From e31c2b92a9d117b14b0ab36b96aebe69938414de Mon Sep 17 00:00:00 2001 From: mposolda Date: Tue, 4 Oct 2016 15:51:40 +0200 Subject: [PATCH 1/4] KEYCLOAK-3643 Update fuse-admin README about hawtio integration --- examples/fuse/fuse-admin/README.md | 33 +++++++++++++++--------------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/examples/fuse/fuse-admin/README.md b/examples/fuse/fuse-admin/README.md index 050d709250..796cc415c6 100644 --- a/examples/fuse/fuse-admin/README.md +++ b/examples/fuse/fuse-admin/README.md 
@@ -3,15 +3,19 @@ How to secure Fuse admin services Fuse admin console authentication --------------------------------- -Fuse admin console is Hawt.io. See [Hawt.io documentation](http://hawt.io/docs/index.html) for more info about how to secure it with keycloak. +Fuse admin console is Hawt.io. See [Hawt.io documentation](http://hawt.io/docs/index.html) for more info about how to secure it with keycloak. The demo realm +has users `root` , `john` and `mary`, which you can test in similar way like described in the [Hawt.io README](https://github.com/hawtio/hawtio/blob/master/sample-keycloak-integration/README.md) . + +WARN: Hawt.io version bundled in JBoss Fuse has Keycloak support from JBoss Fuse 6.3.1 . For JBoss Fuse 6.3.0 or older, if you want Keycloak integration, you need to uninstall the provided Hawt.io +version and replace it with the different one, which has Keycloak support. You can ideally use the Hawt.io community version 1.4.66 or newer. -SSH authentication with keycloak credentials on JBoss Fuse 6.1 --------------------------------------------------------------- +SSH authentication with keycloak credentials on JBoss Fuse 6.2 or newer +----------------------------------------------------------------------- Keycloak mainly addresses usecases for authentication of web applications, however if your admin services (like fuse admin console) are protected with Keycloak, it may be good to protect non-web services like SSH with Keycloak credentials too. It's possible to do it by using JAAS login module, which -allows to remotely connect to Keycloak and verify credentials based on [Direct access grants](http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/direct-access-grants.html). +allows to remotely connect to Keycloak and verify credentials based on [Direct grants](http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/direct-access-grants.html). Example steps for enable SSH authentication: 
@@ -42,11 +46,17 @@ features:install keycloak-jaas ssh -o PubkeyAuthentication=no -p 8101 admin@localhost ``` +6) In JBoss Fuse 6.2 you may need to install `ssh` feature as it doesn't seem to be installed here by default. + +``` +features:install ssh +``` + And login with password `password` . Note that other users from "demo" realm like bburke@redhat.com don't have SSH access as they don't have `admin` role. -JMX authentication with keycloak credentials on JBoss Fuse 6.1 --------------------------------------------------------------- +JMX authentication with keycloak credentials on JBoss Fuse 6.2 or newer +----------------------------------------------------------------------- This may be needed in case if you really want to use jconsole or other external tool to perform remote connection to JMX through RMI. Otherwise it may be better to use just hawt.io/jolokia as jolokia agent is installed in hawt.io by default. @@ -69,16 +79,7 @@ Note again that users without `admin` role are not able to login as they are not may be still able to access MBeans remotely via HTTP (Hawtio). So make sure to protect Hawt.io web console with same roles like JMX through RMI to really protect JMX mbeans. - -SSH and JMX on JBoss Fuse 6.2 ------------------------------ -For SSH steps are very similar to above for 6.1. In JBoss Fuse 6.2 you may need to install `ssh` feature as it doesn't seem to be installed here by default. - -``` -features:install ssh -``` - -For JMX, the steps are similar like for Fuse 6.1, however there is more fine grained authorization for JMX access in Fuse 6.2. +For JMX, there is fine grained authorization for JMX access in Fuse 6.2. Actually if you login as user `admin`, you have very limited privileges without possibility to do much JMX operations as this user has just `admin` role, which is not allowed to do much in JMX. From 7af125247c2bde412b5dc83b5c815781258a26e8 Mon Sep 17 00:00:00 2001 
From: mposolda Date: Tue, 4 Oct 2016 16:41:12 +0200 Subject: [PATCH 2/4] KEYCLOAK-3643 minor README update --- examples/fuse/fuse-admin/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/fuse/fuse-admin/README.md b/examples/fuse/fuse-admin/README.md index 796cc415c6..d29875d3a2 100644 --- a/examples/fuse/fuse-admin/README.md +++ b/examples/fuse/fuse-admin/README.md @@ -15,7 +15,7 @@ SSH authentication with keycloak credentials on JBoss Fuse 6.2 or newer Keycloak mainly addresses usecases for authentication of web applications, however if your admin services (like fuse admin console) are protected with Keycloak, it may be good to protect non-web services like SSH with Keycloak credentials too. It's possible to do it by using JAAS login module, which -allows to remotely connect to Keycloak and verify credentials based on [Direct grants](http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/direct-access-grants.html). +allows to remotely connect to Keycloak and verify credentials based on [Direct grants](https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.2/topics/sso-protocols/oidc.html). Example steps for enable SSH authentication: @@ -36,7 +36,7 @@ This file contains configuration of the client application, which is used by JAA in [examples readme](../README.md), you can skip this step as `keycloak-jaas` is installed already. Otherwise use those commands (replace Keycloak version in this command with the current version): ``` -features:addurl mvn:org.keycloak/keycloak-osgi-features/1.2.0.Beta1/xml/features +features:addurl mvn:org.keycloak/keycloak-osgi-features/2.2.1.Final/xml/features features:install keycloak-jaas ``` From b5a1b0bc50d388e533d12a51d45d609bd1110959 Mon Sep 17 00:00:00 2001 
From: Stan Silvert Date: Tue, 4 Oct 2016 15:10:13 -0400 Subject: [PATCH 3/4] KEYCLOAK-3650: Empty state for User Federation --- .../partials/realm-identity-provider.html | 2 +- .../resources/partials/user-federation.html | 74 ++++++++++++------- 2 files changed, 50 insertions(+), 26 deletions(-) diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider.html b/themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider.html index 0de7894caa..a7c9e5d64d 100755 --- a/themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider.html +++ b/themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider.html @@ -5,7 +5,7 @@

- Identity Providers + {{:: 'identity-providers' | translate}}

Through Identity Brokering it's easy to allow users to authenticate to Keycloak using external Identity Providers or Social Networks.
We have built-in support for OpenID Connect and SAML 2.0 as well as a number of social networks such as Google, GitHub, Facebook and Twitter. diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/user-federation.html b/themes/src/main/resources/theme/base/admin/resources/partials/user-federation.html index cdf18b877e..2b4a94fb45 100755 --- a/themes/src/main/resources/theme/base/admin/resources/partials/user-federation.html +++ b/themes/src/main/resources/theme/base/admin/resources/partials/user-federation.html @@ -3,39 +3,63 @@ {{:: 'user-federation' | translate}} - - - - - - - - - - - + + + + +
-
-
-
-
{{:: 'id' | translate}}{{:: 'provider-name' | translate}}{{:: 'priority' | translate}}{{:: 'actions' | translate}}
+ + + + + + + + + + - - - - - - - - - - + + + + + + + + + +
+
+
+ +
+
+
{{:: 'id' | translate}}{{:: 'provider-name' | translate}}{{:: 'priority' | translate}}{{:: 'actions' | translate}}
{{getInstanceName(instance)}}{{getInstanceProvider(instance)|capitalize}}{{getInstancePriority(instance)}}{{:: 'edit' | translate}}{{:: 'delete' | translate}}
{{:: 'no-user-federation-providers-configured' | translate}}
{{getInstanceName(instance)}}{{getInstanceProvider(instance) | capitalize}}{{getInstancePriority(instance)}}{{:: 'edit' | translate}}{{:: 'delete' | translate}}
{{:: 'no-user-federation-providers-configured' | translate}}
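Review bot: In PATCH 3/4, realm-identity-provider.html hunk @@ -5,7 +5,7 @@, only the heading is moved to a message key (`{{:: 'identity-providers' | translate}}`), while the description in the unchanged context lines directly below it ("Through Identity Brokering it's easy to allow users to authenticate to Keycloak ..." and "We have built-in support for OpenID Connect and SAML 2.0 ...") stays hard-coded English. Suggest moving that text to message keys in the same change so the empty-state panel is not half translated, or noting in the commit message that it is left for a follow-up.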
From d65343783075c65be50d624810d59637fcd94926 Mon Sep 17 00:00:00 2001 From: Stan Silvert Date: Tue, 4 Oct 2016 17:17:03 -0400 Subject: [PATCH 4/4] KEYCLOAK-3649: Sort role lists in Role Mappings screen. --- .../resources/partials/client-role-detail.html | 10 +++++----- .../resources/partials/client-scope-mappings.html | 14 +++++++------- .../partials/client-service-account-roles.html | 14 +++++++------- .../partials/client-template-scope-mappings.html | 14 +++++++------- .../resources/partials/group-role-mappings.html | 14 +++++++------- .../resources/partials/realm-default-roles.html | 2 +- .../base/admin/resources/partials/role-detail.html | 2 +- .../admin/resources/partials/role-mappings.html | 14 +++++++------- 8 files changed, 42 insertions(+), 42 deletions(-) diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/client-role-detail.html b/themes/src/main/resources/theme/base/admin/resources/partials/client-role-detail.html index 71621517ab..de1a76302d 100755 --- a/themes/src/main/resources/theme/base/admin/resources/partials/client-role-detail.html +++ b/themes/src/main/resources/theme/base/admin/resources/partials/client-role-detail.html @@ -75,7 +75,7 @@
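Review bot: In PATCH 1/4, README.md hunk @@ -3,15 +3,19 @@, the added WARN paragraph tells readers on JBoss Fuse 6.3.0 or older to uninstall the bundled Hawt.io and "replace it with the different one", but gives neither the commands nor a link for doing that. Suggest linking the replacement procedure or listing the steps, and saying plainly that on those versions the admin console is not authenticated through Keycloak until the replacement is done. "You can ideally use" would read more clearly as a stated minimum, for example "use Hawt.io community version 1.4.66 or newer".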
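Review bot: In PATCH 1/4, README.md hunk @@ -42,11 +46,17 @@, the new step 6 (`features:install ssh`) is inserted after the `ssh -o PubkeyAuthentication=no -p 8101 admin@localhost` command and before the context line "And login with password `password`", so the feature install is documented after the connection that depends on it, and the login sentence now follows the install command instead of the ssh command. Suggest moving the `features:install ssh` note ahead of the step that runs ssh, or folding it into the `features:install keycloak-jaas` step, and keeping "And login with password ..." directly under the ssh command.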
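Review bot: In PATCH 1/4, README.md hunk @@ -69,16 +79,7 @@, the replacement sentence "For JMX, there is fine grained authorization for JMX access in Fuse 6.2." still names 6.2 only, although the previous hunk retitles the section to "6.2 or newer". Suggest "in Fuse 6.2 and newer". With the separate 6.2 section removed, this paragraph now follows the note that users without the `admin` role cannot log in, and then says that user `admin` has very limited JMX privileges. A linking sentence that separates being allowed to log in from being authorized for JMX operations would keep readers from assuming the `admin` role is enough.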
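Review bot: In PATCH 2/4, README.md hunk @@ -36,7 +36,7 @@, the `features:addurl` line replaces one hard-coded version (1.2.0.Beta1) with another (2.2.1.Final), even though the context line above it already asks readers to substitute the current Keycloak version. Suggest a visible placeholder in the command instead of a literal version, so the README does not go stale again and readers who copy the line do not install an outdated `keycloak-jaas` feature that no longer matches their server.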