[ceph.git] / ceph / doc / radosgw / keycloak.rst

.. _radosgw_keycloak:

=================================
Integrating Keycloak with RadosGW
=================================

If Keycloak is set up as an OpenID Connect Identity Provider, it can be used by
mobile apps and web apps to authenticate their users. By using the web token
returned by the authentication process, a mobile app or web app can call
AssumeRoleWithWebIdentity, receive a set of temporary S3 credentials, and use
those credentials to make S3 calls.

Setting up Keycloak
===================

Documentation for installing and operating Keycloak can be found here:
https://www.keycloak.org/guides.

Configuring Keycloak to talk to RGW
===================================

To configure Keycloak to talk to RGW, add the following configurables::

  [client.radosgw.gateway]
  rgw sts key = {sts key for encrypting/ decrypting the session token}
  rgw s3 auth use sts = true

Fetching a web token with Keycloak
==================================

Several examples of apps authenticating with Keycloak can be found here:
https://github.com/keycloak/keycloak-quickstarts/blob/latest/docs/getting-started.md.

Here you might consider the example of the app-profile-jee-jsp app (in the link
above). To fetch the access token (web token) for such an application using the
grant type 'client_credentials', one can use client id and client secret as
follows::

    KC_REALM=demo
    KC_CLIENT=<client id>
    KC_CLIENT_SECRET=<client secret>
    KC_SERVER=<host>:8080
    KC_CONTEXT=auth

    # Request Tokens for credentials
    KC_RESPONSE=$( \
    curl -k -v -X POST \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "scope=openid" \
    -d "grant_type=client_credentials" \
    -d "client_id=$KC_CLIENT" \
    -d "client_secret=$KC_CLIENT_SECRET" \
    "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token" \
    | jq .
    )

    KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token)

It is also possible to fetch an access token for a particular user with the
grant type 'password'. To fetch such an access token, use client id, client
secret, username, and password as follows::

    KC_REALM=demo
    KC_USERNAME=<username>
    KC_PASSWORD=<userpassword>
    KC_CLIENT=<client id>
    KC_CLIENT_SECRET=<client secret>
    KC_SERVER=<host>:8080
    KC_CONTEXT=auth

   # Request Tokens for credentials
    KC_RESPONSE=$( \
    curl -k -v -X POST \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "scope=openid" \
    -d "grant_type=password" \
    -d "client_id=$KC_CLIENT" \
    -d "client_secret=$KC_CLIENT_SECRET" \
    -d "username=$KC_USERNAME" \
    -d "password=$KC_PASSWORD" \
    "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token" \
    | jq .
    )

    KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token)

``KC_ACCESS_TOKEN`` can be used to invoke ``AssumeRoleWithWebIdentity``: see
:doc:`STS`.

Adding tags to a user in Keycloak
=================================

To create a user in Keycloak and add tags to it as its attributes, follow these
steps:

#. Add a user:

   .. image:: ../images/keycloak-adduser.png
      :align: center

#. Add user details:

   .. image:: ../images/keycloak-userdetails.png
      :align: center

#. Add user credentials:

   .. image:: ../images/keycloak-usercredentials.png
      :align: center

#. Add tags to the 'attributes' tab of the user:

   .. image:: ../images/keycloak-usertags.png
      :align: center

#. Add a protocol mapper that maps the user attribute to a client:

   .. image:: ../images/keycloak-userclientmapper.png
      :align: center

After these steps have been completed, the tag 'Department' will appear in the
JWT (web token), under the 'https://aws.amazon.com/tags' namespace.

Tags can be verified by performing token introspection on a JWT. To introspect
a token, use ``client id`` and ``client secret`` as follows::

    KC_REALM=demo
    KC_CLIENT=<client id>
    KC_CLIENT_SECRET=<client secret>
    KC_SERVER=<host>:8080
    KC_CONTEXT=auth

    curl -k -v \
    -X POST \
    -u "$KC_CLIENT:$KC_CLIENT_SECRET" \
    -d "token=$KC_ACCESS_TOKEN" \
    "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token/introspect" \
    | jq .
Commit	Line	Data
39ae355f TL	1	.. _radosgw_keycloak:
39ae355f TL	2
9f95a23c	3	=================================
39ae355f	4	Integrating Keycloak with RadosGW
9f95a23c TL	5	=================================
9f95a23c TL	6
39ae355f TL	7	If Keycloak is set up as an OpenID Connect Identity Provider, it can be used by
	8	mobile apps and web apps to authenticate their users. By using the web token
	9	returned by the authentication process, a mobile app or web app can call
	10	AssumeRoleWithWebIdentity, receive a set of temporary S3 credentials, and use
	11	those credentials to make S3 calls.
9f95a23c TL	12
9f95a23c TL	13	Setting up Keycloak
39ae355f	14	===================
9f95a23c	15
39ae355f TL	16	Documentation for installing and operating Keycloak can be found here:
39ae355f TL	17	https://www.keycloak.org/guides.
9f95a23c TL	18
	19	Configuring Keycloak to talk to RGW
	20	===================================
	21
39ae355f	22	To configure Keycloak to talk to RGW, add the following configurables::
9f95a23c TL	23
	24	[client.radosgw.gateway]
	25	rgw sts key = {sts key for encrypting/ decrypting the session token}
	26	rgw s3 auth use sts = true
9f95a23c	27
39ae355f TL	28	Fetching a web token with Keycloak
	29	==================================
	30
	31	Several examples of apps authenticating with Keycloak can be found here:
	32	https://github.com/keycloak/keycloak-quickstarts/blob/latest/docs/getting-started.md.
9f95a23c	33
39ae355f TL	34	Here you might consider the example of the app-profile-jee-jsp app (in the link
	35	above). To fetch the access token (web token) for such an application using the
	36	grant type 'client_credentials', one can use client id and client secret as
	37	follows::
9f95a23c TL	38
9f95a23c TL	39	KC_REALM=demo
f67539c2 TL	40	KC_CLIENT=<client id>
f67539c2 TL	41	KC_CLIENT_SECRET=<client secret>
9f95a23c TL	42	KC_SERVER=<host>:8080
	43	KC_CONTEXT=auth
	44
	45	# Request Tokens for credentials
	46	KC_RESPONSE=$( \
	47	curl -k -v -X POST \
	48	-H "Content-Type: application/x-www-form-urlencoded" \
	49	-d "scope=openid" \
	50	-d "grant_type=client_credentials" \
	51	-d "client_id=$KC_CLIENT" \
	52	-d "client_secret=$KC_CLIENT_SECRET" \
	53	"http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token" \
	54	\| jq .
	55	)
	56
	57	KC_ACCESS_TOKEN=$(echo $KC_RESPONSE\| jq -r .access_token)
	58
39ae355f TL	59	It is also possible to fetch an access token for a particular user with the
	60	grant type 'password'. To fetch such an access token, use client id, client
	61	secret, username, and password as follows::
20effc67 TL	62
	63	KC_REALM=demo
	64	KC_USERNAME=<username>
	65	KC_PASSWORD=<userpassword>
	66	KC_CLIENT=<client id>
	67	KC_CLIENT_SECRET=<client secret>
	68	KC_SERVER=<host>:8080
	69	KC_CONTEXT=auth
	70
	71	# Request Tokens for credentials
	72	KC_RESPONSE=$( \
	73	curl -k -v -X POST \
	74	-H "Content-Type: application/x-www-form-urlencoded" \
	75	-d "scope=openid" \
	76	-d "grant_type=password" \
	77	-d "client_id=$KC_CLIENT" \
	78	-d "client_secret=$KC_CLIENT_SECRET" \
	79	-d "username=$KC_USERNAME" \
	80	-d "password=$KC_PASSWORD" \
	81	"http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token" \
	82	\| jq .
	83	)
	84
	85	KC_ACCESS_TOKEN=$(echo $KC_RESPONSE\| jq -r .access_token)
	86
39ae355f	87	``KC_ACCESS_TOKEN`` can be used to invoke ``AssumeRoleWithWebIdentity``: see
9f95a23c	88	:doc:`STS`.
20effc67	89
39ae355f TL	90	Adding tags to a user in Keycloak
39ae355f TL	91	=================================
20effc67	92
39ae355f TL	93	To create a user in Keycloak and add tags to it as its attributes, follow these
39ae355f TL	94	steps:
20effc67	95
39ae355f	96	#. Add a user:
20effc67	97
39ae355f TL	98	.. image:: ../images/keycloak-adduser.png
39ae355f TL	99	:align: center
20effc67	100
39ae355f	101	#. Add user details:
20effc67	102
39ae355f TL	103	.. image:: ../images/keycloak-userdetails.png
39ae355f TL	104	:align: center
20effc67	105
39ae355f	106	#. Add user credentials:
20effc67	107
39ae355f TL	108	.. image:: ../images/keycloak-usercredentials.png
39ae355f TL	109	:align: center
20effc67	110
39ae355f	111	#. Add tags to the 'attributes' tab of the user:
20effc67	112
39ae355f TL	113	.. image:: ../images/keycloak-usertags.png
39ae355f TL	114	:align: center
20effc67	115
39ae355f	116	#. Add a protocol mapper that maps the user attribute to a client:
20effc67	117
39ae355f TL	118	.. image:: ../images/keycloak-userclientmapper.png
39ae355f TL	119	:align: center
20effc67	120
39ae355f TL	121	After these steps have been completed, the tag 'Department' will appear in the
39ae355f TL	122	JWT (web token), under the 'https://aws.amazon.com/tags' namespace.
20effc67	123
39ae355f TL	124	Tags can be verified by performing token introspection on a JWT. To introspect
39ae355f TL	125	a token, use ``client id`` and ``client secret`` as follows::
20effc67 TL	126
	127	KC_REALM=demo
	128	KC_CLIENT=<client id>
	129	KC_CLIENT_SECRET=<client secret>
	130	KC_SERVER=<host>:8080
	131	KC_CONTEXT=auth
	132
	133	curl -k -v \
	134	-X POST \
	135	-u "$KC_CLIENT:$KC_CLIENT_SECRET" \
	136	-d "token=$KC_ACCESS_TOKEN" \
	137	"http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token/introspect" \
	138	\| jq .