KeycloakService and friends #13355
KeycloakService and friends #13355
Conversation
|
|
||
| from confluent_kafka import Producer | ||
|
|
||
| class OAuthProducer: |
There was a problem hiding this comment.
do we plan to integrate oauth support into other kafka clients we use in ducktape (at least the ones that support it)?
There was a problem hiding this comment.
Good question. There's a line item on the epic to add oauth support to a Java client, but that's it afaik.
oleiman
force-pushed
the
keycloak-DT
branch
from
d7424b0
to
67c73ef
Compare
There was a problem hiding this comment.
Looks great.
It might be worth integrating this with https://github.com/redpanda-data/redpanda/blob/dev/tests/rptest/clients/python_librdkafka.py
oleiman
force-pushed
the
keycloak-DT
branch
from
67c73ef
to
4769ceb
Compare
There was a problem hiding this comment.
This is looking pretty good! Can you maybe reorder/squash up your commits? I can't speak for everyone else, but I like to review PRs one commit at a time, and if there are substantial changes in architecture between commits (i.e. you dropped oauth_producer in favor of using python_librdkafka, which is good!), it makes it a little bit confusing to do that.
tests/rptest/services/keycloak.py
Outdated
| return len(self.pids(node)) > 0 | ||
|
|
||
| def start_node(self, node, **kwargs): | ||
| self.logger.warn("Starting Keycloak service") |
There was a problem hiding this comment.
nit: info level I think is the typical level we use for these sort of messages (if not debug)
There was a problem hiding this comment.
if not debug
So it is. Must have misread kerberos.py
@michael-redpanda - yeah, sorry. made those structural changes after Noah and maybe Ben had already taken a look. I'll squash 'em up now. |
oleiman
force-pushed
the
keycloak-DT
branch
from
ef0c5b1
to
03c4ab9
Compare
| self.keycloak.clean_node(kc_node) | ||
| assert False, "Keycloak failed to start" | ||
|
|
||
| self.rpk.create_topic('foo') |
There was a problem hiding this comment.
You'll also need to create an ACL for the principal over this topic. The default mapping from the token to a principal is that the principal is extracted from the sub claim of the access token (until that becomes more configurable).
In this case that might be service-account-{CLIENT_ID}, depending on how Keycloak works.
tests/rptest/services/keycloak.py
Outdated
| # 'standardFlowEnabled': True, # authorization flow grant | ||
| # 'directAccessGrantsEnabled': True, # resource owner password grant | ||
| # 'implicitFlowEnabled': True, # implicit grant |
There was a problem hiding this comment.
nit: Any reason these should remain here? For code clarity can we remove commented out code.
There was a problem hiding this comment.
These are the flags to enable different grant types on the client; left them in for pseudo-documentation purposes because they're slightly obtuse. PRD calls exclusively for client-credentials though; will remove.
oleiman
force-pushed
the
keycloak-DT
branch
2 times, most recently
from
f47a0fa
to
9141ded
Compare
oops, not sure what happened there. done |
oleiman
force-pushed
the
keycloak-DT
branch
3 times, most recently
from
e931538
to
baaaa30
Compare
|
/cdt |
|
/cdt |
|
/cdt |
oleiman
force-pushed
the
keycloak-DT
branch
from
b9f7021
to
1182e7d
Compare
|
/cdt |
oleiman
force-pushed
the
keycloak-DT
branch
from
1182e7d
to
7a971a1
Compare
|
/cdt |
oleiman
force-pushed
the
keycloak-DT
branch
2 times, most recently
from
b22a158
to
a8552fe
Compare
|
/cdt |
|
force push to (actually) fix CDT finally |
| # assert len(self.produce_messages) == 3, f"Expected 3 messages, got {len(self.produce_messages)}" | ||
| # assert len(self.produce_errors) == 0, f"Expected 0 errors, got {len(self.produce_errors)}" |
There was a problem hiding this comment.
THe idea is that these will be uncommented once paired with a working OIDC implementation in RP?
There was a problem hiding this comment.
So my feeling with this is, uncommented them, mark the test @ok_to_fail and then remove it once OIDC is integrated. Thoughts @BenPope ?
There was a problem hiding this comment.
Eh, maybe better to remove them? I still think the other assertions here have some value in terms of testing the test.
There was a problem hiding this comment.
Other option would be to just have this test be a simple service test (does this service actually work) and remove any comms with Redpanda and add them back later.
There was a problem hiding this comment.
Ripped a bunch of it out. Left a few things in to demonstrate service user manipulation and that librdkafka does the correct thing when passed the OAUTHBEARER algorithm, but the rest, I agree, was just noise.
oleiman
force-pushed
the
keycloak-DT
branch
from
a8552fe
to
08b2399
Compare
- Makes use of keycloak-python
- Requires a lightly patched fork to get around a urllib3
version mismatch.
- Methods for creating and updating users, clients
- Spins up a redpanda cluster and a KeycloakService
- Creates a user under the demo realm, with realm-admin priv
- Registers a client with keycloak
- Update client's service account to include an email address
- This will appear in the access token as the grant includes
the 'email' scope.
- Initializes PythonLibrdkafka with appropriate info (client ID, secret)
- Sends some messages (this will fail without backend support)
oleiman
force-pushed
the
keycloak-DT
branch
from
08b2399
to
8660699
Compare
|
force pushed a rebase on dev - I think the branch fell a bit too far behind for CI |
|
/ci-repeat 1 |
|
/cdt |
As work adding OIDC authentication to Redpanda gets underway, we would like to have
access to a locally installable/configurable identity provider service for the purposes of
experimentation and integration testing. This PR introduces a new ducktape service
(
KeycloakService) to this end, built around the open source KeycloakIAM application.
Additionally, this PR integrates OAuth/OIDC support into the existing
PythonLibrdkafkaducktape client and adds a
redpanda_oauth_test.py. The latter contains a simple testto spin up a keycloak service and demonstrate that it is alive and servicing requests.
Fixes: https://github.com/redpanda-data/core-internal/issues/748 https://github.com/redpanda-data/core-internal/issues/755
Backports Required
Release Notes