Protecting Apicurio Registry with Authorino (on OpenShift)

1. Setup

Clone the repo

git clone git@github.com:guicassolato/apicurio-registry-authorino && cd apicurio-registry-authorino

Set the context

Set the shell variables below in the session where you will run all the commands:

OPENSHIFT_DOMAIN=<openshift-domain>
OPENSHIFT_TOKEN=<token>

Log in to the OpenShift cluster and set the context for kubectl:

oc login --token=$OPENSHIFT_TOKEN --server=https://api.$OPENSHIFT_DOMAIN:6443

(Optional) Make it easy to open Firefox from the terminal:

alias firefox="$(which firefox)"

Create the namespace

kubectl create namespace apicurio-registry

(Optional) Watch the workload:

Watch the namespaces of interest in a separate terminal, to follow the state of your workload:

watch -n 3 "kubectl get pods --all-namespaces | grep -E 'apicurio-registry|authorino-operator|limitador-operator' | grep -viE 'Completed|OOMKilled'"

2. Install Apicurio Registry

Install the Apicurio Registry database

kubectl -n apicurio-registry apply -f apicurio-registry-database.yaml

Install Apicurio Registry

sed "s/\${OPENSHIFT_DOMAIN}/$OPENSHIFT_DOMAIN/g" apicurio-registry.yaml | kubectl -n apicurio-registry apply -f -

Try Apicurio Registry without protection

firefox --private-window https://apicurio-registry-unprotected.apps.$OPENSHIFT_DOMAIN

3. Install Keycloak

Install Keycloak

OPENSHIFT_DOMAIN=$OPENSHIFT_DOMAIN ./keycloak/install.sh

Store the Keycloak TLS certificate

OPENSHIFT_DOMAIN=$OPENSHIFT_DOMAIN ./keycloak/create-tls-cert-secret.sh

Keycloak's public TLS certificate will be mounted from a ConfigMap into the chain of trusted certificates in the Authorino pod.

4. Install Authorino

Install the Authorino Operator

curl -sSL https://raw.githubusercontent.com/Kuadrant/authorino-operator/main/config/deploy/manifests.yaml | sed 's/quay.io\/3scale\/authorino-operator:v0.0.1/quay.io\/3scale\/authorino-operator:latest/g' | kubectl apply -f -

Deploy Authorino

kubectl -n apicurio-registry apply -f authorino.yaml

5. Install Limitador

Install the Limitador Operator

kubectl apply -f https://raw.githubusercontent.com/Kuadrant/limitador-operator/main/config/deploy/manfiests.yaml

Deploy Limitador

kubectl -n apicurio-registry apply -f limitador.yaml

6. Deploy Envoy

sed "s/\${OPENSHIFT_DOMAIN}/$OPENSHIFT_DOMAIN/g" envoy.yaml | kubectl -n apicurio-registry apply -f -

Try Apicurio Registry protected with Envoy and Authorino

firefox --private-window https://apicurio-registry.apps.$OPENSHIFT_DOMAIN

Authenticate in Keycloak with any of the user credentials provided:

  • Admin user
    Username: registry-admin
    Password: changeme
  • API developer
    Username: registry-developer
    Password: changeme
  • API user
    Username: registry-user
    Password: changeme

7. Add access control and rate-limit to the Apicurio Registry API

Create the AuthConfig

sed "s/\${OPENSHIFT_DOMAIN}/$OPENSHIFT_DOMAIN/g" authconfig.yaml | kubectl -n apicurio-registry apply -f -

Create the RateLimit

kubectl -n apicurio-registry apply -f ratelimit.yaml

Try Apicurio Registry with access control and rate limits

Authorization

Authorino enforces, based on the user roles, the same read/write permissions that Apicurio Registry's built-in authorization would otherwise enforce:

API     Method  Path                                                                Permission  Owner
------  ------  ------------------------------------------------------------------  ----------  -----
Groups  GET     /apis/registry/v2/groups/{gid}/artifacts                            Read
Groups  POST    /apis/registry/v2/groups/{gid}/artifacts                            Write
Groups  DELETE  /apis/registry/v2/groups/{gid}/artifacts                            Write
Groups  GET     /apis/registry/v2/groups/{gid}/artifacts/{aid}                      Read        Y
Groups  PUT     /apis/registry/v2/groups/{gid}/artifacts/{aid}                      Write       Y
Groups  DELETE  /apis/registry/v2/groups/{gid}/artifacts/{aid}                      Write       Y
Groups  PUT     /apis/registry/v2/groups/{gid}/artifacts/{aid}/state                Write       Y
Groups  GET     /apis/registry/v2/groups/{gid}/artifacts/{aid}/meta                 Read        Y
Groups  PUT     /apis/registry/v2/groups/{gid}/artifacts/{aid}/meta                 Write       Y
Groups  POST    /apis/registry/v2/groups/{gid}/artifacts/{aid}/meta                 Read        Y
Groups  GET     /apis/registry/v2/groups/{gid}/artifacts/{aid}/versions             Read        Y
Groups  POST    /apis/registry/v2/groups/{gid}/artifacts/{aid}/versions             Write       Y
Groups  GET     /apis/registry/v2/groups/{gid}/artifacts/{aid}/versions/vid         Read        Y
Groups  PUT     /apis/registry/v2/groups/{gid}/artifacts/{aid}/versions/vid/state   Write       Y
Groups  GET     /apis/registry/v2/groups/{gid}/artifacts/{aid}/versions/vid/meta    Read        Y
Groups  PUT     /apis/registry/v2/groups/{gid}/artifacts/{aid}/versions/vid/meta    Write       Y
Groups  DELETE  /apis/registry/v2/groups/{gid}/artifacts/{aid}/versions/vid/meta    Write       Y
Groups  GET     /apis/registry/v2/groups/{gid}/artifacts/{aid}/rules                Read        Y
Groups  POST    /apis/registry/v2/groups/{gid}/artifacts/{aid}/rules                Write       Y
Groups  DELETE  /apis/registry/v2/groups/{gid}/artifacts/{aid}/rules                Write       Y
Groups  GET     /apis/registry/v2/groups/{gid}/artifacts/{aid}/rules/{rid}          Read        Y
Groups  PUT     /apis/registry/v2/groups/{gid}/artifacts/{aid}/rules/{rid}          Write       Y
Groups  DELETE  /apis/registry/v2/groups/{gid}/artifacts/{aid}/rules/{rid}          Write       Y
Groups  PUT     /apis/registry/v2/groups/{gid}/artifacts/{aid}/test                 Read        Y
IDs     GET     /apis/registry/v2/ids/contentIds/{cid}                              Read
IDs     GET     /apis/registry/v2/ids/globalIds/{gid}                               Read
IDs     GET     /apis/registry/v2/ids/contentHashes/{hash}                          Read
Search  GET     /apis/registry/v2/search/artifacts                                  Read
Search  POST    /apis/registry/v2/search/artifacts                                  Read
Admin   GET     /apis/registry/v2/admin/rules                                       Admin
Admin   POST    /apis/registry/v2/admin/rules                                       Admin
Admin   GET     /apis/registry/v2/admin/rules/{rid}                                 Admin
Admin   PUT     /apis/registry/v2/admin/rules/{rid}                                 Admin
Admin   DELETE  /apis/registry/v2/admin/rules/{rid}                                 Admin
Admin   DELETE  /apis/registry/v2/admin/rules                                       Admin
Admin   GET     /apis/registry/v2/admin/loggers                                     Admin
Admin   GET     /apis/registry/v2/admin/loggers/{lid}                               Admin
Admin   PUT     /apis/registry/v2/admin/loggers/{lid}                               Admin
Admin   DELETE  /apis/registry/v2/admin/loggers/{lid}                               Admin
Admin   GET     /apis/registry/v2/admin/export                                      Admin
Admin   POST    /apis/registry/v2/admin/export                                      Admin
Admin   GET     /apis/registry/v2/admin/roleMappings                                Admin
Admin   POST    /apis/registry/v2/admin/roleMappings                                Admin
Admin   GET     /apis/registry/v2/admin/roleMappings/{pid}                          Admin
Admin   PUT     /apis/registry/v2/admin/roleMappings/{pid}                          Admin
Admin   DELETE  /apis/registry/v2/admin/roleMappings/{pid}                          Admin
System  GET     /apis/registry/v2/system/info                                       None
Users   GET     /apis/registry/v2/users/me                                          None

For the endpoints where an artifact ID is in the path, Authorino will try to match the artifact's createdBy property (fetched directly from the Apicurio Registry artifact metadata endpoint) to the value of the preferred_username claim of the JWT. In cases where Apicurio Registry returns an empty or null createdBy, this authorization rule is skipped.

Rate-limits

For this demo, only POST requests to /apis/registry/v2/groups/default/artifacts are rate-limited. No more than 1 artifact can be created every 60 seconds across all users.
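The permission table, the createdBy owner rule and the single rate limit above can be checked against a small reference model before trusting what the cluster answers. The Python below is an added example and is not the repository's authconfig.yaml or ratelimit.yaml, nor Authorino or Limitador code. It encodes a subset of the table's rows with their permission and Owner flag, applies the owner rule exactly as stated (wherever the Owner column says Y, reads included, with an empty or null createdBy skipping the rule rather than failing it), and models the limit as one fixed-window counter shared by all users. The role names sr-readonly, sr-developer and sr-admin, the metadata store and the requests are assumptions or constructed data; the page only names the three demo users and does not say whether admins are exempt from the owner rule, so this model gives them no exemption.

```python
"""Reference model (added example, not the repo's AuthConfig/RateLimit) of the
access-control table and the createdBy owner rule above, plus the 1-POST-per-60s
limit. Role names sr-readonly/sr-developer/sr-admin are an assumption; the page
only names the three demo users."""
import re
from dataclasses import dataclass

ROLE_LEVEL = {"sr-readonly": "Read", "sr-developer": "Write", "sr-admin": "Admin"}  # assumed
RANK = {"None": 0, "Read": 1, "Write": 2, "Admin": 3}


@dataclass(frozen=True)
class Rule:
    method: str
    template: str    # path template as written in the permission table
    permission: str  # None / Read / Write / Admin
    owner: bool      # True where the table's Owner column says Y


# A subset of the table's rows, copied with their permission and Owner flag.
RULES = [
    Rule("GET",    "/apis/registry/v2/groups/{gid}/artifacts",            "Read",  False),
    Rule("POST",   "/apis/registry/v2/groups/{gid}/artifacts",            "Write", False),
    Rule("GET",    "/apis/registry/v2/groups/{gid}/artifacts/{aid}",      "Read",  True),
    Rule("PUT",    "/apis/registry/v2/groups/{gid}/artifacts/{aid}",      "Write", True),
    Rule("DELETE", "/apis/registry/v2/groups/{gid}/artifacts/{aid}",      "Write", True),
    Rule("GET",    "/apis/registry/v2/groups/{gid}/artifacts/{aid}/meta", "Read",  True),
    Rule("PUT",    "/apis/registry/v2/groups/{gid}/artifacts/{aid}/meta", "Write", True),
    Rule("GET",    "/apis/registry/v2/search/artifacts",                  "Read",  False),
    Rule("GET",    "/apis/registry/v2/admin/rules",                       "Admin", False),
    Rule("POST",   "/apis/registry/v2/admin/rules",                       "Admin", False),
    Rule("GET",    "/apis/registry/v2/system/info",                       "None",  False),
    Rule("GET",    "/apis/registry/v2/users/me",                          "None",  False),
]


def _compile(template):
    # {name} matches one path segment; anchoring keeps /artifacts from matching /artifacts/x.
    return re.compile("^" + re.sub(r"\{[a-z]+\}", "([^/]+)", template) + "$")


COMPILED = [(r, _compile(r.template), re.findall(r"\{([a-z]+)\}", r.template)) for r in RULES]


def match_rule(method, path):
    """Return (rule, {placeholder: value}) for the first matching row, else None."""
    for rule, pattern, names in COMPILED:
        m = pattern.match(path)
        if m and rule.method == method.upper():
            return rule, dict(zip(names, m.groups()))
    return None


def authorize(method, path, roles, preferred_username, fetch_created_by):
    """Role level first, then the owner rule. fetch_created_by(gid, aid) stands in for
    Authorino's call to the artifact metadata endpoint and may return None or ''."""
    hit = match_rule(method, path)
    if hit is None:
        return False, "no rule for this method/path"
    rule, params = hit
    level = max((RANK[ROLE_LEVEL[r]] for r in roles if r in ROLE_LEVEL), default=0)
    if level < RANK[rule.permission]:
        return False, f"needs {rule.permission}, roles grant level {level}"
    if rule.owner:
        created_by = fetch_created_by(params["gid"], params["aid"])
        # Empty or null createdBy: the owner rule is skipped, not failed.
        if created_by and created_by != preferred_username:
            return False, f"artifact was created by {created_by}"
    return True, "ok"


class FixedWindowLimit:
    """One counter shared by all users: max_hits requests per window_seconds."""

    def __init__(self, max_hits=1, window_seconds=60):
        self.max_hits, self.window = max_hits, window_seconds
        self.window_start, self.hits = None, 0

    def allow(self, now):
        if self.window_start is None or now - self.window_start >= self.window:
            self.window_start, self.hits = now, 0
        self.hits += 1
        return self.hits <= self.max_hits


LIMITED = ("POST", "/apis/registry/v2/groups/default/artifacts")  # the only rate-limited call


def handle(method, path, roles, user, fetch_created_by, limiter, now):
    """Combined verdict: an authz denial wins, then the limit, otherwise allowed."""
    ok, reason = authorize(method, path, roles, user, fetch_created_by)
    if not ok:
        return "denied", reason
    if (method.upper(), path) == LIMITED and not limiter.allow(now):
        return "rate-limited", "1 artifact per 60 s across all users"
    return "allowed", reason


# Constructed stand-in for the registry's artifact metadata (not real data).
METADATA = {("default", "orders"): "registry-developer", ("default", "legacy"): None}


def lookup(gid, aid):
    return METADATA.get((gid, aid))
```

To use it, call handle() with the method, path, the roles and preferred_username from the token, lookup (or a function that really queries the metadata endpoint), one shared FixedWindowLimit and a timestamp, and compare the verdict with the status Envoy returns for the same request: "denied" should line up with a 403 from Authorino and "rate-limited" with a 429 from Limitador. A mismatch points either at a gap between the table and the deployed AuthConfig or RateLimit, or at a row the model copied wrongly, which is exactly the kind of drift worth catching before the registry holds anything of value.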

Signing out

Close the session in Keycloak

To sign out, close the session in Keycloak Account Management:

firefox --private-window https://keycloak-apicurio-registry.apps.$OPENSHIFT_DOMAIN/auth/realms/apicurio-registry/account

(Click on the Sign out button on the top.)

...or by navigating to the logout endpoint:

firefox --private-window https://keycloak-apicurio-registry.apps.$OPENSHIFT_DOMAIN/auth/realms/apicurio-registry/protocol/openid-connect/logout

Clear the session cookies in Envoy

Use the Envoy-provided endpoint to clear the authentication cookies:

firefox --private-window https://apicurio-registry.apps.$OPENSHIFT_DOMAIN/signout

Cleanup

Remove Apicurio Registry from the scope of Authorino:

kubectl -n apicurio-registry delete -f authconfig.yaml

Remove the rate-limits definition:

kubectl -n apicurio-registry delete -f ratelimit.yaml

Decommission Envoy:

kubectl -n apicurio-registry delete -f envoy.yaml

Decommission Authorino:

kubectl -n apicurio-registry delete -f authorino.yaml

Decommission Limitador:

kubectl -n apicurio-registry delete -f limitador.yaml

Uninstall Authorino Operator and the Authorino CRDs:

kubectl delete -f https://raw.githubusercontent.com/Kuadrant/authorino-operator/main/config/deploy/manifests.yaml

Uninstall Limitador Operator and the Limitador CRDs:

kubectl delete -f https://raw.githubusercontent.com/Kuadrant/limitador-operator/main/config/deploy/manfiests.yaml

Uninstall Keycloak and the Keycloak CRDs:

./keycloak/uninstall.sh

Decommission Apicurio Registry:

kubectl -n apicurio-registry delete -f apicurio-registry.yaml

Delete the Apicurio Registry database:

kubectl -n apicurio-registry delete -f apicurio-registry-database.yaml

Delete the namespace:

kubectl delete namespace apicurio-registry
