Configuring RDM Authorization
Keycloak is the only Identity and Access Management (IAM) tool available for the RDM web application. All user-role mapping must be carried out in Keycloak according to the instructions in Mapping Roles and Users.

As Keycloak can simultaneously manage roles and users for the web applications of multiple Ataccama products, roles in Keycloak are automatically mapped to a specific Ataccama web application using the role prefix defined for that application. For this reason, Keycloak roles for RDM must have the prefix RDM_.

Roles without a prefix are intended to be composite roles that comprise prefixed roles (the prefix describes which roles should apply in each module). For example, admin in ONE is a composition of MMM_admin, RDM_admin, and other admin roles. For more information about composite roles, see the Keycloak official documentation.
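The following is an added example (not Ataccama's or Keycloak's code) showing how the prefix convention above turns a user's Keycloak roles into the roles one application sees: composite roles expand into their members, and only members carrying the application's prefix apply to that application. The composite definitions are constructed for the example; OTHER_admin stands in for the "other admin roles" mentioned above.

```python
# Added example (not Ataccama's or Keycloak's code): resolve the roles a
# Keycloak user effectively holds for one application, following the two
# rules described on this page:
#   1. unprefixed composite roles (e.g. "admin") expand into their members;
#   2. only members carrying the application's prefix ("RDM_") apply to it.
# The composite definitions are constructed; "OTHER_admin" is a placeholder.

RDM_PREFIX = "RDM_"

# composite role name -> member roles (constructed for the example)
COMPOSITES = {
    "admin": ["MMM_admin", "RDM_admin", "OTHER_admin"],
    "editor": ["RDM_user", "MMM_user"],
}

def expand_roles(assigned, composites=COMPOSITES):
    """Flatten assigned roles into effective leaf roles, expanding composites
    recursively; the 'seen' set stops on cyclic composite definitions."""
    effective, seen, stack = set(), set(), list(assigned)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        if role in composites:
            stack.extend(composites[role])   # composite: keep expanding
        else:
            effective.add(role)              # leaf role
    return effective

def app_roles(assigned, prefix=RDM_PREFIX, composites=COMPOSITES):
    """Roles that apply to the application owning `prefix`, with the prefix
    stripped: "RDM_admin" becomes "admin" inside the RDM web application."""
    return sorted(r[len(prefix):] for r in expand_roles(assigned, composites)
                  if r.startswith(prefix))

def unmapped_roles(assigned, composites=COMPOSITES):
    """Leaf roles with no module prefix at all: they map to no application,
    which usually means a role was created without the mandatory prefix."""
    return sorted(r for r in expand_roles(assigned, composites)
                  if "_" not in r)

if __name__ == "__main__":
    print("RDM roles for ONE admin:", app_roles(["admin"]))
    print("unmapped:", unmapped_roles(["admin", "viewer"]))
```

The same functions work for any other module prefix (pass prefix="MMM_"), which is the point of the convention: one composite role in Keycloak, one prefixed slice per application.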
RDM default users

By default, the RDM build is configured to contain the following default users for RDM:

- RDM_user, with editing permissions.
- RDM_admin, with admin permissions.

Due to configuration changes, the Admin Console no longer grants access to the role RDM_admin but to the role defined in ataccama.one.rdm.system-group-name, which is also where access to the RDM web application Permissions tab is defined. This means the role defined in this property has access to both the Permissions tab and the Admin Console. For access to the Permissions tab only, use the property ataccama.one.rdm.permissions-group-name.
Otherwise, use the following guide to start working with Keycloak and RDM.
Install and configure Keycloak

Configuring Keycloak as a service

- Copy the <keycloak>\docs\contrib\scripts\service folder into <keycloak>\bin.
- To configure the Keycloak server startup, add the following code to <keycloak>\bin\standalone.conf.bat right before the :JAVA_OPTS_SET line:

```batch
rem # Ataccama's configuration
set "JAVA_OPTS=%JAVA_OPTS% -Dkeycloak.profile.feature.token_exchange=enabled -Djboss.socket.binding.port-offset=3 -Djava.net.preferIPv4Stack=true -Djboss.tx.node.id=atakeycloak"
set "NOPAUSE=true"
```

  - -Djboss.socket.binding.port-offset: Use this option to change the offset for all ports. For example, in the default configuration, Keycloak uses the following ports: HTTP:8080, HTTPS:8443, MNGMT_HTTP:9990, MNGMT_HTTPS:9993, AJP:8009. Setting port-offset=3 shifts all ports by three, so the actual ports used are HTTP:8083, HTTPS:8446, MNGMT_HTTP:9993, MNGMT_HTTPS:9996, and AJP:8012.
  - -Djboss.tx.node.id: Fill in with a unique value for the server.
- Run the following command as an administrator in the command prompt:

```batch
<keycloak>\bin\service\service.bat install
```

- The service is now available under Windows Services with the Wildfly name.

If the service takes too long to restart or fails to start or stop, stop the java.exe process and restart Java.
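The following is an added example (not Ataccama's or Keycloak's code) for checking that the standalone.conf.bat edit described above was applied as intended. It parses every -Dkey=value system property passed through set "JAVA_OPTS=..." lines, verifies the Ataccama block precedes the :JAVA_OPTS_SET label, derives the effective listening ports from jboss.socket.binding.port-offset, and flags a jboss.tx.node.id still equal to atakeycloak (treating the value shown above as a placeholder to be replaced is an assumption). The file excerpt is constructed, not copied from a Keycloak installation.

```python
# Added example (not Ataccama's or Keycloak's code): verify the
# standalone.conf.bat edit from this page. The conf excerpt is constructed.
import re

# Default ports as listed on this page.
DEFAULT_PORTS = {"HTTP": 8080, "HTTPS": 8443, "MNGMT_HTTP": 9990,
                 "MNGMT_HTTPS": 9993, "AJP": 8009}
SAMPLE_NODE_ID = "atakeycloak"   # assumption: the documented value is a placeholder

# Constructed excerpt of <keycloak>\bin\standalone.conf.bat after the edit.
SAMPLE_CONF = r'''
set "JAVA_OPTS=-Xms64M -Xmx512M -XX:MetaspaceSize=96M"
rem # Ataccama's configuration
set "JAVA_OPTS=%JAVA_OPTS% -Dkeycloak.profile.feature.token_exchange=enabled -Djboss.socket.binding.port-offset=3 -Djava.net.preferIPv4Stack=true -Djboss.tx.node.id=atakeycloak"
set "NOPAUSE=true"
:JAVA_OPTS_SET
'''

SET_RE = re.compile(r'^\s*set\s+"?JAVA_OPTS=(.*?)"?\s*$', re.IGNORECASE)
PROP_RE = re.compile(r'-D([\w.\-]+)(?:=(\S*))?')

def parse_conf(conf_text):
    """Return (props, ataccama_line, label_line): every -D property from the
    JAVA_OPTS set lines (a later line overrides an earlier one, as the JVM
    does with duplicate -D options), plus the 0-based line numbers of the
    Ataccama set line and of the :JAVA_OPTS_SET label, or None if absent."""
    props, ataccama_line, label_line = {}, None, None
    for idx, line in enumerate(conf_text.splitlines()):
        if line.strip().upper() == ":JAVA_OPTS_SET" and label_line is None:
            label_line = idx
        m = SET_RE.match(line)
        if not m:
            continue
        if "token_exchange" in m.group(1) and ataccama_line is None:
            ataccama_line = idx
        for key, value in PROP_RE.findall(m.group(1)):
            props[key] = value
    return props, ataccama_line, label_line

def effective_ports(props):
    """Apply jboss.socket.binding.port-offset to every default port."""
    offset = int(props.get("jboss.socket.binding.port-offset", "0"))
    return {name: port + offset for name, port in DEFAULT_PORTS.items()}

def check_conf(conf_text):
    """List problems with the edit; an empty list means it matches the page."""
    props, ataccama_line, label_line = parse_conf(conf_text)
    findings = []
    if ataccama_line is None:
        findings.append("Ataccama JAVA_OPTS line not found")
    elif label_line is None:
        findings.append(":JAVA_OPTS_SET label not found")
    elif ataccama_line > label_line:
        findings.append("Ataccama JAVA_OPTS line must come before :JAVA_OPTS_SET")
    if props.get("keycloak.profile.feature.token_exchange") != "enabled":
        findings.append("token_exchange feature is not enabled")
    if props.get("jboss.tx.node.id", "") in ("", SAMPLE_NODE_ID):
        findings.append("jboss.tx.node.id still has the sample value; use a value unique to this server")
    return findings

if __name__ == "__main__":
    props, _, _ = parse_conf(SAMPLE_CONF)
    print("effective ports:", effective_ports(props))
    print("findings:", check_conf(SAMPLE_CONF))
```

Run it against the real file with check_conf(open(path).read()); the effective-port table is what to open on the host firewall, and the placement check catches the common mistake of appending the block after the label, where the later set line no longer applies.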
Configuring Keycloak clients

Configure clients under the Ataccamaone realm. Ataccama applications use different clients; for the RDM web application you need to configure the following clients:

- rdm-admin-client
- rdm-token-client
- rdm-webapp-public-client

To see clients in Keycloak:

1. Log in to the Keycloak Admin Console as administrator.
2. Make sure the Ataccamaone realm is selected (check the upper-left corner).
3. From the left navigation bar, select Clients.
4. From the list of clients, select the client ID to open the configuration.
5. Depending on the client's Access Type setting, different configuration fields are available and filled in.
6. Edit all filled-in fields that contain URLs, for example, Valid Redirect URIs, Base URL, and Admin URL. Change the http://localhost:<port> placeholder to the actual client location.
7. Select Save.

Complete steps 3-7 for all relevant RDM clients.
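The following is an added example (not Ataccama's or Keycloak's code) that audits the three RDM clients for URL fields still pointing at the http://localhost:<port> placeholder that step 6 asks you to replace. Its input is a list of Keycloak client representations as found under "clients" in a realm export (clientId, rootUrl, baseUrl, adminUrl, redirectUris and webOrigins are Keycloak's field names); the sample data is constructed, and treating 127.0.0.1 as a placeholder alongside localhost is an assumption.

```python
# Added example (not Ataccama's or Keycloak's code): find RDM clients whose URL
# fields still carry the documentation placeholder. Sample data is constructed.
from urllib.parse import urlparse

RDM_CLIENTS = {"rdm-admin-client", "rdm-token-client", "rdm-webapp-public-client"}
URL_FIELDS = ("rootUrl", "baseUrl", "adminUrl")       # single-valued fields
LIST_FIELDS = ("redirectUris", "webOrigins")          # list-valued fields
PLACEHOLDER_HOSTS = {"localhost", "127.0.0.1"}        # assumption: both are placeholders

# Constructed excerpt of a realm export's "clients" array.
SAMPLE_CLIENTS = [
    {"clientId": "rdm-admin-client", "baseUrl": "https://rdm.example.com/",
     "adminUrl": "https://rdm.example.com/", "redirectUris": ["https://rdm.example.com/*"]},
    {"clientId": "rdm-token-client", "redirectUris": ["http://localhost:8080/*"]},
    {"clientId": "rdm-webapp-public-client", "baseUrl": "http://localhost:8080/",
     "redirectUris": ["https://rdm.example.com/*", "http://localhost:8080/*"],
     "webOrigins": ["+"]},
    {"clientId": "other-app-client", "baseUrl": "http://localhost:9090/"},  # not an RDM client
]

def is_placeholder(url):
    """True when the URL's host is a placeholder host, whatever the port."""
    return urlparse(url).hostname in PLACEHOLDER_HOSTS

def audit_clients(clients, wanted=RDM_CLIENTS):
    """Return {clientId: [(field, url), ...]} for wanted clients that still
    contain a placeholder URL; a wanted client absent from the realm is
    reported as [("missing", None)]."""
    findings, found = {}, set()
    for client in clients:
        cid = client.get("clientId")
        if cid not in wanted:
            continue
        found.add(cid)
        stale = []
        for field in URL_FIELDS:
            url = client.get(field)
            if url and is_placeholder(url):
                stale.append((field, url))
        for field in LIST_FIELDS:
            for url in client.get(field, []):
                if is_placeholder(url):
                    stale.append((field, url))
        if stale:
            findings[cid] = stale
    for missing in sorted(wanted - found):
        findings[missing] = [("missing", None)]
    return findings

if __name__ == "__main__":
    for cid, issues in audit_clients(SAMPLE_CLIENTS).items():
        print(cid, issues)
```

A leftover localhost redirect URI is more than cosmetic: Keycloak will still accept it as a valid redirect target, so the check is worth running after every realm import or environment copy.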
Edit client configuration files

To define the configuration for your Keycloak clients, add or edit the KeycloakDeploymentContributor element in the runtime configuration file. The settings in the KeycloakDeploymentContributor should correspond to the Keycloak settings for the client, which are defined in application.properties.

Keycloak is case sensitive. Make sure to use lowercase if referring to the Keycloak server URL via hostname.

See Encrypt Passwords for information about how to encrypt passwords.

Name | Mandatory | Description
---|---|---
 | Yes | Keycloak server URL. Ending with
 | Yes | Keycloak realm.
 | Yes | Administration Keycloak client ID.
 | Yes | Administration Keycloak client secret.
 | Yes | Token Keycloak client ID.
 | Yes | Token Keycloak client secret.
 | Yes | Token Keycloak issuer.
 | Yes | Keycloak public client ID for web application browsing.
 | Yes | Security header settings (see Web application security).
 | Yes | Security header settings (see Web application security).
Web application security

You can configure RDM web application security by adding response headers (security headers) to HTTP responses from the web application. We recommend setting security headers if your web application is exposed to potential attacks.

The security headers are configured in application.properties. The properties are commented out by default; uncomment them to enable.

Name | Default value
---|---
 | 'self' ${ataccama.authentication.keycloak.server-url}
 | * 'unsafe-inline' 'unsafe-eval'
 | 'self' data:
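The following is an added example (not Ataccama's code) that parses a Content-Security-Policy header value and reports the source expressions that weaken it. The default values in the table above ('self' plus the Keycloak server URL, * 'unsafe-inline' 'unsafe-eval', and 'self' data:) are CSP source lists; the page does not say which directive each belongs to, so the constructed header below assigns them to connect-src, script-src and img-src purely as an assumption, with https://keycloak.example.com standing in for ${ataccama.authentication.keycloak.server-url}.

```python
# Added example (not Ataccama's code): audit a CSP header value for sources
# that weaken it. The sample header and its directive assignment are constructed.

# Source expressions that weaken any directive they appear in.
ALWAYS_WEAK = {
    "'unsafe-inline'": "inline scripts/styles allowed, so injected markup runs",
    "'unsafe-eval'": "string-to-code execution (eval, Function) allowed",
    "*": "resources may be loaded from any origin",
}
# data: URIs are routine for images and fonts but let attacker-controlled
# content become code in these directives.
DATA_SENSITIVE = {"default-src", "script-src", "object-src"}

# Constructed header; directive names are an assumption (see lead-in).
SAMPLE_CSP = (
    "connect-src 'self' https://keycloak.example.com; "
    "script-src * 'unsafe-inline' 'unsafe-eval'; "
    "img-src 'self' data:"
)

def parse_csp(header_value):
    """Split a CSP header into {directive: [sources]}. Directive names and
    keyword sources are case-insensitive; a repeated directive keeps its first
    occurrence, which is how browsers treat duplicates."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def weak_sources(policy):
    """Return {directive: {source: reason}} for every source worth tightening."""
    findings = {}
    for name, sources in policy.items():
        hits = {s: ALWAYS_WEAK[s] for s in sources if s in ALWAYS_WEAK}
        if "data:" in sources and name in DATA_SENSITIVE:
            hits["data:"] = "data: URIs can carry attacker-supplied code"
        if hits:
            findings[name] = hits
    return findings

if __name__ == "__main__":
    for directive, hits in weak_sources(parse_csp(SAMPLE_CSP)).items():
        for source, reason in hits.items():
            print(f"{directive}: {source} -> {reason}")
```

Feed it the Content-Security-Policy value captured from an RDM response (for example with curl -I) after uncommenting the properties: the script-src default above is the one to revisit first, since a list containing * together with 'unsafe-inline' and 'unsafe-eval' leaves the header providing little protection for scripts.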