Keycloak integration with RadosGW

Keycloak can be set up as an OpenID Connect Identity Provider, which mobile/web apps can use to authenticate their users. The web token returned as a result of authentication can be used by the mobile/web app to call AssumeRoleWithWebIdentity to get back a set of temporary S3 credentials, which the app can then use to make S3 calls.

Setting up Keycloak

Instructions for installing and bringing up Keycloak can be found here: https://www.keycloak.org/docs/latest/server_installation/.

Configuring Keycloak to talk to RGW

The following configurables have to be added for RGW to talk to Keycloak. The format of the token introspection URL is https://[base-server-url]/token/introspect:

  [client.radosgw.gateway]
  rgw sts key = {sts key for encrypting/ decrypting the session token}
  rgw s3 auth use sts = true

Example showing how to fetch a web token from Keycloak

Several examples of apps authenticating with Keycloak are given here: https://github.com/keycloak/keycloak-quickstarts/blob/latest/docs/getting-started.md. Taking the example of the app-profile-jee-jsp app given in the link above, its client ID and client secret can be used to fetch the access token (web token) as shown below:

  KC_REALM=demo
  KC_CLIENT=<client id>
  KC_CLIENT_SECRET=<client secret>
  KC_SERVER=<host>:8080
  KC_CONTEXT=auth

  # Request tokens for the client credentials (client_credentials grant)
  KC_RESPONSE=$( \
    curl -k -v -X POST \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -d "scope=openid" \
      -d "grant_type=client_credentials" \
      -d "client_id=$KC_CLIENT" \
      -d "client_secret=$KC_CLIENT_SECRET" \
      "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token" \
    | jq . \
  )

  # Extract the access token (web token) from the JSON response
  KC_ACCESS_TOKEN=$(echo "$KC_RESPONSE" | jq -r .access_token)

KC_ACCESS_TOKEN can be used to invoke AssumeRoleWithWebIdentity as described in STS in Ceph.
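The following is an added example, not code from the Ceph documentation or the Keycloak quickstarts, showing the step that follows the script above: handing the Keycloak access token to RGW's AssumeRoleWithWebIdentity and reading back the temporary S3 credentials. It uses only the Python standard library and the AWS STS Query API wire format (POST form body with `Action=AssumeRoleWithWebIdentity`, XML response in the `https://sts.amazonaws.com/doc/2011-06-15/` namespace), which RGW's STS implementation accepts; that the RGW endpoint is the same base URL used for S3 is an assumption taken from the Ceph STS examples. Before sending the token it decodes the JWT claims locally to refuse expired tokens or tokens from an unexpected realm; this is a client-side sanity check only, since RGW itself validates the token through the Keycloak introspection endpoint configured above. The sample token, issuer URL, role ARN and STS response embedded in the block are constructed for the offline demonstration.

```python
"""Exchange a Keycloak access token for temporary S3 credentials via RGW STS.

Added example; not part of the Ceph or Keycloak documentation. Uses the AWS
STS Query API format that RGW accepts. Endpoint/role values are assumptions.
"""
import base64
import json
import os
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Namespace used by AWS-style STS XML responses (RGW emits the same namespace).
STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"

# --- Constructed sample data (not real Keycloak or RGW output) ---------------
SAMPLE_ISSUER = "http://keycloak.example:8080/auth/realms/demo"  # hypothetical realm URL
SAMPLE_CLAIMS = {"iss": SAMPLE_ISSUER, "aud": "account", "exp": 1_700_000_000,
                 "azp": "app-profile-jee-jsp"}


def make_sample_jwt(claims: dict) -> str:
    """Build an UNSIGNED JWS-shaped token purely for the offline demo."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.sig"


SAMPLE_TOKEN = make_sample_jwt(SAMPLE_CLAIMS)
SAMPLE_STS_RESPONSE = """<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult>
    <Credentials>
      <AccessKeyId>EXAMPLEACCESSKEY</AccessKeyId>
      <SecretAccessKey>EXAMPLESECRET</SecretAccessKey>
      <SessionToken>EXAMPLESESSIONTOKEN</SessionToken>
      <Expiration>2024-01-01T01:00:00Z</Expiration>
    </Credentials>
  </AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>"""


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.
    Only for local inspection; RGW verifies the token via Keycloak introspection."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact-serialised token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_is_usable(claims: dict, expected_issuer: str, now: float = None) -> bool:
    """Refuse to send a token that is expired or not issued by the expected realm."""
    now = time.time() if now is None else now
    return claims.get("iss") == expected_issuer and claims.get("exp", 0) > now


def build_assume_role_body(role_arn: str, session_name: str, web_token: str,
                           duration: int = 3600) -> str:
    """Form-encoded body of the STS Query API call (AWS wire format)."""
    return urllib.parse.urlencode({
        "Action": "AssumeRoleWithWebIdentity",
        "Version": "2011-06-15",
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "WebIdentityToken": web_token,
        "DurationSeconds": str(duration),
    })


def parse_credentials(xml_body: str) -> dict:
    """Extract AccessKeyId/SecretAccessKey/SessionToken/Expiration from the STS XML."""
    root = ET.fromstring(xml_body)
    creds = root.find(f"{STS_NS}AssumeRoleWithWebIdentityResult/{STS_NS}Credentials")
    if creds is None:
        raise ValueError("no Credentials element in STS response")
    return {child.tag.replace(STS_NS, ""): child.text for child in creds}


def assume_role_with_web_identity(rgw_endpoint: str, role_arn: str,
                                  session_name: str, web_token: str) -> dict:
    """POST the request to RGW (same base URL as S3, assumed) and return the credentials.
    No SigV4 signing is needed: the web token itself authenticates this call."""
    body = build_assume_role_body(role_arn, session_name, web_token).encode()
    req = urllib.request.Request(rgw_endpoint, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_credentials(resp.read().decode())


if __name__ == "__main__":
    claims = decode_jwt_claims(SAMPLE_TOKEN)
    # The constructed sample token carries an exp in the past, so this prints False.
    print("claims:", claims, "usable now:", token_is_usable(claims, SAMPLE_ISSUER))
    print("parsed sample response:", parse_credentials(SAMPLE_STS_RESPONSE))
    # Live exchange only when a real RGW endpoint, role ARN and Keycloak token are given.
    if all(os.environ.get(k) for k in ("RGW_ENDPOINT", "ROLE_ARN", "KC_ACCESS_TOKEN")):
        live = assume_role_with_web_identity(os.environ["RGW_ENDPOINT"], os.environ["ROLE_ARN"],
                                             "keycloak-session", os.environ["KC_ACCESS_TOKEN"])
        print("AccessKeyId:", live["AccessKeyId"], "expires:", live["Expiration"])
```

Run stand-alone it exercises the offline pieces on the constructed data; exporting `RGW_ENDPOINT`, `ROLE_ARN` and the `KC_ACCESS_TOKEN` produced by the script above performs the real exchange, after which the returned access key, secret key and session token are what the app passes to its S3 client.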