Re: OIDC role mapping?

2019-12-03 Thread Sergey Beryozkin
Hi

This should work, all the roles set up by Keycloak should be recognized:
https://github.com/quarkusio/quarkus/blob/master/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcUtils.java#L29

and if the claim containing the roles is a custom one then a
'quarkus.oidc.roles.role-claim-path' property will help:

https://github.com/quarkusio/quarkus/blob/master/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcConfig.java#L111

Does it help ?

I'll open an issue to get it documented.

Thanks, Sergey

On Tue, Dec 3, 2019 at 8:21 AM Benjamin Guillon <benjamin.guil...@cc.in2p3.fr> wrote:

> Hi,
>
> I'd gladly know if that's possible as well.
> So far in our tests (keycloak OIDC and OKD 3.11 as well) we did not manage
> to do it.
>
> Best regards,
> --
> Benjamin Guillon
>
> - Original Message -
> From: "Jon Stanley" 
> To: "users" 
> Sent: Tuesday, 3 December 2019 06:20:07
> Subject: OIDC role mapping?
>
> Is it possible to map roles based on OpenID claims? I've successfully
> got a cluster authenticating with OIDC, but I'm wondering if I can do
> authorization over there too :). My IDP that I'm using for testing is
> Keycloak, so that should be the easiest thing to do, right? :). I
> can't find any documentation or enhancement proposal about that.
>
>
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
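An added illustration (not Quarkus's or Keycloak's own code) of the role lookup Sergey's reply refers to: roles are read from the token's claims, and a custom claim is reached through a '/'-separated path of the kind `quarkus.oidc.roles.role-claim-path` takes. The default paths tried here (`groups`, `realm_access/roles`, `resource_access/<client-id>/roles`) and the sample claims are this example's assumptions, following Keycloak's usual token layout.

```python
import json

# Constructed sample claims of a Keycloak-style access token: realm roles under
# realm_access, client roles under resource_access.<client-id>, plus a custom
# claim. All values are made up for this example.
SAMPLE_CLAIMS = json.loads("""
{
  "sub": "1234-5678",
  "preferred_username": "alice",
  "realm_access": {"roles": ["offline_access", "admin"]},
  "resource_access": {"my-app": {"roles": ["reader"]}},
  "custom": {"permissions": "editor,reviewer"}
}
""")


def roles_at_path(claims, path):
    """Resolve a '/'-separated claim path such as 'realm_access/roles'.
    Returns a list of role names; None if a segment is missing or the value
    is neither a string (split on commas/whitespace) nor a list of strings."""
    node = claims
    for segment in path.split("/"):
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    if isinstance(node, str):
        return node.replace(",", " ").split()
    if isinstance(node, list) and all(isinstance(r, str) for r in node):
        return list(node)
    return None


def find_roles(claims, client_id, role_claim_path=None):
    """An explicit role-claim-path is authoritative: nothing else is consulted,
    so a missing custom claim yields no roles rather than a silent fallback.
    Without one, the assumed defaults follow Keycloak's token layout."""
    if role_claim_path:
        candidates = [role_claim_path]
    else:
        candidates = ["groups", "realm_access/roles",
                      "resource_access/%s/roles" % client_id]
    for path in candidates:
        roles = roles_at_path(claims, path)
        if roles:
            return roles
    return []  # no roles found: treat the caller as unprivileged
```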


Re: How to refer to the external resource

2018-05-25 Thread Sergey Beryozkin
What I did not understand yet is whether the 'hostfolder' command is needed,
given that some default PVs are available, but they are called 'pv001',
etc., and I could not figure out how to link that with a folder outside of
minishift. I'm assuming a 'hostfolder' is a useful mechanism to do it in
the Minishift space...

Cheers, Sergey

On Fri, May 25, 2018 at 4:43 PM, Sergey Beryozkin wrote:

> Hi Dan, All
>
> Combining the 'minishift hostfolder' (to link the minishift folder with
> the demo folder) and following the advice from
> https://developers.redhat.com/blog/2017/04/05/adding-persistent-storage-to-minishift-cdk-3-in-minutes/
>
> Let me remove the inlined resource from the yaml config...
>
> Thanks, Sergey
>
>
> On Thu, May 24, 2018 at 10:59 PM, Sergey Beryozkin wrote:
>
>> Hi Dan
>>
>> Thanks for trying to help, I will check tomorrow, specifically:
>> oc rsh pod_name_from_above ls -l /opt/sso-demo
>>
>> I've already had some initial experience with deploying into Minishift.
>> It just happens that Keycloak is involved in this case, but I asked on
>> this list because I thought the issue was generic.
>>
>> Yes, my basic understanding is that the 'minishift hostfolder' is for
>> syncing with the actual host. I'm not even sure a similar option exists for
>> the multi-cluster case. But I'd just like to start with something simple
>> enough :-).
>>
>> I'll update when I get the check done
>>
>> Cheers, Sergey
>>
>>
>>
>>
>>
>> On Thu, May 24, 2018 at 5:57 PM, Dan Pungă  wrote:
>>
>>> Hi!
>>>
>>> Does the new deployment run successfully? In the running pod can you
>>> check to see if the json file is actually there (mounted). I haven't used
>>> the minishift hostfolder option before, but I thought it has to do with the
>>> docker-iso VM <-> host interaction and not with the actual pods/containers
>>> inside VM.
>>> oc get pods
>>> will give the running pod inside the project
>>> oc rsh pod_name_from_above ls -l /opt/sso-demo
>>> to have a look inside the pod in the /opt/sso-demo dir, if the
>>> sso-demo.json file is there
>>>
>>> In order for oc to work you have to have the binary exported on your
>>> path, or alternatively run this from the minishift folder where it is
>>> located; it should be in the cache/oc directory.
>>>
>>> I'm not sure what you're trying to do. When you say "refer to the
>>> non-encoded Keycloak realm on the disk instead", do you mean you'd like to
>>> edit/update that json so that Keycloak uses your version? If this is the
>>> case, with the current configuration, this could be done by editing the
>>> secret (which should be base64 encoded) and rerolling the deployment to
>>> restart the pod. https://docs.openshift.org/latest/dev_guide/secrets.html#secrets-and-the-pod-lifecycle
>>>
>>> If the Keycloak server that is running inside the pod (of which I have
>>> 0 knowledge..:) ) is able to reread this file without the need to restart
>>> and you want to modify this file on the fly, then I guess you can't do that
>>> if it's mounted as a secret volume and need to add some configuration to
>>> that list of resources from github (add a build configuration that
>>> customizes the image used so that the json config is placed and looked for
>>> in "pod space", add an imagestream for it and reference this custom
>>> imagestream in the deployconfiguration).
>>>
>>> Hope you'll also get a response from someone that is more familiar with
>>> the environment.
>>>
>>> Best of luck,
>>> Dan
>>>
>>> On 24.05.2018 13:31, Sergey Beryozkin wrote:
>>>
>>> Hi,
>>>
>>> I'm new to OpenShift so apologize for what looks like a fairly basic
>>> query, I did do some archive checks, but could not find a simple answer.
>>>
>>> I'm experimenting with this configuration:
>>> https://github.com/wildfly-swarm-openshiftio-boosters/wfswarm-rest-http-secured/blob/master/service.sso.yaml
>>>
>>> It is part of the demo which shows how a Keycloak server can be easily
>>> deployed and it has been optimized to make the deployment very easy to do.
>>> I'm currently trying it with Minishift 1.17.0.
>>>
>>> This configuration inlines several resources. For example,

Re: How to refer to the external resource

2018-05-25 Thread Sergey Beryozkin
Hi Dan, All

Combining the 'minishift hostfolder' (to link the minishift folder with the
demo folder) and following the advice from
https://developers.redhat.com/blog/2017/04/05/adding-persistent-storage-to-minishift-cdk-3-in-minutes/

Let me remove the inlined resource from the yaml config...

Thanks, Sergey


On Thu, May 24, 2018 at 10:59 PM, Sergey Beryozkin wrote:

> Hi Dan
>
> Thanks for trying to help, I will check tomorrow, specifically:
> oc rsh pod_name_from_above ls -l /opt/sso-demo
>
> I've already had some initial experience with deploying into Minishift.
> It just happens that Keycloak is involved in this case, but I asked on
> this list because I thought the issue was generic.
>
> Yes, my basic understanding is that the 'minishift hostfolder' is for
> syncing with the actual host. I'm not even sure a similar option exists for
> the multi-cluster case. But I'd just like to start with something simple
> enough :-).
>
> I'll update when I get the check done
>
> Cheers, Sergey
>
>
>
>
>
> On Thu, May 24, 2018 at 5:57 PM, Dan Pungă  wrote:
>
>> Hi!
>>
>> Does the new deployment run successfully? In the running pod can you
>> check to see if the json file is actually there (mounted). I haven't used
>> the minishift hostfolder option before, but I thought it has to do with the
>> docker-iso VM <-> host interaction and not with the actual pods/containers
>> inside VM.
>> oc get pods
>> will give the running pod inside the project
>> oc rsh pod_name_from_above ls -l /opt/sso-demo
>> to have a look inside the pod in the /opt/sso-demo dir, if the
>> sso-demo.json file is there
>>
>> In order for oc to work you have to have the binary exported on your
>> path, or alternatively run this from the minishift folder where it is
>> located; it should be in the cache/oc directory.
>>
>> I'm not sure what you're trying to do. When you say "refer to the
>> non-encoded Keycloak realm on the disk instead", do you mean you'd like to
>> edit/update that json so that Keycloak uses your version? If this is the
>> case, with the current configuration, this could be done by editing the
>> secret (which should be base64 encoded) and rerolling the deployment to
>> restart the pod. https://docs.openshift.org/latest/dev_guide/secrets.html#secrets-and-the-pod-lifecycle
>>
>> If the Keycloak server that is running inside the pod (of which I have 0
>> knowledge..:) ) is able to reread this file without the need to restart and
>> you want to modify this file on the fly, then I guess you can't do that if
>> it's mounted as a secret volume and need to add some configuration to that
>> list of resources from github (add a build configuration that customizes the
>> image used so that the json config is placed and looked for in "pod space",
>> add an imagestream for it and reference this custom imagestream in the
>> deployconfiguration).
>>
>> Hope you'll also get a response from someone that is more familiar with
>> the environment.
>>
>> Best of luck,
>> Dan
>>
>> On 24.05.2018 13:31, Sergey Beryozkin wrote:
>>
>> Hi,
>>
>> I'm new to OpenShift so apologize for what looks like a fairly basic
>> query, I did do some archive checks, but could not find a simple answer.
>>
>> I'm experimenting with this configuration:
>> https://github.com/wildfly-swarm-openshiftio-boosters/wfswarm-rest-http-secured/blob/master/service.sso.yaml
>>
>> It is part of the demo which shows how a Keycloak server can be easily
>> deployed and it has been optimized to make the deployment very easy to do.
>> I'm currently trying it with Minishift 1.17.0.
>>
>> This configuration inlines several resources. For example, [1], which is
>> a Base64 encoded Keycloak realm
>>
>> which is then copied to the volume as a secret [2] and is made visible to
>> Keycloak [3].
>>
>> I'd like to try to refer to the non-encoded Keycloak realm on the disk
>> instead.
>>
>> I've tried a Minishift hostfolder command to mount a demo folder where
>> the non-encoded realm exists:
>>
>> SSO_DEMO   sshfs   .../boosters/wfswarm-rest-http-secured/minishift
>> /opt/sso-demo
>>
>> where in the local wfswarm-rest-http-secured/minishift folder I have an
>> unencoded sso-demo.json file.
>>
>> Next I removed the [1] block and [2] as well. I managed to import the
>> updated config, but the realm file is not visibl

Re: How to refer to the external resource

2018-05-24 Thread Sergey Beryozkin
Hi Dan

Thanks for trying to help, I will check tomorrow, specifically:
oc rsh pod_name_from_above ls -l /opt/sso-demo

I've already had some initial experience with deploying into Minishift.
It just happens that Keycloak is involved in this case, but I asked on this
list because I thought the issue was generic.

Yes, my basic understanding is that the 'minishift hostfolder' is for
syncing with the actual host. I'm not even sure a similar option exists for
the multi-cluster case. But I'd just like to start with something simple
enough :-).

I'll update when I get the check done

Cheers, Sergey





On Thu, May 24, 2018 at 5:57 PM, Dan Pungă  wrote:

> Hi!
>
> Does the new deployment run successfully? In the running pod can you check
> to see if the json file is actually there (mounted). I haven't used the
> minishift hostfolder option before, but I thought it has to do with the
> docker-iso VM <-> host interaction and not with the actual pods/containers
> inside VM.
> oc get pods
> will give the running pod inside the project
> oc rsh pod_name_from_above ls -l /opt/sso-demo
> to have a look inside the pod in the /opt/sso-demo dir, if the
> sso-demo.json file is there
>
> In order for oc to work you have to have the binary exported on your path,
> or alternatively run this from the minishift folder where it is
> located; it should be in the cache/oc directory.
>
> I'm not sure what you're trying to do. When you say "refer to the
> non-encoded Keycloak realm on the disk instead", do you mean you'd like to
> edit/update that json so that Keycloak uses your version? If this is the
> case, with the current configuration, this could be done by editing the
> secret (which should be base64 encoded) and rerolling the deployment to
> restart the pod. https://docs.openshift.org/latest/dev_guide/secrets.html#secrets-and-the-pod-lifecycle
>
> If the Keycloak server that is running inside the pod (of which I have 0
> knowledge..:) ) is able to reread this file without the need to restart and
> you want to modify this file on the fly, then I guess you can't do that if
> it's mounted as a secret volume and need to add some configuration to that
> list of resources from github (add a build configuration that customizes the
> image used so that the json config is placed and looked for in "pod space",
> add an imagestream for it and reference this custom imagestream in the
> deployconfiguration).
>
> Hope you'll also get a response from someone that is more familiar with
> the environment.
>
> Best of luck,
> Dan
>
> On 24.05.2018 13:31, Sergey Beryozkin wrote:
>
> Hi,
>
> I'm new to OpenShift so apologize for what looks like a fairly basic
> query, I did do some archive checks, but could not find a simple answer.
>
> I'm experimenting with this configuration:
> https://github.com/wildfly-swarm-openshiftio-boosters/wfswarm-rest-http-secured/blob/master/service.sso.yaml
>
> It is part of the demo which shows how a Keycloak server can be easily
> deployed and it has been optimized to make the deployment very easy to do.
> I'm currently trying it with Minishift 1.17.0.
>
> This configuration inlines several resources. For example, [1], which is a
> Base64 encoded Keycloak realm
>
> which is then copied to the volume as a secret [2] and is made visible to
> Keycloak [3].
>
> I'd like to try to refer to the non-encoded Keycloak realm on the disk
> instead.
>
> I've tried a Minishift hostfolder command to mount a demo folder where the
> non-encoded realm exists:
>
> SSO_DEMO   sshfs   .../boosters/wfswarm-rest-http-secured/minishift
> /opt/sso-demo
>
> where in the local wfswarm-rest-http-secured/minishift folder I have an
> unencoded sso-demo.json file.
>
> Next I removed the [1] block and [2] as well. I managed to import the
> updated config, but the realm file is not visible to KeyCloak.
>
> I'd appreciate any advice/guidance. I've seen the docs about persistent
> volumes, but I'm not sure it is the right way to go.
>
> Thanks, Sergey
>
>
> [1] https://github.com/wildfly-swarm-openshiftio-boosters/wfswarm-rest-http-secured/blob/master/service.sso.yaml#L11
> [2] https://github.com/wildfly-swarm-openshiftio-boosters/wfswarm-rest-http-secured/blob/master/service.sso.yaml#L147
> [3] https://github.com/wildfly-swarm-openshiftio-boosters/wfswarm-rest-http-secured/blob/master/service.sso.yaml#L120
>
>
>
>
>
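Dan's suggestion above is to edit the base64-encoded secret and reroll the deployment; as an added example (not part of the thread or of the booster's own files), this generates that Secret manifest from the unencoded sso-demo.json instead of hand-editing the blob, and shows what the pod sees after the mount. The secret name `sso-demo-secret`, the key name and the sample realm are this example's assumptions; the 1 MiB limit is the Kubernetes Secret size limit.

```python
import base64
import json

# Kubernetes (and so OpenShift) rejects Secret objects larger than 1 MiB,
# which a realm export with many clients and roles can approach.
MAX_SECRET_BYTES = 1024 * 1024


def manifest_from_bytes(raw, secret_name="sso-demo-secret", key="sso-demo.json"):
    """Build an Opaque Secret whose `key` holds the realm export as base64.
    The bytes are parsed as JSON first so a broken export is rejected here,
    not when Keycloak fails to import it inside the pod."""
    json.loads(raw.decode("utf-8"))  # raises ValueError on malformed JSON
    if len(raw) > MAX_SECRET_BYTES:
        raise ValueError("realm export is %d bytes; Secret data must stay under 1 MiB" % len(raw))
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": secret_name},
        "type": "Opaque",
        "data": {key: base64.b64encode(raw).decode("ascii")},
    }


def realm_secret_manifest(realm_path, **kwargs):
    """Same, reading the unencoded realm file from disk."""
    with open(realm_path, "rb") as fh:
        return manifest_from_bytes(fh.read(), **kwargs)


def mounted_file(manifest, key="sso-demo.json"):
    """What the container sees once the Secret is mounted under /opt/sso-demo:
    the decoded bytes. base64 is an encoding, not encryption, so anyone who can
    read the Secret object can read the realm and any client secrets in it."""
    return base64.b64decode(manifest["data"][key])


def demo():
    # Constructed minimal realm export standing in for the real sso-demo.json.
    realm = {"realm": "demo", "enabled": True, "clients": [{"clientId": "demo-client"}]}
    return manifest_from_bytes(json.dumps(realm).encode("utf-8"))


if __name__ == "__main__":
    # Emit JSON (which is valid YAML) for: python make_secret.py | oc apply -f -
    print(json.dumps(realm_secret_manifest("minishift/sso-demo.json"), indent=2))
```

Pipe the printed manifest into `oc apply -f -`, then run `oc rollout latest dc/<deploymentconfig-name>` so the pod restarts and picks up the new content, as the thread describes.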


How to refer to the external resource

2018-05-24 Thread Sergey Beryozkin
Hi,

I'm new to OpenShift so apologize for what looks like a fairly basic
query, I did do some archive checks, but could not find a simple answer.

I'm experimenting with this configuration:
https://github.com/wildfly-swarm-openshiftio-boosters/wfswarm-rest-http-secured/blob/master/service.sso.yaml

It is part of the demo which shows how a Keycloak server can be easily
deployed and it has been optimized to make the deployment very easy to do.
I'm currently trying it with Minishift 1.17.0.

This configuration inlines several resources. For example, [1], which is a
Base64 encoded Keycloak realm

which is then copied to the volume as a secret [2] and is made visible to
Keycloak [3].

I'd like to try to refer to the non-encoded Keycloak realm on the disk
instead.

I've tried a Minishift hostfolder command to mount a demo folder where the
non-encoded realm exists:

SSO_DEMO   sshfs   .../boosters/wfswarm-rest-http-secured/minishift
/opt/sso-demo

where in the local wfswarm-rest-http-secured/minishift folder I have an
unencoded sso-demo.json file.

Next I removed the [1] block and [2] as well. I managed to import the
updated config, but the realm file is not visible to Keycloak.

I'd appreciate any advice/guidance. I've seen the docs about persistent
volumes, but I'm not sure it is the right way to go.

Thanks, Sergey


[1]
https://github.com/wildfly-swarm-openshiftio-boosters/wfswarm-rest-http-secured/blob/master/service.sso.yaml#L11
[2]
https://github.com/wildfly-swarm-openshiftio-boosters/wfswarm-rest-http-secured/blob/master/service.sso.yaml#L147
[3]
https://github.com/wildfly-swarm-openshiftio-boosters/wfswarm-rest-http-secured/blob/master/service.sso.yaml#L120