Extract new keycloak_realm role out of keycloak

main
Guido Grazioli 2021-12-22 10:05:48 +01:00
parent 1ded0a1cfe
commit 702d09c731
13 changed files with 197 additions and 15 deletions


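--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -8,3 +8,35 @@
 name: ../../roles/keycloak
 vars:
 keycloak_admin_password: "changeme"
+- name: Keycloak Realm Role
+include_role:
+name: ../../roles/keycloak_realm
+vars:
+keycloak_admin_password: "changeme"
+keycloak_client_default_roles:
+- TestRoleAdmin
+- TestRoleUser
+keycloak_client_users:
+- username: TestUser
+password: password
+client_roles:
+- client: TestClient
+role: TestRoleUser
+realm: "{{ keycloak_realm }}"
+- username: TestAdmin
+password: password
+client_roles:
+- client: TestClient
+role: TestRoleUser
+realm: "{{ keycloak_realm }}"
+- client: TestClient
+role: TestRoleAdmin
+realm: "{{ keycloak_realm }}"
+keycloak_realm: TestRealm
+keycloak_clients:
+- name: TestClient
+roles: "{{ keycloak_client_default_roles }}"
+realm: "{{ keycloak_realm }}"
+public_client: "{{ keycloak_client_public }}"
+web_origins: "{{ keycloak_client_web_origins }}"
+users: "{{ keycloak_client_users }}"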


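--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -11,3 +11,26 @@
 name: keycloak
 vars:
 keycloak_admin_password: "changeme"
+- name: Keycloak Realm Role
+include_role:
+name: keycloak_realm
+vars:
+keycloak_admin_password: "changeme"
+keycloak_realm: TestRealm
+keycloak_clients:
+- name: TestClient1
+roles:
+- TestClient1Admin
+- TestClient1User
+realm: "{{ keycloak_realm }}"
+public_client: True
+web_origins:
+- http://testclient1origin/application
+- http://testclient1origin/other
+users:
+- username: TestUser
+password: password
+client_roles:
+- client: TestClient1
+role: TestClient1User
+realm: "{{ keycloak_realm }}"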
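Review bot: `public_client: True` on the TestClient1 entry spells the boolean with a capital, which yamllint's `truthy` rule rejects and which reads as a string to a reader used to `true`/`false`; write `public_client: true`. The new defaults file in this commit has the same spelling at `keycloak_client_public: True`, so both places should change together. PyYAML accepts either form as a boolean, so this is a style point rather than a behaviour change. The playbook continues outside the hunk.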


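--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,59 @@
+keycloak_realm
+==============
+Create realms and clients in [keycloak](https://keycloak.org/) or [Red Hat Single Sing-On](https://access.redhat.com/products/red-hat-single-sign-on) services.
+Role Defaults
+-------------
+| Variable | Description | Default |
+|:---------|:------------|:---------|
+|`keycloak_admin_user`| Administration console user account | `admin` |
+Role Variables
+--------------
+The following are a set of _required_ variables for the role:
+| Variable | Description |
+|:---------|:------------|
+|`keycloak_admin_password`| Password for the administration console user account |
+The following variables are _required_ only when keycloak_ha_enabled is True:
+| Variable | Description | Default |
+|:---------|:------------|:---------|
+Example Playbook
+----------------
+The following is an example playbook that makes use of the role to install keycloak
+```yaml
+---
+- hosts: ...
+collections:
+- middleware_automation.keycloak
+tasks:
+- name: Include keycloak role
+include_role:
+name: keycloak_realm
+vars:
+keycloak_admin_password: "changeme"
+```
+License
+-------
+Apache License 2.0
+Author Information
+------------------
+* [Guido Grazioli](https://github.com/guidograzioli)
+* [Romain Pelisse](https://github.com/rpelisse)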


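--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,44 @@
+---
+### Keycloak configuration settings
+keycloak_host: localhost
+keycloak_http_port: 8080
+keycloak_https_port: 8443
+### Keycloak administration console user
+keycloak_admin_user: admin
+keycloak_auth_realm: master
+keycloak_auth_client: admin-cli
+### Keycloak realm client defaults
+# list of clients to create in the realm
+#
+# Refer to the playbook for a comprehensive example.
+#
+# Each client has the form:
+# { name: '', roles: [], realm: '', public_client: bool, web_origins: '', users: [] }
+# where roles is a list of default role names for the client
+# and users is a list of account, see below for the format definition
+# an empty name will skip the creation of the client
+keycloak_clients:
+- name: ''
+roles: "{{ keycloak_client_default_roles }}"
+realm: "{{ keycloak_realm }}"
+public_client: "{{ keycloak_client_public }}"
+web_origins: "{{ keycloak_client_web_origins }}"
+users: "{{ keycloak_client_users }}"
+# list of roles to create in the client
+keycloak_client_default_roles: []
+# if True, create a public client; otherwise, a confidetial client
+keycloak_client_public: True
+# allowed web origins for the client
+keycloak_client_web_origins: '+'
+# list of user and role mappings to create in the client
+# Each user has the form:
+# { username: '', password: '', email: '', firstName: '', lastName: '', client_roles: [] }
+# where each client_role has the form:
+# { client: '', role: '', realm: '' }
+keycloak_client_users: []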
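Review bot: The comment above `keycloak_client_public: True` does not say what the default buys the caller: because the shipped `keycloak_clients` entry takes `public_client` from this variable, every client that does not override it is created as a public client, i.e. one without a client secret, and the comment also misspells "confidential". I would replace that line with `# if true, create a public client (no client secret; meant for browser/SPA flows); otherwise a confidential client` so the consequence is stated where the default is set. `keycloak_client_web_origins: '+'` likewise deserves a comment such as `# '+' is Keycloak's special value allowing CORS from all origins of the client's valid redirect URIs; give an explicit list to restrict it` — confirm against the Keycloak release this role targets. The shape comment at the top documents `web_origins: ''` while the default is `'+'` and the test playbook in this commit passes a list, so the documented type should read "string or list of origins". The blank lines of the original file are not shown on this page.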


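--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1 @@
+---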


@ -51,6 +51,7 @@
state: present state: present
register: create_client_result register: create_client_result
loop: "{{ keycloak_clients | flatten }}" loop: "{{ keycloak_clients | flatten }}"
when: item.name|length > 0
- name: Create client roles - name: Create client roles
include_tasks: manage_client_roles.yml include_tasks: manage_client_roles.yml
@ -59,15 +60,8 @@
loop_control: loop_control:
loop_var: client loop_var: client
- name: Manage Users - name: Create client users
include_tasks: manage_user.yml include_tasks: manage_client_users.yml
loop: "{{ keycloak_users }}" loop: "{{ keycloak_clients | flatten }}"
loop_control: loop_control:
loop_var: user loop_var: client
- name: Manage User Roles
include_tasks: manage_user_roles.yml
loop: "{{ keycloak_users | flatten }}"
loop_control:
loop_var: user
when: "'client_roles' in user"
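Review bot: The `when: item.name|length > 0` guard added to the create-client task in the first hunk is not mirrored on the renamed "Create client users" task in the second hunk, which loops over the same `keycloak_clients | flatten` list, so with the placeholder default entry (`name: ''`) it still includes `manage_client_users.yml` for a client that was never created; add `when: client.name|length > 0` after its `loop_control` block. "Create client roles" in the first hunk's trailing context most likely needs the same guard, but its `loop`/`loop_control` lines fall between the two hunks and are not visible here. Both hunks cut through the task list, which continues outside them.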


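--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,13 @@
+---
+- name: Manage Users
+include_tasks: manage_user.yml
+loop: "{{ client.users | flatten }}"
+loop_control:
+loop_var: user
+- name: Manage User Roles
+include_tasks: manage_user_roles.yml
+loop: "{{ client.users | flatten }}"
+loop_control:
+loop_var: user
+when: "'client_roles' in user"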
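Review bot: Both tasks loop over `client.users | flatten` with no default, so a client entry that omits `users` aborts the run with an undefined-attribute error instead of being skipped; use `loop: "{{ client.users | default([]) | flatten }}"` in both. Each loop item is a whole user mapping which, judging by the test playbooks in this commit, carries a `password` field, and an `include_tasks` loop prints the item for every iteration; adding `label: "{{ user.username }}"` under each `loop_control` keeps the password out of the play output (verify in a run, as `no_log` is not honoured on include tasks as far as I know). If `manage_user_roles.yml` loops over `user.client_roles` the same way, the `| default([])` treatment applies there too; that file is not part of this commit.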


@ -5,7 +5,7 @@
validate_certs: no validate_certs: no
headers: headers:
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}" Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
register: keycloak_user_serach_result register: keycloak_user_search_result
- name: "Create User" - name: "Create User"
uri: uri:
@ -23,7 +23,7 @@
headers: headers:
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}" Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
status_code: 201 status_code: 201
when: keycloak_user_serach_result.json | length == 0 when: keycloak_user_search_result.json | length == 0
- name: "Get User" - name: "Get User"
uri: uri:


@ -0,0 +1,16 @@
---
# vars file for keycloak_realm
# administrator console password, this is a required variable
keycloak_admin_password:
# name of the realm to create, this is a required variable
keycloak_realm:
# keycloak realm clients, this is a required variable
keycloak_clients:
# other settings
keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined else False }}"