[keycloak-dev] Aerogear UPS + Keycloak cartridge combined together POC
Karel Piwko
kpiwko at redhat.com
Wed Feb 5 10:08:29 EST 2014
On Wed, 05 Feb 2014 09:23:06 -0500
Bill Burke <bburke at redhat.com> wrote:
>
>
> On 2/5/2014 8:35 AM, Karel Piwko wrote:
> > On Tue, 04 Feb 2014 13:51:37 -0500
> > Bill Burke <bburke at redhat.com> wrote:
> >
> >>
> >>
> >> On 2/4/2014 12:13 PM, Karel Piwko wrote:
> >>> Hey,
> >>>
> >>> I've combined Aerogear UPS and Keycloak cartridges together. You can check
> >>> the results at:
> >>>
> >>> https://agpushkeycloak-mobileqa.rhcloud.com/ (admin/password)
> >>> https://keycloak-mobileqa.rhcloud.com/ (admin/password)
> >>>
> >>> For keycloak, I have used original cart [1]:
> >>>
> >>> $ rhc app create -g small --no-git keycloak
> >>> https://raw.github.com/stianst/openshift-keycloak-cartridge/master/metadata/manifest.yml
> >>>
> >>> For UPS, I have modified matzew's one stored in my repo [2] and modified
> >>> UPS [3]:
> >
> > Given your comments, I'll modify setup to have (primarily) single cart
> > option. Should I keep two carts setup? It at least seems as a good QE test
> > case ;-)
> >
> > Note, I will either have to wait for WF8 Final (due to Hibernate bug in
> > CR1) or base cart on AS7.
> >
> >>>
> >>> $ rhc app create -g small --no-git agpushkeycloak mysql-5.1
> >>> 'http://cartreflect-claytondev.cloud.com/reflect?github=kpiwko/openshift-origin-cartridge-aerogear-push&commit=a45f93afaa275de082f9da749bce13fb33acdb75'
> >>>
> >>> There are some gotchas though:
> >>>
> >>> * keycloak.json - I'm not sure how this will be addressed by WF subsystem.
> >>> We still need a way how to pass keycloak.json to UPS cartridge, which is
> >>> AS7 and we can't ask user to modify standalone.xml anyway. However, we
> >>> could make a hook on OpenShift - user will add keycloak.json to git repo
> >>> and it will automagically put at right location. Could we have a hook in
> >>> Keycloak to load keycloak.json from external location? Or should we
> >>> rather do some war exploding magic?
> >>
> >> I need to go through Stan's work. I want to be able to configure the
> >> subsystem from the keycloak admin console without having to create a
> >> keycloak.json file. I just don't know yet if the subsystem will work on
> >> AS7.
> >
> >
> > This will work for app and Keycloak being deployed on a single server. It
> > does not solve SaaS scenario - keycloak admin console can configure
> > subsystem of current WF(AS) only. Keycloak would need to manage subsystem
> > of a remote WF - I doubt this would ever be possible with AS7 on OpenShift
> > and I think security concerns of such setup are not even allowing this on
> > WF8.
> >
>
> You can make authenticated HTTP requests to the WF/AS7 admin interface.
> Maybe Openshift is disallowing this, but its certainly not the case
> with WF. My understanding is that the new WF admin console will be a
> pure HTML 5 application making CORS requests to the admin REST interface
> of WF.
>
> What I'm saying is, this will work in the SaaS scenario if Openshift has
> not turned off the AS7/WF admin interface.
>
OpenShift disabled most of the ports but 8080, admin interface port being on
of disabled. WF provides port multiplexing, I have no idea whether they
allowed management port there. Ports can be reached using port forwarding [1]
though but this will add much to complexity of cart setup steps.
I'll need to go through Stan's work and get more info.
[1] https://www.openshift.com/forums/openshift/jboss-as7-management-in-openshift
> >>
> >>
> >>> * AS7-3227 I worked this around by doing parameter injection for
> >>> SecurityContext in UPS. Nasty. Can we make newer RESTEasy part of
> >>> Keycloak package for AS7? Any better option?
> >>
> >> This is an UPS issue right? Keycloak WAR bundles is own Resteasy and
> >> excludes built in one.
> >
> > Well, it is either keycloak packaging issue or documentation issue (or
> > problem here in Brno in between chair and keyboard). I've added
> > keycloak-as7-adapter-dist to AS7. Keycloak WAR was added to different
> > cartridge. So, AS7 (UPS) is still using old RESTEasy 2.x. This will be fixed
> > if newer RESTEasy is packaged inside of keycloak-as7-adapter-dist instead of
> > Keycloak WAR. IIRC this was setup pre alpha-1.
>
> There are two things:
>
> * The keycloak auth-server.war which is the authentication server
> * The adapter zip which installs "client" modules and used only for
> WF/AS7 instances that want to interact with a Keycloak auth server.
>
> The adapter does not have a dependency on Resteasy, only on Apache HTTP
> Client 4.1.x (or higher). The auth-server does have a dependency on
> Resteasy.
>
So the point is, if UPS does injection via @javax.ws.rs.core.Context, it should
bundle newer RESTEasy in WAR instead of relying on 2.3.2.Final in AS7, right?
>
More information about the keycloak-dev
mailing list