From: Pritha Srivastava Date: Fri, 20 Aug 2021 09:51:24 +0000 (+0530) Subject: rgw/sts: configuration steps to add tags to a user in X-Git-Tag: v17.1.0~969^2~2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=4c4c7e3f13dd8d1bfda56a75665268a6bd7c9a7b;p=ceph.git rgw/sts: configuration steps to add tags to a user in Keycloak. Signed-off-by: Pritha Srivastava --- diff --git a/doc/images/keycloak-adduser.png b/doc/images/keycloak-adduser.png new file mode 100644 index 0000000000000..03d9048f37837 Binary files /dev/null and b/doc/images/keycloak-adduser.png differ diff --git a/doc/images/keycloak-userclientmapper.png b/doc/images/keycloak-userclientmapper.png new file mode 100644 index 0000000000000..814b5e07e25cd Binary files /dev/null and b/doc/images/keycloak-userclientmapper.png differ diff --git a/doc/images/keycloak-usercredentials.png b/doc/images/keycloak-usercredentials.png new file mode 100644 index 0000000000000..a01ab7922d679 Binary files /dev/null and b/doc/images/keycloak-usercredentials.png differ diff --git a/doc/images/keycloak-userdetails.png b/doc/images/keycloak-userdetails.png new file mode 100644 index 0000000000000..3251a39072631 Binary files /dev/null and b/doc/images/keycloak-userdetails.png differ diff --git a/doc/images/keycloak-usertags.png b/doc/images/keycloak-usertags.png new file mode 100644 index 0000000000000..ee3fecf4817df Binary files /dev/null and b/doc/images/keycloak-usertags.png differ diff --git a/doc/radosgw/keycloak.rst b/doc/radosgw/keycloak.rst index ccb156d20da54..534c4733abb46 100644 --- a/doc/radosgw/keycloak.rst +++ b/doc/radosgw/keycloak.rst 
@@ -15,8 +15,7 @@ Installing and bringing up Keycloak can be found here: https://www.keycloak.org/ Configuring Keycloak to talk to RGW =================================== -The following configurables have to be added for RGW to talk to Keycloak. -The format of token inspection url is https://[base-server-url]/token/introspect:: +The following configurables have to be added for RGW to talk to Keycloak:: [client.radosgw.gateway] rgw sts key = {sts key for encrypting/ decrypting the session token} @@ -26,8 +25,8 @@ Example showing how to fetch a web token from Keycloak ====================================================== Several examples of apps authenticating with Keycloak are given here: https://github.com/keycloak/keycloak-quickstarts/blob/latest/docs/getting-started.md -Taking the example of app-profile-jee-jsp app given in the link above, its client secret and client password, can be used to fetch the -access token (web token) as given below:: +Taking the example of app-profile-jee-jsp app given in the link above, its client id and client secret, can be used to fetch the +access token (web token) for an application using grant type 'client_credentials' as given below:: KC_REALM=demo KC_CLIENT= 
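Review bot: the rewritten sentence in the second hunk, "its client id and client secret, can be used to fetch the access token", keeps a stray comma between subject and verb; drop it ("its client id and client secret can be used ..."). While here, it is worth saying that a client_credentials token represents the client's service account rather than any user, since the next hunk adds the password grant precisely to obtain a token "for a particular user"; without that sentence a reader cannot tell why two ways of fetching a token are documented.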
@@ -49,5 +48,80 @@ access token (web token) as given below:: KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token) +An access token can also be fetched for a particular user with grant type 'password', using client id, client secret, username and its password +as given below:: + + KC_REALM=demo + KC_USERNAME= + KC_PASSWORD= + KC_CLIENT= + KC_CLIENT_SECRET= + KC_SERVER=:8080 + KC_CONTEXT=auth + + # Request Tokens for credentials + KC_RESPONSE=$( \ + curl -k -v -X POST \ + -H "Content-Type: application/x-www-form-urlencoded" \ + -d "scope=openid" \ + -d "grant_type=password" \ + -d "client_id=$KC_CLIENT" \ + -d "client_secret=$KC_CLIENT_SECRET" \ + -d "username=$KC_USERNAME" \ + -d "password=$KC_PASSWORD" \ + "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token" \ + | jq . + ) + + KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token) + + KC_ACCESS_TOKEN can be used to invoke AssumeRoleWithWebIdentity as given in :doc:`STS`. + +Attaching tags to a user in Keycloak +==================================== + +We need to create a user in keycloak, and add tags to it as its attributes. + +Add a user as shown below: + +.. image:: ../images/keycloak-adduser.png + :align: center + +Add user details as shown below: + +.. image:: ../images/keycloak-userdetails.png + :align: center + +Add user credentials as shown below: + +.. image:: ../images/keycloak-usercredentials.png + :align: center + +Add tags to the 'attributes' tab of the user as shown below: + +.. image:: ../images/keycloak-usertags.png + :align: center + +Add a protocol mapper for the user attribute to a client as shown below: + +.. image:: ../images/keycloak-userclientmapper.png + :align: center + + +After following the steps shown above, the tag 'Department' will appear in the JWT (web token), under 'https://aws.amazon.com/tags' namespace. +The tags can be verified using token introspection of the JWT. 
The command to introspect a token using client id and client secret is shown below:: + + KC_REALM=demo + KC_CLIENT= + KC_CLIENT_SECRET= + KC_SERVER=:8080 + KC_CONTEXT=auth + + curl -k -v \ + -X POST \ + -u "$KC_CLIENT:$KC_CLIENT_SECRET" \ + -d "token=$KC_ACCESS_TOKEN" \ + "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token/introspect" \ + | jq . diff --git a/doc/radosgw/session-tags.rst b/doc/radosgw/session-tags.rst index ee8d42bb17794..abfb89e87cfc0 100644 --- a/doc/radosgw/session-tags.rst +++ b/doc/radosgw/session-tags.rst @@ -43,6 +43,8 @@ An example of the session tags that are passed in by the IDP in the web token is "active": true } +Steps to configure Keycloak to pass tags in the web token are described here:doc:`keycloak`. + The trust policy must have 'sts:TagSession' permission if the web token passed in by the federated user contains session tags, otherwise the AssumeRoleWithWebIdentity action will fail. An example of the trust policy with sts:TagSession is as follows:
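Review bot: the password-grant and introspection requests in this hunk run `curl -k -v` against `http://$KC_SERVER/$KC_CONTEXT/...` with `KC_SERVER=:8080`, so the user's password, the client secret and the access token all travel in cleartext and, because of `-v`, are also echoed to the terminal; please document the https endpoint without `-k`, or state in the text that the plain-http form is only for a disposable test Keycloak. Two smaller points in the same hunk: the sentence "the tag 'Department' will appear in the JWT (web token), under 'https://aws.amazon.com/tags' namespace" leaves the exact claim name and nesting that the protocol mapper must emit only in keycloak-userclientmapper.png, so the mapper settings (token claim name, claim JSON type, multivalued) should be spelled out in text where they can be searched and compared with the session-tags example; and the introspect snippet uses `$KC_ACCESS_TOKEN` without setting it, so say it is the value captured by the preceding block.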
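Review bot: in the session-tags.rst hunk, "described here:doc:`keycloak`." has no whitespace before the `:doc:` role, so Sphinx will render the text literally instead of as a cross-reference; change it to "are described in :doc:`keycloak`." (or "described here: :doc:`keycloak`").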