Keycloak

Keycloak is installed on keycloak.opendev.org. It is in a prototype phase for use with the Zuul admin API, and may be used by other OpenDev services in the future.

At a Glance

Hosts:

• https://keycloak.opendev.org

Ansible:

• https://opendev.org/opendev/system-config

• system-config: playbooks/roles/keycloak

• system-config: playbooks/service-keycloak.yaml

Projects:

• https://www.keycloak.org/

• https://github.com/keycloak/keycloak

• https://github.com/keycloak/keycloak/tree/main/quarkus/container

Bugs:

• https://storyboard.openstack.org/#!/project/748

• https://github.com/keycloak/keycloak/issues

Overview

Apache is configured as a reverse proxy to [::1]:8080 and there is also a separate MariaDB database listening on [::1]:3306.

Use

We currently have a “zuul” realm configured, and all user accounts within this realm get administrative access to the WebUI for zuul.opendev.org. The configuration basically follows upstream Zuul’s Configuring Keycloak Authentication document, but we extend the configuration by adding an infra-root group and a zuul-dedicated client scope within the zuul client with a group token mapper whose Token Claim Name is groups. The group mapping allows us to delegate administrative rights globally and on a per-tenant basis with admin-rule entries at the top of our main.yaml file.

Sysadmins should follow the Zuul Admins instructions for adding their accounts to the zuul realm, if such access is desired.