
Obtain roles from keycloak #1325

Open
Dark3clipse opened this issue Nov 4, 2023 · 6 comments
Labels
enhancement New feature or request stale

Comments

@Dark3clipse

Dark3clipse commented Nov 4, 2023

I am deploying artipie in my cluster and I'm using Keycloak authentication. Everything works as expected.

I created these files:

/var/artipie/security/roles/default/keycloak.yml
purpose: default read-only role. works as expected

enabled: true
permissions:
  adapter_basic_permissions:
    "*": # any repository
      - read
  docker_repository_permissions:
    "*": # any repository
      "*": # any image/tag
        - pull
  docker_registry_permissions:
    "*": # any repository
      - base
      - catalog
  api_storage_alias_permissions:
    - read
  api_repository_permissions:
    - read
  api_role_permissions:
    - read
  api_user_permissions:
    - read

/var/artipie/security/roles/admin.yml
purpose: admin-role for subset of users. these users have realm-role admin in Keycloak

enabled: true
permissions:
  all_permission: {}

/var/artipie/repo/docker.yml
purpose: enable docker repo to test push

repo:
  type: docker
  port: 9000
  storage:
    type: fs
    path: /var/artipie/data/docker

SCENARIO:
I login with a Keycloak admin user containing the realm role admin:
docker login ...

I try to push an image.

EXPECTED: I can push to the docker registry because my keycloak user has the realm role 'admin'

RESULTS:
access denied, user has no push permissions

In the logs I see this error:
[vert.x-eventloop-thread-1] ERROR com.artipie.asto.ValueNotFoundException - Failed to read or parse file 'users/my-admin-user'

In the wiki I don't see any mention of using keycloak roles for permissions, but in one of the test cases I do see you set a realm role and client role for testing (so I'm assuming based on this that there is support for this)

Could you let me know if roles from Keycloak are supposed to work? Or is this a feature that is not present? And if so, is this on the roadmap?

@Dark3clipse Dark3clipse added the enhancement New feature or request label Nov 4, 2023
@dgarus dgarus self-assigned this Nov 10, 2023
@dgarus
Contributor

dgarus commented Nov 17, 2023

@Dark3clipse
Hello!
Thanks for the issue.

is this a feature that is not present?

No, currently we don't have this feature.

And if so, is this on the roadmap?

I think it's a useful thing, and we could start implementing right now.

@Dark3clipse
Author

Great to hear! :) I'm happy to help if I can. For sure I can help with testing.

@dgarus
Contributor

dgarus commented Nov 22, 2023

@Dark3clipse
I dived deeper into this issue.
I think we can't map a user's roles defined in Keycloak and roles defined in artipie's policy.
Getting roles from Keycloak requires admin access. Giving an application admin access to Keycloak looks wrong, doesn't it?

@Dark3clipse
Author

Dark3clipse commented Nov 23, 2023

So in my Keycloak I can go here:
[screenshot]

Where you can test the access token and ID token. I see the client role is present in my access token:

{
  "exp": xxx,
  "iat": xxx,
  "jti": "xxx",
  "iss": "https://keycloak.example.org/realms/example-prod",
  "aud": [
    "some-client",
    "account"
  ],
  "sub": "xxx",
  "typ": "Bearer",
  "azp": "artipie",
  "session_state": "xxx",
  "allowed-origins": [
    "https://artipie.example.org"
  ],
  "realm_access": {
    "roles": [
      "default-roles-example-prod",
      "bot",
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "artipie": {
      "roles": [
        "access-gui"   # I created a client-role called 'access-gui', which is added by keycloak to the access token
      ]
    }
  },
  "scope": "openid email profile",
  "sid": "xxx",
  "email_verified": true,
  "preferred_username": "xxx",
  "given_name": "",
  "family_name": "",
  "email": "xxx@example.org"
}

And you can even, with a little configuration, add the roles to the ID token like this:

{
  "exp": xxx,
  "iat": xxx,
  "auth_time": 0,
  "jti": "xxx",
  "iss": "https://keycloak.example.org/realms/example-prod",
  "aud": "artipie",
  "sub": "xxx",
  "typ": "ID",
  "azp": "artipie",
  "session_state": "xxx",
  "sid": "xxx",
  "email_verified": true,
  "roles": [
    "access-gui"
  ],
  "groups": [
    "default-roles-example-prod",
    "bot",
    "offline_access",
    "uma_authorization"
  ],
  "preferred_username": "xxx",
  "given_name": "",
  "family_name": "",
  "email": "xxx@example.org"
}

So I think it should be possible to look for these properties when you process the ID or access token.
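As an added example (not code from this issue or from Artipie), the following shows how an authorizer could read the claims shown in the two tokens above and map them onto Artipie role names. The claims dicts and the ROLE_MAP are constructed for illustration, and the code assumes the caller has already verified the token's signature and expiry; it only handles the role-extraction step.

```python
from typing import Dict, List, Set

# Keycloak built-in roles that should never translate into Artipie permissions.
KEYCLOAK_BUILTIN_ROLES = {"offline_access", "uma_authorization"}

# Constructed mapping (assumption): Keycloak role name -> Artipie role file name.
# Only roles listed here are honoured; anything else is dropped, so a new
# Keycloak role never grants Artipie permissions by accident.
ROLE_MAP = {
    "admin": "admin",                 # realm role 'admin' -> security/roles/admin.yml
    "access-gui": "default/keycloak",  # client role -> security/roles/default/keycloak.yml
}


def keycloak_roles(claims: Dict, client_id: str) -> Set[str]:
    """Collect role names from an access token (realm_access / resource_access)
    or from an ID token that was configured to expose 'roles' and 'groups'."""
    found: Set[str] = set()
    found.update(claims.get("realm_access", {}).get("roles", []))
    # Only the client roles issued for *our* client count; roles under other
    # audiences (for example 'account') belong to other applications.
    found.update(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    found.update(claims.get("roles", []))    # ID-token mapper output
    found.update(claims.get("groups", []))   # ID-token mapper output
    return {r for r in found
            if r not in KEYCLOAK_BUILTIN_ROLES and not r.startswith("default-roles-")}


def artipie_roles(claims: Dict, client_id: str) -> List[str]:
    """Map Keycloak roles onto Artipie roles; returns nothing for tokens that
    were issued to a different client (azp mismatch)."""
    if claims.get("azp") != client_id:
        return []
    return sorted({ROLE_MAP[r] for r in keycloak_roles(claims, client_id) if r in ROLE_MAP})


# Constructed sample claims, shaped like the tokens quoted in the issue.
ACCESS_CLAIMS = {
    "azp": "artipie",
    "realm_access": {"roles": ["default-roles-example-prod", "bot",
                               "offline_access", "uma_authorization"]},
    "resource_access": {"artipie": {"roles": ["access-gui"]},
                        "account": {"roles": ["manage-account"]}},
}
ADMIN_CLAIMS = {"azp": "artipie", "realm_access": {"roles": ["admin"]}}
FOREIGN_CLAIMS = {"azp": "some-other-client", "realm_access": {"roles": ["admin"]}}
```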

@dgarus
Contributor

dgarus commented Dec 1, 2023

@Dark3clipse
We use keycloak-authz-client for client authentication.
As I understand from examples, the right way to authorize operations is to send a request to a keycloak server.
It doesn't seem to be a common approach to map keycloak roles on Artipie's roles.
But I could offer assistance in implementing a policy which satisfies your needs.


Issue is stale, CC: @artipie/maintainers

@github-actions github-actions bot added the stale label Jan 30, 2024