ieggel

Reputation: 961

Keycloak custom Docker ProtocolMapper deployment

I'm experimenting with Keycloak and the integrated Docker registry v2 auth. Everything is working fine with that. However, currently there is no real authorization layer, and having a look at the source code on GitHub I can see that there is a class AllowAllDockerProtocolMapper which automatically grants all permissions for the Docker registry to the logged-in user.

I'd like to implement a namespace-based authorization mechanism, i.e. the logged-in user only has push/pull permissions inside his own namespace (e.g. https://myregistry.local/username).

Right now, however, I am struggling to get a simple working example up and running. I read the Keycloak guide for SPIs at https://www.keycloak.org/docs/latest/server_development/index.html#_providers and had a look at some examples on GitHub, but right now the deployed module does not seem to be picked up by Keycloak.

What I did:

   <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
       <web-context>auth</web-context>
       <providers>
           <!-- THIS IS WHAT I ADDED -->
           <provider>module:a.b.c.d.docker-user-namespace-mapper</provider>
       </providers>
       ...

When I go to the Admin CLI and try to add a new mapper to a docker-v2 client, the new mapper does not show up and everything seems to be the same as before the deployment. During deployment and server restart no errors are thrown. Can anybody help me to get this Docker mapper correctly deployed?

Any help is highly appreciated!

Thanks, -Ivan

Upvotes: 1

Views: 1595

Answers (1)

ieggel

Reputation: 961

I finally found out why it was not working.

The module was not picked up by Keycloak because I was editing the wrong config file. Instead of adding the provider to standalone.xml I had to add it to standalone-ha.xml. This is because I actually use the official Keycloak Docker image jboss/keycloak, and having a look at their startup script docker-entrypoint.sh it becomes clear that standalone-ha.xml is used. You can find more information here: Keycloak SPI Providers and layers not loading when using Docker.

In case anybody is interested in how to implement/deploy a custom Keycloak mapper, based on user namespace, for the DockerV2 registry: have a look at my code here: https://github.com/ieggel/DockerRegistryKeycloakUserNamespaceMapper

Cheers!

Upvotes: 2
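The question asks for a mapper that grants push/pull only inside the user's own namespace, and the answer points at a Java implementation of exactly that. The following is an added, standalone Python model of the decision logic such a mapper has to apply; it is not code from the linked repository and it does not use Keycloak's Java API. It assumes only the Docker token-auth scope format (`<type>:<name>:<action>[,<action>...]`, e.g. `repository:alice/app:push,pull`) that the registry sends to the token endpoint; the names `parse_scope`, `authorize` and `grant_scopes` are this example's own.

```python
"""Namespace-scoped Docker registry authorization (added example, not Keycloak code).

A Docker registry asks the token server for one or more scopes of the form
    <type>:<name>:<action>[,<action>...]
The "allow all" behaviour hands back every requested scope unchanged. The
namespace policy below instead keeps only repository scopes whose first path
segment equals the authenticated username, and within those only push/pull.
Everything else is silently dropped, which the registry turns into a 401/403.
"""
from dataclasses import dataclass, field
from typing import Iterable, List

# Actions a user may ever receive inside their own namespace.
# "delete" and "*" are never granted by this policy.
ALLOWED_NAMESPACE_ACTIONS = {"push", "pull"}


@dataclass
class DockerAccess:
    type: str
    name: str
    actions: List[str] = field(default_factory=list)

    def to_scope(self) -> str:
        """Serialise back to the scope string the registry expects in the token."""
        return f"{self.type}:{self.name}:{','.join(self.actions)}"


def parse_scope(scope: str) -> DockerAccess:
    """Parse one scope parameter.

    The resource name may itself contain ':' in some registries, so the type
    is taken from the first field, the actions from the last field, and the
    name from everything in between.
    """
    parts = scope.split(":")
    if len(parts) < 3 or not parts[0] or not parts[-1]:
        raise ValueError(f"malformed scope: {scope!r}")
    actions = [a for a in parts[-1].split(",") if a]
    return DockerAccess(type=parts[0], name=":".join(parts[1:-1]), actions=actions)


def authorize(username: str, requested: Iterable[DockerAccess]) -> List[DockerAccess]:
    """Return the subset of requested access the user is entitled to.

    Policy: only "repository" scopes, only under "<username>/...", only
    push/pull. A scope that fails any of these yields no grant at all rather
    than a partial one, except that disallowed actions are stripped from an
    otherwise valid namespace request.
    """
    granted: List[DockerAccess] = []
    user = username.lower()  # registry repository names are lower-case
    for access in requested:
        if access.type != "repository":
            continue  # no catalog / registry-wide scopes for ordinary users
        namespace, sep, _repo = access.name.partition("/")
        if not sep or namespace.lower() != user:
            continue  # top-level repo or someone else's namespace
        actions = [a for a in access.actions if a in ALLOWED_NAMESPACE_ACTIONS]
        if actions:
            granted.append(DockerAccess(access.type, access.name, actions))
    return granted


def grant_scopes(username: str, scope_params: Iterable[str]) -> List[str]:
    """Convenience wrapper: raw scope strings in, granted scope strings out.

    Malformed scopes are dropped rather than failing the whole request, so a
    single bad parameter cannot turn into an unexpected grant.
    """
    parsed = []
    for scope in scope_params:
        try:
            parsed.append(parse_scope(scope))
        except ValueError:
            continue
    return [a.to_scope() for a in authorize(username, parsed)]


if __name__ == "__main__":
    # Constructed sample request: the registry asks for four scopes on behalf
    # of user "alice"; only her own repositories, minus "delete", come back.
    requested = [
        "repository:alice/app:push,pull",
        "repository:bob/app:pull",
        "registry:catalog:*",
        "repository:alice/tools:pull,delete",
    ]
    for scope in grant_scopes("alice", requested):
        print(scope)
```

In the Keycloak mapper this is the logic that replaces the "add the requested scope back unchanged" step of the allow-all mapper; the username comes from the authenticated user session and the requested scopes from the client session's scope parameter.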
