Начало Каталог Помощ
Регистрация Вход
siwei
/
web-server
1
0
Разклонения 0
Файлове Задачи 0 Заявки за сливане 0 Уики
Клон: master
Клонове Маркери
web-server
/
doc
/
en
/
user
/
source
/
community
/
keycloak
/
keycloak_role_service.rst

keycloak_role_service.rst 4.4 KB
Постоянна връзка История Директен файл

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586 
  1. .. _security_tutorials_keycloak_role_service:
    2. 

  2. 

  3. Keycloak Role Service
    4. 

  4. =====================
    5. 

  5. 

  6. This tutorial walks through how to set up Keycloak as a role service for GeoServer.
    7. 

  7. 

  8. .. note:: In this example the Keycloak service runs on port `8080` while GeoServer runs on port `8181`.
    9. 

  9. 

  10. The Keycloak Role Service uses the Keycloak REST api in order to retrieve the roles for its various operations. By default it will retrieve roles with ``realm`` scope.
    11. 

  11. However it can be configured to retrieve roles with a client scope in a specific realm.
    12. 

  12. 

  13. Keycloak Client Configuration
    14. 

  14. -----------------------------
    15. 

  15. 

  16. Follow the `Authentication with Keycloak <https://docs.geoserver.org/latest/en/user/community/keycloak/index.html>`_
    17. 

  17. guide to configure GeoServer to allow logging in via Keycloak. The Keycloak Role Service needs a client to be configured on Keycloak side having ``Access Type`` set to ``confidential``.
    18. 

  18. 

  19. 

  20. If for your Keycloak Authentication Filter you have used a different ``Access Type`` i.e. ``barer-only``, a separate client will have then to be configured for the Keycloak Role Service.
    21. 

  21. 

  22. 

  23. For the client, ensure that:
    24. 

  24. 

  25. * Standard flow, implicit flow, and direct access grants are enabled
    26. 

  26. * The base URL is set to ``http://localhost:8181/geoserver/web``
    27. 

  27. * The following redirect URIs are enabled:
    28. 

  28. 

  29.   * ``http://localhost:8181/geoserver*``
    30. 

  30.   * ``http://localhost:8080/auth/realms/master/broker/keycloak-oidc/endpoint*``
    31. 

  31. 

  32. * The ``Access Type`` is set to **confidential** and the ``Service Accounts Enabled`` option is enabled.
    33. 

  33. 

  34. .. figure:: images/role_service/access_type_confidential.png
    35. 

  35.    :align: center
    36. 

  36. 

  37. * Under the ``Service Account Roles`` tab, ensure that the realm-admin, from the realm-management client role is addedd to the ``Assigned roles``.
    38. 

  38. 

  39. .. figure:: images/role_service/service_account_roles.png
    40. 

  40.    :align: center
    41. 

  41. 

  42. To assign a user a role:
    43. 

  43. 

  44. #. Under the users section in Keycloak, click the user's ID (if there are missing users, click "View all users").
    45. 

  45. #. In the role mappings tab, select the GeoStore client from the client roles dropdown.
    46. 

  46. #. Select the role from the available roles, and click add selected.
    47. 

  47. 

  48. .. figure:: images/role_service/keycloak_client002.png
    49. 

  49.    :align: center
    50. 

  50. 

  51.    *An example set of role mappings for a user.*
    52. 

  52. 

  53. When creating custom roles, ensure they begin with ``ROLE_`` e.g. ROLE_STAFF.
    54. 

  54. 

  55. GeoServer Configuration for Role Syncing
    56. 

  56. ----------------------------------------
    57. 

  57. Role syncing with Keycloak will be tied to the confidential client.
    58. 

  58. 

  59. #. In GeoServer as an admin, on the 'Users, Groups, Roles' page, add a new role service.
    60. 

  60. #. Select Keycloak from the list of provided options. All fillable fields are required, excluding the ``Comma separated list of ID of client (not client-id)``.
    61. 

  61. 

  62.    * ``Base URL for Keycloak`` is the keycloak host name eg. http://localhost:8080.
    63. 

  63.    * The ``Realm Name`` is the realm from which the roles should be retrieved eg. master.
    64. 

  64.    * The ``Client ID`` can be retrieved from the ``Settings`` tab of the client configuration on Keycloak.
    65. 

  65.    * The ``Client secret`` can be retrieved from the ``Credentials`` tab of the client configuration on Keycloak.
    66. 

  66.    * The ``Comma separated list of ID of client (not client-id)`` is meant to allow the Role Service to retrieve also roles with client scope. By default indeed the Keycloak Role Service will retrieve realm roles only. The id of a client can be retrieved from the URL when viewing the client configuration page in Keycloak. URL format: eg. ``/auth/admin/master/console/#/realms/master/clients/{ID of client}``
    67. 

  67. 

  68.  ``Administrator Role`` and ``Group administator`` role dropdown should be empty at the beginning. They can be filled once saved the role service with the Keycloak role that we want to map to the GeoServer ADMIN and GROUP ADMIN.
    69. 

  69. 

  70. #. Ensure you click save to create the Keycloak role service.
    71. 

  71. #. Once the Role Service has been created and configured to have it active:
    72. 

  72.    * it can be assigned as a RoleSource to the Keycloak Filter,
    73. 

  73.    * it can be set as the ``Active Role Service``  in the ``Security Settings`` page.
    74. 

  74. 

  75. .. figure:: images/role_service/keycloak_role_service001.png
    76. 

  76.    :align: center
    77. 

  77. 

  78.    *An example of a fully configured Keycloak role service.*
    79. 

  79. 

  80. GeoServer Configuration for Keycloak Authentication Filters
    81. 

  81. -----------------------------------------------------------
    82. 

  82. 

  83. Under the Authentication section of GeoServer:
    84. 

  84. 

  85. * Add the Keycloak authentication filter to the top of the web and default filter chains.
    86. 

  86. * Add keycloak to the selected provider chains, and place it above the default.
    87.