此内容没有您所选择的语言版本。

Chapter 6. Securing OData APIs for a virtual database by using 3scale and RH-SSO


You can integrate data virtualization with 3scale and Red Hat’s single sign-on technology to apply advanced authorization and authentication controls to the OData endpoints for your virtual database services. By using 3Scale as a gateway to your API, you ensure that only authorized users have access, and you can control the level of access a user has based on who they are (role-based access).

By default, after you create a virtual database, the OData interface to it is discoverable by the 3Scale API management system, as long as 3Scale system is defined to same cluster and namespace. Using 3scale’s API management features, you can control access to the OData API, and track usage. By further securing access to the API through SSO, you can define user roles and implement role-based access to the API endpoints. After you complete the configuration, you can control access in the virtual database at the level of the view, column, or data source.

The Red Hat SSO technology uses OpenID-Connect as the authentication mechanism to secure the API, and uses OAuth2 as the authorization mechanism. When a user logs in, 3scale negotiates authentication with the Red Hat SSO package. If the authentication succeeds, 3scale passes a security token to the OData API for verification. The OData API then reads permissions from the token and applies them to the data roles that are defined for the virtual database.

Prerequisites

  • You have installed and configured Red Hat’s single sign-on technology. For more information about how to configure SSO to secure OData APIs for a virtual database, see the Teiid OpenShift documentation.
  • You have 3scale API Management installed in the OpenShift cluster that hosts your virtual database.
  • You have configured integration between 3scale and SSO. For more information, see Configuring Red Hat Single Sign-On integration in Using the Developer Portal.

    • You have configured the Red Hat SSO technology for OpenID Connect.
    • You have created SSO security realms.
    • You have specified an Admin client ID, protocol, and access type.
    • You have assigned the realm-management and manage-clients roles.
    • You created API users and specified credentials.
    • You configured 3scale to use OpenID-Connect as the authentication mechanism and OAuth2 as the authorization mechanism.

6.1. Updating the virtual database configuration

After you finish setting up single sign-on in OpenShift, you must modify virtual database settings before you can use SSO to secure your OData APIs. You must update the following artifacts:

  • pom.xml
  • application.properties
  • Configuration map
  • deploymentconfig.yml
  • DDL file

After you update the virtual database configuration, update the 3scale configuration to complete the integration.

Prerequisites

  • You completed the SSO configuration.

6.1.1. Adding SSO dependencies to pom.xml

Prerequisites

  • You completed the configuration to integrate 3scale with SSO.

Procedure

  • Edit the pom.xml file to add the following SSO dependencies:

    <dependency>
      <groupId>org.teiid</groupId>
      <artifactId>spring-keycloak</artifactId>
    </dependency>

6.1.2. Adding SSO settings to application.properties

Update properties in the application.properties file to support integration with SSO.

Procedure

  1. Log in to the Red Hat Single Sign-On Admin Console to find the values for the following authentication properties:

    • keycloak.realm
    • keycloak.auth-server-url
    • keycloak.resource
    • keycloak.ssl-required
    • keycloak.public-client
    • keycloak.principal-attribute
  2. Open the application.properties file from src/main/resources/ and add values for the preceding properties. For example:

    keycloak.realm = 3scale-sso
    keycloak.auth-server-url = http://keycloak-staging.dev.openshiftapps.com/auth
    keycloak.resource = di
    keycloak.ssl-required = external
    keycloak.public-client = true
    keycloak.principal-attribute=preferred_username

6.1.3. Creating a configuration map

In application.properties you assign static properties that do not change between deployment environments. For settings that can change between environments, such as authentication URLs and credentials, you might want to apply different values depending on the environment. To make it easy to apply different values for environment-specific settings, you can specify their values as properties in a configuration map. In each environment in which you deploy a virtual database, use a configuration map with the same name, but vary the map contents (the authentication URL and secret) to match the environment. Then, in each environment where you deploy the virtual database, the virtual database retrieves its version of the authentication values from the map.

You run an OpenShift command to create a configuration map and add values for the following properties:

  • keycloak.auth-server-url
  • keycloak.credentials.secret

Procedure

  1. Run the following command:

    oc create configmap my-config --from-literal=keycloak.auth-server-url=http://<keycloakURL> --from-literal=keycloak.credentials.secret=<secretValue>

    For example,

    oc create configmap my-config --from-literal=keycloak.auth-server-url=http://keycloak-staging.dev.example.com/auth --from-literal=keycloak.credentials.secret=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

    The preceding command creates a configuration map in OpenShift with the name my-config, which you can then reference from the deployment configuration file (deploymentconfig.yml).

6.1.4. Updating SSO environment variables in the deploymentconfig.yml file

In the deploymentconfig.yml file you can specify environment variables to apply different settings in each environment where you deploy a virtual database. For example, if you are deploying a virtual database to both a staging environment and a production environment, you can specify different environment variables in each to customize the settings for that environment.

To support SSO, you must add environment variables to the deploymentconfig.yml file.

Procedure

  • From src/main/fabric8, open the deploymentconfig.yml file and add the following environment variables:

    - name: KEYCLOAK_AUTHSERVERURL
      valueFrom:
         configMapKeyRef:
           name: <config-name>
           key: keycloak.auth-server-url
    - name: KEYCLOAK_CREDENTIALS_SECRET
      valueFrom:
         configMapKeyRef:
           name: <config-name>
           key: keycloak.credentials.secret

    For example,

    - name: KEYCLOAK_AUTHSERVERURL
      valueFrom:
         configMapKeyRef:
           name: my-config
           key: keycloak.auth-server-url
    - name: KEYCLOAK_CREDENTIALS_SECRET
      valueFrom:
         configMapKeyRef:
           name: my-config
           key: keycloak.credentials.secret

    If you deploy a virtual database in multiple environments that use different realm or client settings, be sure to specify unique realm and client properties in the SSO configuration that you establish for each environment.

6.1.5. Defining user roles in the DDL file

To apply unique data roles to different users, you must define those roles in the DDL file.

Procedure

  1. Add the following lines to the DDL file in src/main/resources:

    CREATE ROLE ReadRole WITH JAAS ROLE ReadRole;
    GRANT SELECT ON TABLE "<tableName.fieldName>” TO ReadRole

    For example,

    CREATE ROLE ReadRole WITH JAAS ROLE ReadRole;
    GRANT SELECT ON TABLE "portfolio.CustomerZip" TO ReadRole

    In the preceding example, the first line creates a role with the name ReadRole. Map this role to a role with the same name that you created in the SSO configuration, as described in Securing an OData API with Keycloak in the Teiid OpenShift repository. You can use a different role name, but for simplicity, it’s best to use the same name. The second line grants SELECT permission to the portfolio.CustomerZip View to users who are assigned the ReadRole.

    After you make changes to the project to integrate 3scale and enable SSO, rebuild the virtual database image and deploy it to OpenShift. For information about how to build and deploy the image, see Section 4.14, “Building a data virtualization project”.

6.2. Updating the 3scale configuration

Prerequisites

  • You have configured SSO.
  • You have made updates to the virtual database service to support SSO.

Procedure

  1. Log in to the 3scale admin portal, and from the page header, click the name of the API for which you want to enable OpenId Connect integration with SSO.
  2. From the Overview page, click Configuration in the Configuration, Methods and Settings section.
  3. Click edit integration settings.
  4. In the Authentication section, click OpenID Connect, and click Update Service.
  5. From the Configuration page, click the edit APIcast configuration.
  6. Expand the Authentication Settings section to view the authentication options.
  7. In the OpenID Connect Issuer field, type the URL of your SSO server, and the client ID and client secret that you previously defined in Red Hat SSO Admin Console.
  8. Click Update the Staging Environment.
  9. Create a new application so that 3scale can synchronize it with SSO.

    1. From the page header, click Audience, and then select a Developer account.
    2. From the submenu, click Applications.
    3. Click Create Application, and then type a name and description for the application.
    4. For more information about creating applications, see Set up applications.
    5. Select an application plan for the virtual database API that you want to secure. You can select an existing application plan or create a new one. For information about how to create an application plan, see How to create an application plan in the 3scale Admin Portal Guide.
    6. From the API Credentials section, record the values of the client ID and client secret. You must supply these credentials to access the API. If no value is displayed for the client secret, click Add random key to populate the field.
    7. Specify a redirect URL. You use the redirect URL to test the integration in Postman or other REST clients.
    8. In the Redirect URL field click Edit, type a callback link, for example, https://openidconnect.net/callback, and then click Update.
Red Hat logoGithubRedditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

© 2024 Red Hat, Inc.