epam / edp-keycloak-operator

It is responsible for establishing a connection to provided Keycloak Server, reconciling realms, and clients according to the created CRs
https://docs.kuberocketci.io
Apache License 2.0

userFederationProviders userFederationMappers #43

Closed elimaneg closed 7 months ago

elimaneg commented 7 months ago

It would be nice to be able to define userFederationProviders - userFederationMappers within the realm CR. This is the missing piece that would allow us to streamline a 100% gitops deployment of Keycloak.

zmotso commented 7 months ago

@elimaneg I see these two parameters, userFederationProviders and userFederationMappers, under RealmRepresentation in the API doc: https://www.keycloak.org/docs-api/22.0.1/rest-api/index.html#RealmRepresentation


Please clarify how to configure them in the Keycloak UI. I don't see any settings related to them in the Realm.

Maybe you mean configuring User federation/mapping as it is here?


But it uses a separate API. https://www.keycloak.org/docs-api/22.0.1/rest-api/index.html#_component

We already have KeycloakComponent CR, which can be configured for this.

elimaneg commented 7 months ago

Hi @zmotso! Yes, this is exactly what I meant (User federation/mapping as in your screenshot). I managed to use the KeycloakComponent CR to configure userFederationProviders, but I have no idea how to proceed for the mappers (do you have an example?)

apiVersion: v1.edp.epam.com/v1
kind: KeycloakRealmComponent
metadata:
  name: userfederationprovider
spec:
  name: userfederationprovider
  providerId: ldap
  providerType: org.keycloak.storage.UserStorageProvider
  realmRef:
    name: gitops-realm
    kind: KeycloakRealm
  config:
    bindCredential: '["ad-secret:password"]'
    bindDn: '["ad-secret:username"]'
    # connectionUrl: '["ldaps://xxxxxxxxxxxxxx"]'
    customUserSearchFilter: '["memberOf=xxxxxxxxxxx)"]'
    editMode: '["READ_ONLY"]'
    rdnLDAPAttribute: '["cn"]'
    searchScope: '["2"]'
    trustEmail: '["true"]'
    useTruststoreSpi: '["Always"]'
    userObjectClasses: '["person, organizationalPerson, user"]'
    usernameLDAPAttribute: '["cn"]'
    usersDn: '["OU=Usersxxxxxxxxxxxxxxx"]'
    uuidLDAPAttribute: '["objectGUID"]'
    vendor: '["ad"]'

zmotso commented 7 months ago

@elimaneg A mapper is a KeycloakRealmComponent with providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper", and its parentRef points to your KeycloakRealmComponent userfederationprovider.

Example:

apiVersion: v1.edp.epam.com/v1
kind: KeycloakRealmComponent
metadata:
  name: user-federation-role-mapper
spec:
  realmRef:
    name: keycloakrealm-sample
    kind: KeycloakRealm
  name: user-federation-role-mapper
  providerId: role-ldap-mapper # Mapper type
  providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
  parentRef:
    name: userfederationprovider
    kind: KeycloakRealmComponent
  config:
    membership.attribute.type: ["DN"]
    mode: ["LDAP_ONLY"]
    user.roles.retrieve.strategy: ["LOAD_ROLES_BY_MEMBER_ATTRIBUTE"]
    roles.dn: ["test"]
    role.name.ldap.attribute: ["cn"]
    role.object.classes: ["group"]
    membership.ldap.attribute: ["member"]
    membership.user.ldap.attribute: ["cn"]
    roles.ldap.filter: [""]
    memberof.ldap.attribute: ["memberOf"]
    use.realm.roles.mapping: ["true"]

Also, you can create a mapper in the UI and check the network console to get the configuration example. POST https:///admin/realms/realm-sample/components

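
As an added example (not the operator's code and not part of this thread), a small Python pre-apply check that encodes the wiring rules from the answer above: a mapper is a KeycloakRealmComponent with the LDAPStorageMapper providerType, its parentRef names a UserStorageProvider component in the same realm, and every config value is a list of strings rather than a quoted string. The manifests are constructed sample data (in practice they would come from yaml.safe_load over the CR files), and the names role-mapper, broken-mapper and missing-provider are invented for the demonstration.

```python
LDAP_MAPPER_TYPE = "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
USER_STORAGE_TYPE = "org.keycloak.storage.UserStorageProvider"

def validate_components(manifests: list) -> list:
    """Apply the thread's wiring rules and return one finding per violation."""
    findings = []
    comps = {m["metadata"]["name"]: m for m in manifests if m.get("kind") == "KeycloakRealmComponent"}
    for name, m in comps.items():
        spec = m.get("spec", {})
        # Keycloak component config values are lists of strings: ["cn"], not "cn".
        for key, val in spec.get("config", {}).items():
            if not (isinstance(val, list) and all(isinstance(v, str) for v in val)):
                findings.append(f"{name}: config.{key} must be a list of strings")
        if spec.get("providerType") != LDAP_MAPPER_TYPE:
            continue  # only mappers must hang off a provider via parentRef
        parent = spec.get("parentRef") or {}
        if parent.get("kind") != "KeycloakRealmComponent":
            findings.append(f"{name}: mapper parentRef.kind must be KeycloakRealmComponent")
            continue
        provider = comps.get(parent.get("name"))
        if provider is None:
            findings.append(f"{name}: parentRef {parent.get('name')!r} not found")
            continue
        if provider["spec"].get("providerType") != USER_STORAGE_TYPE:
            findings.append(f"{name}: parent {parent['name']} is not a UserStorageProvider")
        if provider["spec"].get("realmRef") != spec.get("realmRef"):
            findings.append(f"{name}: realmRef differs from parent {parent['name']}")
    return findings

def component(name, provider_type, provider_id, config, parent=None, realm="gitops-realm"):
    """Build a KeycloakRealmComponent manifest dict (constructed sample data)."""
    spec = {"name": name, "providerId": provider_id, "providerType": provider_type,
            "realmRef": {"name": realm, "kind": "KeycloakRealm"}, "config": config}
    if parent:
        spec["parentRef"] = {"name": parent, "kind": "KeycloakRealmComponent"}
    return {"apiVersion": "v1.edp.epam.com/v1", "kind": "KeycloakRealmComponent",
            "metadata": {"name": name}, "spec": spec}

SAMPLE = [  # constructed: one provider, one correct mapper, one broken mapper
    component("userfederationprovider", USER_STORAGE_TYPE, "ldap",
              {"vendor": ["ad"], "usersDn": ["OU=Users,DC=example,DC=test"]}),
    component("role-mapper", LDAP_MAPPER_TYPE, "role-ldap-mapper",
              {"mode": ["LDAP_ONLY"], "roles.dn": ["OU=Groups,DC=example,DC=test"]},
              parent="userfederationprovider"),
    component("broken-mapper", LDAP_MAPPER_TYPE, "user-attribute-ldap-mapper",
              {"ldap.attribute": '["mail"]'}, parent="missing-provider"),  # string, not a list
]
```

Running validate_components(SAMPLE) reports only the two defects in broken-mapper; the provider and role-mapper pair passes cleanly.
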
elimaneg commented 7 months ago

awesome !