status-im / infra-office-legacy

Infrastructure for cloud office services

Research importing permissions into Keycloak #14

Closed jakubgs closed 2 years ago

jakubgs commented 2 years ago

In order to not go insane we need a way to define and import permissions necessary for SpiffWorkflow into Keycloak.

jakubgs commented 2 years ago

Here are some links on importing realm data into Keycloak:

But this is mostly related to exporting and importing whole realms, not partial entities.

Some kinda relevant discussions:

jakubgs commented 2 years ago

The API exists, as expected:

But the issue is that those documents are quite complex:

Each one contains 10-30 attributes, some of them nested and referring to other objects, for example:

ClientRepresentation contains ResourceServerRepresentation which contains PolicyRepresentation which contains PolicyRepresentation which contains ScopeRepresentation and so on, creating a complex dependency tree of resources which need to be correctly connected.

jakubgs commented 2 years ago

This is a tool used to generate realms and import them for benchmarking keycloak: https://github.com/nmasse-itix/keycloak-import-realm

What they do is they use a JSON template to generate what normally keycloak would generate exporting a realm: https://github.com/nmasse-itix/keycloak-import-realm/blob/main/templates/realm.template

I can't seem to find anything aimed at partial imports.

jakubgs commented 2 years ago

Based on this post: https://keycloak.discourse.group/t/data-missing-when-importing-realm/2276

Apparently one can do partial imports:

./kcadm.sh create partialImport -r myrealm -s ifResourceExists=OVERWRITE -o -f /vagrant/export.json

Which does indeed exist:

admin@node-01.do-ams3.keycloak.office:~ % d exec -it keycloak-app bash
bash-4.4$ /opt/keycloak/bin/kcadm.sh create --help
Usage: kcadm.sh create ENDPOINT_URI [ARGUMENTS]

Command to create new resources on the server.

Use 'kcadm.sh config credentials' to establish an authenticated sessions, or use --no-config with 
CREDENTIALS OPTIONS to perform one time authentication.

Arguments:

  Global options:
    -x                    Print full stack trace when exiting with error
    --config              Path to the config file (~/.keycloak/kcadm.config by default)
    --no-config           Don't use config file - no authentication info is loaded or saved
...

And makes use of the PartialImport interface.

jakubgs commented 2 years ago

This is something interesting on extensions page: https://github.com/adorsys/keycloak-config-cli/

keycloak-config-cli is a Keycloak utility to ensure the desired configuration state for a realm based on a JSON/YAML file. The format of the JSON/YAML file based on the export realm format. Store and handle the configuration files inside git just like normal code. A Keycloak restart isn't required to apply the configuration.

Which sounds about right. And it supports YAML so it could include comments.

Also:

supports variable substitution of config files. This could be enabled by import.var-substitution.enabled=true (disabled by default).

Which means in theory you could have one config to generate a test realm and a prod realm.

jakubgs commented 2 years ago

And apparently keycloak-config-cli has commercial support: https://adorsys.com/en/products/keycloak-config-cli/

Which might be the best option for us:

Our Open Source developer tool keycloak-config-cli is a Keycloak utility to ensure the desired configuration state for a realm based on a JSON file. It allows complete automation of a keycloak realm via a configuration file.

While Keycloak only supports this during the creating stage of the realm, our keycloak-config-cli can also be used to conveniently manage and configure existing realms. Manual configuration via a WebUI is therefore no longer necessary.

Especially in agile software development, the strength of a Configuration as Code – approach of our keycloak-config-cli comes into play: Multiple stages are provided and fully automated or scripted. Subsequent configuration changes are also automatically imported into the environments in the same way as during the initial setup.

The format of the JSON file is based on the export realm format. The configuration files can be stored and handled inside git just like normal code. A Keycloak restart isn’t required to apply the configuration.

jakubgs commented 2 years ago

There are flags like --import.remote-state.enabled which apparently:

Enable remote state management. Purge only resources managed by keycloak-config-cli.

Which I assume means it removes resources that it finds in the existing state that do not exist in the JSON/YAML config.

jakubgs commented 2 years ago

Apparently:

keycloak-config-cli manages some types of resources absolutely. For example, if a group isn't defined inside the import json but other groups are specified, keycloak-config-cli will calculate the difference and delete the group from keycloak.

In some cases it is required to include some keycloak defaults because keycloak-config-cli can't detect if the entity comes from a user or auto created by keycloak itself.

There are 2 modes to ensure a specific behavior:

1. Keycloak should not manage type of resources:

For example if you don't define any groups inside the import json, keycloak does not touch any groups.

2. Keycloak manage type of resources:

For example, define any groups you want inside the import json, and keycloak-config-cli ensures that the groups are available, but other groups will be deleted. If you define groups but set an empty array, keycloak-config-cli will delete all groups in keycloak.

https://github.com/adorsys/keycloak-config-cli/blob/main/docs/MANAGED.md
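As an added illustration (not from this issue or the keycloak-config-cli project) of the two points above, variable substitution for a test/prod split and the "managed" semantics of a present vs. absent `groups` key, here is a minimal realm file in the realm-export format keycloak-config-cli consumes. It assumes `import.var-substitution.enabled=true` with the default `$(...)` substitution syntax; the `REALM_NAME` and `SPIFF_REDIRECT_URI` environment variables and all resource names are made up for the example.

```yaml
# Added example, not part of the issue or the keycloak-config-cli project.
# Assumes import.var-substitution.enabled=true and the default $( ... ) syntax;
# REALM_NAME and SPIFF_REDIRECT_URI are hypothetical env vars set per environment.
realm: $(env:REALM_NAME)          # e.g. spiff-test vs spiff-prod from one file
enabled: true

# Because the "groups" key is present, keycloak-config-cli manages groups
# absolutely: any group that exists in Keycloak but is missing here is deleted
# on import. Omit the key entirely to leave existing groups untouched;
# "groups: []" would delete every group in the realm.
groups:
  - name: spiff-admins
  - name: spiff-users

# Realm roles are declared the same way as in a realm export.
roles:
  realm:
    - name: spiff-admin
      description: Full access to SpiffWorkflow
    - name: spiff-user
      description: Regular SpiffWorkflow user

# Confidential client for SpiffWorkflow; only the redirect URI differs
# between environments, so it comes from the environment as well.
clients:
  - clientId: spiffworkflow
    enabled: true
    publicClient: false
    standardFlowEnabled: true
    redirectUris:
      - $(env:SPIFF_REDIRECT_URI)
```

Keeping this file under version control gives a reviewable record of every permission change, which is the main reason to prefer it over clicking through the admin UI.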

jakubgs commented 2 years ago

Currently I believe the correct solution is keycloak-config-cli.