Allow pushing user-allocation membership to Keycloak #249
@knikolla Two more questions:
@knikolla I've addressed your comments except one. Also, do you have responses to these questions?
@QuanMPhm please resolve conflicts. Are there any questions that I missed answering?
knikolla
left a comment
Did a quick first pass and provided some comments.
Also, this needs to be configurable via a setting.
@QuanMPhm Actually, another thought, do you think it would make sense to implement this in the Keycloak plugin? https://github.com/nerc-project/coldfront-plugin-keycloak It could listen to signals in the same way that the cloud plugin listens to signals. It already has a keycloak client implemented. And there is nothing in pushing users to a Keycloak group that is specific to either OpenShift or OpenStack.
@knikolla I see that it does make sense to separate the Keycloak functionality from the rest of the plugin. It makes sense to me. I forgot that repo existed. There would need to be some overhaul to add integration and unit tests to
For now let's keep it here (so as not to frontload the work) and we can easily split it out later if needed. Perhaps try implementing it here via signals so as to keep it loosely coupled, so that if we need to split it later it doesn't require a lot of uncoupling.
@knikolla @larsks I have a question about the Coldfront Keycloak PR. I know we previously decided to represent user-membership to an allocation by adding them to a Keycloak group with the same name as the |
knikolla
left a comment
Looking much better. Almost there.
A follow-up to this (after we merge the validate_allocations refactor) should investigate how to cleanly implement this in validate_allocations too.
Actually... I would make it a whole separate CLI command.
@knikolla I've allowed the group name template string to accept any allocation attribute. Further documentation is in the docstring for the function
@naved001 would appreciate a pass from you.
knikolla
left a comment
Had some more time to think about how to expose enabling/disabling the feature.
Pull request overview
Adds Keycloak integration to push ColdFront allocation membership into Keycloak group membership, driven by a resource-level group-name template and exercised via new functional tests/CI workflow.
Changes:
- Add Keycloak client + tasks to add/remove allocation users to/from Keycloak groups based on a configurable template.
- Wire Keycloak add/remove behavior into allocation-user signals when Keycloak is enabled via environment.
- Introduce Keycloak functional tests and CI scripts/workflow to run them.
Reviewed changes
Copilot reviewed 9 out of 11 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| src/coldfront_plugin_cloud/tests/functional/keycloak/test_keycloak.py | Adds functional tests validating Keycloak user/group membership behavior for allocation changes. |
| src/coldfront_plugin_cloud/tests/functional/keycloak/__init__.py | Introduces package for Keycloak functional tests. |
| src/coldfront_plugin_cloud/tasks.py | Adds Keycloak client caching and add/remove group membership tasks; adds group-name templating helper. |
| src/coldfront_plugin_cloud/signals.py | Hooks Keycloak add/remove tasks into allocation user add/remove signals behind an env flag. |
| src/coldfront_plugin_cloud/management/commands/validate_allocations.py | Tweaks logging/comment wording related to user sync validation. |
| src/coldfront_plugin_cloud/kc_client.py | Adds a Keycloak admin API client for groups/users operations. |
| src/coldfront_plugin_cloud/attributes.py | Adds resource attribute for Keycloak group name template. |
| requirements.txt | Adds requests dependency for the Keycloak client. |
| ci/setup-keycloak.sh | Adds Keycloak container bootstrap script for CI/local functional tests. |
| ci/run_functional_tests_keycloak.sh | Adds a runner script to execute Keycloak functional tests with required env vars. |
| .github/workflows/test-functional-keycloak.yaml | Adds a GitHub Actions workflow to run Keycloak functional tests. |
- A Keycloak admin client has been added.
- When `activate_allocation` is called, the user is added to a Keycloak group named using a format string defined in the allocation's resource attribute "Format String for Keystone Group Names".
- If the user does not already exist in Keycloak, the case is ignored for now.
- Keycloak integration is optional, toggled by setting the env var "KEYCLOAK_BASE_URL".
- Authentication to Keycloak is done via client credentials grant.
- When `deactivate_allocation` is called, the user is removed from the Keycloak group.
- New functional test added for Keycloak integration.
- A comment in `validate_allocations` has been updated to reflect the more restrictive validation behavior, where users on cluster projects will be removed if they are not part of the Coldfront allocation (rather than if they are not registered on Coldfront at all).
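The membership push described in the Copilot overview above and in the commit message (a group named from a resource-level template, add on activate, remove on deactivate, a missing Keycloak user ignored, the whole feature gated on `KEYCLOAK_BASE_URL`), as an added example that is not code from the PR or from coldfront-plugin-cloud. The Keycloak admin REST API is replaced by an in-memory stand-in (`FakeKeycloakAdmin`) so the example runs offline; the attribute-name constant, the handler name `on_allocation_user_change`, creating the group when it does not exist yet, and the sample users and allocation are all assumptions. The one point it adds beyond the page is a check on the template itself: because the group name is rendered from a `str.format` string stored as an attribute, the example only accepts plain allocation-attribute names as fields, so a template cannot use `{attr.__class__}`-style attribute or index access, positional fields, or attributes the allocation does not have.

```python
"""Added example, not the PR's code: ColdFront allocation membership mirrored
into Keycloak group membership, with the Keycloak admin API replaced by an
in-memory stand-in. All identifiers below are assumptions, not plugin names."""
import os
import string
from dataclasses import dataclass, field

# Assumed stand-in for the resource attribute that holds the template.
KEYCLOAK_GROUP_TEMPLATE_ATTR = "Format String for Keycloak Group Names"


def keycloak_enabled(environ=os.environ) -> bool:
    """The PR toggles the integration on the presence of KEYCLOAK_BASE_URL."""
    return bool(environ.get("KEYCLOAK_BASE_URL"))


def render_group_name(template: str, allocation_attrs: dict) -> str:
    """Expand a str.format-style template from allocation attributes only.

    Every field is validated before formatting: attribute/index access
    ("{x.__class__}", "{x[0]}"), positional or empty fields ("{0}", "{}"),
    and names the allocation does not have are rejected, so an admin-edited
    template can neither reach into Python objects nor silently render an
    ambiguous group name.
    """
    for _, field_name, _, _ in string.Formatter().parse(template):
        if field_name is None:
            continue  # literal text between fields
        if not field_name.isidentifier():
            raise ValueError(f"unsupported field {field_name!r} in template")
        if field_name not in allocation_attrs:
            raise ValueError(f"allocation has no attribute {field_name!r}")
    name = template.format_map({k: str(v) for k, v in allocation_attrs.items()})
    if not name.strip():
        raise ValueError("template rendered to an empty group name")
    return name


@dataclass
class FakeKeycloakAdmin:
    """In-memory stand-in for the subset of the Keycloak admin API needed here:
    user lookup by username, group lookup/creation by name, and adding or
    removing a user from a group. Real Keycloak addresses both by UUID."""
    users: dict = field(default_factory=dict)    # username -> user id
    groups: dict = field(default_factory=dict)   # group name -> group id
    members: dict = field(default_factory=dict)  # group id -> set of user ids

    def get_user_id(self, username: str):
        return self.users.get(username)

    def get_or_create_group_id(self, name: str) -> str:
        # Assumption: the group is created on first use if it does not exist.
        if name not in self.groups:
            self.groups[name] = f"group-{len(self.groups) + 1}"
            self.members[self.groups[name]] = set()
        return self.groups[name]

    def add_user_to_group(self, user_id: str, group_id: str) -> None:
        self.members[group_id].add(user_id)  # idempotent, like Keycloak's PUT

    def remove_user_from_group(self, user_id: str, group_id: str) -> None:
        self.members[group_id].discard(user_id)

    def group_members(self, name: str) -> set:
        gid = self.groups.get(name)
        return set() if gid is None else set(self.members[gid])


def on_allocation_user_change(kc, resource_attrs: dict, allocation_attrs: dict,
                              username: str, added: bool) -> str:
    """Signal-style handler: mirror one allocation-user add/remove into Keycloak.

    Returns "not-managed" when the resource has no template (nothing to do),
    "skipped" when the user is unknown to Keycloak (the PR ignores that case
    for now), otherwise "added" or "removed".
    """
    template = resource_attrs.get(KEYCLOAK_GROUP_TEMPLATE_ATTR)
    if not template:
        return "not-managed"
    group_name = render_group_name(template, allocation_attrs)
    user_id = kc.get_user_id(username)
    if user_id is None:
        return "skipped"
    group_id = kc.get_or_create_group_id(group_name)
    if added:
        kc.add_user_to_group(user_id, group_id)
        return "added"
    kc.remove_user_from_group(user_id, group_id)
    return "removed"


def demo():
    """Constructed data: two Keycloak users, one allocation, four membership events."""
    kc = FakeKeycloakAdmin(users={"alice": "u-1", "bob": "u-2"})
    resource = {KEYCLOAK_GROUP_TEMPLATE_ATTR: "nerc-{project_id}"}
    allocation = {"project_id": "proj-42", "project_name": "Demo Project"}
    results = [
        on_allocation_user_change(kc, resource, allocation, "alice", added=True),
        on_allocation_user_change(kc, resource, allocation, "carol", added=True),
        on_allocation_user_change(kc, resource, allocation, "bob", added=True),
        on_allocation_user_change(kc, resource, allocation, "alice", added=False),
    ]
    return results, kc.group_members("nerc-proj-42")


if __name__ == "__main__":
    print(demo())
```

Against a real Keycloak the stand-in's four methods map onto the admin API: user lookup by username (filter the result on the exact username, since the users and groups search endpoints match substrings), group lookup or creation, and PUT/DELETE on `/admin/realms/{realm}/users/{userId}/groups/{groupId}`, all authenticated with the bearer token obtained through the client-credentials grant the commit message describes.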
Closes nerc-project/operations#948. More details in the commit message.
There are still some questions I have below, so this is still a draft for now.