adutra commented on PR #1397:
URL: https://github.com/apache/polaris/pull/1397#issuecomment-2815380643

   For those willing to test out integration with Keycloak:
   
   1. Start a Keycloak server on port 8080, e.g.: `http://localhost:8080/realms/master`
   
   2. With the Keycloak admin UI, configure a client to return the following claims (e.g. using hard-coded claim mappers):
     a. `polaris/principal_id`
     b. `polaris/principal_name`
     c. `polaris/roles`
   3. Run Polaris with:
   
   
   ```shell
   ./gradlew :polaris-quarkus-service:quarkusDev \
     -Dpolaris.realm-context.realms=realm1,realm2,realm3 \
     -Dpolaris.bootstrap.credentials="realm1,root,secret;realm2,root,secret;realm3,root,secret" \
     -Dpolaris.authentication.realm2.type=external \
     -Dpolaris.authentication.realm3.type=mixed \
     -Dquarkus.oidc.tenant-enabled=true \
     -Dquarkus.oidc.auth-server-url=http://localhost:8080/realms/master \
     -Dquarkus.oidc.roles.role-claim-path=polaris/roles \
     -Dpolaris.oidc.claims.principal-id-claim-path=polaris/principal_id \
     -Dpolaris.oidc.claims.principal-name-claim-path=polaris/principal_name
   ```
   
   4. 3 realms will be bootstrapped:
     a. `realm1` internal auth
     b. `realm2` external auth
     c. `realm3` mixed auth
   
   5. Obtain a token from Keycloak:
   
   ```shell
   curl -v http://localhost:8080/realms/master/protocol/openid-connect/token \
     -d client_id=client1 \
     -d client_secret=s3cr3t \
     -d grant_type=client_credentials
   ```
   
   7. Obtain a token from Polaris (realm1 or realm3):
   
   ```shell
   curl -v http://localhost:8181/api/catalog/v1/oauth/tokens \
     -H "Polaris-Realm: realm1" \
     -d client_id=root \
     -d client_secret=secret \
     -d grant_type=client_credentials \
     -d scope=PRINCIPAL_ROLE:ALL
   ```
   
   8. Using the token:
   
   ```shell
   curl -v http://localhost:8181/api/catalog/v1/config\?warehouse\=default \
     -H "Polaris-Realm: realm1"  \
     -H "Authorization: Bearer $token"
   ```
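
A check that can be run on the Keycloak token before it is sent to Polaris, added here as an example and not part of the original comment or the Polaris code base: it decodes the token payload and reports, for each claim path passed to Polaris in step 3, whether it resolves through nested JSON objects or only exists as a literal key containing `/`. The function names and sample tokens are constructed, and treating `/` as a separator between nested object names is an assumption about how these paths are resolved.

```python
import base64
import json

# Claim paths taken from the -D options in step 3 of the comment.
CLAIM_PATHS = ("polaris/principal_id", "polaris/principal_name", "polaris/roles")


def decode_payload(token: str) -> dict:
    """Return the JWT payload. Debugging aid only: the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated parts")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def locate(claims: dict, path: str):
    """Return 'nested', 'literal-key' or None for one '/'-separated claim path."""
    node = claims
    for segment in path.split("/"):
        if not isinstance(node, dict) or segment not in node:
            # Not reachable as nested objects; is it a flat key named with '/'?
            return "literal-key" if path in claims else None
        node = node[segment]
    return "nested"


def claim_report(token: str, paths=CLAIM_PATHS) -> dict:
    """Map each configured claim path to how (or whether) the token carries it."""
    claims = decode_payload(token)
    return {path: locate(claims, path) for path in paths}


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the check runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


if __name__ == "__main__":
    # Constructed payloads: one with nested objects, one with flat '/' keys.
    nested = make_sample_token({"polaris": {
        "principal_id": 1, "principal_name": "root", "roles": ["constructed_role"]}})
    flat = make_sample_token({"polaris/principal_id": 1,
                              "polaris/roles": ["constructed_role"]})
    for name, tok in (("nested", nested), ("flat", flat)):
        print(name, claim_report(tok))
```

A `None` or `literal-key` result for a path is a reason to review the corresponding claim mapper in Keycloak before debugging the Polaris side.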

