github.com/pachyderm/pachyderm@v1.13.4/doc/docs/1.11.x/enterprise/auth/oidc/configure-keycloak.md (about) 1 # Configure Pachyderm with Keycloak 2 3 Keycloak is an open-source identity management solution that supports 4 OIDC and provides authentication and authorization. When using Keycloak 5 with Pachyderm, Keycloak is responsible for authorizing user access to 6 your data that is stored in Pachyderm through identity and access tokens. 7 For more information about Keycloak support for OIDC, see the 8 [Keycloak Documentation](https://www.keycloak.org/docs/latest/securing_apps/#openid-connect-2). 9 10 !!! note 11 Although this section describes how to configure Keycloak with 12 OIDC, you can configure SAML as well with the corresponding 13 [SAML auth config](../../saml/saml_setup/#write-pachyderm-config). 14 15 ## Prerequisites 16 17 Before you can configure Pachyderm to work with Keycloak, you need to 18 have the following components up and running: 19 20 * Pachyderm Enterprise 1.11.x or later. The enterprise token must be 21 activated by running `pachctl enterprise activate`. 22 Check the status of your license by running: 23 24 ```shell 25 pachctl enterprise get-state 26 ``` 27 28 For more information, see [Activate Pachyderm Enterprise Edition](../../../deployment/#activate-pachyderm-enterprise-edition). 29 30 * Keycloak must be running in your environment: 31 32 If you are just testing Keycloak with Pachyderm, you can run 33 Keycloak in Minikube on your machine. Follow the instructions 34 on how to set up Keycloak locally as described in 35 [Keycloak on Kubernetes](https://www.keycloak.org/getting-started/getting-started-kube). 36 37 If you are deploying in production, see [Keycloak Documentation](https://www.keycloak.org/getting-started). 38 39 ## Configure Keycloak 40 41 After you have installed Pachyderm and Keycloak, follow the steps 42 below to configure the two components to work together. 43 44 To configure Pachyderm with Keycloak, complete the following steps: 45 46 1. Go to the **Keycloak Administration Console**. If you have deployed 47 Keycloak on Minikube as described above, get the address of the console 48 by running the following script: 49 50 ```shell 51 KEYCLOAK_URL=https://keycloak.$(minikube ip).nip.io/auth && 52 echo "Keycloak Admin Console: $KEYCLOAK_URL/admin" 53 ``` 54 55 **Example of System Response:** 56 57 ```shell 58 Keycloak Admin Console: https://keycloak.192.168.64.36.nip.io/auth/admin 59 ``` 60 61 1. Paste the link above to a browser and log in as admin. If you have 62 used the instructions above to deploy Keycloak on Minikube, use the following 63 credentials: 64 65 * `username:` `admin` 66 * `password:` `admin` 67 68  69 70 1. If you do not have one already, add a new realm. Otherwise, proceed to 71 the next step. 72 73 A realm is a logically isolated group, similar to a tenant. By default, 74 Keycloak predefines a `Master` realm for administrative purposes. You need 75 to create a new realm for Pachyderm. For example, you can call it 76 `pachyderm`. 77 78 1. If you have created a new realm you need to add users to whom you want to 79 grant access to Pachyderm. Create a user by clicking **Users > Add user** and 80 filling out the required fields. Otherwise, proceed to the next step. 81 82 1. Set up a password for this user by clicking **Credentials** and typing 83 your password information. 84 85 You might want to set the temporary password toggle to off so that your 86 password does not expire. 87 88 1. Create a client for Pachyderm: 89 90 1. Click **Clients > Create**. 91 1. Specify a client ID. For example, *pachyderm-test*. 92 1. Set the **Client Protocol** to **openid-connect**. 93 1. Set the **Root URL** to `http://<ip>:30657/authorization-code/callback`. 94 For example: 95 96 ```shell 97 http://192.168.64.36:30657/authorization-code/callback 98 ``` 99 100 You can configure additional settings, such as require consent and so on, 101 as needed, but this minimal configuration is everything you need to make 102 Keycloak work with Pachyderm. 103 104  105 106 1. Proceed to [Configure Pachyderm](#confgiure-pachyderm). 107 108 ## Configure Pachyderm 109 110 Now that you have Keycloak configured, you need to log in to Pachyderm 111 with the user you have created in Keycloak. 112 113 To configure Pachyderm, complete the following steps: 114 115 1. Go to the terminal and forward the `pachd` pod to the OIDC port: 116 117 1. Get the `pachd` pod ID: 118 119 ```shell 120 kubectl get pod 121 ``` 122 123 **Example system response:** 124 125 ```shell 126 dash-5768cb7d98-j6cgt 2/2 Running 0 4h2m 127 etcd-56d897697-xzsqr 1/1 Running 0 4h2m 128 keycloak-857c59449b-htg99 1/1 Running 0 4h6m 129 pachd-79f7f68c65-9qs8g 1/1 Running 0 4h2m 130 ``` 131 132 1. Forward the `pachd` pod to the OIDC port: 133 134 **Example:** 135 136 ```shell 137 kubectl port-forward pachd-79f7f68c65-9qs8g 30657 138 ``` 139 140 1. Enable Pachyderm authentication: 141 142 ```shell 143 pachctl auth activate --initial-admin=robot:admin 144 ``` 145 146 Pachyderm returns a token. 147 148 **WARNING!** You must save the token to a secure location 149 to avoid being locked out of your cluster. 150 151 1. Log in as the admin user with the token you received in the previous 152 step: 153 154 ```shell 155 pachctl auth use-auth-token 156 ``` 157 158 1. Set up the authentication config: 159 160 ```shell 161 pachctl auth set-config <<EOF 162 { 163 "live_config_version": 1, 164 "id_providers": [{ 165 "name": "keycloak", 166 "description": "oidc-based authentication with locally hosted keycloak", 167 "oidc":{ 168 "issuer": "http://keycloak.<ip>.nip.io/auth/realms/<realm-name>", 169 "client_id": "<client-id>", 170 "redirect_uri": "http://<ip>:30657/authorization-code/callback" 171 } 172 }] 173 } 174 EOF 175 ``` 176 177 You need to replace the following placeholders with relevant values: 178 179 - `issuer` — the URL to the location of your Keycloak realm. 180 - `ip` — the IP of the Kubernetes host. If you are using Minikube, you can get the 181 IP address by running `minikube ip`. 182 183 - `realm-name` — the name of the Keycloak realm that you have created for Pachyderm. 184 In the example, above it is called `pachyderm`. 185 186 - `client-id` — the name of the Pachyderm's Keycloak client. In the example above, 187 `pachyderm-test`. 188 189 - `redirect_uri` — the URL that redirects back to Pachyderm. If you are running Pachyderm 190 in Minikube, it is the Minikube IP address. 191 192 1. Log in as the user you have created in the Pachyderm realm: 193 194 1. Run: 195 196 ```shell 197 pachctl auth login 198 ``` 199 200 **Example of System Response:** 201 202 ```shell 203 You will momentarily be directed to your IdP and asked to authorize 204 Pachyderm\'s login app on your IdP. 205 206 Paste the following URL into a browser if not automatically redirected: 207 208 http://keycloak.192.168.64.36.nip.io/auth/realms/pachyderm/protocol/openid-connect/auth?client_id=pachyderm-test&nonce=O-5zWG2v0KKbijzIJMi289V8qUrY8sg&redirect_uri=http%3A%2F%2F192.168.64.36%3A30657%2Fauthorization-code%2Fcallback&response_type=code&scope=openid+profile+email&state=d4lTSkAImVpvEqiQgHIkf6Fp3Y5E9E8 209 210 Retrieving Pachyderm token... 211 ``` 212 213 1. Go to the browser and log in to the Pachyderm realm 214 with the user you have previously created and no the admin 215 user. 216 217 * If you have enabled **Request consent**, grant access to 218 the realm by clicking **Yes**. 219 220 You should see the following message printed out in your browser: 221 222 ``` 223 You are now logged in. Go back to the terminal to use Pachyderm! 224 ``` 225 226 1. In the terminal, check that you are logged in as the Keycloak user: 227 228 ```shell 229 pachctl auth whoami 230 ``` 231 232 **Example of System Response:** 233 234 ```shell 235 You are "keycloak:test@pachyderm.com" 236 session expires: 06 Aug 20 09:23 PDT 237 ``` 238 239 !!! note "See Also" 240 - [Configure SAML authentication with Okta](../../saml/saml_setup/) 241 242 ## Modifying Realm Settings 243 244 If you make any changes, such as changing the protocol from 245 OIDC to SAML in the Keycloak UI, you will have 246 to update the Pachyderm authentication config as well. Just 247 changing the protocol in the Keycloak UI will result in 248 error the next time users log in. 249 250 ## Limitations 251 252 Pachyderm authentication has the following limitations: 253 254 - Only one identity provider can authenticate with Pachyderm at a time. 255 - Group support is not available with OIDC. 256 - Only one Keycloak realm can be configured with Pachyderm.