWORD=strongpassword
      - KC_HTTPS_CERTIFICATE_FILE=/wild.crt
      - KC_HTTPS_CERTIFICATE_KEY_FILE=/wild.key
    command:
      - start-dev
# docker-compose -f keycloak.yml up -d

# docker logs keycloak -f
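The steps above hand the wildcard key to the container by making it group-readable for the student account (GID 1000). The following script is an added example, not part of the original page, that checks those permissions before `docker-compose up`: the key must be mode 640 or tighter, optionally owned by the expected group, and its directory must not be world-accessible (the page uses `chmod 750` on `/etc/ssl/private/`). It assumes GNU `stat`; the file path and group name are parameters.

```shell
#!/bin/sh
# Added permission check (not from the original page): confirm that the TLS
# private key mounted into the keycloak container is readable by the container
# user (UID/GID 1000, the "student" account on the host) but by nobody else.
# Assumes GNU coreutils stat (Linux).

# key_mode_ok FILE [GROUP]
# Succeeds when FILE has no permissions for "other" and no write bit for the
# group (i.e. 640 or tighter) and, if GROUP is given, is owned by that group.
key_mode_ok() {
  file=$1
  want_group=$2
  mode=$(stat -c '%a' "$file") || return 1
  # stat prints octal digits; the last digit is "other", the one before it "group"
  other=$(( mode % 10 ))
  group=$(( (mode / 10) % 10 ))
  [ "$other" -eq 0 ] || return 1
  [ $(( group & 2 )) -eq 0 ] || return 1
  if [ -n "$want_group" ]; then
    [ "$(stat -c '%G' "$file")" = "$want_group" ] || return 1
  fi
  return 0
}

# dir_mode_ok DIR
# Succeeds when the directory holding the key grants nothing to "other".
dir_mode_ok() {
  mode=$(stat -c '%a' "$1") || return 1
  [ $(( mode % 10 )) -eq 0 ]
}

# Usage on the host from the page, before starting the compose file:
#   key_mode_ok /etc/ssl/private/wild.key student && dir_mode_ok /etc/ssl/private \
#     || echo "fix key permissions before starting keycloak"
```

Run it after the `chmod`/`chgrp` lines; a non-zero exit means the key is either exposed to other users or not readable by the container's group.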

Kubernetes

~/$ mkdir keycloak; cd keycloak

~/keycloak$ ###helm pull oci://registry-1.docker.io/bitnamicharts/keycloak

~/keycloak$ helm template my-keycloak oci://registry-1.docker.io/bitnamicharts/keycloak | tee keycloak.yaml | less
/PersistentVolumeClaim
~/keycloak$ helm show values oci://registry-1.docker.io/bitnamicharts/keycloak | tee values.yaml.orig

~/keycloak$ cat values.yaml
image:
  tag: 23.0.7-debian-12-r5
auth:
  adminUser: admin
  adminPassword: strongpassword
proxy: edge
ingress:
  enabled: true
  ingressClassName: nginx
  hostname: keycloak.corp13.un
#global:
#  storageClass: local-path
#  storageClass: longhorn
#replicaCount: 2
#postgresql:
#  enabled: true
#  auth:
#    postgresPassword: "strongpassword"
#    username: bn_keycloak
#    password: "strongpassword"
~/keycloak$ helm upgrade my-keycloak -i -f values.yaml oci://registry-1.docker.io/bitnamicharts/keycloak -n my-keycloak-ns --create-namespace

~/keycloak$ kubectl -n my-keycloak-ns get pods -o wide --watch

~/keycloak$ ###kubectl -n my-keycloak-ns exec -ti my-keycloak-postgresql-0 -- psql -U postgres

$ ###helm delete my-keycloak -n my-keycloak-ns

Connecting

Basic configuration

Create Realm->corpX
  Users
    Add User
      user1/kcpassword1

Page for checking user accounts

Authenticating users of a web application

Clients     
  Create Client
  
    Client ID: test-cgi
    Valid redirect URIs: http://gate.corpX.un/cgi-bin/test-cgi
or
    Client ID: any-client
    Valid redirect URIs: *

Verification

curl

webinar# curl -d "client_id=any-client" \
     -d "client_secret=anystring" \
     -d "grant_type=password" \
     -d "username=user1" \
     -d 'password=kcpassword1' \
     https://keycloak.corp13.un/realms/corp13/protocol/openid-connect/token
     
{"access_token":"..." ...

Apache CGI application

Connecting a user database

Kerberos

User federation
  Kerberos
    UI display name: CORPX
    Kerberos realm: CORPX.UN
    Server principal: HTTP/server.corpX.un@CORPX.UN
    Key tab: /etc/krb5.keytab
    Allow password authentication: yes

Authentication
  browser
    Kerberos: Disabled 
      (otherwise a browser authentication pop-up appears; it can be left enabled if the users are members of the domain)
      

LDAP

Active Directory

Vendor: Active Directory

Connection URL: ldap://server

Bind type: simple
Bind DN: cn=Administrator,cn=Users,dc=corpX,dc=un
Bind credentials: ...

Edit mode: READ_ONLY      #WRITABLE to add the MinIO attributes
Users DN: cn=Users,dc=corpX,dc=un
Username LDAP attribute: sAMAccountName
...
Mappers ->
  username ->
    LDAP Attribute: sAMAccountName

OpenLDAP

Vendor: Other

Connection URL: ldap://server

Bind type: none
Edit mode: READ_ONLY

Users DN: ou=People,dc=corpX,dc=un
...
UUID LDAP attribute: uid

+ Kerberos

not working yet

Kerberos principal attribute: uid
Use Kerberos for password authentication: yes

Adding attributes

MinIO

Client scopes: Create client scope

  Name: minio-authorization
  Save

  Mappers
    Configure a new mapper
      User Attribute
        Name: minio-policy-mapper
        User Attribute: policy
        Token Claim Name: policy
        Multivalued: On
        Aggregate attribute values: On

Clients
  any-client
    Client scopes
      Add client scopes
        minio-authorization
        Add->Default

Users
  user2
    Attributes
      Add an attribute
        Key: policy
        Value: readwrite
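Both the curl check in the Verification section and the MinIO mapper above end with a token whose contents are worth inspecting: the curl response only shows that a token was issued, and the mapper is only correct if the `policy` claim actually lands in it. The script below is an added example, not from the original page, that decodes a JWT payload (without verifying the signature, so it is for inspection only), extracts a named top-level claim and checks the `exp` claim. It assumes GNU coreutils `base64` and `grep -E`; the sample token is constructed inline so the script runs offline, and in practice the token comes from the curl call.

```shell
#!/bin/sh
# Added example (not from the original page): inspect the access_token returned
# by the token endpoint to confirm the claims mapped in Keycloak (e.g. "policy"
# for MinIO) are present. No signature check is done here; this is a
# read-only look at the payload. Assumes GNU coreutils base64 and grep -E.

# b64url: base64url-encode stdin (used only to build the constructed sample)
b64url() { base64 | tr -d '\n=' | sed 's/+/-/g; s/\//_/g'; }

# jwt_payload TOKEN: print the decoded JSON payload (second segment) of a JWT
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | sed 's/-/+/g; s/_/\//g')
  # base64url drops the "=" padding; restore it before decoding
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# jwt_claim TOKEN NAME: print the raw JSON value of a top-level claim
# (string, array of scalars, or number); prints nothing if it is absent
jwt_claim() {
  jwt_payload "$1" | grep -oE "\"$2\":(\"[^\"]*\"|\[[^]]*\]|[0-9]+)" | head -n1 | cut -d: -f2-
}

# jwt_expired TOKEN: succeed (exit 0) when exp is missing or already in the past
jwt_expired() {
  exp=$(jwt_claim "$1" exp)
  if [ -n "$exp" ] && [ "$exp" -gt "$(date +%s)" ]; then
    return 1
  fi
  return 0
}

# Constructed sample resembling a Keycloak token for user1 with the MinIO
# "policy" attribute mapped into the token; the signature segment is a dummy.
SAMPLE_PAYLOAD='{"exp":4102444800,"iss":"https://keycloak.corp13.un/realms/corp13","preferred_username":"user1","policy":["readwrite"]}'
SAMPLE_JWT="$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url).$(printf '%s' "$SAMPLE_PAYLOAD" | b64url).dummysignature"

# Typical use with the curl call from the page (assumes jq is installed):
#   token=$(curl -s -d client_id=any-client ... /protocol/openid-connect/token | jq -r .access_token)
#   jwt_claim "$token" policy                 # expect ["readwrite"] for user2
#   jwt_expired "$token" && echo "token already expired"
```

If `jwt_claim "$token" policy` prints nothing for user2, the client scope was not added as Default for the client, or the user attribute key does not match the mapper's User Attribute.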
  

Additional materials

K8S

kube1:~/keycloak# diff keycloak.yaml keycloak.yaml.orig
457,458c457
< #kind: StatefulSet
< kind: Deployment
---
> kind: StatefulSet
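Review bot: the switch of `kind` from StatefulSet to Deployment is not explained anywhere on the page; a sentence above the diff giving the reason would help (the commented-out `storageClass` entries in values.yaml and the `/PersistentVolumeClaim` search in the rendered template suggest it was done to avoid the persistent-volume requirement), because a Deployment gives the pods no stable identity, which matters if `replicaCount` is later raised above 1.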
472,476c471,475
< #  podManagementPolicy: Parallel
< #  serviceName: my-keycloak-headless
< #  updateStrategy:
< #    rollingUpdate: {}
< #    type: RollingUpdate
---
>   podManagementPolicy: Parallel
>   serviceName: my-keycloak-headless
>   updateStrategy:
>     rollingUpdate: {}
>     type: RollingUpdate
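Review bot: `podManagementPolicy`, `serviceName` and `updateStrategy` are StatefulSet-only fields and would be invalid under a Deployment spec, so they do have to go once `kind` is Deployment, but deleting the five lines is cleaner than leaving `#` comments in a rendered manifest; note also that a Deployment configures rolling updates through `strategy` rather than `updateStrategy`, so the default strategy now applies, and the `my-keycloak-headless` Service that the chart rendered for the StatefulSet is no longer referenced by this workload.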
сервис_keycloak.txt · Last modified: 2024/04/07 08:53 by val