Lab: Enabling Authorization in Keycloak

Lab Exercise: Configuring Additional Clients

Step 1: Adding Clients

Similar to the previous exercise, add two more clients (oauth-kafka-broker, oauth-client-02) to your Keycloak realm, but this time activate both Client Authentication and Authorization.

Screenshots

Step 2: Creating Client Config

Only for oauth-client-02, add a new properties section to your client configuration ConfigMap.

Solution

Add the following value to your client configuration ConfigMap, replacing:

  • 1 occurrence of MY_NAMESPACE with the name of your namespace
  • 1 occurrence of YOUR_CLIENT_SECRET with the client secret of your Keycloak client
  • 2 occurrences of YOUR_REALM with the name of your personal Keycloak realm

client-tls-oauth-client02.properties: |
    bootstrap.servers=cluster-1-kafka-bootstrap.MY_NAMESPACE:9095

    security.protocol=SASL_SSL
    sasl.mechanism=OAUTHBEARER
    sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required ;
    sasl.login.callback.handler.class=io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler
    oauth.client.id=oauth-client-02
    oauth.client.secret=YOUR_CLIENT_SECRET
    oauth.token.endpoint.uri=https://keycloak.keycloak/realms/YOUR_REALM/protocol/openid-connect/token
    oauth.valid.issuer.uri=https://keycloak.keycloak/realms/YOUR_REALM
    oauth.username.claim=preferred_username

    ssl.truststore.location=/run/secrets/ca/truststore.jks
    ssl.truststore.type=JKS
    ssl.truststore.password=changeit
    javax.net.ssl.trustStore=/run/secrets/ca/truststore.jks
    javax.net.ssl.trustStorePassword=changeit
    parse.key=true
    key.separator=:

Lab Exercise: Enable Keycloak Authorization

Step 1: Configure your Cluster

Configure your cluster to enable Keycloak authorization:

  • use the client ID of your broker client (oauth-kafka-broker)
  • enable Keycloak metrics
  • set the token endpoint of your Keycloak realm
  • add the CA certificate from the secret cluster-1-tls-managed as a trusted TLS certificate
  • enable delegating to Kafka ACLs
  • remove all service-account-* users from the list of SuperUsers

Hint: Keycloak Endpoints

You can view all endpoint URLs of your Keycloak realm using the following URL:

https://keycloak.sebastian.spielwiese.k8s.workshop.thinkport.cloud/realms/{YOUR_REALM}/.well-known/openid-configuration

Replace {YOUR_REALM} with your Keycloak realm.

Solution

Replace {YOUR_REALM} with your personal Keycloak realm.

apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
# ...
spec:
  kafka:
    # ...
    authorization:
      type: keycloak
      enableMetrics: true
      clientId: oauth-kafka-broker
      tokenEndpointUri: https://keycloak.keycloak/realms/{YOUR_REALM}/protocol/openid-connect/token
      tlsTrustedCertificates:
        - secretName: cluster-1-tls-managed
          certificate: ca.crt
      delegateToKafkaAcls: true

Step 2: Define Authorization in Keycloak

Step 2.1: Create a Group for Topic test-0

Create a new group topic-write-test-0 in your Keycloak realm and add the service user of oauth-client-02 as a member. NOTE: you can add this user only by navigating to Users -> <open user> -> Groups -> Join Group.

Screenshot: adding the group

Screenshot: adding the user as member

Step 2.2: Create Scopes

Open the client oauth-kafka-broker -> Authorization -> Scopes tab and import the following JSON after saving it as a file:

scopes.json
{
  "scopes": [
    {
      "name": "Read"
    },
    {
      "name": "Write"
    },
    {
      "name": "Describe"
    },
    {
      "name": "Alter"
    },
    {
      "name": "AlterConfigs"
    },
    {
      "name": "ClusterAction"
    },
    {
      "name": "Delete"
    },
    {
      "name": "DescribeConfigs"
    },
    {
      "name": "IdempotentWrite"
    }
  ]
}

Step 2.3: Create Resources

Import the following JSON definition to define a resource for topic test-0:

resource_topic_test-0.json
{
  "resources": [
    {
      "name": "Topic:test-0",
      "type": "Topic",
      "ownerManagedAccess": false,
      "displayName": "Topic:test-0",
      "attributes": {},
      "uris": [],
      "scopes": [
        {
          "name": "Write"
        },
        {
          "name": "Describe"
        },
        {
          "name": "Read"
        },
        {
          "name": "DescribeConfigs"
        }
      ],
      "icon_uri": ""
    }
  ]
}

Step 2.4: Create Permission and Policy

As you have defined a resource for the topic test-0 as well as scopes (read, write, etc.), you can now create a policy to allow members of the group topic-write-test-0 to be granted permissions on the resource. Import the following JSON:

policies.json
{
  "policies": [
    {
      "name": "Allow Member of topic-write-test-0 to Write Topic:test-0",
      "type": "group",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "groups": "[{\"path\":\"/topic-write-test-0\",\"extendChildren\":false}]"
      }
    },
    {
      "name": "Members of Group topic-write-test-0 can read and write",
      "description": "",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"Topic:test-0\"]",
        "applyPolicies": "[\"Allow Member of topic-write-test-0 to Write Topic:test-0\"]"
      }
    }
  ]
}

Step 3: Test your Client

Test your client permissions on topic test-0 by publishing some messages or subscribing.
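To check the policy model from Steps 2.2 to 2.4 before running the client test, here is a small offline evaluator, added for this page and not part of the lab, of Keycloak or of Strimzi. It embeds the lab's resource and policy definitions as constructed Python data, models only group policies and resource-type permissions (UNANIMOUS and AFFIRMATIVE strategies), and treats a trailing `*` in a resource name as a prefix wildcard, an assumption about the Strimzi authorizer's pattern semantics that is relevant to the optional exercise below.

```python
import json

# Constructed sample, not an export from the lab's Keycloak: the resource from
# Step 2.3 and the group policy plus resource permission from Step 2.4. Keycloak
# stores the "config" values as JSON-encoded strings, which is kept here.
RESOURCES = [{"name": "Topic:test-0", "type": "Topic",
              "scopes": [{"name": s} for s in ("Write", "Describe", "Read", "DescribeConfigs")]}]
POLICIES = [
    {"name": "Allow Member of topic-write-test-0 to Write Topic:test-0", "type": "group",
     "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS",
     "config": {"groups": json.dumps([{"path": "/topic-write-test-0", "extendChildren": False}])}},
    {"name": "Members of Group topic-write-test-0 can read and write", "type": "resource",
     "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS",
     "config": {"resources": json.dumps(["Topic:test-0"]),
                "applyPolicies": json.dumps(["Allow Member of topic-write-test-0 to Write Topic:test-0"])}},
]


def group_policy_grants(policy, user_groups):
    """Keycloak group policy: grants when the user is in at least one listed group
    (or a sub-group of it when extendChildren is set); NEGATIVE logic inverts that."""
    if policy["type"] != "group":
        raise ValueError(f"only group policies are modelled here, got {policy['type']!r}")
    member = any(u == g["path"] or (g.get("extendChildren") and u.startswith(g["path"] + "/"))
                 for g in json.loads(policy["config"]["groups"]) for u in user_groups)
    return member if policy["logic"] == "POSITIVE" else not member


def resource_matches(pattern, resource):
    """Literal match, or prefix match when the defined name ends in '*'
    (the wildcard form the optional exercise hints at; Strimzi semantics assumed)."""
    return resource == pattern or (pattern.endswith("*") and resource.startswith(pattern[:-1]))


def is_allowed(user_groups, resource, scope, resources=RESOURCES, policies=POLICIES):
    """Decide whether `scope` (e.g. "Write") on `resource` (e.g. "Topic:test-0") is granted:
    a resource-type permission wins when one of its resources covers the request and lists
    the scope, and its applied policies pass per its decisionStrategy (deny by default)."""
    by_name = {p["name"]: p for p in policies}
    for perm in (p for p in policies if p["type"] == "resource"):
        targets = json.loads(perm["config"]["resources"])
        covering = [r for r in resources
                    if r["name"] in targets and resource_matches(r["name"], resource)]
        if not any(scope in {s["name"] for s in r["scopes"]} for r in covering):
            continue  # permission does not cover this resource, or the scope is not on it
        votes = [group_policy_grants(by_name[n], user_groups)
                 for n in json.loads(perm["config"]["applyPolicies"])]
        if (all(votes) if perm["decisionStrategy"] == "UNANIMOUS" else any(votes)):
            return True
    return False  # nothing granted; with delegateToKafkaAcls the broker would now try ACLs
```

Calling `is_allowed(["/topic-write-test-0"], "Topic:test-0", "Write")` reproduces the decision the lab expects for oauth-client-02's service account, while `"Delete"` on the same topic is refused because the resource does not list that scope.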

Lab Exercise (optional): Restore Client-01 as SuperUser

Configure the Keycloak client oauth-client-01 to become SuperUser by implementing appropriate policies and permissions on the client oauth-kafka-broker.

Hint: Resources

It is possible to use wildcard patterns for resources.