From 40c89fa6fa48bbbbbb28855e952a1c354fca89c3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Olivier=20Lem=C3=A9e?= Date: Mon, 26 Aug 2024 11:00:40 +0200 Subject: [PATCH] add keycloak clients dependency management (allowing integration with admin, auth apis) --- demonstrators-line/demonstrator-v0/pom.xml | 17 ++++++++++++++++- .../demonstrator-v0/sample-project-pom.xml | 2 +- .../technologies-stack-analysis.md | 4 ++-- .../demonstrator-v0/v0-technologies-stack.md | 7 ++++--- 4 files changed, 23 insertions(+), 7 deletions(-) diff --git a/demonstrators-line/demonstrator-v0/pom.xml b/demonstrators-line/demonstrator-v0/pom.xml index 3902789..54121de 100644 --- a/demonstrators-line/demonstrator-v0/pom.xml +++ b/demonstrators-line/demonstrator-v0/pom.xml @@ -2,7 +2,7 @@ 4.0.0 org.cybnity techstack - 0.34.0 + 0.35.0 pom CYBNITY Official Standard Techstack @@ -57,6 +57,7 @@ [1.1.0,) [1.1.0,) [1.1.0,) + [25.0.4,) 5.9.3 [1.9.2,) 7.12.1 @@ -270,6 +271,20 @@ ${janusgraph.driver} test + + + + org.keycloak + keycloak-admin-client + ${keycloak.client} + compile + + + + org.keycloak + keycloak-authz-client + ${keycloak.client} + diff --git a/demonstrators-line/demonstrator-v0/sample-project-pom.xml b/demonstrators-line/demonstrator-v0/sample-project-pom.xml index 1c905a0..299f056 100644 --- a/demonstrators-line/demonstrator-v0/sample-project-pom.xml +++ b/demonstrators-line/demonstrator-v0/sample-project-pom.xml @@ -3,7 +3,7 @@ org.cybnity techstack - 0.34.0 + 0.35.0 org.cybnity.techstack.quality diff --git a/demonstrators-line/demonstrator-v0/technologies-stack-analysis.md b/demonstrators-line/demonstrator-v0/technologies-stack-analysis.md index d095fdf..6195b55 100644 --- a/demonstrators-line/demonstrator-v0/technologies-stack-analysis.md +++ b/demonstrators-line/demonstrator-v0/technologies-stack-analysis.md 
@@ -237,7 +237,7 @@ The criteria checked about advantages (ADV) are: | Vault |Trusted authority for application and machine identities; secure, store, and access credentials and resources for user identity; Key/Value store for secrets, with flexibility and configurability with topics such as secret engines, authentication methods, and access policies
**ADV01:** [Mozilla Public License 2](https://github.com/hashicorp/vault/blob/main/LICENSE)
![image](vault-high-level-architecture-overview.png)
**ADV02:** [several installations](https://www.vaultproject.io/downloads) for Linux, Windows, macOS; [docker image](https://hub.docker.com/_/vault/); [Kubernetes compatible with Helm example](https://www.vaultproject.io/docs/platform/k8s/helm); [High-Availability](https://www.vaultproject.io/docs/concepts/ha) capabilities; [reference architecture with Consul integration](https://learn.hashicorp.com/tutorials/vault/reference-architecture)
**ADV03:** variety of secret and auth backends; dynamic secret generation; auditLog; leasing and renewal; Privilege Access Management (PAM); integrations for Kubernetes, Spring, and officially supported client libraries for Go and Ruby; fetching of secrets via the CLI, REST API, or community-maintained [open source libraries](https://www.vaultproject.io/api/libraries#community); auth method such [App Role](https://www.vaultproject.io/docs/auth/approle) or additional precautions such as [Cubbyhole response wrapping](https://learn.hashicorp.com/tutorials/vault/cubbyhole-response-wrapping); [integration with Consul](https://learn.hashicorp.com/tutorials/vault/ha-with-consul); [Vault Helm Charts](https://github.com/hashicorp/vault-helm) project; Java spring client library for connect to Vault
**ADV04:** HashiCorp provides Vault Enterprise, a fully managed version running on HashiCorp Cloud Platform (HCP)|**Advantage:** easy to set up and use; list of integrations, primarily focusing on authentication and secret storage|`COOL`| | midPoint Evolveum |Open source ecosystem for identity and access management focused on how the data is processed, auditing, and provide data rectification and erasure options out-of-the-box; identity governance and administration (automated access request, provisioning and deprovisioning, policy and roles management, auditing, access certification); 3rd-parties solutions licenses management; identity data visibility and accountability compliance (gdpr); consent management and identity data; user access self-services (password, access request, profile); [all features](https://docs.evolveum.com/midpoint/features/current/)
![image](midpoint-high-level-component-structure.png)
**ADV01:** Apache License and European Union Public License
**ADV02:** [requirements](https://docs.evolveum.com/midpoint/install/system-requirements/); [Docker Alpine image installation](https://docs.evolveum.com/midpoint/install/docker/); need JRE 11+
![image](midpoint-environment-schema-HA.png)
**ADV03:** synchronize identities stores across all the inbound and outbound resources; PostgreSQL repository implementation internally; RBAC/ABAC supported; organizational structure, group membership, access control lists (ACLs), privileges managed; web UI for uiam management
**ADV04:** professional support; [rich tutorial](https://evolveum.com/get-started/) and documentations by evolveum; LTS program; large identity [connectors](https://docs.evolveum.com/connectors/connectors/); [shared roadmap](https://docs.evolveum.com/midpoint/roadmap/)|**Advantage:** lot of integration with third-party solution around the identity management; very large documentations for IAM management and segregation of duties between the components
**Disadvantage:** complementary solution to external directories|`COOL`| | [Apache Directory Server](https://directory.apache.org/) |
**ADV02:** written in Java
**ADV03:** certified as LDAP v3 compliant by the Open Group (ApacheDS), and Eclipse-based directory tools (Apache Directory Studio); supports Kerberos 5 and the Change Password Protocol; [Apache directory studio](https://directory.apache.org/studio/) LDAP browser| |`OK`| -| [Keycloak](https://www.keycloak.org/) |Access management system; single-Sign On, user accounts and authorizations management; fine-grained support of [abac/rbac/ubac/cbac policies](https://www.keycloak.org/docs/latest/authorization_services/index.html) for authorization services
**ADV01:** Apache 2 license
**ADV02:** Java 11+ supported; compatible under [Docker](https://www.keycloak.org/server/containers) and Kubernetes; several database supported (e.g postgreSQL, mysql, mariadb); low resources required (512Mo RAM, 1Go disk space)
**ADV03:** integration with identity providers (e.g via OpenID Connect, SAML 2.0, Kerberos); user accounts federation (e.g LDAP, Active Directory, RDBMS servers) or stand-alone implementation; admin console (e.g update the profile, change passwords, and setup two-factor authentication); management of authorization policies; OAuth2 supported; administration RESTful api; TLS for end-point exposure; tenant with realm for applications and/or users groups management; clients adapters (e.g javascript, SpringBoot via OpenID); [extensions](https://www.keycloak.org/extensions.html); [theming extension with React](https://www.keycloakify.dev/); [France Connect connector](https://github.com/InseeFr/Keycloak-FranceConnect)
**ADV04:** sponsored by Redhat|**Advantage:** Keycloack's token are digitally signed so the app just need to verify the digital signature without contacting the Keycloak server; Identity brokering; efficient support community and active forums; clear documentation|`OK`| +| [Keycloak](https://www.keycloak.org/) |Access management system; Single-Sign On, user accounts and authorizations management; fine-grained support of [abac/rbac/ubac/cbac policies](https://www.keycloak.org/docs/latest/authorization_services/index.html) for authorization services
**ADV01:** Apache 2 license
**ADV02:** Java 11+ supported; compatible under [Docker](https://www.keycloak.org/server/containers) and Kubernetes; several database supported (e.g postgreSQL, mysql, mariadb); low resources required (512Mo RAM, 1Go disk space)
**ADV03:** integration with identity providers (e.g via OpenID Connect, SAML 2.0, Kerberos); user accounts federation (e.g LDAP, Active Directory, RDBMS servers) or stand-alone implementation; admin console (e.g update the profile, change passwords, and setup two-factor authentication); management of authorization policies; OAuth2 supported; administration RESTful api; TLS for end-point exposure; tenant with realm for applications and/or users groups management; clients adapters (e.g javascript, SpringBoot via OpenID); [extensions](https://www.keycloak.org/extensions.html); [theming extension with React](https://www.keycloakify.dev/); [France Connect connector](https://github.com/InseeFr/Keycloak-FranceConnect)
**ADV04:** sponsored by Redhat|**Advantage:** Keycloack's token are digitally signed so the app just need to verify the digital signature without contacting the Keycloak server; Identity brokering; efficient support community and active forums; clear documentation|`OK`| | [CAS](https://github.com/apereo/cas) |Single sign-on solution
**ADV01:** Apache 2.0 licensed
**ADV02:** Docker compatible; based on SpringBoot/Cloud; Java 11+ supported; Apache Tomcat used
**ADV03:** Java server component; lot of protocols supported (e.g OAuth2, SAML2, OpenID...); authorization via ABAC; delegated authorization (e.g Facebook, Twitter, OpenID connect...); HA clustered deployments via Hazelcast, Ehcache, JPA, Apache Cassandra, Memcached, Apache Ignite, MongoDb, Redis, DynamoDb, Couchbase and more; application registration backed by JSON, MongoDb, Redis and more; multifactor authentication via Duo Security, YubiKey, RSA, Google Authenticator, U2F, WebAuthn and more; administrative UIs; user interface theme and branding; password management and password policy enforcement; Spring Webflow to do script processing of login and logout protocols
**ADV04:** project under control by Apereo with announced [roadmap](https://www.apereo.org/projects/cas)|**Disadvantage:** CAS server's token must be verified by contacting the CAS server (so both user and app need to access the CAS server) but [CAS Service Tickets are signed and can be verified](https://apereo.github.io/cas/development/installation/Configure-ServiceTicket-JWT.html) without contacting the CAS Server|`OK`| | [Apache Syncope](https://syncope.apache.org) |Cross-platform solution for managing digital identities, covering identity management process (provisioning, auditing, reporting, administration, policy management, password management, password policy management)
**ADV01:** Apache 2.0 license
**ADV02:** implemented in JEE technology
**ADV03:** REST API; admin UI; end-user UI web app for self-registration, self-service and password reset; JAX-RS 2.0 RESTful interface to consume services; ConnId for communication with Identity Stores compatible (e.g Google apps, OS, Windows AD, databases) connectors (e.g CSV directory, LDAP, database table, SOAP)|**Disadvantage:** good for integration with complementary IAM sub-systems but need more components for quiakc/easy deployment; risk on complexity and low features implemented by default|`KO`| | [Gluu](http://gluu.org/) |Identity and access management; Customer Identity and Access, Two-Factor authentication; Identity brokering
**ADV01:** Gluu [licensed](https://gluu.org/docs/gluu-server/4.4/#license) (complex about open source components scope)
**AD02:** Ubuntu/Debian/centOS/Redhat packages; Kubernetes compatible
**ADV03:** OpenID provider (profile, centralized authentication for web/mobile); full FIDO server stack; user managed assess to interact with a person post-authentication (e.g consent); SAML 2.0, OAuth 2.0, SCIM, LDAP, Radius (open source Radius server called Radiator is recommended than very small implementation by default embedded in Gluu) supported; priced cluster manager|**Disadvantage:** doubt on open source licensing with potential risk for CYBNITY customers|`KO`| @@ -324,7 +324,7 @@ The acceptance level per differentiation criteria is evaluated as: | Keycloak |OK| |OK| | | | | | PostgreSQL |OK| |OK| | | | | | Apache Solr | | | | | | | | -| JanusGraph | | | | | | | | +| JanusGraph |OK| |OK| | | | | | MongoDB | | | | | | | | | Telegraf Agent | | | | | | | | | Grafana | | | | | | | | diff --git a/demonstrators-line/demonstrator-v0/v0-technologies-stack.md b/demonstrators-line/demonstrator-v0/v0-technologies-stack.md index dc326fa..7c6d76c 100644 --- a/demonstrators-line/demonstrator-v0/v0-technologies-stack.md +++ b/demonstrators-line/demonstrator-v0/v0-technologies-stack.md @@ -68,8 +68,8 @@ Should allow definition and test of basic software factory implementation allowi None supervision requirements required regarding the step of the CYBNITY Foundation project. # CURRENT MPP OFFICIAL VERSION -- Version: 0.34.0 -- Released at: August, 20, 2024 +- Version: 0.35.0 +- Released at: August, 26, 2024 - Status: `RELEASED` - Documentation: [technologies-stack-analysis](technologies-stack-analysis.md) - Deliverables: @@ -80,7 +80,7 @@ None supervision requirements required regarding the step of the CYBNITY Foundat org.cybnity techstack - 0.34.0 + 0.35.0 
@@ -175,6 +175,7 @@ Presentation of the technologies and frameworks used for implementation of the C |Vert.x Redis Client|Interactions with Redis messaging system(s)|Extension connector with Redis broker(s)|Java, JSON|Vert.x Core| |Lettuce Redis Client|Interactions with Redis messaging system(s)|Client library for integration with Redis broker(s)|Java, JSON|JVM| |JanusGraph Client|Interactions with JanusGraph repository|Client library for integration with JanusGraph (Gremlin server)|Java|JVM| +|Keycloak Client|Interactions with Keycloak SSO server|Client libraries (e.g admin, auth apis) for integration with Keycloak server|Java|JVM| |Vert.x Kafka Client|Interactions with Kafka messaging system(s)|Client library for integration with Kafka broker(s)|Java, JSON|Vert.x Core| |Zookeeper Client|Interactions with Zookeeper directory|Client library for access to resources directory (e.g Kafka, Redis brokers)|Java|JVM| |Redis|Interactions between UI layer's service components|Broker of distributed events, persistence of shared data|Java, JSON|JVM|
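Review bot: the new `[25.0.4,)` open-ended version range in the `pom.xml` properties hunk (consumed as `${keycloak.client}`) makes every build resolve whatever newest Keycloak client release the repository offers, including future major versions with breaking API changes, so builds are not reproducible and a dependency upgrade can land without review; pin a fixed version such as `25.0.4` and bump it deliberately. The neighbouring `[1.1.0,)` and `[1.9.2,)` entries follow the same convention, but the client library for the identity server is the one to lock down first.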
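Review bot: in the `dependencyManagement` hunk of `pom.xml`, `keycloak-admin-client` declares `compile` scope explicitly while `keycloak-authz-client` declares none; both resolve to compile, so remove the redundant `compile` (or add it to both) for consistency. Since `keycloak-admin-client` drives the admin REST API, the techstack documentation should also state which Keycloak credentials a consuming project is expected to configure, so that services get a dedicated service-account client holding only the roles they need rather than a realm-admin account.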
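Review bot: the Keycloak row hunk in `technologies-stack-analysis.md` changes only `single-Sign On` to `Single-Sign On` but leaves several errors on the same rewritten line: `Keycloack's token are digitally signed so the app just need` should read `Keycloak's tokens are digitally signed so the app just needs`, and `512Mo RAM, 1Go disk space` should use `512 MB` and `1 GB`. With the client now tracked from `25.0.4`, also confirm that the `Java 11+ supported` statement still holds for the Keycloak server version being integrated.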
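Review bot: the `@@ -324,7 +324,7 @@` hunk marks JanusGraph as `OK` in two acceptance columns, which is unrelated to the Keycloak client dependency management this commit describes; either move it to its own commit or mention it in the commit message so the change in acceptance level stays traceable.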
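Review bot: in the `v0-technologies-stack.md` table row, `Client libraries (e.g admin, auth apis)` is imprecise for the artifacts actually added: `keycloak-authz-client` is the Authorization Services client (policy evaluation and permissions), not an authentication library; describe the row as `admin REST API, authorization services` so readers pick the right artifact for their use case.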