Keycloak permission manager #387

Merged
merged 15 commits into from
Jul 3, 2024
Merged
8 changes: 4 additions & 4 deletions Makefile
Expand Up @@ -70,7 +70,7 @@ _ping_song_server:
--retry 5 \
--retry-delay 0 \
--retry-max-time 40 \
--retry-connrefuse \
--retry-connrefused \
'http://localhost:8080/isAlive'
@echo ""

Expand Down Expand Up @@ -192,10 +192,10 @@ rebuild-server: clean-mvn package
rebuild-all: clean-mvn package
@$(DOCKER_COMPOSE_CMD) build score-server score-client

# Start ego, song, and object-storage.
# Start keycloak, song, and object-storage.
start-deps: _setup package
@echo $(YELLOW)$(INFO_HEADER) "Starting dependencies: ego, song and object-storage" $(END)
@$(DC_UP_CMD) ego-api song-server object-storage
@echo $(YELLOW)$(INFO_HEADER) "Starting dependencies: keycloak, song and object-storage" $(END)
@$(DC_UP_CMD) keycloak-server song-server object-storage

# Start score-server and all dependencies. Affected by DEMO_MODE
start-score-server: _setup package start-deps _setup-object-storage
88 changes: 53 additions & 35 deletions docker-compose.yml
@@ -1,31 +1,36 @@
version: '3.7'
services:
ego-api:
image: "overture/ego:3.1.0"
keycloak-server:
image: docker.io/bitnami/keycloak:22
environment:
SERVER_PORT: 8080
SPRING_DATASOURCE_URL: jdbc:postgresql://ego-postgres:5432/ego?stringtype=unspecified
SPRING_DATASOURCE_USERNAME: postgres
SPRING_DATASOURCE_PASSWORD: password
SPRING_FLYWAY_ENABLED: "true"
SPRING_FLYWAY_LOCATIONS: "classpath:flyway/sql,classpath:db/migration"
SPRING_PROFILES: demo, auth
expose:
- "8080"
- KC_DB=postgres
- KC_DB_URL=jdbc:postgresql://keycloak-postgresql/bitnami_keycloak
- KC_DB_USERNAME=bn_keycloak
# default expiration days of apiKeys is 365
# - APIKEY_DURATION_DAYS=365
ports:
- "9082:8080"
command: java -jar /srv/ego/install/ego.jar
depends_on:
- ego-postgres
ego-postgres:
image: postgres:9.5
- keycloak-postgresql
volumes:
- type: bind
source: ./docker/keycloak-init/data_import
target: /opt/bitnami/keycloak/data/import
command:
- /bin/bash
- -c
- |
curl -sL https://github.com/oicr-softeng/keycloak-apikeys/releases/download/1.0.1/keycloak-apikeys-1.0.1.jar -o /opt/bitnami/keycloak/providers/keycloak-apikeys-1.0.1.jar
kc.sh start-dev --import-realm
keycloak-postgresql:
image: docker.io/bitnami/postgresql:11
environment:
- POSTGRES_DB=ego
- POSTGRES_PASSWORD=password
# ALLOW_EMPTY_PASSWORD is recommended only for development.
- ALLOW_EMPTY_PASSWORD=yes
- POSTGRESQL_USERNAME=bn_keycloak
- POSTGRESQL_DATABASE=bitnami_keycloak
expose:
- "5432"
volumes:
- "./docker/ego-init:/docker-entrypoint-initdb.d"
ports:
- "9444:5432"
object-storage:
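Review bot: The keycloak-server `command` in this hunk fetches `keycloak-apikeys-1.0.1.jar` with `curl -sL` on every container start and writes it straight into Keycloak's `providers/` directory with no integrity check, so whatever the download returns is loaded as a Keycloak extension; because `-s` is used without `-f`, an HTTP error body would be silently saved as the jar and only surface as an opaque `kc.sh` failure. Pin the release artifact's SHA-256 and verify it before `kc.sh` runs, and fail fast on download errors, as sketched below (the checksum is a placeholder to fill in from the release; whether `sha256sum` is present in the bitnami image should be confirmed). Baking the provider into an image at build time instead of downloading at runtime would remove the startup network dependency altogether. The `ALLOW_EMPTY_PASSWORD=yes` setting on keycloak-postgresql and the fixed `systemsecret`/`ACCESSTOKEN` values later in this section are dev-only fixtures consistent with the existing comment; no change needed there for a local compose file.
```yaml
    command:
      - /bin/bash
      - -c
      - |
        set -euo pipefail
        jar=/opt/bitnami/keycloak/providers/keycloak-apikeys-1.0.1.jar
        curl -fsSL https://github.com/oicr-softeng/keycloak-apikeys/releases/download/1.0.1/keycloak-apikeys-1.0.1.jar -o "$jar"
        echo "<EXPECTED_SHA256_PLACEHOLDER>  $jar" | sha256sum -c -
        kc.sh start-dev --import-realm
```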
Expand All @@ -36,7 +41,7 @@ services:
MINIO_SECRET_KEY: minio123
command: server /data
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
test: [ "CMD", "curl", "-f", "http://localhost:9000/minio/health/live" ]
interval: 30s
timeout: 20s
retries: 3
Expand All @@ -61,11 +66,15 @@ services:
S3_ACCESSKEY: minio
S3_SECRETKEY: minio123
S3_SIGV4ENABLED: "true"
AUTH_SERVER_URL: http://ego-api:8080/o/check_api_key/
SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI: http://keycloak-server:8080/realms/myrealm/protocol/openid-connect/certs
AUTH_SERVER_URL: http://keycloak-server:8080/realms/myrealm/apikey/check_api_key/
AUTH_SERVER_TOKENNAME: apiKey
AUTH_SERVER_CLIENTID: score
AUTH_SERVER_CLIENTSECRET: scoresecret
AUTH_SERVER_SCOPE_STUDY_PREFIX: score.
AUTH_SERVER_CLIENTID: system
AUTH_SERVER_CLIENTSECRET: systemsecret
AUTH_SERVER_PROVIDER: keycloak
AUTH_SERVER_KEYCLOAK_HOST: http://keycloak-server:8080
AUTH_SERVER_KEYCLOAK_REALM: myrealm
AUTH_SERVER_SCOPE_STUDY_PREFIX: PROGRAMDATA.
AUTH_SERVER_SCOPE_UPLOAD_SUFFIX: .WRITE
AUTH_SERVER_SCOPE_DOWNLOAD_SUFFIX: .READ
AUTH_SERVER_SCOPE_DOWNLOAD_SYSTEM: score.WRITE
Expand All @@ -86,7 +95,6 @@ services:
depends_on:
- object-storage
- song-server
- ego-api
volumes:
- "./docker/scratch/storage-server-logs:/opt/dcc/storage_server_logs"
score-client:
Expand All @@ -95,7 +103,7 @@ services:
dockerfile: "$DOCKERFILE_NAME"
target: client
environment:
ACCESSTOKEN: f69b726d-d40f-4261-b105-1ec7e6bf04d5
ACCESSTOKEN: 07a5a12e-a85f-4248-a9a1-851a8062b6ac
METADATA_URL: http://song-server:8080
STORAGE_URL: http://score-server:8080
JAVA_TOOL_OPTIONS: -agentlib:jdwp=transport=dt_socket,address=*:5005,server=y,suspend=n
Expand All @@ -107,7 +115,7 @@ services:
command: bin/score-client
user: "$MY_UID:$MY_GID"
song-db:
image: "postgres:9.6"
image: "postgres:11.1"
environment:
POSTGRES_DB: song
POSTGRES_USER: postgres
Expand All @@ -118,6 +126,11 @@ services:
- "12345:5432"
volumes:
- "./docker/song-db-init:/docker-entrypoint-initdb.d"
healthcheck:
test: [ "CMD-SHELL", "pg_isready -U postgres" ]
interval: 15s
timeout: 15s
retries: 5
aws-cli:
image: "mesosphere/aws-cli:latest"
environment:
Expand All @@ -127,18 +140,23 @@ services:
volumes:
- "./docker/object-storage-init/data/oicr.icgc.test/data:/score-data:ro"
song-server:
image: overture/song-server:4.2.2
image: ghcr.io/overture-stack/song-server:438c2c42
environment:
SERVER_PORT: 8080
SPRING_PROFILES_ACTIVE: "prod,secure,default"
AUTH_SERVER_URL: http://ego-api:8080/o/check_token/
AUTH_SERVER_CLIENTID: song
AUTH_SERVER_CLIENTSECRET: songsecret
AUTH_SERVER_SCOPE_STUDY_PREFIX: song.
SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI: http://keycloak-server:8080/realms/myrealm/protocol/openid-connect/certs
AUTH_SERVER_INTROSPECTIONURI: http://keycloak-server:8080/realms/myrealm/apikey/check_api_key/
AUTH_SERVER_TOKENNAME: apiKey
AUTH_SERVER_CLIENTID: system
AUTH_SERVER_CLIENTSECRET: systemsecret
AUTH_SERVER_PROVIDER: keycloak
AUTH_SERVER_KEYCLOAK_HOST: http://keycloak-server:8080
AUTH_SERVER_KEYCLOAK_REALM: myrealm
AUTH_SERVER_SCOPE_STUDY_PREFIX: PROGRAMDATA.
AUTH_SERVER_SCOPE_STUDY_SUFFIX: .WRITE
AUTH_SERVER_SCOPE_SYSTEM: song.WRITE
SCORE_URL: http://score-server:8080
SCORE_ACCESSTOKEN: f69b726d-d40f-4261-b105-1ec7e6bf04d5
SCORE_ACCESSTOKEN: 07a5a12e-a85f-4248-a9a1-851a8062b6ac
MANAGEMENT_SERVER_PORT: 8081
ID_USELOCAL: "true"
SPRING_DATASOURCE_USERNAME: postgres
Expand All @@ -149,8 +167,8 @@ services:
ports:
- "8080:8080"
depends_on:
- song-db
- ego-api
song-db:
condition: service_healthy
volumes:
- "./docker/scratch/song-server-logs:/opt/dcc/server_logs"
