[HAL-1832] Activate OIDC in the console #525
console/HAL-1832_Activate_OIDC.adoc (outdated)

The UI makes it possible to configure the necessary resources as described in the Elytron admin guide: `docs/src/main/asciidoc/_admin-guide/subsystem-configuration/Elytron_OIDC_Client.adoc`, section "Securing the management console with OpenID Connect".

If the console is secured by the Keycloak OpenID Connect (OIDC) adapter, the "Access Control" top level category shows a screen which summarizes the basic settings. This screen, contains also a link to the Keycloak admin console.
> If the console is secured by the Keycloak OpenID Connect (OIDC) adapter, ...

I believe you mean secured by Keycloak OpenID Connect (OIDC) provider, as the client part is covered by the native support.
Thanks, I fixed that and added a bit more context.
Looks better now, thanks a lot.
console/HAL-1832_Activate_OIDC.adoc (outdated)

== Test Plan

Additional tests are added to the test suite that verify that the hash is visible in the deployment preview.
Are you going to add the new tests to the new Berg test suite?
Well, I thought someone from QE would be able to add the tests 😬
OK :)
console/HAL-1832_Activate_OIDC.adoc (outdated)

== Test Plan

Additional tests are added to the test suite that verify that the hash is visible in the deployment preview.
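Review bot: the Test Plan sentence is about a hash in the deployment preview, which has nothing to do with this change; it should name the OIDC cases the PR introduces, at minimum adding the `secure-deployment=wildfly-management` and `secure-server=wildfly-console` resources through the model-browser UI, logging into the console through Keycloak, and the "Access Control" summary with its link to the Keycloak admin console.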
> Additional tests are added to the test suite that verify that the hash is visible in the deployment preview.

I haven't read this thoroughly; now I can't imagine what is meant by this / what will be verified (which hash, which deployment preview).
Sorry, this is a copy/paste issue. Going to fix this...
The console shows the new `elytron-oidc-client` subsystem. The UI for this subsystem is backed by the https://hal.github.io/documentation/concepts/#applications[model browser] which generates a UI based on the resource descriptions.

The UI makes it possible to configure the necessary resources as described in the Elytron admin guide: `docs/src/main/asciidoc/_admin-guide/subsystem-configuration/Elytron_OIDC_Client.adoc`, section "Securing the management console with OpenID Connect". In particular, this means the console makes it possible to add the following resources:
Is it possible to configure RBAC via the HAL console?

```
/core-service=management/access=authorization:write-attribute(name=provider,value=rbac)
/core-service=management/access=authorization:write-attribute(name=use-identity-roles,value=true)
```
This is actually a good question, as the scenario with RBAC access-control is valid in this context; see the documented CLI steps from the base RFE: https://github.com/wildfly/wildfly/pull/16856/files#diff-82d49f155de7505904b2e963e7ecb31f2ab37132f5fb93c2e74dddb6d5a7497dR347
Yes, it is possible to configure RBAC in the console.
Where? I can't find this setup. Is there also a possibility to configure `use-identity-roles`?
* `/subsystem=elytron-oidc-client/secure-deployment=wildfly-management`
* `/subsystem=elytron-oidc-client/secure-server=wildfly-console`

If the console is secured by the Keycloak OpenID Connect (OIDC) provider, the "Access Control" top level category shows a summary of the basic settings. This contains a link to the Keycloak admin console.
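Review bot: the resource list stops at the two `elytron-oidc-client` resources, but the `/core-service=management/access=authorization` switch (`provider=rbac`, `use-identity-roles=true`) raised in this thread belongs to the same setup, and the "Access Control" category is reported not to be visible once RBAC is set; document those two write-attribute steps next to the resource list, say where in the console RBAC is enabled, and state what the category shows when RBAC is on.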
The "Access Control" top level category is not visible when RBAC access-control is set.
Does the authenticated user have permission to configure access control themselves once roles are mapped?
Yes, I had a user with the ADMINISTRATOR role. I didn't see the "Access Control" tab when RBAC was correctly configured.
There are 7 predefined roles which a user can have assigned (monitor, operator, maintainer, deployer, superuser, administrator, auditor).
The link behind the "Access Control" top-level category depends on whether SSO is enabled.

- SSO enabled → Show a summary of the basic SSO settings and a link to the Keycloak admin console.
- SSO disabled → Show a finder-based UI to configure the users, roles, and groups.

Both options provide a way to enable/disable RBAC. That's independent of SSO. With SSO enabled, the users, groups, and roles are assumed to be configured in Keycloak, though.
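The two threads above (the question about switching RBAC on via CLI, and the two `elytron-oidc-client` resources the PR documents) describe one procedure. The script below is an added example, not code from the PR or from the WildFly/HAL project: it generates the jboss-cli script that secures the management interface and the console with Keycloak OIDC and then enables RBAC with roles taken from the OIDC identity, and runs it only if `JBOSS_HOME` points at a real installation. The realm URL (`KC_URL`, placeholder realm `wildfly-infra` on `keycloak.example.com`), the attribute values, and the helper names `check_provider_url`, `secure_console_cli` and `count_operations` are my assumptions; only the two resource names come from the PR text.

```shell
#!/bin/sh
# Added example; not code from the PR or from the WildFly/HAL project.
# Generates the jboss-cli script that (1) secures the management interface and
# the console with the two elytron-oidc-client resources the PR documents and
# (2) switches RBAC on with roles read from the OIDC identity, then runs it if
# a WildFly installation is available.
# ASSUMPTION: the Keycloak realm URL below is a placeholder; only the two
# resource names (wildfly-management, wildfly-console) come from the PR.
KC_URL="${KC_URL:-https://keycloak.example.com/realms/wildfly-infra}"

# Reject a plaintext provider-url: the browser sends the authorization code to
# it and the server fetches tokens and signing keys from it.
check_provider_url() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "provider-url must use https, got: $1" >&2; return 1 ;;
  esac
}

# Emit the CLI commands. One command per line so jboss-cli --file accepts it.
secure_console_cli() {
  url="$1"
  cat <<EOF
# Management interface: bearer-only, it only validates tokens and never redirects a browser.
/subsystem=elytron-oidc-client/secure-deployment=wildfly-management:add(provider-url=${url},client-id=wildfly-management,principal-attribute=preferred_username,bearer-only=true,ssl-required=EXTERNAL)
# Console: a public client that performs the browser login against Keycloak.
/subsystem=elytron-oidc-client/secure-server=wildfly-console:add(provider-url=${url},client-id=wildfly-console,public-client=true)
# RBAC on, with roles taken from the authenticated identity (the roles carried in the token).
/core-service=management/access=authorization:write-attribute(name=provider,value=rbac)
/core-service=management/access=authorization:write-attribute(name=use-identity-roles,value=true)
reload
EOF
}

# Count the management operations in the generated script (comments and the
# trailing "reload" excluded), a cheap sanity check before handing it to jboss-cli.
count_operations() {
  secure_console_cli "$1" | grep -c '^/'
}

# Only talk to a server when JBOSS_HOME points at a real installation.
if check_provider_url "$KC_URL" && [ -x "${JBOSS_HOME:-/nonexistent}/bin/jboss-cli.sh" ]; then
  script=$(mktemp)
  secure_console_cli "$KC_URL" > "$script"
  "$JBOSS_HOME/bin/jboss-cli.sh" --connect --file="$script"
  rm -f "$script"
fi
```

Two caveats a practitioner would want before running the last two commands: once `provider=rbac` is active and the server reloads, a user whose token carries none of the WildFly role names (Administrator, SuperUser, and so on) loses access to the console, so log in through Keycloak first and confirm with `:whoami(verbose=true)` that the expected role is mapped; and `ssl-required=EXTERNAL` only enforces TLS for requests from non-private addresses, so a production deployment should use `ssl-required=ALL` together with an https `provider-url`.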
@hpehl thank you for all the details on how the web console can be configured.
https://issues.redhat.com/browse/HAL-1832