Merge pull request #136 from usnistgov/user-management

feat: access control and user management with Keycloak
usnistgov · Oct 5, 2020 · c6522d0 · c6522d0
2 parents f345907 + 1577cf3
commit c6522d0
Show file tree

Hide file tree

Showing 135 changed files with 9,556 additions and 224 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -6,7 +6,7 @@ EXPOSE 8080
 ARG BACKEND_NAME="wipp-backend-application"
 ARG EXEC_DIR="/opt/wipp"
 ARG DATA_DIR="/data/WIPP-plugins"
-ARG ARGO_VERSION="v2.3.0"
+ARG ARGO_VERSION="v2.4.3"
 ARG APM_VERSION="1.9.0"
 
 COPY deploy/docker/VERSION /VERSION

diff --git a/README.md b/README.md
@@ -12,6 +12,15 @@ Requirements for development environment setup.
 ### Database
 * MongoDB 3.6
 
+### Identity and Access Management
+* Keycloak 11.0.2
+* Default dev configuration expects Keycloak at `http://localhost:8081/auth` (see 
+`wipp-backend-application/src/main/resources/application.properties`. Sample 
+Docker run command:
+`docker run -p 8081:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin quay.io/keycloak/keycloak:11.0.2` (see https://www.keycloak.org/getting-started/getting-started-docker)
+* Import WIPP realm available in folder `docs/auth-acl`
+* RBAC-ACLs descriptions available in file `docs/auth-acl/acl.md`
+
 ### Kubernetes cluster
 * For development purposes, a single-node cluster can be easily installed using [Minikube](https://github.com/kubernetes/minikube) or [Docker for Mac on macOS](https://docs.docker.com/docker-for-mac/#kubernetes)
 * We are using [Argo workflows](https://argoproj.github.io/argo/) to manage workflows on a Kubernetes cluster, please install the Argo UI and Controller using the following commands:

diff --git a/deploy/docker/VERSION b/deploy/docker/VERSION
@@ -1 +1 @@
-3.0.0-beta2
+3.0.0-rc1
diff --git a/deploy/docker/application.properties b/deploy/docker/application.properties
@@ -46,3 +46,20 @@ server.tomcat.accessLogEnabled=true
 
 # Server configuration
 server.forward-headers-strategy=framework
+
+# Keycloak configuration
+# Name of the Keycloak realm
+keycloak.realm=WIPP
+# URL of Keycloak's auth server
+keycloak.auth-server-url=@keycloak_auth_url@
+keycloak.cors=true
+# SSL 
+keycloak.ssl-required=@keycloak_ssl_required@
+keycloak.disable-trust-manager=@keycloak_disable_trust_manager@
+keycloak.bearer-only=true
+# Name of Keycloak client
+keycloak.resource=wipp-public-client
+keycloak.public-client=true
+logging.level.org.keycloak=INFO
+# This will map principal.name to the connected user's username
+keycloak.principal-attribute=preferred_username
diff --git a/deploy/docker/entrypoint.sh b/deploy/docker/entrypoint.sh
@@ -10,10 +10,26 @@ MONGO_HOST=$1
 MONGO_PORT=$2
 SHARED_PVC=$3
 
+if [[ -z $KEYCLOAK_AUTH_URL ]]; then
+  echo "Missing Keycloak auth server URL env var."
+  exit 1
+fi
+
+if [[ -z $KEYCLOAK_SSL_REQUIRED ]]; then
+  KEYCLOAK_SSL_REQUIRED="external"
+fi
+
+if [[ -z $KEYCLOAK_DISABLE_TRUST_MANAGER ]]; then
+  KEYCLOAK_DISABLE_TRUST_MANAGER="false"
+fi
+
 sed -i \
   -e 's/@mongo_host@/'"${MONGO_HOST}"'/' \
   -e 's/@mongo_port@/'"${MONGO_PORT}"'/' \
   -e 's/@shared_pvc@/'"${SHARED_PVC}"'/' \
+  -e 's|@keycloak_auth_url@|'"${KEYCLOAK_AUTH_URL}"'|' \
+  -e 's|@keycloak_ssl_required@|'"${KEYCLOAK_SSL_REQUIRED}"'|' \
+  -e 's|@keycloak_disable_trust_manager@|'"${KEYCLOAK_DISABLE_TRUST_MANAGER}"'|' \
   -e 's|@workflow_nodeSelector@|'"${NODE_SELECTOR}"'|' \
   -e 's|@workflow_tolerations@|'"${TOLERATIONS}"'|' \
   /opt/wipp/config/application.properties