RBAC and Security with the registry

[runningmanGBG]

Hi

I am trying to find information on how you handle RBAC in the registry but I can not find anything. What we need to achieve is control over the different schemas? Since being able to change a schema is tied to the owner of that schema but the ability to view and download it is for everyone using it.

Also I noticed that the integration for OAuth specifies the need to use Keycloak? We use either Azure AD or Curity in our company and I am wondering how we can use these with the Oauth integration?

Regards
Peter

[EricWittmann]

Registry currently has two separate authorization approaches. You can use one, both, or neither if you want. These are documented here:

https://www.apicur.io/registry/docs/apicurio-registry/2.0.1.Final/getting-started/assembly-configuring-the-registry.html#registry-security-settings

The two approaches are role-based authorization and owner-only authorization.

The second question about authentication using something other than Keycloak: we have not tested any OAuth servers besides Keycloak, so I cannot say what will work and what won't (out of the box). If your auth server supports OpenId Connect then I think you should be all set, but certainly your mileage may vary.

@carlesarnal Do you have any additional insight into using a non-Keycloak auth server?

[EricWittmann]

Also sorry for the delay. Just catching up on my GH email stream now. :)

[carlesarnal]

No additional insight for the auth server besides that it's on my to-do list to test the application with another OIDC server.

[carlesarnal]

Sorry about that, I completely misunderstood this then.

The way Quarkus works is that it automatically creates an env var for each configuration property. Since we're using default quarkus oidc capabilities for authentication, you can use the standard Quarkus properties. So, even if we're not constructing it by default, you should be able to override the value by setting an environment variable like QUARKUS_OIDC_AUTH_SERVER_URL. So even if the pattern is completely different, you should be able to set it using environment variables.

That said, using Apicurio Registry with other OIDC serves has not been tested yet, so you might find other issues. If that is the case, let me know and I will try to help!

[KarolisCibulskis]

Hello,

Most likely you were referring to quarkus.oidc.auth-server-url. I've tried to set it to our Azure AD tenant, however it seems that default values from application.properties file are picked up and following url is constructed:
http://localhost:8090/auth/realms/apicurio-local/protocol/openid-connect/auth?client_id=apicurio-registry&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fui%2F&state=c0a95d7a-4918-4150-b0e0-a67a7e640572&response_mode=fragment&response_type=code&scope=openid&nonce=2c9dbf54-417f-4c25-9525-6b4fb781af50

For me it seems that Apicurio default properties has more power than setting actual Quarkus properties. I assume that it is somewhere constructed, because in Apicurio appliaction.properties file /auth does not exist. My assumption is that it happens somewhere in code level or Quarkus by default assumes that by default OIDC is Keycloak.

Thanks

[EricWittmann]

What value did you use for the environment variable? I think for that property you would need to set this ENV var:

QUARKUS_OIDC_AUTH-SERVER-URL

[KarolisCibulskis]

Hello,

I think, the problem is in React based UI module, not Quarkus.
ui/src/services/auth/auth.service.ts has only one method for authentication: authenticateUsingKeycloak() and this authorization method is based on keycloak-js module which picks up "url", "realm", "clientId" config options and then constructs redirect url.
quarkus.oidc.auth-server-url/QUARKUS_OIDC_AUTH-SERVER-URL is ignored and instead registry.ui.config.auth.keycloak.url is picked up and then keycloak-js is used to create auth redirect according to Keycloak standard: ${url}/realm/{$realm}/protocol/openid-connect/auth. Therefore, it's not enough to change application property as anyway url would be constricted in Keycloak fashion.

As I'm not React specialist I might misunderstood something in the code, so please correct me if I'm wrong, but my assumption now is that Apicurio registry can't work without without Keycloak at the moment.

Thanks,
Karolis

[carlesarnal]

Ah, yes. For now, the UI won't work with any other OIDC server, I assumed you were only using the API, not the UI. It's on our to-do list to address that, but unfortunately, I don't have an ETA for that.