Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

different iam config for github and local

pull/7160/head
chrislu 3 months ago
parent
ce27ea975f
commit
f9c19dd2f5
3 changed files with 681 additions and 8 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 294
      test/s3/iam/iam_config.github.json
  2. 346
      test/s3/iam/iam_config.local.json
  3. 49
      test/s3/iam/setup_keycloak.sh

294
test/s3/iam/iam_config.github.json
View File

@ -0,0 +1,294 @@
{
"sts": {
"tokenDuration": 3600000000000,
"maxSessionLength": 43200000000000,
"issuer": "seaweedfs-sts",
"signingKey": "dGVzdC1zaWduaW5nLWtleS0zMi1jaGFyYWN0ZXJzLWxvbmc="
},
"providers": [
{
"name": "test-oidc",
"type": "mock",
"config": {
"issuer": "test-oidc-issuer",
"clientId": "test-oidc-client"
}
},
{
"name": "keycloak",
"type": "oidc",
"enabled": true,
"config": {
"issuer": "http://localhost:8080/realms/seaweedfs-test",
"clientId": "seaweedfs-s3",
"clientSecret": "seaweedfs-s3-secret",
"jwksUri": "http://localhost:8080/realms/seaweedfs-test/protocol/openid-connect/certs",
"userInfoUri": "http://localhost:8080/realms/seaweedfs-test/protocol/openid-connect/userinfo",
"scopes": ["openid", "profile", "email"],
"claimsMapping": {
"username": "preferred_username",
"email": "email",
"name": "name"
},
"roleMapping": {
"rules": [
{
"claim": "roles",
"value": "s3-admin",
"role": "arn:seaweed:iam::role/KeycloakAdminRole"
},
{
"claim": "roles",
"value": "s3-read-only",
"role": "arn:seaweed:iam::role/KeycloakReadOnlyRole"
},
{
"claim": "roles",
"value": "s3-write-only",
"role": "arn:seaweed:iam::role/KeycloakWriteOnlyRole"
},
{
"claim": "roles",
"value": "s3-read-write",
"role": "arn:seaweed:iam::role/KeycloakReadWriteRole"
}
],
"defaultRole": "arn:seaweed:iam::role/KeycloakReadOnlyRole"
}
}
}
],
"policy": {
"defaultEffect": "Deny",
"storeType": "memory"
},
"roles": [
{
"roleName": "TestAdminRole",
"roleArn": "arn:seaweed:iam::role/TestAdminRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "test-oidc"
},
"Action": ["sts:AssumeRoleWithWebIdentity"]
}
]
},
"attachedPolicies": ["S3AdminPolicy"],
"description": "Admin role for testing"
},
{
"roleName": "TestReadOnlyRole",
"roleArn": "arn:seaweed:iam::role/TestReadOnlyRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "test-oidc"
},
"Action": ["sts:AssumeRoleWithWebIdentity"]
}
]
},
"attachedPolicies": ["S3ReadOnlyPolicy"],
"description": "Read-only role for testing"
},
{
"roleName": "TestWriteOnlyRole",
"roleArn": "arn:seaweed:iam::role/TestWriteOnlyRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "test-oidc"
},
"Action": ["sts:AssumeRoleWithWebIdentity"]
}
]
},
"attachedPolicies": ["S3WriteOnlyPolicy"],
"description": "Write-only role for testing"
},
{
"roleName": "KeycloakAdminRole",
"roleArn": "arn:seaweed:iam::role/KeycloakAdminRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "keycloak"
},
"Action": ["sts:AssumeRoleWithWebIdentity"]
}
]
},
"attachedPolicies": ["S3AdminPolicy"],
"description": "Admin role for Keycloak users"
},
{
"roleName": "KeycloakReadOnlyRole",
"roleArn": "arn:seaweed:iam::role/KeycloakReadOnlyRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "keycloak"
},
"Action": ["sts:AssumeRoleWithWebIdentity"]
}
]
},
"attachedPolicies": ["S3ReadOnlyPolicy"],
"description": "Read-only role for Keycloak users"
},
{
"roleName": "KeycloakWriteOnlyRole",
"roleArn": "arn:seaweed:iam::role/KeycloakWriteOnlyRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "keycloak"
},
"Action": ["sts:AssumeRoleWithWebIdentity"]
}
]
},
"attachedPolicies": ["S3WriteOnlyPolicy"],
"description": "Write-only role for Keycloak users"
},
{
"roleName": "KeycloakReadWriteRole",
"roleArn": "arn:seaweed:iam::role/KeycloakReadWriteRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "keycloak"
},
"Action": ["sts:AssumeRoleWithWebIdentity"]
}
]
},
"attachedPolicies": ["S3ReadWritePolicy"],
"description": "Read-write role for Keycloak users"
}
],
"policies": [
{
"name": "S3AdminPolicy",
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": ["*"]
},
{
"Effect": "Allow",
"Action": ["sts:ValidateSession"],
"Resource": ["*"]
}
]
}
},
{
"name": "S3ReadOnlyPolicy",
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:seaweed:s3:::*",
"arn:seaweed:s3:::*/*"
]
},
{
"Effect": "Allow",
"Action": ["sts:ValidateSession"],
"Resource": ["*"]
}
]
}
},
{
"name": "S3WriteOnlyPolicy",
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:seaweed:s3:::*",
"arn:seaweed:s3:::*/*"
]
},
{
"Effect": "Deny",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:seaweed:s3:::*",
"arn:seaweed:s3:::*/*"
]
},
{
"Effect": "Allow",
"Action": ["sts:ValidateSession"],
"Resource": ["*"]
}
]
}
},
{
"name": "S3ReadWritePolicy",
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:seaweed:s3:::*",
"arn:seaweed:s3:::*/*"
]
},
{
"Effect": "Allow",
"Action": ["sts:ValidateSession"],
"Resource": ["*"]
}
]
}
}
]
}

346
test/s3/iam/iam_config.local.json
View File

@ -0,0 +1,346 @@
{
"sts": {
"tokenDuration": 3600000000000,
"maxSessionLength": 43200000000000,
"issuer": "seaweedfs-sts",
"signingKey": "dGVzdC1zaWduaW5nLWtleS0zMi1jaGFyYWN0ZXJzLWxvbmc="
},
"providers": [
{
"name": "test-oidc",
"type": "mock",
"config": {
"issuer": "test-oidc-issuer",
"clientId": "test-oidc-client"
}
},
{
"name": "keycloak",
"type": "oidc",
"enabled": true,
"config": {
"issuer": "http://localhost:8090/realms/seaweedfs-test",
"clientId": "seaweedfs-s3",
"clientSecret": "seaweedfs-s3-secret",
"jwksUri": "http://localhost:8090/realms/seaweedfs-test/protocol/openid-connect/certs",
"userInfoUri": "http://localhost:8090/realms/seaweedfs-test/protocol/openid-connect/userinfo",
"scopes": [
"openid",
"profile",
"email"
],
"claimsMapping": {
"username": "preferred_username",
"email": "email",
"name": "name"
},
"roleMapping": {
"rules": [
{
"claim": "roles",
"value": "s3-admin",
"role": "arn:seaweed:iam::role/KeycloakAdminRole"
},
{
"claim": "roles",
"value": "s3-read-only",
"role": "arn:seaweed:iam::role/KeycloakReadOnlyRole"
},
{
"claim": "roles",
"value": "s3-write-only",
"role": "arn:seaweed:iam::role/KeycloakWriteOnlyRole"
},
{
"claim": "roles",
"value": "s3-read-write",
"role": "arn:seaweed:iam::role/KeycloakReadWriteRole"
}
],
"defaultRole": "arn:seaweed:iam::role/KeycloakReadOnlyRole"
}
}
}
],
"policy": {
"defaultEffect": "Deny",
"storeType": "memory"
},
"roles": [
{
"roleName": "TestAdminRole",
"roleArn": "arn:seaweed:iam::role/TestAdminRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "test-oidc"
},
"Action": [
"sts:AssumeRoleWithWebIdentity"
]
}
]
},
"attachedPolicies": [
"S3AdminPolicy"
],
"description": "Admin role for testing"
},
{
"roleName": "TestReadOnlyRole",
"roleArn": "arn:seaweed:iam::role/TestReadOnlyRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "test-oidc"
},
"Action": [
"sts:AssumeRoleWithWebIdentity"
]
}
]
},
"attachedPolicies": [
"S3ReadOnlyPolicy"
],
"description": "Read-only role for testing"
},
{
"roleName": "TestWriteOnlyRole",
"roleArn": "arn:seaweed:iam::role/TestWriteOnlyRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "test-oidc"
},
"Action": [
"sts:AssumeRoleWithWebIdentity"
]
}
]
},
"attachedPolicies": [
"S3WriteOnlyPolicy"
],
"description": "Write-only role for testing"
},
{
"roleName": "KeycloakAdminRole",
"roleArn": "arn:seaweed:iam::role/KeycloakAdminRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "keycloak"
},
"Action": [
"sts:AssumeRoleWithWebIdentity"
]
}
]
},
"attachedPolicies": [
"S3AdminPolicy"
],
"description": "Admin role for Keycloak users"
},
{
"roleName": "KeycloakReadOnlyRole",
"roleArn": "arn:seaweed:iam::role/KeycloakReadOnlyRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "keycloak"
},
"Action": [
"sts:AssumeRoleWithWebIdentity"
]
}
]
},
"attachedPolicies": [
"S3ReadOnlyPolicy"
],
"description": "Read-only role for Keycloak users"
},
{
"roleName": "KeycloakWriteOnlyRole",
"roleArn": "arn:seaweed:iam::role/KeycloakWriteOnlyRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "keycloak"
},
"Action": [
"sts:AssumeRoleWithWebIdentity"
]
}
]
},
"attachedPolicies": [
"S3WriteOnlyPolicy"
],
"description": "Write-only role for Keycloak users"
},
{
"roleName": "KeycloakReadWriteRole",
"roleArn": "arn:seaweed:iam::role/KeycloakReadWriteRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "keycloak"
},
"Action": [
"sts:AssumeRoleWithWebIdentity"
]
}
]
},
"attachedPolicies": [
"S3ReadWritePolicy"
],
"description": "Read-write role for Keycloak users"
}
],
"policies": [
{
"name": "S3AdminPolicy",
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"sts:ValidateSession"
],
"Resource": [
"*"
]
}
]
}
},
{
"name": "S3ReadOnlyPolicy",
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:seaweed:s3:::*",
"arn:seaweed:s3:::*/*"
]
},
{
"Effect": "Allow",
"Action": [
"sts:ValidateSession"
],
"Resource": [
"*"
]
}
]
}
},
{
"name": "S3WriteOnlyPolicy",
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:seaweed:s3:::*",
"arn:seaweed:s3:::*/*"
]
},
{
"Effect": "Deny",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:seaweed:s3:::*",
"arn:seaweed:s3:::*/*"
]
},
{
"Effect": "Allow",
"Action": [
"sts:ValidateSession"
],
"Resource": [
"*"
]
}
]
}
},
{
"name": "S3ReadWritePolicy",
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:seaweed:s3:::*",
"arn:seaweed:s3:::*/*"
]
},
{
"Effect": "Allow",
"Action": [
"sts:ValidateSession"
],
"Resource": [
"*"
]
}
]
}
}
]
}

49
test/s3/iam/setup_keycloak.sh
View File

@ -11,7 +11,8 @@ NC='\033[0m'
KEYCLOAK_IMAGE="quay.io/keycloak/keycloak:26.0.7" KEYCLOAK_IMAGE="quay.io/keycloak/keycloak:26.0.7"
CONTAINER_NAME="keycloak-iam-test" CONTAINER_NAME="keycloak-iam-test"
KEYCLOAK_PORT="8080" # Default port
KEYCLOAK_PORT="8080" # Default external port
KEYCLOAK_INTERNAL_PORT="8080" # Internal container port (always 8080)
KEYCLOAK_URL="http://localhost:${KEYCLOAK_PORT}" KEYCLOAK_URL="http://localhost:${KEYCLOAK_PORT}"
# Realm and test fixtures expected by tests # Realm and test fixtures expected by tests
@ -38,7 +39,6 @@ get_user_password() {
USERS="admin-user read-user write-user write-only-user" USERS="admin-user read-user write-user write-only-user"
echo -e "${BLUE}🔧 Setting up Keycloak realm and users for SeaweedFS S3 IAM testing...${NC}" echo -e "${BLUE}🔧 Setting up Keycloak realm and users for SeaweedFS S3 IAM testing...${NC}"
echo "Keycloak URL: ${KEYCLOAK_URL}"
ensure_container() { ensure_container() {
# Check for any existing Keycloak container and detect its port # Check for any existing Keycloak container and detect its port
@ -110,11 +110,12 @@ wait_ready() {
kcadm() { kcadm() {
# Always authenticate before each command to ensure context # Always authenticate before each command to ensure context
# Try different admin passwords that might be used in different environments # Try different admin passwords that might be used in different environments
local admin_passwords=("admin123" "admin" "password")
# GitHub Actions uses "admin", local testing might use "admin123"
local admin_passwords=("admin" "admin123" "password")
local auth_success=false local auth_success=false
for pwd in "${admin_passwords[@]}"; do for pwd in "${admin_passwords[@]}"; do
if docker exec -i "${CONTAINER_NAME}" /opt/keycloak/bin/kcadm.sh config credentials --server "http://localhost:8080" --realm master --user admin --password "$pwd" >/dev/null 2>&1; then
if docker exec -i "${CONTAINER_NAME}" /opt/keycloak/bin/kcadm.sh config credentials --server "http://localhost:${KEYCLOAK_INTERNAL_PORT}" --realm master --user admin --password "$pwd" >/dev/null 2>&1; then
auth_success=true auth_success=true
break break
fi fi
@ -130,7 +131,7 @@ kcadm() {
admin_login() { admin_login() {
# This is now handled by each kcadm() call # This is now handled by each kcadm() call
echo "Logging into http://localhost:8080 as user admin of realm master"
echo "Logging into http://localhost:${KEYCLOAK_INTERNAL_PORT} as user admin of realm master"
} }
ensure_realm() { ensure_realm() {
@ -221,12 +222,11 @@ assign_role() {
} }
configure_role_mapper() { configure_role_mapper() {
local client_id="$1"
echo -e "${YELLOW}🔧 Configuring role mapper for client '${client_id}'...${NC}"
echo -e "${YELLOW}🔧 Configuring role mapper for client '${CLIENT_ID}'...${NC}"
# Get client's internal ID # Get client's internal ID
local internal_id local internal_id
internal_id=$(kcadm get clients -r "${REALM_NAME}" -q clientId="${client_id}" | jq -r '.[0].id // empty')
internal_id=$(kcadm get clients -r "${REALM_NAME}" -q clientId="${CLIENT_ID}" | jq -r '.[0].id // empty')
if [[ -z "${internal_id}" ]]; then if [[ -z "${internal_id}" ]]; then
echo -e "${RED}❌ Could not find client ${client_id} to configure role mapper${NC}" echo -e "${RED}❌ Could not find client ${client_id} to configure role mapper${NC}"
@ -267,10 +267,12 @@ main() {
command -v jq >/dev/null || { echo -e "${RED}❌ jq is required${NC}"; exit 1; } command -v jq >/dev/null || { echo -e "${RED}❌ jq is required${NC}"; exit 1; }
ensure_container ensure_container
echo "Keycloak URL: ${KEYCLOAK_URL}"
wait_ready wait_ready
admin_login admin_login
ensure_realm ensure_realm
ensure_client ensure_client
configure_role_mapper
ensure_role "${ROLE_ADMIN}" ensure_role "${ROLE_ADMIN}"
ensure_role "${ROLE_READONLY}" ensure_role "${ROLE_READONLY}"
ensure_role "${ROLE_WRITEONLY}" ensure_role "${ROLE_WRITEONLY}"
@ -288,6 +290,9 @@ main() {
ensure_user write-only-user "$(get_user_password write-only-user)" ensure_user write-only-user "$(get_user_password write-only-user)"
assign_role write-only-user "${ROLE_WRITEONLY}" assign_role write-only-user "${ROLE_WRITEONLY}"
# Copy the appropriate IAM configuration for this environment
setup_iam_config
# Validate the setup by testing authentication and role inclusion # Validate the setup by testing authentication and role inclusion
echo -e "${YELLOW}🔍 Validating setup by testing admin-user authentication and role mapping...${NC}" echo -e "${YELLOW}🔍 Validating setup by testing admin-user authentication and role mapping...${NC}"
sleep 2 sleep 2
@ -337,4 +342,32 @@ main() {
echo -e "${GREEN}✅ Keycloak test realm '${REALM_NAME}' configured${NC}" echo -e "${GREEN}✅ Keycloak test realm '${REALM_NAME}' configured${NC}"
} }
setup_iam_config() {
echo -e "${BLUE}🔧 Setting up IAM configuration for detected environment${NC}"
# Choose the appropriate config based on detected port
local config_source
if [[ "${KEYCLOAK_PORT}" == "8080" ]]; then
config_source="iam_config.github.json"
echo " Using GitHub Actions configuration (port 8080)"
else
config_source="iam_config.local.json"
echo " Using local development configuration (port ${KEYCLOAK_PORT})"
fi
# Verify source config exists
if [[ ! -f "$config_source" ]]; then
echo -e "${RED}❌ Config file $config_source not found${NC}"
exit 1
fi
# Copy the appropriate config
cp "$config_source" "iam_config.json"
local detected_issuer=$(cat iam_config.json | jq -r '.providers[] | select(.name=="keycloak") | .config.issuer')
echo -e "${GREEN}✅ IAM configuration set successfully${NC}"
echo " - Using config: $config_source"
echo " - Keycloak issuer: $detected_issuer"
}
main "$@" main "$@"
Write Preview
Loading…
Cancel
Save