[Hawkular-dev] OpenShift OAuth authentication and authorization for Hawkular APM
Juraci Paixão Kröhling
jpkroehling at redhat.com
Thu Apr 27 11:57:47 EDT 2017
Lars,
Indeed, the security mechanism for APM is very simple at the moment: it
uses JAAS, which is concretely implemented by the file-based auth from
Wildfly. The idea was that Red Hat SSO / Keycloak could be used in a
production setup, as the Wildfly Adapter is also implementing JAAS. In
fact, Keycloak *was* used in a previous iteration of the project.
At this point, however, we are focused on collaborating with Jaeger:
http://www.hawkular.org/blog/2017/04/19/hawkular-apm-jaeger.html
Even though we have not started discussing yet how we'll manage security
in Jaeger, I chatted with some colleagues from the Keycloak team last
week to see whether or not the usage of Keycloak Proxy as a sidecar
would make sense in an OpenShift deployment. There's no conclusion yet,
but it's something to be tested :)
At this moment, we have other priorities for Jaeger and the Keycloak
team is also busy with other tasks, but if this is a topic you'd be
interested in contributing to, I'd be more than happy to share what I have
in mind.
- Juca.
On 04/27/2017 04:45 PM, Lars Milland wrote:
> Hi
>
> It would be really great if a functionality for Hawkular APM could be
> found/established, matching the one that exists for Hawkular Metrics
> wise for OpenShift, where the metrics are stored per tenant/namespace,
> and then Hawkular security wise is integrated to the OAuth based
> security model of OpenShift.
>
> Is that a requirement/feature that has been considered? Or would it
> maybe already be possible to integrate the Hawkular APM components with
> OpenShift OAuth based security? Even if the Hawkular APM storage and
> security model would not fit the fully multitenant way of OpenShift,
> if just the security model of a Hawkular APM installation could be
> connected to the OpenShift OAuth model, then one Hawkular APM instance
> could be set up with “service account tokens” used for sending metrics to
> the instance, and users could log into the Hawkular APM UI, again with
> OpenShift OAuth managed credentials, mapped to roles coming from the
> OAuth ticket. Much the same way that the security model of the OpenShift
> integrated Jenkins works - see:
>
> https://github.com/openshift/jenkins-openshift-login-plugin
>
> The current security model of APM is rather limited as far as I
> understand – and based solely on a single manually fixed
> username/password for both contributing application performance
> metrics/log entries, and same for the Hawkular APM UI.
>
> Best regards
>
> Lars Milland