search

spring-cloud / spring-cloud-dataflow

A microservices-based Streaming and Batch data processing in Cloud Foundry and Kubernetes
https://dataflow.spring.io
Apache License 2.0
1.12k stars 583 forks source link

group-claim configuration parameter is ignored #5750

Open taxone opened 8 months ago

taxone commented 8 months ago

Description: SCDF supports OAuth 2.0 authentication and provides the Groups Mappings feature. It's possible to map group claims defined in the JWT token into server roles. The JWT claim name used for retrieving the roles can defined using the property below

spring.cloud.dataflow.security.authorization.provider-role-mappings.<PROVIDER_ID>.group-claim

The property is ignored, in fact the claim name can be "roles" only. In fact, analyzing and debugging the source code, I can see that the claim names are hard-code:

image

and the property org.springframework.cloud.common.security.ProviderRoleMapping.groupClaim is never used.

Release versions:

{"featureInfo":{"analyticsEnabled":true,"streamsEnabled":false,"tasksEnabled":true,"schedulesEnabled":true,"monitoringDashboardType":"NONE"},"versionInfo":{"implementation":{"name":"spring-cloud-dataflow-server","version":"2.11.1"},"core":{"name":"Spring Cloud Data Flow Core","version":"2.11.1"},"dashboard":{"name":"Spring Cloud Dataflow UI","version":"3.4.1"},"shell":{"name":"Spring Cloud Data Flow Shell","version":"2.11.1","url":"https://repo.maven.apache.org/maven2/org/springframework/cloud/spring-cloud-dataflow-shell/2.11.1/spring-cloud-dataflow-shell-2.11.1.jar"}},"securityInfo":{"authenticationEnabled":true,"authenticated":true,"username":"claudiano3","roles":["ROLE_CREATE","ROLE_DEPLOY","ROLE_DESTROY","ROLE_MANAGE","ROLE_MODIFY","ROLE_SCHEDULE","ROLE_VIEW"]},"runtimeEnvironment":{"appDeployer":{"deployerImplementationVersion":null,"deployerName":null,"deployerSpiVersion":null,"javaVersion":null,"platformApiVersion":null,"platformClientVersion":null,"platformHostVersion":null,"platformSpecificInfo":{},"platformType":null,"springBootVersion":null,"springVersion":null},"taskLaunchers":[{"deployerImplementationVersion":"unknown","deployerName":"KubernetesTaskLauncher","deployerSpiVersion":"unknown","javaVersion":"11.0.19","platformApiVersion":"v1","platformClientVersion":"unknown","platformHostVersion":"unknown","platformSpecificInfo":{"namespace":"int-gpp-credem","master-url":"https://10.43.0.1:443/"},"platformType":"Kubernetes","springBootVersion":"2.7.16","springVersion":"5.3.30"}]},"monitoringDashboardInfo":{"url":"","refreshInterval":15,"dashboardType":"NONE","source":"default-scdf-source"},"_links":{"self":{"href":"https://scdf-int-gpp-credem.qlt-sispag.k8s.dev.int.master.lan/about"}}}

Steps to reproduce: Launch SCDF using the configuration below:

spring:
  security:
    oauth2:
      client:
        registration:
          keycloak:
            client-id: dataflow
            client-secret: XXXXXXXXXXX
            redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}'
            authorization-grant-type: authorization_code
            scope:
            - openid
        provider:
          keycloak:
            jwk-set-uri: http://svi-gpp-gateway.svi-sispag.k8s.dev.int.master.lan/auth/realms/gpp/protocol/openid-connect/certs
            token-uri: http://svi-gpp-gateway.svi-sispag.k8s.dev.int.master.lan/auth/realms/gpp/protocol/openid-connect/token
            user-info-uri: http://svi-gpp-gateway.svi-sispag.k8s.dev.int.master.lan/auth/realms/gpp/protocol/openid-connect/userinfo
            user-name-attribute: preferred_username
            authorization-uri: http://svi-gpp-gateway.svi-sispag.k8s.dev.int.master.lan/auth/realms/gpp/protocol/openid-connect/auth
      resourceserver:
        opaquetoken:
          introspection-uri: http://svi-gpp-gateway.svi-sispag.k8s.dev.int.master.lan/auth/realms/gpp/protocol/openid-connect/token/introspect
          client-id: dataflow
          client-secret: XXXXXXX
      authorization:
        check-token-access: isAuthenticated()
  cloud:
    dataflow:
      security:
        authorization:
          provider-role-mappings:
            keycloak:
              map-oauth-scopes: false
              group-claim: gpp_roles
              map-group-claims: true
              group-mappings:
                ROLE_VIEW: ADMINISTRATOR
                ROLE_CREATE: ADMINISTRATOR
                ROLE_MANAGE: ADMINISTRATOR
                ROLE_DEPLOY: ADMINISTRATOR
                ROLE_DESTROY: ADMINISTRATOR
                ROLE_MODIFY: ADMINISTRATOR
                ROLE_SCHEDULE: ADMINISTRATOR

Configure the Identity Provider returning a JWT token which contains this claim:

"gpp_roles": [
    "ADMINISTRATOR"
  ]

After a successful login, the user is redirected to the SCDF UI, but a 403 HTTP status code is returned.

jvalkeal commented 5 months ago

Looks like I originally missed few things in this and thus is a bug.