fix(RHIDP-3671): Reduce user and group name sizes to support bigger RBAC policies (#91)

Signed-off-by: Pavel Macík <[email protected]>
pmacik authored Oct 1, 2024
1 parent 232ad28 commit 1f0a4ea
Showing 9 changed files with 31 additions and 25 deletions.
10 changes: 5 additions & 5 deletions ci-scripts/rhdh-setup/create_resource.sh
Expand Up @@ -168,7 +168,7 @@ create_group() {
attempt=1
while ((attempt <= max_attempts)); do
token=$(get_token)
groupname="group${0}"
groupname="g${0}"
response="$(curl -s -k --location --request POST "$(keycloak_url)/auth/admin/realms/backstage/groups" \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer '"$token" \
Expand All @@ -189,7 +189,7 @@ create_group() {
create_groups() {
log_info "Creating Groups in Keycloak"
for i in $(seq 1 "$GROUP_COUNT"); do
echo " g, group:default/group${i}, role:default/perf_admin" >>"$TMP_DIR/group-rbac.yaml"
echo " g, group:default/g${i}, role:default/a" >>"$TMP_DIR/group-rbac.yaml"
done
sleep 5
seq 1 "${GROUP_COUNT}" | xargs -n1 -P"${POPULATION_CONCURRENCY}" bash -c 'create_group'
Expand All @@ -202,8 +202,8 @@ create_user() {
token=$(get_token)
grp=$(echo "${0}%${GROUP_COUNT}" | bc)
[[ $grp -eq 0 ]] && grp=${GROUP_COUNT}
username="test${0}"
groupname="group${grp}"
username="t${0}"
groupname="g${grp}"
response="$(curl -s -k --location --request POST "$(keycloak_url)/auth/admin/realms/backstage/users" \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer '"$token" \
Expand Down Expand Up @@ -264,7 +264,7 @@ keycloak_token() {
rhdh_token() {
REDIRECT_URL="$(backstage_url)/oauth2/callback"
REFRESH_URL="$(backstage_url)/api/auth/oauth2Proxy/refresh"
USERNAME="test1"
USERNAME="guru"
PASSWORD=$(oc -n "${RHDH_NAMESPACE}" get secret perf-test-secrets -o template --template='{{.data.keycloak_user_pass}}' | base64 -d)
REALM="backstage"
CLIENTID="backstage"
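Review bot: `USERNAME="guru"` in rhdh_token hard-codes the admin login that this commit also spells out literally in keycloakUser.yaml, rbac-config.yaml and the three app-rbac-patch files, so the copies can drift and a mismatch only surfaces at run time as a failed token request or an admin user without the admin role. Consider one exported variable — say `RHDH_ADMIN_USER` (constructed name) — read here as `USERNAME="${RHDH_ADMIN_USER:?}"` and rendered into the templates; since deploy.sh now limits envsubst for keycloakUser.yaml to `${KEYCLOAK_USER_PASS}`, that variable would have to be added to its list. The same coupling holds for the `t`, `g` and `a` prefixes written by create_user and create_groups, which must agree with template/component/*.template and rbac-config.yaml; a comment at each site naming its counterpart, e.g. `# must match role:default/a in template/backstage/rbac-config.yaml`, would at least make the dependency visible. rhdh_token's body continues past the hunk.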
5 changes: 3 additions & 2 deletions ci-scripts/rhdh-setup/deploy.sh
Expand Up @@ -186,7 +186,8 @@ keycloak_install() {
fi
fi
envsubst <template/keycloak/keycloakClient.yaml | $clin apply -f -
envsubst <template/keycloak/keycloakUser.yaml | $clin apply -f -
# shellcheck disable=SC2016
envsubst '${KEYCLOAK_USER_PASS}' <template/keycloak/keycloakUser.yaml | $clin apply -f -
}

create_users_groups() {
Expand Down Expand Up @@ -235,7 +236,7 @@ backstage_install() {
if ${ENABLE_RBAC}; then
cp template/backstage/rbac-config.yaml "${TMP_DIR}"
cat "$TMP_DIR/group-rbac.yaml" >>"$TMP_DIR/rbac-config.yaml"
$clin apply -f "$TMP_DIR/rbac-config.yaml" --namespace="${RHDH_NAMESPACE}"
until $clin create -f "$TMP_DIR/rbac-config.yaml"; do $clin delete configmap rbac-policy --ignore-not-found=true; done
fi
envsubst <template/backstage/plugin-secrets.yaml | $clin apply -f -
if [ "$INSTALL_METHOD" == "helm" ]; then
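Review bot: The `until $clin create … ; do $clin delete configmap rbac-policy …; done` loop in backstage_install never terminates when `create` fails for any reason other than the object already existing — an oversized ConfigMap, an unreachable API server or a YAML error all make it spin forever, and a `set -e` would not help because the failing command is the loop condition. The old `apply` also passed `--namespace="${RHDH_NAMESPACE}"`, which the new `create` and `delete` do not; unless `$clin` already carries the namespace, the policy lands in the context's current namespace. I would delete once and then create with a bounded retry, and say in a comment why `create` replaced `apply` (presumably a large policy no longer fits in the last-applied-configuration annotation that `apply` writes). backstage_install starts before and ends after the hunk.
```shell
  if ${ENABLE_RBAC}; then
    cp template/backstage/rbac-config.yaml "${TMP_DIR}"
    cat "$TMP_DIR/group-rbac.yaml" >>"$TMP_DIR/rbac-config.yaml"
    # 'create' rather than 'apply': a large policy presumably exceeds what
    # 'apply' can keep in its last-applied-configuration annotation.
    # Replace the ConfigMap, with a bounded retry so a persistent failure
    # (object too large, API unavailable) aborts the install instead of hanging.
    $clin delete configmap rbac-policy --namespace="${RHDH_NAMESPACE}" --ignore-not-found=true
    attempt=1
    until $clin create -f "$TMP_DIR/rbac-config.yaml" --namespace="${RHDH_NAMESPACE}"; do
      if ((attempt >= 5)); then
        printf 'unable to create configmap rbac-policy after %d attempts\n' "$attempt" >&2
        return 1
      fi
      attempt=$((attempt + 1))
      sleep 5
    done
  fi
  # … unchanged: plugin-secrets apply and INSTALL_METHOD branches …
```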
4 changes: 2 additions & 2 deletions ci-scripts/rhdh-setup/template/backstage/app-rbac-patch.yaml
Expand Up @@ -2,7 +2,7 @@
permission:
enabled: true
rbac:
policies-csv-file: './rbac/rbac-policy.csv'
policies-csv-file: "./rbac/rbac-policy.csv"
admin:
users:
- name: user:default/test1
- name: user:default/guru
Expand Up @@ -5,4 +5,4 @@ permission:
policies-csv-file: "./rbac/rbac-policy.csv"
admin:
users:
- name: user:default/test1
- name: user:default/guru
Expand Up @@ -5,4 +5,4 @@ permission:
policies-csv-file: "./rbac-policy.csv"
admin:
users:
- name: user:default/test1
- name: user:default/guru
13 changes: 7 additions & 6 deletions ci-scripts/rhdh-setup/template/backstage/rbac-config.yaml
Expand Up @@ -4,9 +4,10 @@ metadata:
name: rbac-policy
data:
rbac-policy.csv: |
p, role:default/perf_admin, kubernetes.proxy, use, allow
p, role:default/perf_admin, catalog-entity, read, allow
p, role:default/perf_admin, catalog.entity.create, create, allow
p, role:default/perf_admin, catalog.location.create, create, allow
p, role:default/perf_admin, catalog.location.read, read, allow
g, user:development/guest, role:default/perf_admin
p, role:default/a, kubernetes.proxy, use, allow
p, role:default/a, catalog-entity, read, allow
p, role:default/a, catalog.entity.create, create, allow
p, role:default/a, catalog.location.create, create, allow
p, role:default/a, catalog.location.read, read, allow
g, user:default/guru, role:default/a
g, user:development/guest, role:default/a
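Review bot: `role:default/a` and the new `g, user:default/guru, role:default/a` line give no hint of why the role has a one-letter name or that create_resource.sh generates one `g, group:default/g<n>, role:default/a` binding per group, so the next person to "tidy" the name breaks the generated policy without any error at deploy time. A YAML comment above `rbac-policy.csv: |` would make that explicit, e.g. `# Names are deliberately short (role 'a', groups 'g<n>', users 't<n>'): deploy.sh appends one line per generated group and the whole CSV must still fit in this ConfigMap; keep in sync with ci-scripts/rhdh-setup/create_resource.sh`. The `user:development/guest` binding predates this commit but now shares the same role as the admin account `guru`; a one-line comment stating that this is intended for the perf-test environment would stop it from being mistaken for an oversight.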
2 changes: 1 addition & 1 deletion ci-scripts/rhdh-setup/template/component/api.template
Expand Up @@ -7,6 +7,6 @@ metadata:
spec:
type: openapi
lifecycle: production
owner: group${grp_indx}
owner: g${grp_indx}
definition:
$text: https://github.com/APIs-guru/openapi-directory/blob/main/APIs/archive.org/wayback/1.0.0/openapi.yaml
Expand Up @@ -7,5 +7,5 @@ metadata:
spec:
type: library
lifecycle: experimental
owner: group${grp_indx}
owner: g${grp_indx}
system: audio-playback
16 changes: 10 additions & 6 deletions ci-scripts/rhdh-setup/template/keycloak/keycloakUser.yaml
@@ -1,17 +1,21 @@
apiVersion: keycloak.org/v1alpha1
kind: KeycloakUser
metadata:
name: demo
name: guru
labels:
app: sso
spec:
realmSelector:
matchLabels:
app: sso
user:
username: demo
firstName: John
lastName: Doe
email: demo@example.com
username: guru
firstName: Guru
lastName: RHDH Admin
email: guru@test.com
enabled: true
emailVerified: false
emailVerified: true
temporary: false
credentials:
- type: password
value: ${KEYCLOAK_USER_PASS}
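Review bot: `temporary: false` sits at the user level, between `emailVerified` and `credentials`, whereas in the keycloak.org/v1alpha1 KeycloakUser schema I recall `temporary` being a field of each credential entry; if that is right the key is silently ignored here and belongs under `- type: password` next to `value` — worth confirming against the CRD. The rendered CR carries the password in clear text after envsubst, so read access to keycloakusers in this namespace is equivalent to reading the perf-test-secrets secret; a short comment on the `credentials:` line, e.g. `# initial password, injected by deploy.sh from perf-test-secrets; stored in clear text in this CR`, would save the next reader a trip through deploy.sh and make the access implication visible. Together with `emailVerified: true`, a non-temporary password means the account is usable immediately with no reset step, which is presumably intended for the perf-test flow but should be stated.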
