Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

add back configure_audience_mapper

pull/7160/head
chrislu 1 month ago
parent
88203fe29d
commit
7650f87054
2 changed files with 55 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 39
      test/s3/iam/setup_keycloak.sh
  2. 16
      test/s3/iam/setup_keycloak_docker.sh

39
test/s3/iam/setup_keycloak.sh
View File

@ -262,6 +262,44 @@ configure_role_mapper() {
fi fi
} }
configure_audience_mapper() {
echo -e "${YELLOW}🔧 Configuring audience mapper for client '${CLIENT_ID}'...${NC}"
# Get client's internal ID
local internal_id
internal_id=$(kcadm get clients -r "${REALM_NAME}" -q clientId="${CLIENT_ID}" | jq -r '.[0].id // empty')
if [[ -z "${internal_id}" ]]; then
echo -e "${RED}❌ Could not find client ${CLIENT_ID} to configure audience mapper${NC}"
return 1
fi
# Check if an audience mapper already exists for this client
local existing_mapper
existing_mapper=$(kcadm get "clients/${internal_id}/protocol-mappers/models" -r "${REALM_NAME}" | jq -r '.[] | select(.name=="audience-mapper" and .protocolMapper=="oidc-audience-mapper") | .id // empty')
if [[ -n "${existing_mapper}" ]]; then
echo -e "${GREEN}✅ Audience mapper already exists${NC}"
else
echo -e "${YELLOW}📝 Creating audience mapper...${NC}"
# Create protocol mapper for audience
kcadm create "clients/${internal_id}/protocol-mappers/models" -r "${REALM_NAME}" \
-s name="audience-mapper" \
-s protocol="openid-connect" \
-s protocolMapper="oidc-audience-mapper" \
-s consentRequired=false \
-s 'config."included.client.audience"='"${CLIENT_ID}" \
-s 'config."id.token.claim"=false' \
-s 'config."access.token.claim"=true' >/dev/null || {
echo -e "${RED}❌ Failed to create audience mapper${NC}"
return 1
}
echo -e "${GREEN}✅ Audience mapper created${NC}"
fi
}
main() { main() {
command -v docker >/dev/null || { echo -e "${RED}❌ Docker is required${NC}"; exit 1; } command -v docker >/dev/null || { echo -e "${RED}❌ Docker is required${NC}"; exit 1; }
command -v jq >/dev/null || { echo -e "${RED}❌ jq is required${NC}"; exit 1; } command -v jq >/dev/null || { echo -e "${RED}❌ jq is required${NC}"; exit 1; }
@ -273,6 +311,7 @@ main() {
ensure_realm ensure_realm
ensure_client ensure_client
configure_role_mapper configure_role_mapper
configure_audience_mapper
ensure_role "${ROLE_ADMIN}" ensure_role "${ROLE_ADMIN}"
ensure_role "${ROLE_READONLY}" ensure_role "${ROLE_READONLY}"
ensure_role "${ROLE_WRITEONLY}" ensure_role "${ROLE_WRITEONLY}"

16
test/s3/iam/setup_keycloak_docker.sh
View File

@ -97,6 +97,22 @@ MAPPER_CONFIG='{
kcadm create clients/"$CLIENT_UUID"/protocol-mappers/models -r "$REALM_NAME" -b "$MAPPER_CONFIG" 2>/dev/null || echo "✅ Role mapper already exists" kcadm create clients/"$CLIENT_UUID"/protocol-mappers/models -r "$REALM_NAME" -b "$MAPPER_CONFIG" 2>/dev/null || echo "✅ Role mapper already exists"
echo "✅ Realm roles mapper configured" echo "✅ Realm roles mapper configured"
# Configure audience mapper to ensure JWT tokens have correct audience claim
echo "🔧 Configuring audience mapper for client '$CLIENT_ID'..."
AUDIENCE_MAPPER_CONFIG='{
"protocol": "openid-connect",
"protocolMapper": "oidc-audience-mapper",
"name": "audience-mapper",
"config": {
"included.client.audience": "'$CLIENT_ID'",
"id.token.claim": "false",
"access.token.claim": "true"
}
}'
kcadm create clients/"$CLIENT_UUID"/protocol-mappers/models -r "$REALM_NAME" -b "$AUDIENCE_MAPPER_CONFIG" 2>/dev/null || echo "✅ Audience mapper already exists"
echo "✅ Audience mapper configured"
# Create realm roles # Create realm roles
echo "📝 Creating realm roles..." echo "📝 Creating realm roles..."
for role in "s3-admin" "s3-read-only" "s3-write-only" "s3-read-write"; do for role in "s3-admin" "s3-read-only" "s3-write-only" "s3-read-write"; do

Write Preview
Loading…
Cancel
Save