User Federation changes

main
root 2022-01-17 15:53:16 -06:00
parent ead4688ce6
commit 247d8b8a22
6 changed files with 86 additions and 5 deletions

View File

@ -69,18 +69,18 @@ ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e
### Config Playbook ### Config Playbook
`playbooks/keycloak-realm.yml` creates provided realm, client(s), client role(s) and client user(s) if they don't exist. `playbooks/keycloak-realm.yml` creates provided realm, user federation(s), client(s), client role(s) and client user(s) if they don't exist.
### Config role ### Config role
* [`keycloak_realm`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md): role for configuring a realm, with clients and users, in an installed service. * [`keycloak_realm`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md): role for configuring a realm, user federation(s), clients and users, in an installed service.
### Example configuration command ### Example configuration command
Execute the following command from the source root directory Execute the following command from the source root directory
``` ```
ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e keycloak_admin_password=<changeme> -e keycloak_realm=test ansible-playbook -i <ansible_hosts> playbooks/keycloak-realm.yml -e keycloak_admin_password=<changeme> -e keycloak_realm=test
``` ```
- `keycloak_admin_password` password for the administration console user account. - `keycloak_admin_password` password for the administration console user account.

View File

@ -8,6 +8,46 @@
vars: vars:
keycloak_admin_password: "changeme" keycloak_admin_password: "changeme"
keycloak_realm: TestRealm keycloak_realm: TestRealm
keycloak_user_federation:
- realm: TestRealm
name: my-ldap
provider_id: ldap
provider_type: org.keycloak.storage.UserStorageProvider
config:
priority: '0'
enabled: true
cachePolicy: DEFAULT
batchSizeForSync: '1000'
editMode: READ_ONLY
importEnabled: true
syncRegistrations: false
vendor: other
usernameLDAPAttribute: uid
rdnLDAPAttribute: uid
uuidLDAPAttribute: entryUUID
userObjectClasses: inetOrgPerson, organizationalPerson
connectionUrl: ldaps://ldap.example.com:636
usersDn: ou=Users,dc=example,dc=com
authType: simple
bindDn: cn=directory reader
bindCredential: password
searchScope: '1'
validatePasswordPolicy: false
trustEmail: false
useTruststoreSpi: ldapsOnly
connectionPooling: true
pagination: true
allowKerberosAuthentication: false
debug: false
useKerberosForPasswordAuthentication: false
mappers:
- name: "full name"
providerId: "full-name-ldap-mapper"
providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
config:
ldap.full.name.attribute: cn
read.only: true
write.only: false
keycloak_clients: keycloak_clients:
- name: TestClient1 - name: TestClient1
roles: roles:

View File

@ -14,6 +14,8 @@ Role Defaults
|`keycloak_http_port` | HTTP port | `8080` | |`keycloak_http_port` | HTTP port | `8080` |
|`keycloak_https_port` | TLS HTTP port | `8443` | |`keycloak_https_port` | TLS HTTP port | `8443` |
|`keycloak_auth_realm` | Name of the main authentication realm | `master` | |`keycloak_auth_realm` | Name of the main authentication realm | `master` |
|`keycloak_rhsso_enable` | Define service is an upstream(Keycloak) or RHSSO | `master` |
Role Variables Role Variables
@ -35,10 +37,29 @@ The following variables are available for creating clients:
|`keycloak_client_default_roles` | List of default role name for clients | `[]` | |`keycloak_client_default_roles` | List of default role name for clients | `[]` |
|`keycloak_client_users` | List of user/role mappings for a client | `[]` | |`keycloak_client_users` | List of user/role mappings for a client | `[]` |
The following variable are available for creating user federation:
| Variable | Description | Default |
|:---------|:------------|:---------|
|`keycloak_user_federation` | List of _keycloak_user_federation_ for the realm | `[]` |
Variable formats Variable formats
---------------- ----------------
* `keycloak_user_federation`, a list of:
```yaml
- realm: <name of the realm in which user federation should be configured, required>
name: <name of the user federation provider, required>
provider_id: <Type of the user federation provider, required>
provider_type: < Provider Type, default is set to org.keycloak.storage.UserStorageProvider>
config: <Dictionary of supported configuration values, required>
mappers: <List of supported configuration values, required>
```
Refer to [docs](https://docs.ansible.com/ansible/latest/collections/community/general/keycloak_user_federation_module.html) for information on supported variables.
* `keycloak_clients`, a list of: * `keycloak_clients`, a list of:
```yaml ```yaml
@ -71,7 +92,6 @@ Variable formats
For a comprehensive example, refer to the [playbook](playbooks/keycloak.yml). For a comprehensive example, refer to the [playbook](playbooks/keycloak.yml).
Example Playbook Example Playbook
---------------- ----------------

View File

@ -9,6 +9,9 @@ keycloak_admin_user: admin
keycloak_auth_realm: master keycloak_auth_realm: master
keycloak_auth_client: admin-cli keycloak_auth_client: admin-cli
### List of Keycloak User Federation
keycloak_user_federation: []
### Keycloak realm client defaults ### Keycloak realm client defaults
# list of clients to create in the realm # list of clients to create in the realm
# #

View File

@ -34,6 +34,24 @@
status_code: 201 status_code: 201
when: keycloak_realm_exists.status == 404 when: keycloak_realm_exists.status == 404
- name: Create user federation
community.general.keycloak_user_federation:
auth_keycloak_url: "{{ keycloak_url }}/auth"
auth_realm: "{{ keycloak_auth_realm }}"
auth_username: "{{ keycloak_admin_user }}"
auth_password: "{{ keycloak_admin_password }}"
realm: "{{ item.realm }}"
name: "{{ item.name }}"
state: present
provider_id: "{{ item.provider_id }}"
provider_type: "{{ item.provider_type | default(org.keycloak.storage.UserStorageProvider) }}"
config: "{{ item.config }}"
mappers: "{{ item.mappers | default(omit) }}"
register: create_user_federation_result
loop: "{{ keycloak_user_federation | flatten }}"
when: keycloak_user_federation is defined
- name: Create Client - name: Create Client
community.general.keycloak_client: community.general.keycloak_client:
auth_client_id: "{{ keycloak_auth_client }}" auth_client_id: "{{ keycloak_auth_client }}"

View File

@ -13,4 +13,4 @@ keycloak_clients:
# other settings # other settings
keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}" keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}" keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined else False }}" keycloak_rhsso_enable: False