Add keycloak example

Author: Haarolean

rbac-keycloak/README.md

@@ -0,0 +1,37 @@
+# Keycloak setup
+
+1. Run the example compose file provided in this directory
+2. Go to keycloak admin console at http://localhost:8080/admin and create a new realm (myrealm)
+3. Create users "admin" and "readonly", set passwords for them
+4. Create realms roles "ops" and "ronly". You can use client roles instead if you want to, but this guide won't cover this.
+5. Go to users, assign ops role to admin user and ronly role to readonly user
+
+## Creating a client
+
+Let's create an "openid connect" client:
+
+1. Go to "clients" menu of "myrealm" realm
+2. Create a client, use name (client id) "kafbat-ui-client"
+3. Set "client authentication" to "on" and "authorization" to "on", allow the "standard" (authorization code) flow. 
+4. Set the redirect url to http://localhost:9091/login/oauth2/code/keycloak
+Obtain client secret in "credentials" tab, save it somewhere
+5. Go to "client scopes" tab in our client -> kafbat-ui-client-dedicated -> mappers tab -> add mapper -> from predefined -> find "realm roles", edit added mapper, "token claim name" = "groups", "Claim JSON Type" = String, "Multivalued" = true
+
+This is a simple setup with users assigned to roles directly. You can use groups with roles instead, but this guide doesn't cover it.
+
+## Kafbat UI setup
+
+1. In config.yml example provided, replace client-id and client-secret (obtained earlier) from keycloak
+2. Adjust the roles configuration if needed
+
+When logging in, you should see the following in the logs:
+
+```log
+DEBUG [reactor-http-nio-6] i.k.u.s.r.e.OauthAuthorityExtractor: Principal name is: [name surname]
+DEBUG [reactor-http-nio-6] i.k.u.s.r.e.OauthAuthorityExtractor: Token's groups: [default-roles-myrealm,ops,offline_access,uma_authorization]
+DEBUG [reactor-http-nio-6] i.k.u.s.r.e.OauthAuthorityExtractor: Matched group roles: [admins]
+```
+
+User info is also available at http://localhost:9090/api/authorization endpoint.
+
+Voilà!

rbac-keycloak/config.yml

@@ -0,0 +1,100 @@
+logging:
+  level:
+    org.springframework.security: TRACE
+    io.kafbat.ui.service.rbac: TRACE
+
+dynamic.config.enabled: true
+
+server:
+  port: 9090 # prevent clashes with keycloak ports
+
+auth:
+  type: OAUTH2
+  oauth2:
+    client:
+      keycloak:
+        clientId: kafbat-ui-client
+        clientSecret: # CLIENT SECRET OBTAINED FROM KEYCLOAK
+        scope: openid,roles
+        client-name: keycloak
+        provider: keycloak
+        redirect-uri: http://localhost:9090/login/oauth2/code/keycloak
+        authorization-grant-type: authorization_code
+        issuer-uri: http://localhost:8080/realms/myrealm
+        user-name-attribute: name
+        custom-params:
+          type: oauth
+          roles-field: groups
+
+rbac:
+  roles:
+    - name: "admins"
+      clusters:
+        - local
+      subjects:
+        - provider: oauth
+          type: role
+          value: "ops"
+
+      permissions:
+        - resource: applicationconfig
+          actions: all
+
+        - resource: clusterconfig
+          actions: all
+
+        - resource: topic
+          value: ".*"
+          actions: all
+
+        - resource: consumer
+          value: ".*"
+          actions: all
+
+        - resource: schema
+          value: ".*"
+          actions: all
+
+        - resource: connect
+          value: ".*"
+          actions: all
+
+        - resource: ksql
+          actions: all
+
+        - resource: acl
+          actions: all
+
+        - resource: audit
+          actions: all
+    - name: "readonly"
+      clusters:
+        - local
+      subjects:
+        - provider: oauth
+          type: role
+          value: "ronly"
+      permissions:
+        - resource: clusterconfig
+          actions: [ "view" ]
+
+        - resource: topic
+          value: ".*"
+          actions:
+            - VIEW
+            - MESSAGES_READ
+
+        - resource: consumer
+          value: ".*"
+          actions: [ view ]
+
+        - resource: schema
+          value: ".*"
+          actions: [ view ]
+
+        - resource: connect
+          value: ".*"
+          actions: [ view ]
+
+        - resource: acl
+          actions: [ view ]

rbac-keycloak/docker-compose.yaml

@@ -0,0 +1,27 @@
+---
+version: '3.8'
+name: "kafbat-ui-keycloak"
+
+services:
+
+  kafbat-ui:
+    container_name: kafbat-ui
+    image: ghcr.io/kafbat/kafka-ui:latest
+    network_mode: host  # WON'T WORK ON MACOS UNLESS ORBSTACK IS USED
+    environment:
+      SPRING_CONFIG_ADDITIONAL-LOCATION: /config.yml
+    volumes:
+      - ./config.yml:/config.yml # BEWARE, this might need to be an absolute path instead
+
+  keycloak:
+    image: quay.io/keycloak/keycloak:25.0.0
+    network_mode: host # WON'T WORK ON MACOS UNLESS ORBSTACK IS USED
+    ports:
+      - 8081:8080
+      - 8082:8443 #ssl
+    command: start-dev
+    environment:
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: admin
+    volumes:
+      - /tmp/keycloak:/opt/keycloak/data/ # don't forget to save it somewhere, not in /tmp