Merge pull request #2 from maheshyaddanapudi/oauth2

Oauth2

SECURITY.md

@@ -0,0 +1,134 @@
+## Conductor Server Authentication & Authorization - Roles
+
+All the roles mentioned below are generic and can be overridden as per the need, from conductor-server application.properties --> security.oauth2.resource.mapping
+
+Depending on the OAuth2.0 provider, the UserInfoUrl needs to be configued, in conductor-server application.properties --> security.oauth2.resource.userInfoUri
+
+Finally the path from which to extract roles, from the response json of UserInfoUrl needs to be configured, in conductor-server application.properties --> security.oauth2.resource.userInfoUriParserPath
+
+##### Category of APIs available at Conductor level.
+
+		☐  Event Services - For Event Handling APIs
+		
+		☐  Workflow Management - For workflow executing, rerun, terminate, pause etc. functionalities.
+		
+		☐  Metadata Management - Workflow or task creation / updation / deletion etc. functionalities.
+		
+		☐  Health Check - Ignore for now
+		
+		☐  Admin - Ignore for now
+		
+		☐  Workflow Bulk Management - For workflow bulk executing, rerun, terminate, pause etc. functionalities.
+		
+		☐  Task Management - For task executing, rerun, terminate, pause etc. functionalities.
+		
+
+##### Roles that are mapped to APIs
+		
+		role_conductor_super_manager
+		role_conductor_super_viewer
+		role_conductor_core_manager
+		role_conductor_core_viewer
+		role_conductor_execution_manager
+		role_conductor_execution_viewer
+		role_conductor_event_manager
+		role_conductor_event_view
+		role_conductor_metadata_manager
+		role_conductor_metadata_viewer
+		role_conductor_metadata_workflow_manager
+		role_conductor_metadata_workflow_viewer
+		role_conductor_metadata_taskdefs_manager
+		role_conductor_metadata_taskdefs_viewer
+		role_conductor_workflow_manager
+		role_conductor_workflow_viewer
+		role_conductor_task_manager
+		role_conductor_task_viewer
+
+Technically a Worker would need role_conductor_task_manager, role_conductor_event_manager and role_conductor_execution_manager roles.
+
+##### Technical mapping to roles.
+		
+		☐  All Manager roles will be able to Create/Update/Delete the mentioned API implemented functionalities.
+		
+		☐  All Viewer roles will be able to View existing API implemented functionalities.
+		
+		☐  A default user for each role is created while the flyway migration happens and the username is same as the role (example - 'role_conductor_super_manager') and the password is 'password'
+	  		
+			1) role_conductor_super_manager - POST / PUT / DELETE
+				
+			    Event Services
+			    Workflow Management
+			    Metadata Management
+			    Health Check
+			    Admin
+			    Workflow Bulk Management
+			    Task Management
+			
+			2) role_conductor_super_viewer - GET
+				
+			    Event Services
+			    Workflow Management
+			    Metadata Management
+			    Health Check
+			    Admin
+			    Workflow Bulk Management
+			    Task Management
+			
+			3) role_conductor_core_manager - POST / PUT / DELETE
+			    Event Services
+			    Workflow Management
+			    Metadata Management
+			    Workflow Bulk Management
+			    Task Management
+			
+			4) role_conductor_core_viewer - GET
+				
+			    Event Services
+			    Workflow Management
+			    Metadata Management
+			    Workflow Bulk Management
+			    Task Management
+			
+			5) role_conductor_execution_manager - POST / PUT / DELETE
+				
+			    Event Services
+			    Workflow Management
+			    Task Management
+			
+			6) role_conductor_execution_viewer - GET
+				
+			    Event Services
+			    Workflow Management
+			    Task Management
+			
+			7) role_conductor_event_manager - POST / PUT / DELETE
+				
+			  	Event Services
+			  
+			8) role_conductor_event_viewer - GET
+			  	
+			  	Event Services
+			
+			9) role_conductor_metadata_manager - POST / PUT / DELETE
+				
+			    Metadata Management
+			
+			10) role_conductor_metadata_viewer - GET
+			
+			    Metadata Management
+			
+			11) role_conductor_workflow_manager - POST / PUT / DELETE
+				
+			  	Workflow Management
+			  
+			12) role_conductor_workflow_viewer - GET
+			  	
+			  	Workflow Management
+			
+			13) role_conductor_task_manager - POST / PUT / DELETE
+				
+			  	Task Management
+			  
+			14) role_conductor_task_viewer - GET
+				
+			  	Task Management

build.gradle

@@ -90,6 +90,7 @@ allprojects {
     dependencyManagement {
         imports {
             mavenBom("org.springframework.boot:spring-boot-dependencies:2.3.1.RELEASE")
+            mavenBom("org.springframework.cloud:spring-cloud-dependencies:Hoxton.SR10")
         }
     }
 

dependencies.gradle

@@ -60,4 +60,5 @@ ext {
     revSpock = '1.3-groovy-2.5'
     revSpotifyCompletableFutures = '0.3.3'
     revTestContainer = '1.15.1'
+    revGson = '2.8.6'
 }

docker/docker-compose-alt-secure.yaml

@@ -0,0 +1,188 @@
+version: '2.3'
+
+services:
+  postgres:
+    image: postgres
+    #volumes:
+    #  - postgres_data:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_DB=keycloak
+      - POSTGRES_USER=keycloak
+      - POSTGRES_PASSWORD=Keycloak@1234
+    ports:
+      - 5432:5432
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U keycloak -d keycloak"]
+      interval: 30s
+      timeout: 15s
+      retries: 10
+    networks:
+      - internal
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "1k"
+        max-file: "3"
+
+  keycloak:
+    image: jboss/keycloak:latest
+    healthcheck:
+      test: ["CMD", "curl", "-I", "-XGET", "http://localhost:8080/auth/realms/master"]
+      interval: 30s
+      timeout: 30s
+      retries: 15
+    links:
+      - postgres:postgres
+    environment:
+      - DB_VENDOR=POSTGRES
+      - DB_ADDR=postgres
+      - DB_DATABASE=keycloak
+      - DB_USER=keycloak
+      - DB_SCHEMA=public
+      - DB_PASSWORD=Keycloak@1234
+      - KEYCLOAK_USER=admin
+      - KEYCLOAK_PASSWORD=Admin@1234
+      # Uncomment the line below if you want to specify JDBC parameters. The parameter below is just an example, and it shouldn't be used in production without knowledge. It is highly recommended that you read the PostgreSQL JDBC driver documentation in order to use it.
+      #JDBC_PARAMS: "ssl=true"
+    volumes:
+      - keycloak_realm_data:/tmp/migration
+    command:
+      - "-b 0.0.0.0"
+      - "-Dkeycloak.migration.action=import"
+      - "-Dkeycloak.migration.provider=dir"
+      - "-Dkeycloak.migration.dir=/tmp/migration"
+      - "-Dkeycloak.migration.strategy=IGNORE_EXISTING"
+      - "-Dkeycloak.profile.feature.upload_scripts=enabled"
+    ports:
+      - 9990:8080
+    depends_on:
+      postgres:
+        condition: service_healthy
+    networks:
+      - internal
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "1k"
+        max-file: "3"
+
+  mysql:
+    image: mysql:5.7
+    restart: on-failure
+    networks:
+      - internal
+    ports:
+      - 3306:3306
+      - 33060:33060
+    environment:
+      MYSQL_ROOT_PASSWORD: Root@1234
+      MYSQL_DATABASE: conductor
+      MYSQL_USER: conductor
+      MYSQL_PASSWORD: conductor
+      MYSQL_INITDB_SKIP_TZINFO: NONE
+    healthcheck:
+      test: ["CMD", 'mysqladmin', 'ping', '-h', 'localhost', '-u', 'root', '-pRoot@1234' ]
+      interval: 30s
+      timeout: 10s
+      retries: 15
+    mem_limit: "512000000"
+    #volumes:
+     # - mysql_data:/var/lib/mysql
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "1k"
+        max-file: "3"
+
+  conductor-server:
+    environment:
+      - CONFIG_PROP=config-mysql-secure.properties
+    image: conductor:server
+    build:
+      context: ../
+      dockerfile: docker/server/Dockerfile
+    networks:
+      - internal
+    ports:
+      - 8080:8080
+    healthcheck:
+      test: ["CMD", "curl","-I" ,"-XGET", "http://localhost:8080/health"]
+      interval: 60s
+      timeout: 30s
+      retries: 12
+    links:
+      - elasticsearch:es
+      - mysql:mysql
+      - keycloak:keycloak
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+      mysql:
+        condition: service_healthy
+      keycloak:
+        condition: service_healthy
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "1k"
+        max-file: "3"
+
+  elasticsearch:
+    image: elasticsearch:6.8.15
+    environment:
+      - "ES_JAVA_OPTS=-Xms512m -Xmx1024m"
+      - transport.host=0.0.0.0
+      - discovery.type=single-node
+      - xpack.security.enabled=false
+      - cluster.name=conductor
+    networks:
+      - internal
+    ports:
+      - 9200:9200
+      - 9300:9300
+    healthcheck:
+      test: timeout 5 bash -c 'cat < /dev/null > /dev/tcp/localhost/9300'
+      interval: 15s
+      timeout: 10s
+      retries: 12
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "1k"
+        max-file: "3"
+
+  conductor-ng-ui:
+    environment:
+      - WF_SERVER=http://localhost:8080
+      - OAUTH_ENABLED=Y
+      - OAUTH_TOKEN_URL=http://localhost:9990/auth/realms/conductor/protocol/openid-connect/token
+      - OAUTH_USER_INFO_URL=http://localhost:8080/api/user/userinfo
+      - OAUTH_LOGOUT_URL=http://localhost:9990/auth/realms/conductor/protocol/openid-connect/logout
+      - OAUTH_CLIENT_ID=conductor_user_client
+      - OAUTH_CLIENT_SECRET=205bf09a-7df8-4c4a-9a79-c27efae878ab
+    image: zzzmahesh/conductor-ng-ui:version-4.0.3
+    networks:
+      - internal
+    depends_on:
+      conductor-server:
+        condition: service_healthy
+      keycloak:
+        condition: service_healthy
+    ports:
+      - 80:80
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "1k"
+        max-file: "3"
+
+volumes:
+  keycloak_realm_data:
+    driver: local
+    driver_opts:
+      type: none
+      device: $PWD/docker/security/keycloak/migration
+      o: bind
+
+networks:
+  internal: