How can I configure endpoints for RBAC in Spring Boot via Cloud Config Server? - spring-boot

I want to give microservices the ability to configure endpoints and permissions for RBAC via Cloud Config Server. So if there is a service called mordor, and I add the following properties to its application.yml in Cloud Config Server's repo:
rbac:
  - endpoint: /v1/test1
    method: GET
    scopes: ["rest-write:all", "read-write:product"]
  - endpoint: /v1/test2
    method: POST
    scopes: ["read-write:product"]
then the endpoints mentioned above should be configured for RBAC. As of now, I am passing the scopes and permissions via an Auth0 JWT and using it for authentication. But with this, I will also be able to add RBAC based on the permissions I configure in Auth0's dashboard.
What is the best way to proceed with this?
I am able to get the rbac endpoints from Cloud Config Server, but the problem is how to add them to Spring Security. I already have a class OAuth2SecurityConfiguerer where httpSecurity is configured, but I haven't been able to add the endpoints to Spring Security because it might require iterating over the endpoints obtained from Cloud Config Server.
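One way to wire that rbac list into Spring Security, as an added example that is not code from the question author. It assumes Spring Boot 3 / Spring Security 6 with spring-boot-starter-oauth2-resource-server, that the Auth0 access token carries a space-separated scope claim (Spring's default JwtAuthenticationConverter turns each scope into a SCOPE_<scope> authority), and that the rbac entries reach the Environment however Cloud Config Server delivers them. The class, record and method names are hypothetical.

```java
package com.example.mordor.security;

import java.util.List;

import org.springframework.boot.context.properties.bind.Bindable;
import org.springframework.boot.context.properties.bind.Binder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical class; assumes Spring Boot 3 (records bind through their canonical constructor).
@Configuration
public class RbacSecurityConfig {

    /** One entry of the top-level "rbac" list: endpoint=/v1/test1, method=GET, scopes=[...]. */
    public record RbacRule(String endpoint, String method, List<String> scopes) {}

    /** Reads the "rbac" list from the Environment, whichever property source supplied it. */
    static List<RbacRule> loadRules(Environment env) {
        return Binder.get(env)
                .bind("rbac", Bindable.listOf(RbacRule.class))
                .orElse(List.of());
    }

    /** Maps configured scopes to the SCOPE_ authorities the default JWT converter produces. */
    static String[] scopeAuthorities(List<String> scopes) {
        return scopes.stream().map(s -> "SCOPE_" + s).toArray(String[]::new);
    }

    @Bean
    SecurityFilterChain rbacFilterChain(HttpSecurity http, Environment env) throws Exception {
        List<RbacRule> rules = loadRules(env);
        http.authorizeHttpRequests(auth -> {
            for (RbacRule rule : rules) {
                HttpMethod method = HttpMethod.valueOf(rule.method().toUpperCase());
                if (rule.scopes() == null || rule.scopes().isEmpty()) {
                    // A rule with no scopes is a config mistake: fail closed rather than open.
                    auth.requestMatchers(method, rule.endpoint()).denyAll();
                } else {
                    // Any one of the listed scopes is enough for hasAnyAuthority.
                    auth.requestMatchers(method, rule.endpoint())
                        .hasAnyAuthority(scopeAuthorities(rule.scopes()));
                }
            }
            // Endpoints not listed in the config still need a valid token.
            // Use denyAll() here if unlisted endpoints must not be reachable at all.
            auth.anyRequest().authenticated();
        })
        .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }
}
```

Two things to keep in mind: the rules are read once when the filter chain is built, so a change in the config repo needs a restart (an actuator refresh does not rebuild the chain), and matchers are evaluated in declaration order with the first match winning, so put narrow patterns before broad ones in the YAML.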

Related

Spring Cloud Config OAuth2 EndPoint

We have a spring cloud config service which is secured with OAuth2.
In another service, we are configuring this service with spring.config.import: {cloud-cfg-svc-uri}
Since the config service requires a Bearer token, I need to make a call to the token provider service and then use that token to call the cloud config service.
Is this feasible? Any pointers for help, please?

Spring boot admin server configuration on Cloud run

We have a few cloud run services deployed on Cloud run with Ingress control set to "All" and Authentication set to "IAM". These are REST APIs created using Spring boot framework. We have one more Cloud Run service which is deployed as Spring boot admin server with Ingress control set to "All" and Authentication set to "Allow Unauthenticated Invocations".
Now the backend team has configured the Cloud Run REST API services with the following Cloud Run endpoints in application.properties to communicate with the Spring Boot Admin server:
spring.boot.admin.client.url=${sm://cloud_run_rest_api_endpoint}
spring.boot.admin.client.instance.service-url=${sm://spring_boot_admin_server_cloud_run_endpoint}
This obviously fails on cloud run with 403 Unauthorized as the endpoints (Eg: /health, /metrics, /trace etc) required by Spring boot admin server from its clients need an Authorization Bearer token.
Is it possible to pass JWT token when accessing those endpoints ? Has anyone had success in setting up the same ? Or is there any possibility to have some of our cloud run service endpoints to be public on which we can later apply some security provided by spring ?
We are in the middle of setting up free API monitoring tool for our all APIs. Any recommendations are much appreciated.

Spring boot admin not showing secured endpoints of spring boot client

Installed spring boot admin and server.
All client endpoints are visible in spring boot admin but after adding security dependency in client secured endpoints are not visible in admin.
Provided credentials of admin and client in application.yaml of client.
Had the same problem. Firstly, you need to share the user and password from the admin client; this can be configured in the yml file:
spring.boot.admin.client:
  url: http://localhost:8080
  instance:
    metadata:
      user.name: ${spring.security.user.name}
      user.password: ${spring.security.user.password}
Also you need to enable HTTP Basic in the security config, because the SBA server then uses this metadata to make HTTP calls.
source: https://codecentric.github.io/spring-boot-admin/2.2.3/#_securing_client_actuator_endpoints
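The "enable HTTP Basic" step, as an added example that is not from the answer author or the Spring Boot Admin project. It assumes Spring Boot 3 / Spring Security 6 on the client, Basic credentials coming from spring.security.user.name/password (the same values the metadata above hands to the SBA server), and a separate, higher-priority chain scoped to actuator paths so the application's own chain is untouched. The class and bean names are hypothetical.

```java
package com.example.client.security;

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical class name; chain applies only to actuator endpoints.
@Configuration
public class ActuatorSecurityConfig {

    @Bean
    @Order(1) // evaluated before the application's main SecurityFilterChain
    SecurityFilterChain actuatorChain(HttpSecurity http) throws Exception {
        http
            // Limit this chain to /actuator/** (whatever management.endpoints.web.base-path is).
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // health and info are safe to leave open for load balancers; everything else
                // (env, loggers, heapdump, ...) requires the Basic credentials SBA was given.
                .requestMatchers(EndpointRequest.to("health", "info")).permitAll()
                .anyRequest().authenticated())
            // This is what the SBA server uses with the user.name/user.password metadata.
            .httpBasic(Customizer.withDefaults())
            // SBA server POSTs to some endpoints (e.g. loggers) and sends no CSRF token.
            .csrf(csrf -> csrf.ignoringRequestMatchers(EndpointRequest.toAnyEndpoint()));
        return http.build();
    }
}
```

Note that the metadata above travels to the SBA server inside the registration request, so that registration should itself run over TLS and with SBA's own authentication; otherwise the actuator password is exposed on the wire.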

I would like to integrate Keycloak with Spring Boot 2 and Swagger

Now, I use Spring Boot version 2.0.0.RELEASE, Swagger version 3.1.6 and JBoss's Keycloak. I would like to know how to configure application.yml so that Swagger can get an access_token from Keycloak.
Thanks for your help
An initial decision to make is whether to say that the user accessing the swagger page needs to have an access token (i.e. the url pattern for swagger is secured and the user has to log in to get to swagger) or you exclude the swagger URLs from keycloak so that its UI can be accessed without needing a token.
If you're using the keycloak spring boot adapter then the URL patterns to secure (and which roles are required to access them) are configured in the application.yml or application.properties file as security-constraints. As properties an example is:
keycloak.security-constraints[0].authRoles[0]=user
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/customers/*
This could be translated to yaml as:
keycloak:
  security-constraints:
    - authRoles:
        - user
      securityCollections:
        - patterns:
            - /customers/*
(Real yml example at https://github.com/codemonkeybr/skip/blob/master/skip-cart/src/main/resources/application.yml#L29 )
Anything not covered by security-constraints is not restricted. There's a similar way of doing this with Spring Security if you're not using the official Keycloak adapter; normally then you do it in a SecurityConfiguration Java class.
Then you face decisions based on your chosen oauth2 flow and whether you use the 'try it out' feature. You can display descriptions without necessarily needing a token but 'try it out' does need a token. That yaml example above also has a way of telling swagger the token issuer url:
swagger:
  auth:
    token-url: ${keycloak.auth-server-url}/realms/${keycloak.realm}/protocol/openid-connect/token/
    client-id: skip-local
That config is read by a Java Swagger configuration class and is part of a whole example that you could run. This specific question of how to configure Swagger to work with an OAuth2 token is not specific to Keycloak; it is general Swagger/OAuth2 configuration, for which there is a guide at Baeldung, and there's an example using a different mode in Keycloak integration in Swagger.
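The Spring Security route mentioned above (no Keycloak adapter), as an added example that is not from the answer author or the linked skip repository. It assumes Spring Boot 3 / Spring Security 6 with spring-boot-starter-oauth2-resource-server pointed at the realm (spring.security.oauth2.resourceserver.jwt.issuer-uri), that Keycloak places realm roles in the realm_access.roles claim, and springdoc-style Swagger paths (/swagger-ui/**, /v3/api-docs/**; the springfox version in the question serves different paths). The class and method names are hypothetical.

```java
package com.example.security;

import java.util.Collection;
import java.util.List;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical class name; replaces keycloak.security-constraints with Spring Security rules.
@Configuration
public class KeycloakResourceServerConfig {

    /** Turns Keycloak's realm_access.roles claim into ROLE_* authorities for hasRole(). */
    static Collection<GrantedAuthority> realmRoles(Jwt jwt) {
        Map<String, Object> realmAccess = jwt.getClaimAsMap("realm_access");
        if (realmAccess == null || !(realmAccess.get("roles") instanceof Collection<?> roles)) {
            return List.of(); // no realm roles in the token: no authorities, not an error
        }
        return roles.stream()
                .map(r -> (GrantedAuthority) new SimpleGrantedAuthority("ROLE_" + r))
                .toList();
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(KeycloakResourceServerConfig::realmRoles);

        http.authorizeHttpRequests(auth -> auth
                // Swagger UI and the OpenAPI document are reachable without a token;
                // "try it out" still sends the bearer token Swagger fetched from Keycloak.
                .requestMatchers("/swagger-ui/**", "/v3/api-docs/**").permitAll()
                // Same rule as authRoles=user on /customers/* in the adapter config.
                .requestMatchers("/customers/**").hasRole("user")
                // Unlike the adapter's "unconstrained means open", fail closed for the rest.
                .anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.jwtAuthenticationConverter(converter)));
        return http.build();
    }
}
```

The last rule is the deliberate difference from the adapter behaviour described above: with the adapter, anything outside security-constraints is open, while here anything not explicitly permitted needs a valid token.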

Spring Cloud Config with Git/Vault backend - token passthrough

Instead of giving an AppRole or Static Token for Spring Cloud Config Server to access ALL secrets across ALL applications, is it possible to configure Spring Cloud Vault Config to utilize a given token on the request for the configuration?
This communication would be over 2-way SSL with the token in the headers. Not ideal to send such a token outward but seems the proper solution in this scenario.
Keep in mind this is a Spring Cloud Config Server using Git + Vault as backends in order to resolve secrets, variables, etc, into the desired configurations. This would not only be used for Spring Configurations but other files delivered to an ephemeral environment, such as an httpd.conf for Apache (bad example to shove secrets into)
Goal here is to limit access where possible and keeping it limited to the end-application requesting the configuration. Also nice to not duplicate RBAC efforts with AuthZ on Spring Config AND Vault policies.
You can configure each Spring Boot application that talks to Config Server to send its own unique token to Config Server, which is then passed through to Vault.
Vault will allow access to the requested resource based on the policies that define access to that resource and the permissions granted to the token.
Step 1: Define a policy.
cat > ./rules/application-a.hcl <<EOF
path "secret/application" {
  capabilities = ["read", "list"]
}
path "secret/application-a" {
  capabilities = ["read", "list"]
}
EOF
Step 2: Write the policy to Vault.
vault write sys/policy/policy-application-a rules=@./rules/application-a.hcl
Step 3: Create a token using the defined policy.
vault token-create -display-name="My Application A" -policy="policy-application-a"
Step 4: Write some data to Vault
vault write secret/application-a @application-a-config.json
Step 5: Configure the Spring Boot application to use its token.
Use the token created in Step 3 above. Set the following up in the application's bootstrap.yml file. You could also pass this in at run time if you're running in a containerized environment.
spring:
  cloud:
    config:
      uri: https://configserver:8888/
      token: <secret token>
Spring handles the transfer of token from the client application to Config Server and then onto Vault.
For any other application, you can set the token in the header of an HTTP request.
From the Vault documentation:
https://www.vaultproject.io/intro/getting-started/apis.html
curl -X GET -H "X-Vault-Token:$VAULT_TOKEN" http://127.0.0.1:8200/v1/secret/application-a
I hope this helps you.
