Sync auth

[wtrocki]

Posting for early visibility.

[wtrocki]

@psturc Actually tried to execute this steps and see how long this takes. It's not simple or convenient which made me question entire instruction. pinged @ziccardi to see if we can just get config directly from keycloak server and paste that directly as content to environment variable. If this is working we can document that - possibly instruction will change to 3 simple steps, but it will not include binding.

[psturc]

that sounds good

[wtrocki]

This is going to be separate ticket as @ziccardi is out sick.

[wtrocki]

Can we check this again? It's still pretty raw (we can improve it later).
If we merge that we going to unblock @darahayes PR that may be related to this.

[darahayes]

Hey @wtrocki apologies for the very specific review. It's all minor grammar things but they're important to get right.

[darahayes]

Perhaps rework this to the following:

By default, {sync-service} does not provide any authentication and authorization mechanism.

[pwright]

+1 to Dara's rewording

[darahayes]

Best practice is to captialize headings, except for words like is, a, the, to etc.

Should be:

Binding the {sync-service} Instance to a {keycloak-service} Instance.

[pwright]

fyi, there's a debate about that style issue, Dara describes the style called Titlecase, more likely we're going with Sentence case, which is what is there currently

[darahayes]

Minor grammar thing:

To benefit from authentication, developers...

[pwright]

To implement authentication in your app, you must bind the {sync-service} service with the {keycloak-service} service.

[darahayes]

Again, capitalization. Should probably be:

Making the Secret Available

[pwright]

-1

[darahayes]

Minor grammar thing. Should probably be like this:

By default, the secret is not visible to the server application

[pwright]

+1

[darahayes]

Again just some small grammar stuff,

To point the server to the application, please add a new environment variable:

[pwright]

+1

[jhellar]

The Authentication section is now in Setting up section. Shouldn't it be in it's own section similarly to Monitoring Data Sync Service section?

[jhellar]

After completing the steps, and opening data sync server url on /graphql endpoint, I get Invalid parameter: redirect_uri. Should we also add steps for configuring valid redirect uri?

[jhellar]

Will this work with self-signed certs? Should we document it?

[psturc]

The trick for getting this working with self-signed certs is to add NODE_TLS_REJECT_UNAUTHORIZED = 0 to environment variables in the data-sync-server deployment config. This should be documented.

[pwright]

not the way we refer to SDK in doc, but will fix in post

[wtrocki]

Ah.. Really sorry. Missing tons of context here.

[wtrocki]

Let's create another ticket to review entire auth docs:

The Authentication section is now in Setting up section. Shouldn't it be in it's own section similarly to Monitoring Data Sync Service section?

After completing the steps, and opening data sync server url on /graphql endpoint, I get Invalid parameter: redirect_uri. Should we also add steps for configuring valid redirect uri?

This is part of the prerequisites (Keycloak setup and running) instruction there explains it and I did not want to copy the content here.

Will this work with self-signed certs? Should we document it?

This is canonical documentation ( we will need to get some local machine documentation that will cover self signed certs.

[wtrocki]

@jhellar @psturc Can you take look and get that very raw version of this. Can we get some consensu how to reorganize this content better, basing on your valuable feedback.

[wtrocki]

@darahayes Final review?

[wtrocki]

Mering to sync branch in order to rebuild, joing articles together

[StephenCoady]

are we leaving this as is? we could change it to the actual value we are using for now?

[wtrocki]

Ups. yeah. TODO needs to be removed. I overlooked that in the rush

[StephenCoady]

Its ok I will change it on sync branch. I was too slow reviewing.

…

On Wed, 5 Sep 2018 at 11:49, Wojciech Trocki ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In modules/ROOT/pages/sync/auth.adoc <#403 (comment)>: > + +== Making the Secret available to the {sync-service} + +* Select *View Secret* on the *Identity Management* details page +* Select *Add to Application* and select the data-sync-server from the options +* Select the *Volume* option and enter the following mount path: `/opt/keycloak` + +NOTE: The mount path must be set to `/opt/keycloak` for the {sync-service} to be configured to use the secret. + +== Making Secret available to application + +By default, the secret is not visible to the server application. +o point the server to the application, please add a new environment variable: + +---- +KEYCLOAK_CONFIG_FILE= `/opt/keycloak`TODO Ups. yeah. TODO needs to be removed. I overlooked that in the rush — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#403 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AG9_8-PQa1uD6HAUruIknIyciGs68IgSks5uX6w4gaJpZM4WTKnE> .

-- STEPHEN COADY ASSOCIATE SOFTWARE ENGINEER Red Hat <https://www.redhat.com/> Communications House, Cork Road Waterford City, Ireland X91NY33 scoady@redhat.com IM: scoady <https://red.ht/sig>