Obtain roles from keycloak #1325
Comments
@Dark3clipse
No, currently we don't have this feature.
I think it's a useful thing, and we could start implementing right now.
Great to hear! :) I'm happy to help if I can. For sure I can help with testing.
Issue is stale, CC: @artipie/maintainers
I am deploying Artipie in my cluster and I'm using Keycloak authentication. Everything works as expected.
I created these files:
/var/artipie/security/roles/default/keycloak.yml
purpose: default read-only role. works as expected
/var/artipie/security/roles/admin.yml
purpose: admin-role for subset of users. these users have realm-role admin in Keycloak
/var/artipie/repo/docker.yml
purpose: enable docker repo to test push
SCENARIO:
I log in with a Keycloak admin user containing the realm role admin:
docker login ...
I try to push an image.
EXPECTED: I can push to the docker registry because my Keycloak user has the realm role 'admin'
RESULTS:
access denied, user has no push permissions
In the logs I see this error:
[vert.x-eventloop-thread-1] ERROR com.artipie.asto.ValueNotFoundException - Failed to read or parse file 'users/my-admin-user'
In the wiki I don't see any mention of using Keycloak roles for permissions, but in one of the test cases I do see you set a realm role and client role for testing (so I'm assuming based on this that there is support for this).
Could you let me know if roles from Keycloak are supposed to work? Or is this a feature that is not present? And if so, is this on the roadmap?
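When debugging a scenario like the one reported above, a useful first check is whether the access token Keycloak issues actually carries the realm role. The following is an added example, not Artipie code and not part of the original issue; it assumes Keycloak's default claim layout (`realm_access.roles` and `resource_access.<client>.roles`), and the client id `artipie`, the client role `push` and the sample token are constructed for illustration.

```python
import base64
import json


def _b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (JWTs strip the '=' padding)."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def keycloak_roles(access_token: str, client_id: str) -> dict:
    """Return the realm and client roles claimed in a Keycloak access token.

    Diagnostic only: the signature is NOT verified here, so the result shows
    what the token claims and must not drive an authorization decision.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    claims = _b64url_json(parts[1])
    # Default Keycloak mappers put realm roles under realm_access.roles and
    # per-client roles under resource_access.<client_id>.roles.
    realm = claims.get("realm_access", {}).get("roles", [])
    client = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return {
        "user": claims.get("preferred_username"),
        "realm_roles": sorted(realm),
        "client_roles": sorted(client),
    }


def _make_sample_token(claims: dict) -> str:
    """Build a constructed token with a dummy signature for the demo."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"


# Constructed sample: client id "artipie" and role "push" are hypothetical.
SAMPLE = _make_sample_token({
    "preferred_username": "my-admin-user",
    "realm_access": {"roles": ["admin", "offline_access"]},
    "resource_access": {"artipie": {"roles": ["push"]}},
})

if __name__ == "__main__":
    print(keycloak_roles(SAMPLE, "artipie"))
```

If `realm_roles` comes back empty for a real token, the role mapper or client scope on the Keycloak side is not adding roles to the token, which is independent of how the consuming service maps them to permissions.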