Spring Cloud Data Flow security configuration and integration with RedHat SSO
We are trying to turn on the security for Spring Cloud Data Flow following the documentation ( https://docs.spring.io/spring-cloud-dataflow/docs/current-SNAPSHOT/reference/htmlsingle/#configuration-security ), but we have some knowledge gaps that we are not able to fill.
According to point 9.2, it is possible to configure authentication with OAuth 2.0 and integrate it with SSO. We use RedHat SSO, so we are trying to integrate the two, but we are not able to make it work. Is it possible, or is there a limitation on the SSO used?
Following the documentation, we have set these properties:
So we have some considerations:
Finally, we have tested the configuration in an SCDF instance running in a Docker container, but it does "nothing":
dataflow-server | DEBUG 1 --- [nio-9393-exec-1] org.apache.tomcat.util.http.Parameters : Set query string encoding to UTF-8
dataflow-server | DEBUG 1 --- [nio-9393-exec-1] o.a.t.util.http.Rfc6265CookieProcessor : Cookies: Parsing b[]: JSESSIONID=55694CBB4F694DD2E345AF61AF90B05D
dataflow-server | DEBUG 1 --- [nio-9393-exec-1] o.a.catalina.connector.CoyoteAdapter : Requested cookie session id is 55694CBB4F694DD2E345AF61AF90B05D
dataflow-server | DEBUG 1 --- [nio-9393-exec-1] o.a.c.authenticator.AuthenticatorBase : Security checking request POST /tasks/executions
dataflow-server | DEBUG 1 --- [nio-9393-exec-1] org.apache.catalina.realm.RealmBase : No applicable constraints defined
dataflow-server | DEBUG 1 --- [nio-9393-exec-1] o.a.c.a.jaspic.AuthConfigFactoryImpl : Loading persistent provider registrations from [/tmp/tomcat.1807897745863872641.9393/conf/jaspic-providers.xml]
dataflow-server | DEBUG 1 --- [nio-9393-exec-1] o.a.c.authenticator.AuthenticatorBase : Not subject to any constraint
dataflow-server | INFO 1 --- [nio-9393-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring DispatcherServlet 'dispatcherServlet'
dataflow-server | DEBUG 1 --- [nio-9393-exec-1] o.apache.catalina.core.StandardWrapper : Returning non-STM instance
dataflow-server | DEBUG 1 --- [nio-9393-exec-1] org.apache.tomcat.util.http.Parameters : Set encoding to UTF-8
dataflow-server | DEBUG 1 --- [nio-9393-exec-1] org.apache.tomcat.util.http.Parameters : Start processing with input [name=microapabatch&arguments=--my.arguments.sleep=2000+--my.arguments.forceFailure=false]
dataflow-server | TRACE 1 --- [nio-9393-exec-1] s.n.www.protocol.http.HttpURLConnection : ProxySelector Request for https://xxxxxxxxxxxxxxxxxxxxxxxx/openid-connect/token/introspect
dataflow-server | TRACE 1 --- [nio-9393-exec-1] s.n.www.protocol.http.HttpURLConnection : Looking for HttpClient for URL https://xxxxxxxxxxxxxxxxxxxxxxxx/openid-connect/token/introspect and proxy value of DIRECT
dataflow-server | TRACE 1 --- [nio-9393-exec-1] s.n.www.protocol.http.HttpURLConnection : Creating new HttpsClient with url:https://xxxxxxxxxxxxxxxxxxxxxxxx/openid-connect/token/introspect and proxy:DIRECT with connect timeout:-1
dataflow-server | TRACE 1 --- [nio-9393-exec-1] s.n.www.protocol.http.HttpURLConnection : Proxy used: DIRECT
dataflow-server | DEBUG 1 --- [nio-9393-exec-1] o.a.tomcat.util.net.SocketWrapperBase : Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@1376a3b7:org.apache.tomcat.util.net.NioChannel@198ec8c7:java.nio.channels.SocketChannel[connected local=/172.18.0.4:9393 remote=/172.18.0.1:33758]], Read from buffer: [0]
dataflow-server | DEBUG 1 --- [nio-9393-exec-1] org.apache.tomcat.util.net.NioEndpoint : Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@1376a3b7:org.apache.tomcat.util.net.NioChannel@198ec8c7:java.nio.channels.SocketChannel[connected local=/172.18.0.4:9393 remote=/172.18.0.1:33758]], Read direct from socket: [0]
dataflow-server | DEBUG 1 --- [nio-9393-exec-1] o.apache.coyote.http11.Http11Processor : Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@1376a3b7:org.apache.tomcat.util.net.NioChannel@198ec8c7:java.nio.channels.SocketChannel[connected local=/172.18.0.4:9393 remote=/172.18.0.1:33758]], Status in: [OPEN_READ], State out: [OPEN]
dataflow-server | DEBUG 1 --- [nio-9393-exec-1] o.a.coyote.http11.Http11NioProtocol : Pushed Processor [org.apache.coyote.http11.Http11Processor@17492586]
dataflow-server | DEBUG 1 --- [nio-9393-exec-1] org.apache.tomcat.util.net.NioEndpoint : Registered read interest for [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@1376a3b7:org.apache.tomcat.util.net.NioChannel@198ec8c7:java.nio.channels.SocketChannel[connected local=/172.18.0.4:9393 remote=/172.18.0.1:33758]]
It seems that the problem is the 'remote=/172.18.0.1:33758', but we can't explain how the introspect URI can be converted to this local IP.
These are all plain Spring Security OAuth settings, and the concepts are better documented there. We're in the process of adding better docs for Keycloak, but in the meanwhile my old test dataflow-keycloak might get you started.
In recent versions we added a better way to use plain JWT keys, and we documented it for Azure/AD. The plan is to add a similar section for Keycloak.
I believe just using issuer-uri and jwk-set-uri should give you a working setup (you still need to figure out the scope-to-role mappings), as Spring Security uses those to autoconfigure the OAuth settings. All the other settings are kinda legacy, dating back to times when we weren't fully on the Spring Security 5.3 line.
For RH SSO I'm not sure if you're talking about some global shared instance or your private setup.
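As an added illustration of the issuer-uri / jwk-set-uri approach described in the answer above (this is not configuration from the question, the answer or the SCDF project), here is a Spring Boot YAML fragment for an SCDF server pointed at a Keycloak/RH SSO realm. The registration id `keycloak`, the client id `dataflow-server`, the `REALM_URL` and `KEYCLOAK_CLIENT_SECRET` environment variables and the scope names are assumptions; the role-to-scope mapping block follows the pattern SCDF documents for Azure AD.

```yaml
spring:
  security:
    oauth2:
      client:
        registration:
          keycloak:                     # assumed registration id; reused as the role-mapping key below
            client-id: dataflow-server  # assumed client id registered in the realm
            client-secret: ${KEYCLOAK_CLIENT_SECRET}   # injected from the environment, never committed
            authorization-grant-type: authorization_code
            redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}'
            scope: openid,dataflow.view,dataflow.create,dataflow.manage
        provider:
          keycloak:
            # REALM_URL is a placeholder, e.g. https://sso.example.internal/auth/realms/scdf
            issuer-uri: ${REALM_URL}
            jwk-set-uri: ${REALM_URL}/protocol/openid-connect/certs
            user-name-attribute: preferred_username
      resourceserver:
        jwt:
          # Bearer tokens sent by the UI, the shell or REST clients are validated locally
          # against the realm's JWK set and the iss claim; no introspection call is needed
          # for JWT access tokens, so the legacy introspection-uri setting is not used here.
          issuer-uri: ${REALM_URL}
          jwk-set-uri: ${REALM_URL}/protocol/openid-connect/certs
  cloud:
    dataflow:
      security:
        authorization:
          provider-role-mappings:
            keycloak:
              # derive SCDF roles from the scopes present in the token; each scope must
              # exist as a client scope in the realm and be granted to the client
              map-oauth-scopes: true
              role-mappings:
                ROLE_VIEW: dataflow.view
                ROLE_CREATE: dataflow.create
                ROLE_MANAGE: dataflow.manage
                ROLE_DEPLOY: dataflow.deploy
                ROLE_DESTROY: dataflow.destroy
                ROLE_MODIFY: dataflow.modify
                ROLE_SCHEDULE: dataflow.schedule
```

A quick check that the mapping is in effect: a token carrying only `dataflow.view` should be able to list tasks but get a 403 on `POST /tasks/executions`, which is the request the question's log shows passing through without any constraint.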
For those who are as new to this as I was, I am going to add some points to take into account when configuring the security in SCDF.
First, some comments on the original considerations:
Now, the configuration we used to make it work:
Finally, some considerations on the SSO side (this could vary depending on the tool used; this is for Keycloak/RedHatSSO):