mirror of
https://github.com/kevinveenbirkenbach/computer-playbook.git
synced 2025-08-29 23:08:06 +02:00
Fix RBAC groups handling and refactor Keycloak role
- Fixed incorrect handling of RBAC group configuration (moved from OIDC claims into dedicated RBAC variable set).
- Unified RBAC group usage across applications (LAM, pgAdmin, phpLDAPadmin, phpMyAdmin, YOURLS).
- Replaced old 'KEYCLOAK_OIDC_RBAC_SCOPE_NAME' with dedicated 'KEYCLOAK_RBAC_GROUP_*' variables.
- Updated OAuth2 Proxy configuration to use 'RBAC.GROUP.CLAIM'.
- Refactored Keycloak role task structure:
* Renamed and reorganized task files for clarity ('_update.yml', '02_cleanup.yml', etc.).
* Introduced meta and dependency handling separation.
- Cleaned up Keycloak config defaults and recaptcha placeholders.
This commit is contained in:
@@ -32,7 +32,6 @@ server:
|
||||
scopes:
|
||||
nextcloud: nextcloud
|
||||
|
||||
rbac_groups: "/rbac"
|
||||
docker:
|
||||
services:
|
||||
keycloak:
|
||||
@@ -44,5 +43,5 @@ docker:
|
||||
|
||||
credentials:
|
||||
recaptcha:
|
||||
website_key: "YOUR_RECAPTCHA_WEBSITE_KEY" # Required if you enabled recaptcha:
|
||||
secret_key: "YOUR_RECAPTCHA_SECRET_KEY" # Required if you enabled recaptcha:
|
||||
website_key: "" # Required if you enabled recaptcha:
|
||||
secret_key: "" # Required if you enabled recaptcha:
|
||||
8
roles/web-app-keycloak/tasks/01_meta.yml
Normal file
8
roles/web-app-keycloak/tasks/01_meta.yml
Normal file
@@ -0,0 +1,8 @@
|
||||
- include_tasks: "{{ playbook_dir }}/tasks/utils/load_handlers.yml"
|
||||
vars:
|
||||
handler_role_name: "docker-compose"
|
||||
- ansible.builtin.include_vars:
|
||||
file: "{{ item }}"
|
||||
loop:
|
||||
- "{{ playbook_dir }}/roles/docker-compose/vars/docker-compose.yml"
|
||||
- "{{ playbook_dir }}/roles/cmp-rdbms/vars/database.yml"
|
||||
@@ -1,25 +0,0 @@
|
||||
- name: Load the '{{ application_id }}' role dependencies
|
||||
block:
|
||||
- name: "load required 'web-svc-logout' for {{ application_id }}"
|
||||
include_role:
|
||||
name: web-svc-logout
|
||||
when: run_once_web_svc_logout is not defined
|
||||
|
||||
- name: "load docker, db and proxy for {{ application_id }}"
|
||||
include_role:
|
||||
name: cmp-db-docker-proxy
|
||||
vars:
|
||||
docker_compose_flush_handlers: true
|
||||
when: KEYCLOAK_LOAD_DEPENDENCIES | bool
|
||||
|
||||
- name: "Load database & docker-compose variables if role dependencies aren't loaded"
|
||||
block:
|
||||
- include_tasks: "{{ playbook_dir }}/tasks/utils/load_handlers.yml"
|
||||
vars:
|
||||
handler_role_name: "docker-compose"
|
||||
- ansible.builtin.include_vars:
|
||||
file: "{{ item }}"
|
||||
loop:
|
||||
- "{{ playbook_dir }}/roles/docker-compose/vars/docker-compose.yml"
|
||||
- "{{ playbook_dir }}/roles/cmp-rdbms/vars/database.yml"
|
||||
when: not KEYCLOAK_LOAD_DEPENDENCIES | bool
|
||||
12
roles/web-app-keycloak/tasks/04_dependencies.yml
Normal file
12
roles/web-app-keycloak/tasks/04_dependencies.yml
Normal file
@@ -0,0 +1,12 @@
|
||||
- block:
|
||||
- name: "load required 'web-svc-logout' for {{ application_id }}"
|
||||
include_role:
|
||||
name: web-svc-logout
|
||||
public: false
|
||||
when: run_once_web_svc_logout is not defined
|
||||
|
||||
- name: "load docker, db and proxy for {{ application_id }}"
|
||||
include_role:
|
||||
name: cmp-db-docker-proxy
|
||||
vars:
|
||||
docker_compose_flush_handlers: true
|
||||
@@ -5,7 +5,7 @@
|
||||
{{
|
||||
(
|
||||
KEYCLOAK_DICTIONARY_REALM.clientScopes
|
||||
| selectattr('name','equalto', KEYCLOAK_OIDC_RBAC_SCOPE_NAME)
|
||||
| selectattr('name','equalto', KEYCLOAK_RBAC_GROUP_CLAIME)
|
||||
| list | first
|
||||
) | to_json
|
||||
}}
|
||||
@@ -27,7 +27,7 @@
|
||||
scope_id_rbac: >-
|
||||
{{ (
|
||||
all_scopes.stdout | from_json
|
||||
| selectattr('name','equalto', KEYCLOAK_OIDC_RBAC_SCOPE_NAME)
|
||||
| selectattr('name','equalto', KEYCLOAK_RBAC_GROUP_CLAIME)
|
||||
| list | first | default({})
|
||||
).id | default('') }}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
- name: "Update REALM settings (merge LDAP component .config)"
|
||||
include_tasks: 03_update.yml
|
||||
include_tasks: _update.yml
|
||||
vars:
|
||||
kc_object_kind: "component"
|
||||
kc_lookup_value: "{{ KEYCLOAK_LDAP_CMP_NAME }}"
|
||||
@@ -141,4 +141,4 @@
|
||||
}, recursive=True)
|
||||
}}
|
||||
kc_merge_path: "config"
|
||||
include_tasks: 03_update.yml
|
||||
include_tasks: _update.yml
|
||||
@@ -1,12 +1,18 @@
|
||||
---
|
||||
- name: "Load meta"
|
||||
include_tasks: 01_meta.yml
|
||||
when: not KEYCLOAK_LOAD_DEPENDENCIES | bool
|
||||
|
||||
|
||||
- name: "Load cleanup routine for '{{ application_id }}'"
|
||||
include_tasks: 01_cleanup.yml
|
||||
include_tasks: 02_cleanup.yml
|
||||
|
||||
- name: "Load init routine for '{{ application_id }}'"
|
||||
include_tasks: 02_initialize.yml
|
||||
include_tasks: 03_init.yml
|
||||
|
||||
- name: "Load the depdendencies required by '{{ application_id }}'"
|
||||
include_tasks: 03_load_dependencies.yml
|
||||
include_tasks: 04_dependencies.yml
|
||||
when: KEYCLOAK_LOAD_DEPENDENCIES | bool
|
||||
|
||||
- name: "Wait until '{{ KEYCLOAK_CONTAINER }}' container is healthy"
|
||||
community.docker.docker_container_info:
|
||||
@@ -50,9 +56,9 @@
|
||||
| list | first | default({}) ).attributes | default({}) )
|
||||
| combine({'frontchannel.logout.url': KEYCLOAK_FRONTCHANNEL_LOGOUT_URL}, recursive=True)
|
||||
}}
|
||||
include_tasks: 03_update.yml
|
||||
include_tasks: _update.yml
|
||||
|
||||
- include_tasks: 04_rbac_client_scope.yml
|
||||
- include_tasks: 05_rbac_client_scope.yml
|
||||
|
||||
- include_tasks: 05_ldap.yml
|
||||
- include_tasks: 06_ldap.yml
|
||||
when: KEYCLOAK_LDAP_ENABLED | bool
|
||||
|
||||
@@ -54,7 +54,7 @@
|
||||
"organization",
|
||||
"offline_access",
|
||||
"microprofile-jwt",
|
||||
"{{ KEYCLOAK_OIDC_RBAC_SCOPE_NAME }}",
|
||||
"{{ KEYCLOAK_RBAC_GROUP_CLAIME }}",
|
||||
"{{ applications | get_app_conf(application_id, 'scopes.nextcloud', True) }}"
|
||||
]
|
||||
}
|
||||
|
||||
@@ -156,7 +156,7 @@
|
||||
"group.object.classes": [ "groupOfNames" ],
|
||||
"memberof.ldap.attribute": [ "memberOf" ],
|
||||
"drop.non.existing.groups.during.sync": [ "false" ],
|
||||
"groups.path": [ "{{ applications | get_app_conf(application_id, 'rbac_groups', True) }}" ]
|
||||
"groups.path": [ "{{ KEYCLOAK_RBAC_GROUP_NAME }}" ]
|
||||
}
|
||||
},
|
||||
{
|
||||
|
||||
@@ -1430,7 +1430,7 @@
|
||||
"phone",
|
||||
"microprofile-jwt",
|
||||
"organization",
|
||||
"{{ KEYCLOAK_OIDC_RBAC_SCOPE_NAME }}",
|
||||
"{{ KEYCLOAK_RBAC_GROUP_CLAIME }}",
|
||||
"{{ applications | get_app_conf(application_id, 'scopes.nextcloud', True) }}"
|
||||
],
|
||||
"browserSecurityHeaders": {
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
{
|
||||
"name": "{{ KEYCLOAK_OIDC_RBAC_SCOPE_NAME }}",
|
||||
"name": "{{ KEYCLOAK_RBAC_GROUP_CLAIME }}",
|
||||
"description": "RBAC Groups",
|
||||
"protocol": "openid-connect",
|
||||
"attributes": {
|
||||
@@ -22,7 +22,7 @@
|
||||
"id.token.claim": "true",
|
||||
"lightweight.claim": "false",
|
||||
"access.token.claim": "true",
|
||||
"claim.name": "{{ OIDC.CLAIMS.GROUPS }}"
|
||||
"claim.name": "{{ KEYCLOAK_RBAC_GROUP_CLAIME }}"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
||||
@@ -11,9 +11,12 @@ KEYCLOAK_REALM_URL: "{{ WEB_PROTOCOL }}://{{ KEYCLOAK_REALM }}"
|
||||
KEYCLOAK_DEBUG_ENABLED: "{{ MODE_DEBUG }}"
|
||||
KEYCLOAK_CLIENT_ID: "{{ OIDC.CLIENT.ID }}"
|
||||
KEYCLOAK_SERVER_INTERNAL_URL: "http://127.0.0.1:8080"
|
||||
KEYCLOAK_OIDC_RBAC_SCOPE_NAME: "{{ OIDC.CLAIMS.GROUPS }}"
|
||||
KEYCLOAK_LOAD_DEPENDENCIES: "{{ applications | get_app_conf(application_id, 'load_dependencies') }}"
|
||||
|
||||
# RBAC
|
||||
KEYCLOAK_RBAC_GROUP_CLAIME: "{{ RBAC.GROUP.CLAIM }}"
|
||||
KEYCLOAK_RBAC_GROUP_NAME: "{{ RBAC.GROUP.NAME }}"
|
||||
|
||||
## Health
|
||||
KEYCLOAK_HEALTH_ENABLED: true
|
||||
|
||||
|
||||
Reference in New Issue
Block a user