apache / incubator-kie-kogito-apps

Kogito Apps - Kogito is a cloud-native business automation technology for building cloud-ready business applications.
http://kogito.kie.org
Apache License 2.0

Management Console/Task Console support for custom Security #1580

Open debu999 opened 1 year ago

debu999 commented 1 year ago

Description

Current implementation for Console applications is to use keycloak and we have already been using all kogito apps. Have custom built our apps for interacting with kogito APIs. Can Management Console and Task Console be made available with support for quarkus-oidc? We have been using custom apps for this. Need help from Kogito Team to add some light to this.

Data Index is already supporting quarkus-oidc. Need this to be extended to the other kogito-apps in console.

https://issues.redhat.com/browse/KOGITO-8419 Created now; if added, it will help us use more components from the kogito ecosystem.

Implementation ideas

Refer to the details at https://issues.redhat.com/browse/KOGITO-8419. We have seen in data index how it handles custom security.

The org.kie.kogito.index.auth.MultiTenantResolver class helps integrate a quarkus-oidc client, though keycloak is the default.

Can the same be added to all web app applications?

/*
 * Copyright 2020 Red Hat, Inc. and/or its affiliates.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *       http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.kie.kogito.index.auth;

import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;

import org.eclipse.microprofile.config.inject.ConfigProperty;

import io.quarkus.oidc.TenantResolver;
import io.vertx.ext.web.RoutingContext;

@ApplicationScoped
public class MultiTenantResolver implements TenantResolver {

    @Inject
    @ConfigProperty(name = "kogito.data-index.vertx-graphql.ui.path", defaultValue = "/graphiql")
    String graphUIPath;

    @Inject
    @ConfigProperty(name = "kogito.data-index.vertx-graphql.ui.tenant", defaultValue = "web-app-tenant")
    String graphUITenantId;

    @Override
    public String resolve(RoutingContext context) {
        if (context.request().path().equals("/") || context.request().path().startsWith(graphUIPath)) {
            return graphUITenantId;
        }
        return null;
    }
}

So to enable security only the following needs to be tweaked in DI:

  1. kogito.data-index.vertx-graphql.ui.tenant=default
  2. quarkus.oidc.tenant-enabled=true

Can something similar be added on the mgmt console/task console as well? Or is there a way to disable security in the console apps?

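As an added illustration (not the project's own configuration, and not part of the original comment), this is how the two tenant IDs produced by the MultiTenantResolver above map onto quarkus-oidc configuration: the default tenant (resolver returns null) protects the GraphQL API as a bearer-token service, while the web-app-tenant tenant drives the browser login flow for "/" and the GraphiQL UI path. The realm URL, client IDs and secret are placeholders.

```properties
# Added example, not taken from kogito-apps. Placeholder values are written as <...>.

# Let MultiTenantResolver pick the tenant per request (property from the issue above).
quarkus.oidc.tenant-enabled=true
# Tenant ID the resolver returns for "/" and the GraphiQL UI path (its built-in default).
kogito.data-index.vertx-graphql.ui.tenant=web-app-tenant

# Default tenant: used when the resolver returns null, i.e. for every request that is
# neither "/" nor under the UI path. The GraphQL endpoint is a service, so callers must
# present a bearer token; there is no browser redirect for API traffic.
quarkus.oidc.auth-server-url=<https://keycloak.example/realms/kogito>
quarkus.oidc.client-id=<data-index-service>
quarkus.oidc.application-type=service

# "web-app-tenant": used for the interactive UI. The authorization-code flow sends an
# unauthenticated browser to the IdP login page instead of returning 401.
quarkus.oidc.web-app-tenant.auth-server-url=<https://keycloak.example/realms/kogito>
quarkus.oidc.web-app-tenant.client-id=<data-index-ui>
quarkus.oidc.web-app-tenant.credentials.secret=<client-secret>
quarkus.oidc.web-app-tenant.application-type=web-app

# Require an authenticated identity on every path, so that a request which resolves to
# either tenant but carries no valid credential is rejected rather than served anonymously.
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated
```

Setting kogito.data-index.vertx-graphql.ui.tenant=default, as the comment above describes, collapses both branches onto the default tenant so the UI is also protected by the service configuration.
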
ricardozanini commented 1 year ago

cc @pefernan

pefernan commented 1 year ago

@debu999 thanks for reaching out with this issue (and raising the JIRA). At this point we are reviewing the security of the consoles due to a different issue and moving the responsibility to quarkus oidc again... I'll try to prioritize this, but I don't think we will do this in the short term.

debu999 commented 1 year ago

Even if it can't be removed, is it possible to have an option to disable security? That will also help, as we can tweak in our security at the gateway.

debu999 commented 1 year ago

@pefernan is there any update on this? Can something be done? We are building our own apps but can't use MC and TC now due to this, as the firm uses an in-house platform.