How to set role-based login for jenkins in keycloak
Problem description
I am a complete beginner with Keycloak. I need some help.
I have an SSO solution and I want to integrate it with Jenkins. At this point, I want to permit only some users based on their role.
OpenID -- keycloak -- jenkins : all users who are in OpenID can log in to Jenkins (I don't want this)
OpenID -- keycloak (check role) -- jenkins : all users who are in OpenID and also have a specific role in Keycloak can log in to Jenkins (I want this)
I think this is a very simple and common example of using Keycloak, but I can't find the solution.
The steps I did are here.
- install the keycloak plugin in Jenkins.
- install Keycloak (version 5.0.0 using Helm)
- create realm
- create identity provider (OpenID)
- create client (named jenkins)
- "Installation" tab > copy Keycloak OIDC JSON to Jenkins
(see https://wiki.jenkins.io/display/JENKINS/keycloak-plugin )
Now I can log in to Jenkins successfully.
- create role in Realm Roles
- in the (jenkins) client, enable "Authorization Enabled"
- "Authorization" tab > "Policies" tab > "Create Policy" > "Role"
  select realm role and check required
- update JSON in Jenkins configuration.
Done, but it doesn't work.
Answer
I managed it the following way (using Keycloak 8.0.1, Jenkins 2.208):
Keycloak:
- create realm
- create client "jenkins" - set root URL to the Jenkins URL (e.g. http://127.0.0.1:8080)
- in client "jenkins" select tab "Installation" - format "Keycloak OIDC JSON" - copy to clipboard for the Jenkins setup below
- create role "jenkins_admin"
- create role "jenkins_readonly"
- create user "admin" and assign role "jenkins_admin"
- create a named user and assign role "jenkins_readonly"
Jenkins:
- install plugin "Keycloak Authentication Plugin"
- install plugin "Matrix Authorization Strategy Plugin"
- Manage Jenkins - "Configure System" - "Global Keycloak Settings" - enter the previously copied JSON (Keycloak step 3) into the "Keycloak JSON" area
- Manage Jenkins - Manage and Assign Roles - Manage Roles - Global Roles - (if not present) add role "admin" with all checkboxes selected - SAVE
- Manage Jenkins - Manage and Assign Roles - Manage Roles - Global Roles - add role "read_only" with "Overall Read" selected - SAVE
- Manage Jenkins - Manage and Assign Roles - Assign Roles - add group "jenkins_admin" to global roles and select "admin" - SAVE
- Manage Jenkins - Manage and Assign Roles - Assign Roles - add group "jenkins_readonly" to global roles and select "read_only" - SAVE
- "Configure Global Security" - select "Security Realm": "Keycloak Authentication Plugin"
- "Configure Global Security" - select "Authorization": "Role-Based Strategy" - SAVE
You should now be redirected to the Keycloak login. Try to log in as admin with admin rights, and as the named user with read-only rights.
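As an added illustration (not part of the original answer), the mapping the answer configures by hand, realm role "jenkins_admin" to Jenkins role "admin" and "jenkins_readonly" to "read_only", expressed as a check over the realm_access claim of a Keycloak token; a user with neither role ends up with no Jenkins role at all, which is what the question asks for. The token builder, the sample claims and the placeholder signature are constructed for offline use, and nothing here verifies the signature, which the Jenkins plugin does against Keycloak before trusting a token.

```python
import base64
import json

# Keycloak realm role -> Jenkins global role, as set up in the answer above
# (Assign Roles: group "jenkins_admin" -> "admin", "jenkins_readonly" -> "read_only").
ROLE_MAP = {"jenkins_admin": "admin", "jenkins_readonly": "read_only"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def realm_roles(token: str) -> list:
    """Return the realm roles carried in a Keycloak token payload.

    Only the payload is decoded; the signature is NOT checked here. The Jenkins
    Keycloak plugin validates the token against Keycloak before trusting it, and
    any other consumer must do the same before acting on these roles.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = json.loads(_b64url_decode(parts[1]))
    # Realm roles live under realm_access.roles; client roles would be under
    # resource_access.<client>.roles and are not used by this mapping.
    return payload.get("realm_access", {}).get("roles", [])


def jenkins_roles_for(token: str) -> set:
    """Map the token's realm roles onto Jenkins global roles.
    A user with no mapped role gets an empty set: authenticated, but holding no
    Jenkins role, which is the "only users with a specific role" behaviour asked for.
    """
    return {ROLE_MAP[r] for r in realm_roles(token) if r in ROLE_MAP}


def make_demo_token(claims: dict) -> str:
    """Build a constructed, unsigned demo token (placeholder signature) for offline use."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.PLACEHOLDER_SIGNATURE"


if __name__ == "__main__":
    # Constructed sample claims shaped like Keycloak's realm_access claim.
    for user, roles in (("admin", ["jenkins_admin", "offline_access"]),
                        ("alice", ["jenkins_readonly"]), ("bob", [])):
        token = make_demo_token({"preferred_username": user, "realm_access": {"roles": roles}})
        print(user, sorted(jenkins_roles_for(token)) or "no Jenkins role")
```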