
Configuring RDM Authorization

Keycloak is the only Identity and Access Management (IAM) tool available for the RDM web application. Furthermore, all user-role mapping must be carried out in Keycloak according to the instructions found in Mapping Roles and Users.

As Keycloak can simultaneously manage roles and users for web applications of multiple Ataccama products, roles in Keycloak are automatically mapped to a specific Ataccama web application using the role prefix defined for the application. For this reason, Keycloak roles for RDM must have the prefix RDM_.

Roles without a prefix are intended to be composite roles which comprise prefixed roles (the prefix describes what roles should apply in each module). For example, admin in ONE is a composition of MMM_admin, RDM_admin, and other admin roles. For more information about composite roles, see Keycloak official documentation.

RDM default users

By default, the RDM build is configured with the following default users:

  • RDM_user, with editing permissions.

  • RDM_admin, with admin permissions.

Because of configuration changes in the Admin Console, access to the Admin Console is no longer granted to the RDM_admin role but to the role defined in the property ataccama.one.rdm.system-group-name, which is also where access to the Permissions tab of the RDM web application is defined. The role named in this property therefore has access to both the Permissions tab and the Admin Console. To grant access to the Permissions tab only, use the property ataccama.one.rdm.permissions-group-name.

Use the following guide to start working with Keycloak and RDM.

Install and configure Keycloak

Configuring Keycloak as a service

  1. Copy the <keycloak>\docs\contrib\scripts\service folder into <keycloak>\bin.

  2. To configure the Keycloak server startup, add the following lines to <keycloak>\bin\standalone.conf.bat immediately before the line : JAVA_OPTS_SET:

    <keycloak>\bin\standalone.conf.bat:

        rem # Ataccama's configuration
        set "JAVA_OPTS=%JAVA_OPTS% -Dkeycloak.profile.feature.token_exchange=enabled -Djboss.socket.binding.port-offset=3 -Djava.net.preferIPv4Stack=true -Djboss.tx.node.id=atakeycloak"
        set "NOPAUSE=true"

    • -Djboss.socket.binding.port-offset: Use this option to change the offset applied to all ports.

      For example, in the default configuration Keycloak uses the following ports: HTTP:8080, HTTPS:8443, MNGMT_HTTP:9990, MNGMT_HTTPS:9993, AJP:8009. Setting port-offset=3 shifts all ports by three, so the ports actually used are HTTP:8083, HTTPS:8446, MNGMT_HTTP:9993, MNGMT_HTTPS:9996, and AJP:8012.

    • -Djboss.tx.node.id: Fill in a value that is unique to this server.

  3. Run the following command as an administrator in a command prompt:

        <keycloak>\bin\service\service.bat install

  4. The service is now available in Windows Services under the name Wildfly.

If the service takes too long to restart, or fails to start or stop, stop the java.exe process and restart Java.

Configuring Keycloak clients

Configure clients under the Ataccamaone realm. Ataccama applications use different clients; for the RDM web application you need to configure the following clients:

  • rdm-admin-client

  • rdm-token-client

  • rdm-webapp-public-client

To see clients in Keycloak:

  1. Log in to the Keycloak Admin Console as administrator.

  2. Make sure the Ataccamaone realm is selected (check the upper-left corner).

  3. From the left navigation bar, select Clients.

  4. From the list of clients, select the client ID to open the configuration.

  5. Depending on the client's Access Type setting, different configuration fields are available and filled in.

  6. Edit every filled-in field that contains a URL, for example Valid Redirect URIs, Base URL, and Admin URL: replace http://localhost:<port> with the actual location of the client.

  7. Select Save.

Complete steps 3-7 for all relevant RDM clients.

Edit client configuration files

To define the configuration for your Keycloak clients, add or edit the KeycloakDeploymentContributor element in the runtime configuration file. The settings in the KeycloakDeploymentContributor should correspond to the Keycloak settings for the client, which are defined in application.properties.

Keycloak is case sensitive. Make sure to use lowercase if referring to the Keycloak server URL via hostname.
See Encrypt Passwords for information about how to encrypt passwords.
All of the following properties are mandatory:

  • ataccama.authentication.keycloak.server-url: Keycloak server URL, ending with /auth.

  • ataccama.authentication.keycloak.realm: Keycloak realm.

  • ataccama.authentication.keycloak.admin.client-id: Administration Keycloak client ID.

  • ataccama.authentication.keycloak.admin.secret: Administration Keycloak client secret.

  • ataccama.authentication.keycloak.token.client-id: Token Keycloak client ID.

  • ataccama.authentication.keycloak.token.secret: Token Keycloak client secret.

  • ataccama.authentication.keycloak.token.issuer: Token Keycloak issuer.

  • ataccama.authentication.keycloak.public.client-id: Keycloak public client ID for web application browsing.

  • ataccama.client.connection.keycloak.http.enabled: Security header settings (see Web application security).

  • ataccama.client.connection.keycloak.http.tls.enabled: Security header settings (see Web application security).

Web application security

You can configure RDM webapp security by adding response headers (security headers) to HTTP responses from the web application.

We recommend setting security headers if your web application is exposed to potential attacks.

The security headers are configured in application.properties. The properties are commented out by default: uncomment them to enable.

Properties and their default values:

  • one.security.header.content-security-policy.connect-src, default: 'self' ${ataccama.authentication.keycloak.server-url}

  • one.security.header.content-security-policy.script-src, default: * 'unsafe-inline' 'unsafe-eval'

  • one.security.header.content-security-policy.img-src, default: 'self' data:
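As an added example that is not part of this page or of Ataccama's own tooling, the following script lints an RDM application.properties file against the two lists above: it reports missing mandatory Keycloak properties, a server-url that does not end with /auth or uses a non-lowercase hostname, security-header properties that are still commented out, and CSP directives left at the permissive defaults (* , 'unsafe-inline', 'unsafe-eval'). The SAMPLE file, hostname and secret value are constructed for illustration.

```python
# Added example, not Ataccama's code: lint an RDM application.properties for the
# Keycloak properties and security headers above. SAMPLE is a constructed file.
MANDATORY = [
    "ataccama.authentication.keycloak.server-url",
    "ataccama.authentication.keycloak.realm",
    "ataccama.authentication.keycloak.admin.client-id",
    "ataccama.authentication.keycloak.admin.secret",
    "ataccama.authentication.keycloak.token.client-id",
    "ataccama.authentication.keycloak.token.secret",
    "ataccama.authentication.keycloak.token.issuer",
    "ataccama.authentication.keycloak.public.client-id",
    "ataccama.client.connection.keycloak.http.enabled",
    "ataccama.client.connection.keycloak.http.tls.enabled",
]
CSP = "one.security.header.content-security-policy."
PERMISSIVE = ("*", "'unsafe-inline'", "'unsafe-eval'")  # weakest CSP source tokens
SAMPLE = """\
ataccama.authentication.keycloak.server-url=http://Keycloak.example:8083/auth
ataccama.authentication.keycloak.realm=ataccamaone
ataccama.authentication.keycloak.admin.client-id=rdm-admin-client
ataccama.authentication.keycloak.admin.secret=PLACEHOLDER_SECRET
# one.security.header.content-security-policy.img-src='self' data:
one.security.header.content-security-policy.script-src=* 'unsafe-inline' 'unsafe-eval'
"""

def parse_properties(text):
    # Split a .properties file into active and commented-out key/value maps.
    active, commented = {}, {}
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or "=" not in line:
            continue
        target = active
        if line[0] in "#!":  # commented-out property: header is still disabled
            line, target = line[1:].strip(), commented
        key, _, value = line.partition("=")
        target[key.strip()] = value.strip()
    return active, commented

def lint(text):
    # Return one finding per problem the page calls out, in a stable order.
    active, commented = parse_properties(text)
    findings = [f"missing: {k}" for k in MANDATORY if k not in active]
    url = active.get("ataccama.authentication.keycloak.server-url", "")
    if url and not url.endswith("/auth"):
        findings.append("server-url must end with /auth")
    host = url.split("://", 1)[-1].split("/", 1)[0]
    if host != host.lower():  # Keycloak is case sensitive
        findings.append("use a lowercase Keycloak hostname")
    findings += [f"still commented out: {k}" for k in commented if k.startswith(CSP)]
    for k, v in active.items():
        if k.startswith(CSP):
            findings += [f"{k} allows {t}" for t in PERMISSIVE if t in v.split()]
    return findings
```

Run lint(open("application.properties").read()) against a real file; an empty result means every mandatory property is set and no CSP directive is left at a permissive value.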
