...

  • The JS7 - Identity Services offer integration with the Keycloak® authentication server.
  • The Keycloak Identity Service integration is available from JOC Cockpit:
    • This requires Keycloak® to be downloaded, installed and operated by the user. Keycloak is not a built-in Identity Service and does not ship with JS7.
    • JS7 implements a REST client for use with Keycloak® 16.0 and newer.

Identity Service Types

...

Column groups: Service Type and Built-in describe the Keycloak Server / Identity Service; the next four columns are the Identity Service Configuration Items; Roles Mapping is the JOC Cockpit Configuration.

Service Type | Built-in | User Accounts/Passwords stored with | User Accounts/Passwords managed by | Roles/Permissions stored with | Roles->User Accounts Mapping managed with | Roles Mapping
KEYCLOAK     | no       | Keycloak Server                     | Keycloak Server                    | JS7 Database                  | Keycloak Server                           | Mapping of Keycloak Roles to JOC Cockpit Roles
KEYCLOAK-JOC | no       | Keycloak Server                     | Keycloak Server                    | JS7 Database                  | JOC Cockpit                               | Mapping of user accounts and roles with JOC Cockpit


Explanation:

  • Service Type: KEYCLOAK
    • Management of user accounts and passwords is performed by the Keycloak Server.
    • In addition, an automated mapping of roles - assigned to a user account in Keycloak - to JOC Cockpit roles takes place.
    • The JOC Cockpit does not know any user accounts, passwords or role assignments as this information is managed with Keycloak only.
  • Service Type: KEYCLOAK-JOC
    • Management of user accounts and passwords is performed by the Keycloak Server.
    • The assignment of roles to user accounts is performed with the JOC Cockpit and is stored with the JS7 database.
    • The JOC Cockpit knows user accounts and role assignments. The JOC Cockpit does not know passwords as this information is managed with Keycloak only.

...

    • Keycloak only

Keycloak Authentication Methods

JS7 supports the following authentication methods with Keycloak:

  • Username & Password
  • LDAP
    • It is not required to use Keycloak to connect to an LDAP Directory Service as there is the built-in JS7 - LDAP Identity Service for this purpose.
    • This authentication method can be used with the KEYCLOAK Identity Service Type only.

JS7 does not support cloud based authentication methods with Keycloak as such methods are typically used for engineering and administrative roles with cloud services that are not related to an application such as JS7.

...

Keycloak.

Keycloak Server Configuration

Application Role

TODO: What has to be configured on the Keycloak side?

Authentication Methods

...

Account & Password

  • The authentication method is available from Keycloak.
  • If the KEYCLOAK Identity Service Type is used then:
    • user accounts are managed exclusively by Keycloak,
    • roles have to be set up in Keycloak with names that exactly match the names of roles in the JOC Cockpit:
      • a user account will be assigned the roles with matching names when performing a login to the JOC Cockpit,
      • it is not required to add specific permissions to roles with Keycloak.
  • If the KEYCLOAK-JOC Identity Service Type is used then:
    • user accounts are managed by Keycloak,
    • user accounts are added to the JOC Cockpit to allow assignment of roles:
      • user accounts in Keycloak and in the JOC Cockpit have to match as otherwise the user account is not assigned a role,
      • no passwords are managed by the JOC Cockpit.
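The two mapping rules above (and the account matching repeated for LDAP below), replayed as an added Python example; this is not code from JS7 or the JOC Cockpit. For the KEYCLOAK type a Keycloak role is assigned only where a JOC Cockpit role with the identical name exists, and the helper also reports roles that differ only in letter case, the usual reason a user ends up logged in without any role. For the KEYCLOAK-JOC type the Keycloak user name has to exist verbatim as a JOC Cockpit account. The token built here is an unsigned stand-in; the claim paths realm_access.roles and preferred_username, the JOC Cockpit role names and the account list are assumptions made for illustration, not taken from this page.

```python
import base64
import json

# JOC Cockpit roles: the JS7 default role names are assumed here for
# illustration; an installation may define others.
JOC_ROLES = {"all", "administrator", "application_manager", "it_operator",
             "incident_manager", "business_user", "api_user"}

# Accounts an administrator added to JOC Cockpit for the KEYCLOAK-JOC type
# (constructed sample data).
JOC_ACCOUNTS = {"ap": {"application_manager"}, "root": {"all"}}


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment of a JWT (JWTs omit the '=' padding)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(payload: dict) -> str:
    """Build a JWT-shaped string with alg 'none' and an empty signature, purely
    to have something to parse offline. A real Keycloak access token is signed
    and its signature must be verified before any claim is trusted."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(payload).encode())}."


def token_claims(token: str) -> dict:
    """Return the payload claims of a token. No signature verification here."""
    return json.loads(b64url_decode(token.split(".")[1]))


def map_roles_keycloak(roles, joc_roles=JOC_ROLES):
    """KEYCLOAK type: a Keycloak role maps only to the JOC Cockpit role with the
    identical name. Returns (assigned, near_misses); a near miss is a Keycloak
    role that differs from a JOC Cockpit role only in letter case."""
    by_lower = {r.lower(): r for r in joc_roles}
    assigned, near = [], []
    for role in roles:
        if role in joc_roles:
            assigned.append(role)
        elif role.lower() in by_lower:
            near.append((role, by_lower[role.lower()]))
    return sorted(assigned), near


def map_roles_keycloak_joc(username, joc_accounts=JOC_ACCOUNTS):
    """KEYCLOAK-JOC type: roles come from the account stored in JOC Cockpit, so
    the Keycloak user name must exist there verbatim; otherwise no role."""
    return sorted(joc_accounts.get(username, set()))


if __name__ == "__main__":
    # Constructed sample token: one matching role, one role with the wrong
    # case, and Keycloak's built-in offline_access role that JOC Cockpit ignores.
    token = make_unsigned_token({
        "preferred_username": "ap",
        "realm_access": {"roles": ["Business_User", "application_manager", "offline_access"]},
    })
    claims = token_claims(token)
    print(map_roles_keycloak(claims["realm_access"]["roles"]))
    # (['application_manager'], [('Business_User', 'business_user')])
    print(map_roles_keycloak_joc(claims["preferred_username"]))  # ['application_manager']
    print(map_roles_keycloak_joc("AP"))                          # [] because the name differs
```

The near-miss report is the check to run first when a Keycloak user can log in but sees an empty JOC Cockpit: the page requires exact name matches, so "Business_User" in Keycloak never maps to "business_user" in JOC Cockpit.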

LDAP

  • It is not necessary to use Keycloak to connect to an LDAP Directory Service as there is the built-in JS7 - LDAP Identity Service for this purpose.
  • The authentication method is available from Keycloak.
  • The KEYCLOAK Identity Service Type has to be used, meaning that:
    • user accounts are managed with Keycloak,
    • user accounts are added to the JOC Cockpit to allow assignment of roles:
      • user accounts in Keycloak and in the JOC Cockpit have to match as otherwise the user account is not assigned a role,
      • no passwords are managed by the JOC Cockpit.

...

When a user logs in to the JOC Cockpit then the user credentials are forwarded to the Keycloak Server that authenticates the user and returns an access token.

  • Access tokens are created with the following restrictions:
    • time to live (TTL):
      • the access token will expire after the given period,
      • the Identity Service renews the access token 60s before expiration; this step is performed for an arbitrary number of renewals. This requires that the access token's TTL exceeds 60s and that the token can be renewed by its owner.
    • maximum time to live:
      • the access token's overall lifetime is limited, renewals cannot take place after the specified period.
  • If an access token cannot be renewed by the Identity Service then the user session is terminated and the user is forced to log in and to specify credentials.
    • This happens in the event of the maximum TTL being exceeded or of the token having been revoked.
    • Keycloak administrators should check for reasonable values of the TTL, maybe not less than 300s, and of the maximum TTL, maybe at least 15 minutes, as otherwise users would have to log in again quite frequently.
  • The JOC Cockpit handles the idle timeout of user sessions independently of Keycloak, see JS7 - Identity Services.
    • If the idle timeout is exceeded then the user session is terminated.
    • The Identity Service can revoke the access token with the Keycloak server.
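The lifetime rules above as an added Python example; this is not code from JS7 or Keycloak. The check encodes the page's numbers (renewal 60s before expiry, suggested floors of 300s for the TTL and 15 minutes for the maximum TTL), and the simulation replays the renewals of one login for a given TTL and maximum TTL, showing when a renewal runs and when the user is forced to log in again. The renewal model, in which each renewal yields a token that lives another TTL but nothing outlives the maximum TTL counted from login, is my assumption about how the two limits interact; the function and field names are hypothetical.

```python
from dataclasses import dataclass, field

RENEW_LEAD = 60          # the Identity Service renews 60 s before expiry (from the page)
MIN_TTL = 300            # TTL floor the page suggests
MIN_MAX_TTL = 15 * 60    # maximum TTL floor the page suggests


@dataclass
class SessionTimeline:
    renewals: list = field(default_factory=list)  # seconds after login at which a renewal runs
    ends_at: int = 0                              # seconds after login when re-login is forced
    reason: str = ""


def check_token_settings(ttl: int, max_ttl: int) -> list:
    """Return the problems with a TTL / maximum TTL pair; an empty list means acceptable."""
    problems = []
    if ttl <= RENEW_LEAD:
        problems.append(f"TTL {ttl}s does not exceed the {RENEW_LEAD}s renewal lead: "
                        "the token can never be renewed")
    elif ttl < MIN_TTL:
        problems.append(f"TTL {ttl}s is below the suggested minimum of {MIN_TTL}s")
    if max_ttl < MIN_MAX_TTL:
        problems.append(f"maximum TTL {max_ttl}s is below the suggested minimum of {MIN_MAX_TTL}s")
    if max_ttl < ttl:
        problems.append("maximum TTL is shorter than TTL: even the first token is capped")
    return problems


def simulate_session(ttl: int, max_ttl: int, renew_lead: int = RENEW_LEAD) -> SessionTimeline:
    """Replay the renewal schedule for one login.
    Assumed model: every renewal issues a token that again lives ttl seconds,
    but no token outlives max_ttl seconds after login, and once that cap is
    reached no further renewal happens and the user has to log in again."""
    if ttl <= renew_lead:
        return SessionTimeline([], ttl, "TTL does not exceed the renewal lead; token expires unrenewed")
    timeline = SessionTimeline()
    expiry = min(ttl, max_ttl)
    while expiry < max_ttl:
        renew_at = expiry - renew_lead          # renewal runs renew_lead seconds before expiry
        timeline.renewals.append(renew_at)
        expiry = min(renew_at + ttl, max_ttl)   # new lifetime, capped by the maximum TTL
    timeline.ends_at = expiry
    timeline.reason = "maximum TTL reached; user must log in again"
    return timeline


if __name__ == "__main__":
    # Constructed settings: the page's suggested floors, a TTL too short to
    # renew, and a TTL longer than the maximum TTL.
    for ttl, max_ttl in ((300, 900), (60, 900), (3600, 900)):
        print(ttl, max_ttl, check_token_settings(ttl, max_ttl), simulate_session(ttl, max_ttl))
```

With the page's floors (300s / 15 min) the session renews at 240s, 480s and 720s and ends at 900s; with a 60s TTL nothing is ever renewed and the user is back at the login page after one minute, which is the behaviour the recommendation above is meant to avoid. In Keycloak terms the two values correspond to the realm's Access Token Lifespan and SSO Session Max settings; that mapping is my reading, not a statement of this page.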

Identity Service Configuration

The JOC Cockpit Manage Identity Services page from the user menu of an administrative account is provided for the configuration of Identity Services.

Add Identity Service

To add an Identity Service use the button Add Identity Service from the page shown above, which lists the available Identity Services.

The remaining input fields of the popup window are explained below.

Explanation:

...

Identity Service Settings

Having added a Keycloak Identity Service it is necessary to add settings for the Keycloak integration from the Identity Service's Manage Settings action menu item.

For use of the Keycloak Identity Service:

  • the Keycloak product has to be installed and has to be accessible for JOC Cockpit and
  • the following settings have to be specified:

Explanation:

...