Commit e16185f3 authored by Bozidar Proevski's avatar Bozidar Proevski

Added Keycloak

Added a new role to configure and integrate Keycloak OpenID SSO.
parent fe04ddda
......@@ -8,7 +8,7 @@ Installation
Edit soctools-inventory and add the desired docker containers to be deployed. The playbook has been tested on CentOS 7.
Edit settings in group_vars/all/main.yml.
The first entry in the nifiadmin variable is the user with full admin privileges in NiFi.
The first entry in the soctools_users variable is the user with full admin privileges in NiFi and Kibana.
To build the Docker images needed, run the ansible playbook:
`ansible-playbook -i soctools-inventory buildimages.yml`
......@@ -21,7 +21,9 @@ To start and stop the cluster, run the ansible playbook soctools.yml:
`ansible-playbook -i soctools-inventory soctools.yml -t start` to start the cluster.
`ansible-playbook -i soctools-inventory soctools.yml -t stop` to stop the cluster.
The NiFi interface should now be available on port 443 on the server.
The NiFi interface should now be available on port 9443 on the server.
The OpenDistro for Elasticsearch interface should now be available on port 5601 on the server.
The Keycloak IdP interface should now be available on port 12443 on the server.
License
-------
......
......@@ -4,7 +4,7 @@ soctools_netname: "dslnifinet"
repo: gn43-dsl
version: 7
suffix: a20200516
suffix: a20200520
temp_root: "/tmp/centosbuild"
......@@ -32,14 +32,39 @@ javamem: "384m"
ca_cn: "dsldev test ca"
nifiadmin:
- [ "Bozidar Proevski", "Pass001" ]
- [ "Arne Oslebo", "Pass002" ]
- [ "NifiELKuser", "Pass003" ]
#nifiadmin:
# - [ "Bozidar Proevski", "Pass001" ]
# - [ "Arne Oslebo", "Pass002" ]
# - [ "NifiELKuser", "Pass003" ]
soctools_users:
- firstname: "Arne"
lastname: "Oslebo"
username: "arne.oslebo"
email: "arne.oslebo@uninett.no"
DN: "CN=Arne Oslebo"
CN: "Arne Oslebo"
password: "Pass002"
- firstname: "Bozidar"
lastname: "Proevski"
username: "bozidar.proevski"
email: "bozidar.proevski@finki.ukim.mk"
DN: "CN=Bozidar Proevski"
CN: "Bozidar Proevski"
password: "Pass001"
odfees_img: "{{repo}}/odfees:{{version}}{{suffix}}"
odfekibana_img: "{{repo}}/odfekibana:{{version}}{{suffix}}"
odfees_adminpass: "Pass004"
#elk_version: "oss-7.6.1"
#odfeplugin_version: "1.7.0.0"
elk_version: "oss-7.4.2"
odfeplugin_version: "1.4.0.0"
openid_realm: "GN43WP8T31SOC1"
openid_scope: profile
openid_subjkey: preferred_username
keycloak_img: "{{repo}}/keycloak:{{version}}{{suffix}}"
keycloak_adminpass: "Pass005"
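Review bot: `keycloak_adminpass: "Pass005"` and the `password:` fields under each `soctools_users` entry commit working credentials in clear text to a tracked group_vars file, so every clone and every `git log` of this repository carries them; move them into an ansible-vault encrypted vars file and reference the vaulted variables from here (`keycloak_adminpass: "{{ vault_keycloak_adminpass }}"`), keeping this file free of secrets. The commented-out `#nifiadmin:` block now duplicates what `soctools_users` carries and can be dropped rather than left as dead configuration. `openid_scope: profile` and `openid_subjkey: preferred_username` are the only unquoted string values in the hunk; quoting them (`openid_scope: "profile"`) keeps the file consistent. The file continues outside the hunk on both sides.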
---
- name: Configure the keycloak Dockerfile
template:
src: keycloak/Dockerfile.j2
dest: "{{role_path}}/files/keycloakDockerfile"
- name: Copy tools to build path
command: "cp -av {{role_path}}/templates/keycloak/keycloak-tools/ {{role_path}}/files/keycloak-tools/"
- name: Build keycloak image
command: docker build -t {{repo}}/keycloak:{{version}}{{suffix}} -f {{role_path}}/files/keycloakDockerfile {{role_path}}/files
- name: Remove tools from build path
file:
path: "{{role_path}}/files/keycloak-tools/"
state: absent
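Review bot: The "Copy tools to build path" task shells out with `command: cp -av`, and "Remove tools from build path" deletes the result again, so the play reports `changed` on every run and the copy skips Ansible's module-level checks; `copy:` with `src`, `dest` and `remote_src: true` (which copies directories recursively on recent Ansible versions — confirm for the version in use) or `synchronize:` makes the step idempotent, and `changed_when: false` on the `docker build` command keeps the change report meaningful. The `docker build` value is a plain scalar while the `cp` task quotes its command; quoting both the same way (`command: "docker build -t {{repo}}/keycloak:{{version}}{{suffix}} ..."`) keeps the tasks consistent and protects against a future edit that starts the value with `{{`. The sibling image tasks included from tasks/main.yml are outside this view, so whichever pattern they use is presumably the one to match.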
......@@ -8,3 +8,4 @@
- include: nifi.yml
- include: odfees.yml
- include: odfekibana.yml
- include: keycloak.yml
FROM {{repo}}/openjdk:{{version}}{{suffix}}
ENV KEYCLOAK_VERSION 10.0.1
ENV JDBC_POSTGRES_VERSION 42.2.5
ENV JBOSS_HOME /opt/jboss/keycloak
ARG KEYCLOAK_DIST=https://downloads.jboss.org/keycloak/$KEYCLOAK_VERSION/keycloak-$KEYCLOAK_VERSION.tar.gz
USER root
#ADD /{{role_path}}/templates/keycloak/keycloak-tools /opt/jboss/tools
ADD keycloak-tools /opt/jboss/tools
#ADD ../templates/keycloak/keycloak-tools /opt/jboss/tools
RUN yum -y install openssl && yum -y clean all && \
mkdir -p /opt/jboss/ && cd /opt/jboss/ && \
curl -L $KEYCLOAK_DIST | tar zx && \
mv /opt/jboss/keycloak-* /opt/jboss/keycloak && \
mkdir -p /opt/jboss/keycloak/modules/system/layers/base/org/postgresql/jdbc/main && \
cd /opt/jboss/keycloak/modules/system/layers/base/org/postgresql/jdbc/main && \
curl -L https://repo1.maven.org/maven2/org/postgresql/postgresql/$JDBC_POSTGRES_VERSION/postgresql-$JDBC_POSTGRES_VERSION.jar > postgres-jdbc.jar && \
cp /opt/jboss/tools/databases/postgres/module.xml . && \
cd /opt/jboss/keycloak && \
bin/jboss-cli.sh --file=/opt/jboss/tools/cli/standalone-configuration.cli && \
rm -rf /opt/jboss/keycloak/standalone/configuration/standalone_xml_history && \
rm -rf /opt/jboss/keycloak/standalone/tmp/auth && \
rm -rf /opt/jboss/keycloak/domain/tmp/auth && \
adduser -u 1000 -g 0 -d /opt/jboss jboss && \
chown -R jboss:root /opt/jboss && \
chmod -R g+rwX /opt/jboss && \
mkdir -p /etc/x509/{https,ca} && chown -R jboss:root /etc/x509/{https,ca}
ENV PATH="/opt/jboss/keycloak/bin:${PATH}"
WORKDIR /opt/jboss/keycloak
EXPOSE 8080
EXPOSE 8443
USER jboss
ENTRYPOINT ["/bin/bash"]
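Review bot: `curl -L $KEYCLOAK_DIST | tar zx` and the `postgres-jdbc.jar` download put whatever the mirror served straight into the image with no integrity check, and because `-f` is not passed a failed request pipes an HTML error page into `tar` instead of failing the build; pin expected digests and verify before unpacking, e.g. `ARG KEYCLOAK_SHA256=<expected sha256 of keycloak-10.0.1.tar.gz>` followed by `curl -fsSL -o kc.tgz "$KEYCLOAK_DIST" && echo "$KEYCLOAK_SHA256  kc.tgz" | sha256sum -c - && tar zxf kc.tgz && rm kc.tgz`, with the same treatment for the JDBC jar. `adduser -u 1000 -g 0` plus `chmod -R g+rwX /opt/jboss` makes the entire Keycloak tree writable by the root group, which is the upstream image's convention for arbitrary-UID platforms; if this image only ever runs as `jboss`, narrowing the group-write grant to the directories Keycloak writes at runtime (presumably under `standalone/`) reduces what a compromised process can modify. The two commented-out `#ADD` lines read as leftovers from working out the build context and can be dropped, and a one-line comment above `ENTRYPOINT ["/bin/bash"]` saying where the actual Keycloak start command is supplied would help the next reader.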
#!/bin/bash -e
cd /opt/jboss/keycloak
ENTRYPOINT_DIR=/opt/jboss/startup-scripts
if [[ -d "$ENTRYPOINT_DIR" ]]; then
# First run cli autoruns
for f in "$ENTRYPOINT_DIR"/*; do
if [[ "$f" == *.cli ]]; then
echo "Executing cli script: $f"
bin/jboss-cli.sh --file="$f"
elif [[ -x "$f" ]]; then
echo "Executing: $f"
"$f"
else
echo "Ignoring file in $ENTRYPOINT_DIR (not *.cli or executable): $f"
fi
done
fi
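Review bot: `for f in "$ENTRYPOINT_DIR"/*` leaves the literal pattern in `$f` when the directory exists but is empty, so the `else` branch logs a spurious `Ignoring file ... : /opt/jboss/startup-scripts/*` on every start; `shopt -s nullglob` before the loop, or `[[ -e "$f" ]] || continue` as the first statement of the body, avoids it. Nothing in the Dockerfile of this commit references this script or `/opt/jboss/startup-scripts`, so it looks carried over from the upstream tools directory unused — if that is the case it could go with the other unused tools, otherwise a header comment naming what invokes it would help.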
#!/bin/bash -e
###########################
# Build/download Keycloak #
###########################
if [ "$GIT_REPO" != "" ]; then
if [ "$GIT_BRANCH" == "" ]; then
GIT_BRANCH="master"
fi
# Install Git
microdnf install -y git
# Install Maven
cd /opt/jboss
curl -s https://apache.uib.no/maven/maven-3/3.5.4/binaries/apache-maven-3.5.4-bin.tar.gz | tar xz
mv apache-maven-3.5.4 /opt/jboss/maven
export M2_HOME=/opt/jboss/maven
# Clone repository
git clone --depth 1 https://github.com/$GIT_REPO.git -b $GIT_BRANCH /opt/jboss/keycloak-source
# Build
cd /opt/jboss/keycloak-source
MASTER_HEAD=`git log -n1 --format="%H"`
echo "Keycloak from [build]: $GIT_REPO/$GIT_BRANCH/commit/$MASTER_HEAD"
$M2_HOME/bin/mvn -Pdistribution -pl distribution/server-dist -am -Dmaven.test.skip clean install
cd /opt/jboss
tar xfz /opt/jboss/keycloak-source/distribution/server-dist/target/keycloak-*.tar.gz
mv /opt/jboss/keycloak-* /opt/jboss/keycloak
# Remove temporary files
rm -rf /opt/jboss/maven
rm -rf /opt/jboss/keycloak-source
rm -rf $HOME/.m2/repository
else
echo "Keycloak from [download]: $KEYCLOAK_DIST"
cd /opt/jboss/
curl -L $KEYCLOAK_DIST | tar zx
mv /opt/jboss/keycloak-* /opt/jboss/keycloak
fi
#####################
# Create DB modules #
#####################
mkdir -p /opt/jboss/keycloak/modules/system/layers/base/com/mysql/jdbc/main
cd /opt/jboss/keycloak/modules/system/layers/base/com/mysql/jdbc/main
curl -O https://repo1.maven.org/maven2/mysql/mysql-connector-java/$JDBC_MYSQL_VERSION/mysql-connector-java-$JDBC_MYSQL_VERSION.jar
cp /opt/jboss/tools/databases/mysql/module.xml .
sed "s/JDBC_MYSQL_VERSION/$JDBC_MYSQL_VERSION/" /opt/jboss/tools/databases/mysql/module.xml > module.xml
mkdir -p /opt/jboss/keycloak/modules/system/layers/base/org/postgresql/jdbc/main
cd /opt/jboss/keycloak/modules/system/layers/base/org/postgresql/jdbc/main
curl -L https://repo1.maven.org/maven2/org/postgresql/postgresql/$JDBC_POSTGRES_VERSION/postgresql-$JDBC_POSTGRES_VERSION.jar > postgres-jdbc.jar
cp /opt/jboss/tools/databases/postgres/module.xml .
mkdir -p /opt/jboss/keycloak/modules/system/layers/base/org/mariadb/jdbc/main
cd /opt/jboss/keycloak/modules/system/layers/base/org/mariadb/jdbc/main
curl -L https://repo1.maven.org/maven2/org/mariadb/jdbc/mariadb-java-client/$JDBC_MARIADB_VERSION/mariadb-java-client-$JDBC_MARIADB_VERSION.jar > mariadb-jdbc.jar
cp /opt/jboss/tools/databases/mariadb/module.xml .
mkdir -p /opt/jboss/keycloak/modules/system/layers/base/com/oracle/jdbc/main
cd /opt/jboss/keycloak/modules/system/layers/base/com/oracle/jdbc/main
cp /opt/jboss/tools/databases/oracle/module.xml .
mkdir -p /opt/jboss/keycloak/modules/system/layers/keycloak/com/microsoft/sqlserver/jdbc/main
cd /opt/jboss/keycloak/modules/system/layers/keycloak/com/microsoft/sqlserver/jdbc/main
curl -L https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/$JDBC_MSSQL_VERSION/mssql-jdbc-$JDBC_MSSQL_VERSION.jar > mssql-jdbc.jar
cp /opt/jboss/tools/databases/mssql/module.xml .
######################
# Configure Keycloak #
######################
cd /opt/jboss/keycloak
bin/jboss-cli.sh --file=/opt/jboss/tools/cli/standalone-configuration.cli
rm -rf /opt/jboss/keycloak/standalone/configuration/standalone_xml_history
bin/jboss-cli.sh --file=/opt/jboss/tools/cli/standalone-ha-configuration.cli
rm -rf /opt/jboss/keycloak/standalone/configuration/standalone_xml_history
###########
# Garbage #
###########
rm -rf /opt/jboss/keycloak/standalone/tmp/auth
rm -rf /opt/jboss/keycloak/domain/tmp/auth
###################
# Set permissions #
###################
echo "jboss:x:0:root" >> /etc/group
echo "jboss:x:1000:0:JBoss user:/opt/jboss:/sbin/nologin" >> /etc/passwd
chown -R jboss:root /opt/jboss
chmod -R g+rwX /opt/jboss
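Review bot: This script does not appear to be invoked anywhere in the commit — the Dockerfile inlines the download, postgres module and CLI steps itself — and it would not run in this image as written: the `microdnf install -y git` line assumes a microdnf-based base image while the Dockerfile drives the base with `yum`, and `JDBC_MYSQL_VERSION`, `JDBC_MARIADB_VERSION` and `JDBC_MSSQL_VERSION` are never set by the Dockerfile, so those `curl` calls would fetch non-existent paths. If it is kept for reference, a header comment such as `# Not used by keycloakDockerfile; unmodified upstream reference copy` stops the next reader from wondering which path builds the image; otherwise remove it. Should it ever be wired in, `git clone --depth 1 https://github.com/$GIT_REPO.git -b $GIT_BRANCH` needs `"$GIT_REPO"` and `"$GIT_BRANCH"` quoted, and the jar downloads need the same digest verification the Dockerfile should get.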
/subsystem=datasources/data-source=KeycloakDS: remove()
/subsystem=datasources/data-source=KeycloakDS: add(jndi-name=java:jboss/datasources/KeycloakDS,enabled=true,use-java-context=true,use-ccm=true, connection-url=jdbc:mariadb://${env.DB_ADDR:mariadb}:${env.DB_PORT:3306}/${env.DB_DATABASE:keycloak}${env.JDBC_PARAMS:}, driver-name=mariadb)
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=user-name, value=${env.DB_USER:keycloak})
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=password, value=${env.DB_PASSWORD:password})
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=check-valid-connection-sql, value="SELECT 1")
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation, value=true)
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation-millis, value=60000)
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=flush-strategy, value=IdleConnections)
/subsystem=datasources/jdbc-driver=mariadb:add(driver-name=mariadb, driver-module-name=org.mariadb.jdbc, driver-xa-datasource-class-name=org.mariadb.jdbc.MySQLDataSource)
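Review bot: `write-attribute(name=password, value=${env.DB_PASSWORD:password})` gives the datasource a working fallback credential of `password` whenever `DB_PASSWORD` is not exported, so a deployment that forgets the variable comes up fine against a database protected by a guessable default instead of failing; the same fallback is in the mssql, mysql and postgresql files (the mssql one also embeds it in `connection-url`, and the oracle file defaults to `oracle`). Dropping the default, `value=${env.DB_PASSWORD}`, should make startup fail on the unresolved expression instead — worth confirming against the WildFly version bundled with Keycloak 10.0.1. Since the Dockerfile only provisions the postgresql module, the mariadb, mssql, mysql and oracle CLI files are dead weight in this image; if they stay, a README line noting they are unmodified upstream copies would help.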
embed-server --server-config=standalone.xml --std-out=echo
run-batch --file=/opt/jboss/tools/cli/databases/mariadb/change-database.cli
stop-embedded-server
embed-server --server-config=standalone-ha.xml --std-out=echo
run-batch --file=/opt/jboss/tools/cli/databases/mariadb/change-database.cli
stop-embedded-server
/subsystem=datasources/data-source=KeycloakDS: remove()
/subsystem=datasources/data-source=KeycloakDS: add(jndi-name=java:jboss/datasources/KeycloakDS,enabled=true,use-java-context=true,use-ccm=true, connection-url="jdbc:sqlserver://${env.DB_ADDR:mssql}:${env.DB_PORT:1433};databaseName=${env.DB_DATABASE:keycloak};sendStringParametersAsUnicode=false;integratedSecurity=false;user=${env.DB_USER:keycloak};password=${env.DB_PASSWORD:password};${env.JDBC_PARAMS:}", driver-name=sqlserver)
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=user-name, value=${env.DB_USER:keycloak})
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=password, value=${env.DB_PASSWORD:password})
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=check-valid-connection-sql, value="SELECT 1")
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation, value=true)
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation-millis, value=60000)
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=flush-strategy, value=IdleConnections)
/subsystem=datasources/jdbc-driver=sqlserver:add(driver-name=sqlserver,driver-module-name=com.microsoft.sqlserver.jdbc,driver-xa-datasource-class-name=com.microsoft.sqlserver.jdbc.SQLServerXADataSource)
embed-server --server-config=standalone.xml --std-out=echo
run-batch --file=/opt/jboss/tools/cli/databases/mssql/change-database.cli
stop-embedded-server
embed-server --server-config=standalone-ha.xml --std-out=echo
run-batch --file=/opt/jboss/tools/cli/databases/mssql/change-database.cli
stop-embedded-server
/subsystem=datasources/data-source=KeycloakDS: remove()
/subsystem=datasources/data-source=KeycloakDS: add(jndi-name=java:jboss/datasources/KeycloakDS,enabled=true,use-java-context=true,use-ccm=true, connection-url=jdbc:mysql://${env.DB_ADDR:mysql}:${env.DB_PORT:3306}/${env.DB_DATABASE:keycloak}${env.JDBC_PARAMS:}, driver-name=mysql)
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=user-name, value=${env.DB_USER:keycloak})
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=password, value=${env.DB_PASSWORD:password})
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=check-valid-connection-sql, value="SELECT 1")
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation, value=true)
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation-millis, value=60000)
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=flush-strategy, value=IdleConnections)
/subsystem=datasources/jdbc-driver=mysql:add(driver-name=mysql, driver-module-name=com.mysql.jdbc, driver-xa-datasource-class-name=com.mysql.cj.jdbc.MysqlXADataSource)
embed-server --server-config=standalone.xml --std-out=echo
run-batch --file=/opt/jboss/tools/cli/databases/mysql/change-database.cli
stop-embedded-server
embed-server --server-config=standalone-ha.xml --std-out=echo
run-batch --file=/opt/jboss/tools/cli/databases/mysql/change-database.cli
stop-embedded-server
/subsystem=datasources/data-source=KeycloakDS: remove()
/subsystem=datasources/data-source=KeycloakDS: add(jndi-name=java:jboss/datasources/KeycloakDS,enabled=true,use-java-context=true,use-ccm=true, connection-url=jdbc:oracle:thin:@${env.DB_ADDR:oracle}:${env.DB_PORT:1521}:${env.DB_DATABASE:XE}${env.JDBC_PARAMS:}, driver-name=oracle)
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=user-name, value=${env.DB_USER:SYSTEM})
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=password, value=${env.DB_PASSWORD:oracle})
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=check-valid-connection-sql, value="SELECT 1 FROM dual")
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation, value=true)
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation-millis, value=60000)
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=flush-strategy, value=IdleConnections)
/subsystem=datasources/jdbc-driver=oracle:add(driver-name=oracle, driver-module-name=com.oracle.jdbc, driver-xa-datasource-class-name=oracle.jdbc.xa.client.OracleXADataSource)
embed-server --server-config=standalone.xml --std-out=echo
run-batch --file=/opt/jboss/tools/cli/databases/oracle/change-database.cli
stop-embedded-server
embed-server --server-config=standalone-ha.xml --std-out=echo
run-batch --file=/opt/jboss/tools/cli/databases/oracle/change-database.cli
stop-embedded-server
/subsystem=datasources/data-source=KeycloakDS: remove()
/subsystem=datasources/data-source=KeycloakDS: add(jndi-name=java:jboss/datasources/KeycloakDS,enabled=true,use-java-context=true,use-ccm=true, connection-url=jdbc:postgresql://${env.DB_ADDR:postgres}/${env.DB_DATABASE:keycloak}${env.JDBC_PARAMS:}, driver-name=postgresql)
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=user-name, value=${env.DB_USER:keycloak})
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=password, value=${env.DB_PASSWORD:password})
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=check-valid-connection-sql, value="SELECT 1")
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation, value=true)
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation-millis, value=60000)
/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=flush-strategy, value=IdleConnections)
/subsystem=datasources/jdbc-driver=postgresql:add(driver-name=postgresql, driver-module-name=org.postgresql.jdbc, driver-xa-datasource-class-name=org.postgresql.xa.PGXADataSource)
/subsystem=keycloak-server/spi=connectionsJpa/provider=default:write-attribute(name=properties.schema,value=${env.DB_SCHEMA:public})