Setting up Keycloak admin user and gw resource profile
Project: http://git-wip-us.apache.org/repos/asf/airavata/repo Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/555eb6bc Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/555eb6bc Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/555eb6bc Branch: refs/heads/develop Commit: 555eb6bccb18767bc464a34d67edfd3a8ce33318 Parents: 3ed7880 Author: Marcus Christie <[email protected]> Authored: Fri Jun 16 11:24:41 2017 -0400 Committer: Marcus Christie <[email protected]> Committed: Fri Jun 16 11:24:41 2017 -0400 ---------------------------------------------------------------------- .../airavata/KeycloakIdentityServerClient.java | 22 ++++++++++++ .../org/apache/airavata/MigrationManager.java | 36 ++++++++++++++++---- 2 files changed, 51 insertions(+), 7 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/airavata/blob/555eb6bc/modules/user-profile-migration/src/main/java/org/apache/airavata/KeycloakIdentityServerClient.java ----------------------------------------------------------------------
diff --git a/modules/user-profile-migration/src/main/java/org/apache/airavata/KeycloakIdentityServerClient.java b/modules/user-profile-migration/src/main/java/org/apache/airavata/KeycloakIdentityServerClient.java
index e48e4df..6d26312 100644
--- a/modules/user-profile-migration/src/main/java/org/apache/airavata/KeycloakIdentityServerClient.java
+++ b/modules/user-profile-migration/src/main/java/org/apache/airavata/KeycloakIdentityServerClient.java
@@ -141,6 +141,28 @@ public class KeycloakIdentityServerClient {
 }
 }
+ public void setUserPassword(String realmId, String username, String newPassword) {
+ List<UserRepresentation> retrieveUserList = client.realm(realmId).users().search(username,
+ null,
+ null,
+ null,
+ 0, 1);
+ if (!retrieveUserList.isEmpty()) {
+ UserResource retrievedUser = client.realm(realmId).users().get(retrieveUserList.get(0).getId());
+ CredentialRepresentation credential = new CredentialRepresentation();
+ credential.setType(CredentialRepresentation.PASSWORD);
+ credential.setValue(newPassword);
+ credential.setTemporary(false);
+ retrievedUser.resetPassword(credential);
+ // Remove the UPDATE_PASSWORD required action
+ UserRepresentation userRepresentation = retrievedUser.toRepresentation();
+ userRepresentation.getRequiredActions().remove("UPDATE_PASSWORD");
+ retrievedUser.update(userRepresentation);
+ } else {
+ throw new RuntimeException("Requested user not found");
+ }
+ }
+
 private Map<String,RoleRepresentation> getRealmRoleNameMap(String targetRealm) {
 return this.client.realm(targetRealm).roles().list()
 .stream() http://git-wip-us.apache.org/repos/asf/airavata/blob/555eb6bc/modules/user-profile-migration/src/main/java/org/apache/airavata/MigrationManager.java ----------------------------------------------------------------------
diff --git a/modules/user-profile-migration/src/main/java/org/apache/airavata/MigrationManager.java b/modules/user-profile-migration/src/main/java/org/apache/airavata/MigrationManager.java
index 067cdd1..ef89cf1 100644
--- a/modules/user-profile-migration/src/main/java/org/apache/airavata/MigrationManager.java
+++ b/modules/user-profile-migration/src/main/java/org/apache/airavata/MigrationManager.java
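Review bot: `setUserPassword` resets the password of whichever account comes back first from `users().search(username, null, null, null, 0, 1)`, but unless the Keycloak version in use does exact matching for that parameter, the username argument of the admin client's `search` is a partial (LIKE) match, so for an admin called `admin` a user `admin2` can be returned first and have its password overwritten with the gateway admin's credential. Filter the result for an exact username (case-insensitively, since this same commit notes that Keycloak lower-cases usernames) before resetting, and fail when nothing matches. `getRequiredActions()` may also come back null on a freshly fetched representation depending on the version, so guard it before calling `remove`. The hunk contains the whole method.
```java
public void setUserPassword(String realmId, String username, String newPassword) {
    // users().search() is a partial match; insist on the exact account (Keycloak stores usernames lower-cased)
    UserRepresentation match = client.realm(realmId).users().search(username, null, null, null, 0, 50)
            .stream()
            .filter(u -> username.equalsIgnoreCase(u.getUsername()))
            .findFirst()
            .orElseThrow(() -> new RuntimeException("Requested user not found: " + username));
    UserResource retrievedUser = client.realm(realmId).users().get(match.getId());
    // … unchanged: credential construction and resetPassword …
    UserRepresentation userRepresentation = retrievedUser.toRepresentation();
    if (userRepresentation.getRequiredActions() != null) {
        userRepresentation.getRequiredActions().remove("UPDATE_PASSWORD");
    }
    retrievedUser.update(userRepresentation);
}
```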
@@ -23,6 +23,9 @@ import org.apache.airavata.api.Airavata;
 import org.apache.airavata.api.client.AiravataClientFactory;
 import org.apache.airavata.common.exception.ApplicationSettingsException;
 import org.apache.airavata.common.utils.Constants;
+import org.apache.airavata.credential.store.client.CredentialStoreClientFactory;
+import org.apache.airavata.credential.store.cpi.CredentialStoreService;
+import org.apache.airavata.model.appcatalog.gatewayprofile.GatewayResourceProfile;
 import org.apache.airavata.model.credential.store.PasswordCredential;
 import org.apache.airavata.model.error.AiravataClientException;
 import org.apache.airavata.model.security.AuthzToken;
@@ -164,7 +167,8 @@ public class MigrationManager {
 userProfile.setAccountLocked(claim.getValue().equals("true"));
 }
 }
- userProfile.setUserName(user);
+ // Lowercase all usernames as required by Keycloak and User Profile service
+ userProfile.setUserName(user.toLowerCase());
 userProfile.setGatewayID(creds.getGateway());
 userProfile.setPhones(phones);
 if (!userProfile.isAccountLocked()) {
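Review bot: `user.toLowerCase()` on the new line in the second hunk uses the JVM default locale, so the username that becomes the Keycloak and profile-service identity can differ between machines running the migration (the Turkish-locale dotted/dotless `i` being the classic case); use `userProfile.setUserName(user.toLowerCase(Locale.ROOT));` and add `java.util.Locale` to the imports. Lower-casing also merges any WSO2 IS usernames that differ only by case into a single identity; whether that can occur is not visible here, so a collision check, or at least a logged warning, before the profile is created would be prudent. The method containing that hunk starts before it. The imports hunk also brings in `CredentialStoreClientFactory` and `CredentialStoreService`, which none of the hunks shown use.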
@@ -271,6 +275,18 @@ public class MigrationManager {
 // Update Gateway profile with the client id and secret
 System.out.println("Updating gateway with OAuth client id and secret ...");
 tenantProfileServiceClient.updateGateway(authzToken, gatewayWithIdAndSecret);
+
+ KeycloakIdentityServerClient keycloakIdentityServerClient = getKeycloakIdentityServerClient();
+ // Set the admin user's password to the same as it was for wso2IS
+ keycloakIdentityServerClient.setUserPassword(gatewayId, this.gatewayAdminUsername, this.wso2ISAdminPassword);
+
+ // Create password credential for admin username and password
+ String passwordToken = airavataClient.registerPwdCredential(authzToken, gatewayId, this.gatewayAdminUsername, this.gatewayAdminUsername, this.wso2ISAdminPassword, "Keycloak admin password for realm " + gatewayId);
+
+ // Update gateway resource profile with tenant id (gatewayId) and admin user password token
+ GatewayResourceProfile gatewayResourceProfile = airavataClient.getGatewayResourceProfile(authzToken, gatewayId);
+ gatewayResourceProfile.setIdentityServerTenant(gatewayId);
+ gatewayResourceProfile.setIdentityServerPwdCredToken(passwordToken);
 return true;
 }
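Review bot: The `GatewayResourceProfile` fetched and modified at the end of this hunk is never written back — `setIdentityServerTenant` and `setIdentityServerPwdCredToken` only change the local copy before `return true;`, so the tenant id and the password-credential token are not persisted anywhere. Persist it right after the two setters, presumably with `airavataClient.updateGatewayResourceProfile(authzToken, gatewayId, gatewayResourceProfile);`. Separately, the Keycloak realm admin is given the WSO2 IS admin password verbatim, marked non-temporary, and that same password is also copied into the credential store; since the gateway will authenticate through the stored token anyway, generating a fresh password for the Keycloak account (e.g. with `SecureRandom`) would avoid carrying one secret across two identity systems, and if reuse is intentional for the human admin the comment should say so. The enclosing method starts before this hunk.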
@@ -308,14 +324,18 @@ public class MigrationManager {
 }
 private void migrateUserProfilesToKeycloak(List<UserProfileDAO> Wso2ISProfileList){
- KeycloakIdentityServerClient client = new KeycloakIdentityServerClient(this.keycloakServiceURL,
- this.keycloakAdminUsername,
- this.keycloakAdminPassword,
- this.keycloakTrustStorePath,
- this.keycloakTrustStorePassword);
+ KeycloakIdentityServerClient client = getKeycloakIdentityServerClient();
 client.migrateUserStore(Wso2ISProfileList, this.gatewayId, this.keycloakTemporaryUserPassword, this.roleConversionMap);
 }
+ private KeycloakIdentityServerClient getKeycloakIdentityServerClient() {
+ return new KeycloakIdentityServerClient(this.keycloakServiceURL,
+ this.keycloakAdminUsername,
+ this.keycloakAdminPassword,
+ this.keycloakTrustStorePath,
+ this.keycloakTrustStorePassword);
+ }
+
 private void loadConfigFile(String filename) {
 Properties properties = new Properties();
 try {
@@ -361,8 +381,10 @@ public class MigrationManager {
 List<UserProfileDAO> userProfileList = migrationManager.getUserProfilesFromWso2IS();
 try {
 migrationManager.migrateGatewayProfileToAiravata();
- migrationManager.migrateUserProfilesToAiravata(userProfileList);
+ // Must migrate profiles to Keycloak first because Profile Service will attempt to keep user profiles
+ // in since with Keycloak user profiles
 migrationManager.migrateUserProfilesToKeycloak(userProfileList);
+ migrationManager.migrateUserProfilesToAiravata(userProfileList);
 } catch (Exception e) {
 throw new RuntimeException(e);
 }
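Review bot: `getKeycloakIdentityServerClient()` in the first hunk builds a brand-new client with the Keycloak admin credentials on every call, and after this commit it is invoked from both the gateway-profile step elsewhere in this diff and `migrateUserProfilesToKeycloak`, so the admin password is presented to Keycloak once per step and, if the client holds a session or connection, nothing visible here closes either instance. Either construct the client once and keep it in a field, or add a one-line comment stating that a fresh client per step is intended. In the second hunk the new comment contains a typo that changes its meaning: `// in since with Keycloak user profiles` should read `// in sync with Keycloak user profiles`. The method containing the second hunk starts before it.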
