From 919d842d619950530555dfcd959825d4757ac4b0 Mon Sep 17 00:00:00 2001 From: Brian Long Date: Wed, 13 Jan 2021 17:01:06 -0500 Subject: [PATCH 1/7] added identity service --- docker-compose.yml | 17 ++++++++++++++++- keycloak-alfresco-realm.json | 32 ++++++++++++++++++++++++++++++++ nginx-ingress/entrypoint.sh | 4 ++++ nginx-ingress/nginx.conf | 11 +++++++++++ 4 files changed, 63 insertions(+), 1 deletion(-) create mode 100644 keycloak-alfresco-realm.json diff --git a/docker-compose.yml b/docker-compose.yml index e82f46e..ae35888 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -4,8 +4,23 @@ version: "2" services: + + identity: + image: alfresco/alfresco-identity-service:1.3 + user: jboss + environment: + KEYCLOAK_USER: admin + KEYCLOAK_PASSWORD: admin + KEYCLOAK_HOSTNAME: ${PROXY_HOST} + KEYCLOAK_IMPORT: /tmp/keycloak-alfresco-realm.json + KEYCLOAK_STATISTICS: enabled + volumes: + - ./keycloak-alfresco-realm.json:/tmp/keycloak-alfresco-realm.json:ro + proxy: build: ./nginx-ingress - image: local/nginx-ingress:base + image: local/nginx-ingress:aims ports: - 8080:8080 + depends_on: + - identity diff --git a/keycloak-alfresco-realm.json b/keycloak-alfresco-realm.json new file mode 100644 index 0000000..dbbb756 --- /dev/null +++ b/keycloak-alfresco-realm.json @@ -0,0 +1,32 @@ +{ + "realm": "alfresco", + "enabled": true, + "sslRequired": "external", + "registrationAllowed": false, + "roles": { + "realm": [ { + "name": "user", + "description": "User privileges" + }, { + "name": "admin", + "description": "Administrator privileges" + } ] + }, + "clients": [ + { + "clientId": "alfresco", + "name": "Alfresco Products", + "enabled": true, + "alwaysDisplayInConsole": false, + "redirectUris": [ + "*" + ], + "publicClient": true, + "protocol": "openid-connect", + "attributes": { + "login_theme": "alfresco" + } + } + ], + "requiredCredentials": [ "password" ] +} diff --git a/nginx-ingress/entrypoint.sh b/nginx-ingress/entrypoint.sh index 8bcdeb5..78597ae 100644 --- a/nginx-ingress/entrypoint.sh +++ b/nginx-ingress/entrypoint.sh @@ -1,5 +1,9 @@ #!/bin/sh +if [[ $AIMS_URL ]]; then + sed -i s%http:\/\/identity:8080%"$AIMS_URL"%g /etc/nginx/nginx.conf +fi + if [[ $ACCESS_LOG ]]; then sed -i s%\#ENV_ACCESS_LOG%"access_log $ACCESS_LOG;"%g /etc/nginx/nginx.conf fi diff --git a/nginx-ingress/nginx.conf b/nginx-ingress/nginx.conf index 8124476..329c46e 100644 --- a/nginx-ingress/nginx.conf +++ b/nginx-ingress/nginx.conf @@ -25,5 +25,16 @@ http { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass_header Set-Cookie; + + location / { + return 301 $scheme://$http_host/auth; + } + + location /auth/ { + proxy_pass http://identity:8080; + + # If using external proxy / load balancer (for initial redirect if no trailing slash) + absolute_redirect off; + } } } From b124cd027c253d894d2e7e099d773a406cc50ee9 Mon Sep 17 00:00:00 2001 From: Brian Long Date: Thu, 14 Jan 2021 09:39:34 -0500 Subject: [PATCH 2/7] added default admin.1 user --- keycloak-alfresco-realm.json | 33 ++++++++++++++++++++++++++++----- 1 file changed, 28 insertions(+), 5 deletions(-) diff --git a/keycloak-alfresco-realm.json b/keycloak-alfresco-realm.json index dbbb756..f12d06c 100644 --- a/keycloak-alfresco-realm.json +++ b/keycloak-alfresco-realm.json @@ -10,7 +10,16 @@ }, { "name": "admin", "description": "Administrator privileges" - } ] + } ], + "client": { + "alfresco": [ + { + "name": "administrator", + "composite": false, + "clientRole": true + } + ] + } }, "clients": [ { @@ -18,9 +27,7 @@ "name": "Alfresco Products", "enabled": true, "alwaysDisplayInConsole": false, - "redirectUris": [ - "*" - ], + "redirectUris": [ "*" ], "publicClient": true, "protocol": "openid-connect", "attributes": { @@ -28,5 +35,21 @@ } } ], - "requiredCredentials": [ "password" ] + "requiredCredentials": [ "password" ], + "users": [ + { + "username" : "admin.1", + "enabled": true, + "credentials" : [ + { + "type" : "password", + "value" : "password" + } + ], + "realmRoles": [ "user" ], + "clientRoles": { + "alfresco": ["administrator"] + } + } + ] } From ca420b43e222509760070a50b0b9378e45c1e95c Mon Sep 17 00:00:00 2001 From: Brian Long Date: Thu, 14 Jan 2021 09:40:28 -0500 Subject: [PATCH 3/7] added aims config to platform/share --- docker-compose.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docker-compose.yml b/docker-compose.yml index 8ca7203..26f6f34 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -36,6 +36,10 @@ services: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 -Dtransform.service.enabled=false + + -Dauthentication.chain=aims:identity-service,builtin:alfrescoNtlm + -Didentity-service.authentication.defaultAdministratorUserNames=admin.1 + -Didentity-service.auth-server-url=http://identity:8080/auth -Dsystem.content.eagerOrphanCleanup=true -Dsystem.content.orphanProtectDays=0 @@ -62,6 +66,16 @@ services: -Dalfresco.host=${PROXY_HOST} -Dalfresco.port=${PROXY_PORT} -Dalfresco.protocol=${PROXY_PROTOCOL} + -Daims.enabled=true + -Daims.realm=alfresco + -Daims.resource=alfresco + -Daims.authServerUrl=http://identity:8080/auth + -Daims.sslRequired=none + -Daims.publicClient=true + -Daims.autodetectBearerOnly=true + -Daims.alwaysRefreshToken=true + -Daims.principalAttribute=preferred_username + -Daims.enableBasicAuth=true " postgres-acs: From 44b6f26f4fc6715e7b6709c8e482cbc24f51091a Mon Sep 17 00:00:00 2001 From: Brian Long Date: Thu, 14 Jan 2021 11:17:01 -0500 Subject: [PATCH 4/7] updates after some acs-enterprise testing --- .env | 1 + docker-compose.yml | 6 +++++- keycloak-alfresco-realm.json | 19 +++++-------------- nginx-ingress/nginx.conf | 5 ++++- 4 files changed, 15 insertions(+), 16 deletions(-) diff --git a/.env b/.env index 402477f..decba45 100644 --- a/.env +++ b/.env @@ -3,3 +3,4 @@ EXTERNAL_RESOURCE_DIR=~ PROXY_PROTOCOL=http PROXY_HOST=localhost PROXY_PORT=8080 +IDENTITY_SERVICE_BASEURL=http://auth.example.org:8080 diff --git a/docker-compose.yml b/docker-compose.yml index ae35888..5ddbc21 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -11,9 +11,13 @@ services: environment: KEYCLOAK_USER: admin KEYCLOAK_PASSWORD: admin - KEYCLOAK_HOSTNAME: ${PROXY_HOST} + KEYCLOAK_HOSTNAME: auth.example.org KEYCLOAK_IMPORT: /tmp/keycloak-alfresco-realm.json KEYCLOAK_STATISTICS: enabled + networks: + default: + aliases: + - "auth.example.org" volumes: - ./keycloak-alfresco-realm.json:/tmp/keycloak-alfresco-realm.json:ro diff --git a/keycloak-alfresco-realm.json b/keycloak-alfresco-realm.json index f12d06c..198f54a 100644 --- a/keycloak-alfresco-realm.json +++ b/keycloak-alfresco-realm.json @@ -10,16 +10,7 @@ }, { "name": "admin", "description": "Administrator privileges" - } ], - "client": { - "alfresco": [ - { - "name": "administrator", - "composite": false, - "clientRole": true - } - ] - } + } ] }, "clients": [ { @@ -28,6 +19,9 @@ "enabled": true, "alwaysDisplayInConsole": false, "redirectUris": [ "*" ], + "standardFlowEnabled": true, + "implicitFlowEnabled": true, + "directAccessGrantsEnabled": false, "publicClient": true, "protocol": "openid-connect", "attributes": { @@ -46,10 +40,7 @@ "value" : "password" } ], - "realmRoles": [ "user" ], - "clientRoles": { - "alfresco": ["administrator"] - } + "realmRoles": [ "user", "admin" ] } ] } diff --git a/nginx-ingress/nginx.conf b/nginx-ingress/nginx.conf index 329c46e..214686a 100644 --- a/nginx-ingress/nginx.conf +++ b/nginx-ingress/nginx.conf @@ -19,7 +19,10 @@ http { proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504; proxy_redirect off; - proxy_buffering off; +# proxy_buffering off; + proxy_buffer_size 64k; + proxy_buffers 4 256k; + proxy_busy_buffers_size 256k; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; From 0be038fe07319ea8ebd166d1711aab85a1371afb Mon Sep 17 00:00:00 2001 From: Brian Long Date: Thu, 14 Jan 2021 11:19:01 -0500 Subject: [PATCH 5/7] added acs platform/share AIMS config after testing --- docker-compose.yml | 6 +++--- keycloak-alfresco-realm.json | 15 +++++++++++++++ 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index c5412db..cc2c49d 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -39,7 +39,7 @@ services: -Dauthentication.chain=aims:identity-service,builtin:alfrescoNtlm -Didentity-service.authentication.defaultAdministratorUserNames=admin.1 - -Didentity-service.auth-server-url=http://identity:8080/auth + -Didentity-service.auth-server-url=${IDENTITY_SERVICE_BASEURL}/auth -Dsystem.content.eagerOrphanCleanup=true -Dsystem.content.orphanProtectDays=0 @@ -68,8 +68,8 @@ services: -Dalfresco.protocol=${PROXY_PROTOCOL} -Daims.enabled=true -Daims.realm=alfresco - -Daims.resource=alfresco - -Daims.authServerUrl=http://identity:8080/auth + -Daims.resource=acs-share + -Daims.authServerUrl=${IDENTITY_SERVICE_BASEURL}/auth -Daims.sslRequired=none -Daims.publicClient=true -Daims.autodetectBearerOnly=true diff --git a/keycloak-alfresco-realm.json b/keycloak-alfresco-realm.json index 198f54a..43cb8ae 100644 --- a/keycloak-alfresco-realm.json +++ b/keycloak-alfresco-realm.json @@ -27,6 +27,21 @@ "attributes": { "login_theme": "alfresco" } + }, + { + "clientId": "acs-share", + "name": "ACS Share", + "enabled": true, + "alwaysDisplayInConsole": false, + "redirectUris": [ "*" ], + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "publicClient": true, + "protocol": "openid-connect", + "attributes": { + "login_theme": "alfresco" + } } ], "requiredCredentials": [ "password" ], From dc236b7550cdd885b1ebf8c2471f542823d1cb93 Mon Sep 17 00:00:00 2001 From: Brian Long Date: Thu, 14 Jan 2021 11:20:05 -0500 Subject: [PATCH 6/7] added sync/adw config after testing --- docker-compose.yml | 8 ++++++++ keycloak-alfresco-realm.json | 18 ++++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/docker-compose.yml b/docker-compose.yml index 499a967..77518b4 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -154,6 +154,8 @@ services: -Drepo.port=8080 -Ddw.server.applicationConnectors[0].type=http -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 + -Didentity-service.auth-server-url=${IDENTITY_SERVICE_BASEURL}/auth + -Didentity-service.resource=acs-sync " depends_on: - postgres-acs @@ -166,6 +168,12 @@ services: BASE_PATH: ./ APP_CONFIG_ECM_HOST: "${PROXY_PROTOCOL}://${PROXY_HOST}:${PROXY_PORT}" APP_BASE_SHARE_URL: "${PROXY_PROTOCOL}://${PROXY_HOST}:${PROXY_PORT}/#/preview/s" + APP_CONFIG_AUTH_TYPE: OAUTH + APP_CONFIG_OAUTH2_HOST: "${IDENTITY_SERVICE_BASEURL}/auth/realms/alfresco" + APP_CONFIG_OAUTH2_CLIENTID: alfresco + APP_CONFIG_OAUTH2_IMPLICIT_FLOW: "true" + APP_CONFIG_OAUTH2_REDIRECT_LOGIN: "/workspace/" + APP_CONFIG_OAUTH2_REDIRECT_LOGOUT: "/workspace/logout" identity: image: alfresco/alfresco-identity-service:1.3 diff --git a/keycloak-alfresco-realm.json b/keycloak-alfresco-realm.json index 43cb8ae..ecf4e74 100644 --- a/keycloak-alfresco-realm.json +++ b/keycloak-alfresco-realm.json @@ -42,6 +42,24 @@ "attributes": { "login_theme": "alfresco" } + }, + { + "clientId": "acs-sync", + "name": "Alfresco Sync Service Clients", + "enabled": true, + "alwaysDisplayInConsole": false, + "redirectUris": [ + "http://127.0.0.1*", + "http://localhost*" + ], + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "publicClient": true, + "protocol": "openid-connect", + "attributes": { + "login_theme": "alfresco" + } } ], "requiredCredentials": [ "password" ], From b4be2e251c9309d1d0f6cc58ed32b2054c02e938 Mon Sep 17 00:00:00 2001 From: Brian Long Date: Thu, 14 Jan 2021 11:40:42 -0500 Subject: [PATCH 7/7] changed admin username ot alfresco defaults --- keycloak-alfresco-realm.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/keycloak-alfresco-realm.json b/keycloak-alfresco-realm.json index 198f54a..ffd05d2 100644 --- a/keycloak-alfresco-realm.json +++ b/keycloak-alfresco-realm.json @@ -32,12 +32,13 @@ "requiredCredentials": [ "password" ], "users": [ { - "username" : "admin.1", + "username": "admin", + "email": "admin@app.activiti.com", "enabled": true, "credentials" : [ { "type" : "password", - "value" : "password" + "value" : "admin" } ], "realmRoles": [ "user", "admin" ]