git clone git@github.com:guicassolato/apicurio-registry-authorino && cd apicurio-registry-authorino
Set the shell variables below in the session where you will run all the commands:
OPENSHIFT_DOMAIN=<openshift-domain>
OPENSHIFT_TOKEN=<token>
Log in to the OpenShift cluster and set the context for kubectl:
oc login --token=$OPENSHIFT_TOKEN --server=https://api.$OPENSHIFT_DOMAIN:6443
alias firefox="$(which firefox)"
kubectl create namespace apicurio-registry
Watch the namespaces of interest in a separate terminal, to follow the state of your workload:
watch -n 3 "kubectl get pods --all-namespaces | grep -E 'apicurio-registry|authorino-operator|limitador-operator' | grep -viE 'Completed|OOMKilled'"
kubectl -n apicurio-registry apply -f apicurio-registry-database.yaml
sed "s/\${OPENSHIFT_DOMAIN}/$OPENSHIFT_DOMAIN/g" apicurio-registry.yaml | kubectl -n apicurio-registry apply -f -
firefox --private-window https://apicurio-registry-unprotected.apps.$OPENSHIFT_DOMAIN
OPENSHIFT_DOMAIN=$OPENSHIFT_DOMAIN ./keycloak/install.sh
OPENSHIFT_DOMAIN=$OPENSHIFT_DOMAIN ./keycloak/create-tls-cert-secret.sh
Keycloak's public TLS certificate will be mounted from a ConfigMap into the chain of trusted certificates in the Authorino pod, so that Authorino can verify the TLS connection when it fetches the OIDC discovery document and the JWKS from Keycloak.
curl -sSL https://raw.githubusercontent.com/Kuadrant/authorino-operator/main/config/deploy/manifests.yaml | sed 's/quay.io\/3scale\/authorino-operator:v0.0.1/quay.io\/3scale\/authorino-operator:latest/g' | kubectl apply -f -
The sed above swaps the pinned operator image tag for latest, which is acceptable for a throwaway demo but not reproducible; pin a specific tag (or a digest) for anything longer-lived.
kubectl -n apicurio-registry apply -f authorino.yaml
kubectl apply -f https://raw.githubusercontent.com/Kuadrant/limitador-operator/main/config/deploy/manfiests.yaml
kubectl -n apicurio-registry apply -f limitador.yaml
sed "s/\${OPENSHIFT_DOMAIN}/$OPENSHIFT_DOMAIN/g" envoy.yaml | kubectl -n apicurio-registry apply -f -
firefox --private-window https://apicurio-registry.apps.$OPENSHIFT_DOMAIN
Authenticate in Keycloak with any of the user credentials provided:
- Admin user: username registry-admin, password changeme
- API developer: username registry-developer, password changeme
- API user: username registry-user, password changeme
sed "s/\${OPENSHIFT_DOMAIN}/$OPENSHIFT_DOMAIN/g" authconfig.yaml | kubectl -n apicurio-registry apply -f -
kubectl -n apicurio-registry apply -f ratelimit.yaml
Authorino enforces the same read/write permissions that Apicurio Registry's built-in role-based authorization would otherwise enforce for each user role:
API | Method | Path | Permission | Owner |
---|---|---|---|---|
Groups | GET | /apis/registry/v2/groups/{gid}/artifacts | Read | |
Groups | POST | /apis/registry/v2/groups/{gid}/artifacts | Write | |
Groups | DELETE | /apis/registry/v2/groups/{gid}/artifacts | Write | |
Groups | GET | /apis/registry/v2/groups/{gid}/artifacts/{aid} | Read | Y |
Groups | PUT | /apis/registry/v2/groups/{gid}/artifacts/{aid} | Write | Y |
Groups | DELETE | /apis/registry/v2/groups/{gid}/artifacts/{aid} | Write | Y |
Groups | PUT | /apis/registry/v2/groups/{gid}/artifacts/{aid}/state | Write | Y |
Groups | GET | /apis/registry/v2/groups/{gid}/artifacts/{aid}/meta | Read | Y |
Groups | PUT | /apis/registry/v2/groups/{gid}/artifacts/{aid}/meta | Write | Y |
Groups | POST | /apis/registry/v2/groups/{gid}/artifacts/{aid}/meta | Read | Y |
Groups | GET | /apis/registry/v2/groups/{gid}/artifacts/{aid}/versions | Read | Y |
Groups | POST | /apis/registry/v2/groups/{gid}/artifacts/{aid}/versions | Write | Y |
Groups | GET | /apis/registry/v2/groups/{gid}/artifacts/{aid}/versions/{vid} | Read | Y |
Groups | PUT | /apis/registry/v2/groups/{gid}/artifacts/{aid}/versions/{vid}/state | Write | Y |
Groups | GET | /apis/registry/v2/groups/{gid}/artifacts/{aid}/versions/{vid}/meta | Read | Y |
Groups | PUT | /apis/registry/v2/groups/{gid}/artifacts/{aid}/versions/{vid}/meta | Write | Y |
Groups | DELETE | /apis/registry/v2/groups/{gid}/artifacts/{aid}/versions/{vid}/meta | Write | Y |
Groups | GET | /apis/registry/v2/groups/{gid}/artifacts/{aid}/rules | Read | Y |
Groups | POST | /apis/registry/v2/groups/{gid}/artifacts/{aid}/rules | Write | Y |
Groups | DELETE | /apis/registry/v2/groups/{gid}/artifacts/{aid}/rules | Write | Y |
Groups | GET | /apis/registry/v2/groups/{gid}/artifacts/{aid}/rules/{rid} | Read | Y |
Groups | PUT | /apis/registry/v2/groups/{gid}/artifacts/{aid}/rules/{rid} | Write | Y |
Groups | DELETE | /apis/registry/v2/groups/{gid}/artifacts/{aid}/rules/{rid} | Write | Y |
Groups | PUT | /apis/registry/v2/groups/{gid}/artifacts/{aid}/test | Read | Y |
IDs | GET | /apis/registry/v2/ids/contentIds/{cid} | Read | |
IDs | GET | /apis/registry/v2/ids/globalIds/{gid} | Read | |
IDs | GET | /apis/registry/v2/ids/contentHashes/{hash} | Read | |
Search | GET | /apis/registry/v2/search/artifacts | Read | |
Search | POST | /apis/registry/v2/search/artifacts | Read | |
Admin | GET | /apis/registry/v2/admin/rules | Admin | |
Admin | POST | /apis/registry/v2/admin/rules | Admin | |
Admin | GET | /apis/registry/v2/admin/rules/{rid} | Admin | |
Admin | PUT | /apis/registry/v2/admin/rules/{rid} | Admin | |
Admin | DELETE | /apis/registry/v2/admin/rules/{rid} | Admin | |
Admin | DELETE | /apis/registry/v2/admin/rules | Admin | |
Admin | GET | /apis/registry/v2/admin/loggers | Admin | |
Admin | GET | /apis/registry/v2/admin/loggers/{lid} | Admin | |
Admin | PUT | /apis/registry/v2/admin/loggers/{lid} | Admin | |
Admin | DELETE | /apis/registry/v2/admin/loggers/{lid} | Admin | |
Admin | GET | /apis/registry/v2/admin/export | Admin | |
Admin | POST | /apis/registry/v2/admin/export | Admin | |
Admin | GET | /apis/registry/v2/admin/roleMappings | Admin | |
Admin | POST | /apis/registry/v2/admin/roleMappings | Admin | |
Admin | GET | /apis/registry/v2/admin/roleMappings/{pid} | Admin | |
Admin | PUT | /apis/registry/v2/admin/roleMappings/{pid} | Admin | |
Admin | DELETE | /apis/registry/v2/admin/roleMappings/{pid} | Admin | |
System | GET | /apis/registry/v2/system/info | None | |
Users | GET | /apis/registry/v2/users/me | None | |
For the endpoints that carry an artifact ID in the path, Authorino fetches the artifact's metadata directly from the Apicurio Registry metadata API and compares its createdBy property with the preferred_username claim of the JWT. When Apicurio Registry returns an empty or null createdBy, this ownership rule is skipped and only the role-based check applies, so any user whose role grants the required permission can act on an artifact that has no recorded owner.

For this demo, only POST requests to /apis/registry/v2/groups/default/artifacts are rate-limited: no more than one artifact can be created every 60 seconds, and the counter is global, shared across all users rather than tracked per user.
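The following is an added example, not code from the demo repository or from Authorino: a small Python reference that reproduces the decision the permission matrix, the ownership rule and the rate limit above describe, so the deployed gateway can be checked against an independent oracle (send the same request through Envoy with a token for each user and compare). It encodes a representative subset of the matrix rather than every row. Two things are assumptions, because the page does not state them: the Keycloak realm role names (sr-admin, sr-developer, sr-readonly) and what each grants, and that the "None" permission means authentication only. The sample owners and claims at the bottom are constructed for a stand-alone run.

```python
import re
from typing import Callable, Optional

# Representative subset of the permission matrix above:
# (method, path template, required permission, owner-checked?)
MATRIX = [
    ("GET",    "/apis/registry/v2/groups/{gid}/artifacts",                      "Read",  False),
    ("POST",   "/apis/registry/v2/groups/{gid}/artifacts",                      "Write", False),
    ("GET",    "/apis/registry/v2/groups/{gid}/artifacts/{aid}",                "Read",  True),
    ("PUT",    "/apis/registry/v2/groups/{gid}/artifacts/{aid}",                "Write", True),
    ("DELETE", "/apis/registry/v2/groups/{gid}/artifacts/{aid}",                "Write", True),
    ("GET",    "/apis/registry/v2/groups/{gid}/artifacts/{aid}/versions/{vid}", "Read",  True),
    ("GET",    "/apis/registry/v2/search/artifacts",                             "Read",  False),
    ("DELETE", "/apis/registry/v2/admin/rules",                                  "Admin", False),
    ("GET",    "/apis/registry/v2/system/info",                                  "None",  False),
]

# ASSUMPTION: Keycloak realm role names and what they grant; the page names the
# demo users but not the roles behind them.
ROLE_GRANTS = {
    "sr-admin":     {"Admin", "Write", "Read"},
    "sr-developer": {"Write", "Read"},
    "sr-readonly":  {"Read"},
}

def _compile(template):
    """'/x/{gid}/y/{aid}' -> anchored regex; each {name} matches exactly one path segment."""
    return re.compile("^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$")

ROUTES = [(m, _compile(t), perm, owner) for m, t, perm, owner in MATRIX]

def match_route(method, path):
    """Return (permission, owner_checked, path params) for a known route, else None."""
    for m, rx, perm, owner in ROUTES:
        mo = rx.match(path)
        if m == method and mo:
            return perm, owner, mo.groupdict()
    return None

def authorize(method, path, claims, created_by_of: Callable[[str, str], Optional[str]]):
    """Decide one request the way the text above describes. Returns (allowed, reason).

    claims        -- already-verified JWT claims (issuer/signature checks come first)
    created_by_of -- the metadata lookup: returns the artifact's createdBy, or
                     None/'' when Apicurio Registry has no owner recorded
    """
    route = match_route(method, path)
    if route is None:
        return False, "unknown route, deny by default"
    perm, owner_checked, params = route
    if perm == "None":
        return True, "authentication only"   # ASSUMPTION: 'None' = no authorization rule
    roles = claims.get("realm_access", {}).get("roles", [])
    granted = set().union(*(ROLE_GRANTS.get(r, set()) for r in roles))
    if perm not in granted:
        return False, f"role lacks {perm}"
    if owner_checked:
        owner = created_by_of(params["gid"], params["aid"])
        # Empty/null createdBy: the ownership rule is skipped and the role check alone
        # decides. The page does not exempt admins from the rule, so neither does this.
        if owner and owner != claims.get("preferred_username"):
            return False, "not the artifact owner"
    return True, "allowed"

class GlobalCreateLimit:
    """The page's single rate limit: one artifact creation per 60 s, shared by all users."""
    LIMITED = ("POST", "/apis/registry/v2/groups/default/artifacts")

    def __init__(self, window_s=60):
        self.window_s = window_s
        self.last_allowed = None

    def allow(self, method, path, now):
        if (method, path) != self.LIMITED:
            return True                       # nothing else is rate-limited
        if self.last_allowed is not None and now - self.last_allowed < self.window_s:
            return False
        self.last_allowed = now
        return True

# Constructed sample data for a stand-alone run (not from a real cluster).
SAMPLE_OWNERS = {("default", "petstore"): "registry-developer",
                 ("default", "legacy"):   None}   # artifact with no recorded owner
def lookup(gid, aid):
    return SAMPLE_OWNERS.get((gid, aid))

DEV   = {"preferred_username": "registry-developer", "realm_access": {"roles": ["sr-developer"]}}
USER  = {"preferred_username": "registry-user",      "realm_access": {"roles": ["sr-readonly"]}}
ADMIN = {"preferred_username": "registry-admin",     "realm_access": {"roles": ["sr-admin"]}}

if __name__ == "__main__":
    for who, claims in (("developer", DEV), ("user", USER), ("admin", ADMIN)):
        for method, path in (("PUT", "/apis/registry/v2/groups/default/artifacts/petstore"),
                             ("PUT", "/apis/registry/v2/groups/default/artifacts/legacy"),
                             ("DELETE", "/apis/registry/v2/admin/rules")):
            print(who, method, path, authorize(method, path, claims, lookup))
    limit = GlobalCreateLimit()
    print([limit.allow("POST", "/apis/registry/v2/groups/default/artifacts", t) for t in (0, 30, 61)])
```

Unknown routes are denied rather than allowed, which is the default a gateway policy should have: an endpoint the matrix forgot to list then fails loudly instead of being served with no authorization rule. The ownership rule is applied exactly as the text states it, to every role, including on the read endpoints that the matrix marks as owner-checked; if the real AuthConfig exempts admins, the oracle will disagree with the gateway on that case, which is the kind of discrepancy it exists to surface.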
To sign out, end the session in Keycloak Account Management:
firefox --private-window https://keycloak-apicurio-registry.apps.$OPENSHIFT_DOMAIN/auth/realms/apicurio-registry/account
(Click the Sign out button at the top.)
...or navigate to the logout endpoint directly:
firefox --private-window https://keycloak-apicurio-registry.apps.$OPENSHIFT_DOMAIN/auth/realms/apicurio-registry/protocol/openid-connect/logout
Signing out of Keycloak ends the SSO session but does not remove the authentication cookies the browser holds for the application host; use the Envoy-provided endpoint to clear them:
firefox --private-window https://apicurio-registry.apps.$OPENSHIFT_DOMAIN/signout
Remove Apicurio Registry from the scope of Authorino:
kubectl -n apicurio-registry delete -f authconfig.yaml
Remove the rate-limits definition:
kubectl -n apicurio-registry delete -f ratelimit.yaml
Decommission Envoy:
kubectl -n apicurio-registry delete -f envoy.yaml
Decommission Authorino:
kubectl -n apicurio-registry delete -f authorino.yaml
Decommission Limitador:
kubectl -n apicurio-registry delete -f limitador.yaml
Uninstall Authorino Operator and the Authorino CRDs:
kubectl delete -f https://raw.githubusercontent.com/Kuadrant/authorino-operator/main/config/deploy/manifests.yaml
Uninstall Limitador Operator and the Limitador CRDs:
kubectl delete -f https://raw.githubusercontent.com/Kuadrant/limitador-operator/main/config/deploy/manfiests.yaml
Uninstall Keycloak and the Keycloak CRDs:
./keycloak/uninstall.sh
Decommission Apicurio Registry:
kubectl -n apicurio-registry delete -f apicurio-registry.yaml
Delete the Apicurio Registry database:
kubectl -n apicurio-registry delete -f apicurio-registry-database.yaml
Delete the namespace:
kubectl delete namespace apicurio-registry