Changeset View
Changeset View
Standalone View
Standalone View
sysadm/user-management/keycloak/how-to-set-user-perms.rst
- This file was moved from docs/keycloak/index.rst.
.. _keycloak: | |||||
Keycloak | |||||
======== | |||||
.. contents:: | |||||
:depth: 3 | |||||
.. | |||||
Software Heritage uses `Keycloak <https://www.keycloak.org/>`__, an open | |||||
source identity and access management solution, to identify and | |||||
authenticate users on its services (for instance the | |||||
`archive's Web API <https://archive.softwareheritage.org/api/>`_ | |||||
and the :ref:`deposit server <swh-deposit>`). | |||||
Keycloak implements the `OpenID Connect <https://openid.net/connect/>`__ | |||||
specification, a simple identity layer on top of the OAuth 2.0 protocol. | |||||
It allows to get single sign-on (SSO) on various services. | |||||
The base URL to interact with that authentication service is | |||||
https://auth.softwareheritage.org/auth/. | |||||
Introduction | |||||
------------ | |||||
Keycloak defines three important concepts to know about: | |||||
Realm | |||||
It manages a set of users, credentials, roles, and groups. A user belongs | |||||
to and logs into a realm. Realms are isolated from one another and can only manage and | |||||
authenticate the users that they control. | |||||
Client | |||||
Entities that can request Keycloak to authenticate a user. Most often, | |||||
clients are applications and services that want to use Keycloak to secure themselves and | |||||
provide a single sign-on solution. Clients can also be entities that just want to | |||||
request identity information or an access token so that they can securely invoke other | |||||
services on the network that are secured by Keycloak. | |||||
Role | |||||
It identifies a type or category of users. Applications (e.g. webapp, | |||||
deposit) often assign access and permissions to specific roles rather than individual | |||||
users as dealing with users can be too fine grained and hard to manage. There is a | |||||
global namespace for roles and each client also has its own dedicated namespace where | |||||
roles can be defined. | |||||
.. _software_heritage_realms: | |||||
Software Heritage Realms | |||||
------------------------ | |||||
Two realms are available for Software Heritage: | |||||
- `SoftwareHeritageStaging <https://auth.softwareheritage.org/auth/admin/SoftwareHeritageStaging/console/>`__, | |||||
for testing purposes | |||||
- `SoftwareHeritage <https://auth.softwareheritage.org/auth/admin/SoftwareHeritage/console/>`__, | |||||
for production use | |||||
The links above target the Admin console of each realm from which | |||||
everything can be configured. | |||||
.. _realm_administration: | .. _realm_administration: | ||||
Realm administration | Realm administration | ||||
-------------------- | ==================== | ||||
.. admonition:: Intended audience | |||||
:class: important | |||||
Operation Staff members | |||||
.. _user_registration: | .. _user_registration: | ||||
User registration | User registration | ||||
^^^^^^^^^^^^^^^^^ | ^^^^^^^^^^^^^^^^^ | ||||
While public user registration is available by clicking on the "Register" link from the | While public user registration is available by clicking on the "Register" link from the | ||||
login page, realm administrators can still manually create a new user by following that | login page, realm administrators can still manually create a new user by following that | ||||
guide. | guide. | ||||
To register and invite a new user in a realm, click on the **Users** menu entry on the | To register and invite a new user in a realm, click on the **Users** menu entry on the | ||||
left part of the admin interface, then click on the **Add user** button on the top right | left part of the admin interface, then click on the **Add user** button on the top right | ||||
part of the users page. | part of the users page. | ||||
.. figure:: keycloak_add_user_01.jpg | .. figure:: ../../images/keycloak_add_user_01.jpg | ||||
:alt: keycloak_add_user_01.jpg | :alt: keycloak_add_user_01.jpg | ||||
:width: 1000px | :width: 1000px | ||||
Click on the Add user button | Click on the Add user button | ||||
Then fill in the form with basic information about the user: username, | Then fill in the form with basic information about the user: username, | ||||
email, first name and last name. | email, first name and last name. | ||||
Save the user and then go to the **Credentials** tab. | Save the user and then go to the **Credentials** tab. | ||||
.. figure:: keycloak_add_user_02.jpg | .. figure:: ../../images/keycloak_add_user_02.jpg | ||||
:alt: keycloak_add_user_02.jpg | :alt: keycloak_add_user_02.jpg | ||||
Fill in information on user | Fill in information on user | ||||
We are now going to send a mail to the user telling him that an account | We are now going to send a mail to the user telling him that an account | ||||
has been created for him with a link to verify his email, set his | has been created for him with a link to verify his email, set his | ||||
password and update its profile if needed. | password and update its profile if needed. | ||||
Go to **Credential Reset** section and insert the **Verify Email** , **Update Password** | Go to **Credential Reset** section and insert the **Verify Email** , **Update Password** | ||||
and **Update Profile** actions into the **Reset Actions** field. Increase the **Expires | and **Update Profile** actions into the **Reset Actions** field. Increase the **Expires | ||||
In** value to 24 hours and then click on **Send Mail**. | In** value to 24 hours and then click on **Send Mail**. | ||||
.. figure:: keycloak_add_user_03.jpg | .. figure:: ../../images/keycloak_add_user_03.jpg | ||||
:alt: keycloak_add_user_03.jpg | :alt: keycloak_add_user_03.jpg | ||||
:width: 1000px | :width: 1000px | ||||
Send the invite and reset password email | Send the invite and reset password email | ||||
The user account will be active once the email verified, the password changed and the | The user account will be active once the email verified, the password changed and the | ||||
profile validated. | profile validated. | ||||
Show All 10 Lines | |||||
To edit a user, click on the **Users** menu entry on the left part of the admin | To edit a user, click on the **Users** menu entry on the left part of the admin | ||||
interface, then click on the **View all users** button on the top left part of the users | interface, then click on the **View all users** button on the top left part of the users | ||||
page. | page. | ||||
Then select the user you want to set permission and click on the | Then select the user you want to set permission and click on the | ||||
**Edit** action. | **Edit** action. | ||||
.. figure:: keycloak_add_user_permission_01.jpg | .. figure:: ../../images/keycloak_add_user_permission_01.jpg | ||||
:alt: keycloak_add_user_permission_01.jpg | :alt: keycloak_add_user_permission_01.jpg | ||||
:width: 1400px | :width: 1400px | ||||
List and select user for edition | List and select user for edition | ||||
Once the user details interface is displayed, click on the **Role Mappings** tab then | Once the user details interface is displayed, click on the **Role Mappings** tab then | ||||
type the name of the client containing the roles to add for the user in the **Client | type the name of the client containing the roles to add for the user in the **Client | ||||
roles** combobox and select it. | roles** combobox and select it. | ||||
The client roles will then be displayed in multiple lists. | The client roles will then be displayed in multiple lists. | ||||
.. figure:: keycloak_add_user_permission_02.jpg | .. figure:: ../../images/keycloak_add_user_permission_02.jpg | ||||
:alt: keycloak_add_user_permission_02.jpg | :alt: keycloak_add_user_permission_02.jpg | ||||
:width: 1400px | :width: 1400px | ||||
Edit the client role | Edit the client role | ||||
To add a client role for the user, select the one of interest in the **Available Roles** | To add a client role for the user, select the one of interest in the **Available Roles** | ||||
list and click on the **Add selected** button. | list and click on the **Add selected** button. | ||||
To remove a client role for the user, select the one of interest in the **Assigned | To remove a client role for the user, select the one of interest in the **Assigned | ||||
Roles** list and click on the **Removed selected** button. | Roles** list and click on the **Removed selected** button. | ||||
And that's it, assigned roles can then be found in the JSON Web Tokens generated by | And that's it, assigned roles can then be found in the JSON Web Tokens generated by | ||||
Keycloak. | Keycloak. | ||||
.. figure:: keycloak_add_user_permission_03.jpg | .. figure:: ../../images/keycloak_add_user_permission_03.jpg | ||||
:alt: keycloak_add_user_permission_03.jpg | :alt: keycloak_add_user_permission_03.jpg | ||||
:width: 1400px | :width: 1400px | ||||
Assign client role | Assign client role | ||||
.. figure:: keycloak_add_user_permission_04.jpg | .. figure:: ../../images/keycloak_add_user_permission_04.jpg | ||||
:alt: keycloak_add_user_permission_04.jpg | :alt: keycloak_add_user_permission_04.jpg | ||||
:width: 1400px | :width: 1400px | ||||
Client role assigned | Client role assigned |