This service is used to replace the BOP service in Ephemeral environments.
It starts up an HTTP server on port 8090, and forwards requests to different endpoints depending on the URL paths the user requests.
It is meant to be run alongside a Keycloak service, where it can fetch and print information about users and realms.
While not essential for running this service, you'll need a local Keycloak server with a pre-configured realm named redhat-external on it, and some users, with the following attributes:
is_active: type: Booleanis_org_admin: type: Booleanis_internal: type: Booleanaccount_id: type: Stringorg_id: type: Stringentitlements: type: Stringaccount_number: type: String
The current list of supported paths is:
/: Empty endpoint, used as a status check endpoint./v1/users: onlyPOSTrequests are allowed. Used to fetch Keycloak users/v1/jwt: sends aGETrequest against theKEYCLOAK_SERVERURL and prints theredhat-externalrealm public key/v1/auth: it expects a basic Authorization Header to be sent with username and password, and uses it to request a token from theredhat-externalrealm from theKEYCLOAK_SERVERURL for that user. Then returns the user entity./v1/accounts: handlesPOSTandGETrequests for querying users for a specific account/v2/accounts: expects a GET request with query params defining filters to fetch users on Keycloak/api/entitlements/v1/services: prints a user's entitlements list based on the provided Identity header (only Basic Auth is supported). if the enviroment variableALL_PASSis found then a fixed JSON object with entitlements is printed instead.
You'll need a Keycloak Server running for the Keycloak-related requests to succed,
and pass in the Server URL, Admin username and password using the KEYCLOAK_SERVER,
KEYCLOAK_USERNAME and KEYCLOAK_PASSWORD environment variables respectively.
The current supported version of Keycloak is: 15.0.2 , based on the
Keycloak version that Clowder uses
You will also need a valid Keycloak realm named redhat-external as MBOP expects it to be
pre-created. There's a realm template you can import to
your Keycloak server to help you get started, it defines the redhat-external realm and a test
user.
It is recommended if you simply spin a container with a Keycloak server that imports the demo-realm.
You can do it using rootless podman by running:
podman run -it --name keycloak -p 8080:8080 \
-e KEYCLOAK_ADMIN_USER=admin \
-e KEYCLOAK_ADMIN_PASSWORD=change_me \
-e KEYCLOAK_IMPORT=/opt/keycloak/data/import/redhat-external-realm.json \
-v ${PWD}/data/redhat-external-realm.json:/opt/keycloak/data/import/redhat-external-realm.json:z \
quay.io/keycloak/keycloak:15.0.2Then run MBOP, either building and running it locally:
$ go build ./...
$ KEYCLOAK_SERVER='http://localhost:8080' KEYCLOAK_USERNAME='admin' KEYCLOAK_PASSWORD='change_it' ./mbopOr you can also build the image container and run it locally with podman:
podman build -t localhost/mbop:dev .
podman run -it --rm --name mbop -p 8090:8090 -e KEYCLOAK_SERVER='http://localhost:8080' KEYCLOAK_USERNAME='admin' KEYCLOAK_PASSWORD='change_it' localhost/mbop:dev
You can also leverage the provided podman-compose.yaml template and run it all together:
PLEASE NOTE : if SELINUX is enforced, you have to provide the :z label for the bind mount Realm file to import successfully.
mv deployments/podman-compose-env deployments/.env
podman-compose -f podman_compose.yaml up -d --build
Simply run
go test ./...
setup a local environment running Keycloak and MBOP:
docker-compose -f deployments/compose.yaml up --build -d
NOTE for podman-compose when SELINUX is enforced: You'll have to set the SELINUX_LABEL
environment variable from deployments/compose.yaml to :z for the Keycloak
Realm import to succeed. You can use the deployments/podman-compose-env
file for that purpose.
podman-compose -f deployments/compose.yaml up -d
you can run Mocha tests with
# npm --prefix test test