From 919d842d619950530555dfcd959825d4757ac4b0 Mon Sep 17 00:00:00 2001
From: Brian Long
Date: Wed, 13 Jan 2021 17:01:06 -0500
Subject: [PATCH 01/10] added identity service
---
docker-compose.yml | 17 ++++++++++++++++-
keycloak-alfresco-realm.json | 32 ++++++++++++++++++++++++++++++++
nginx-ingress/entrypoint.sh | 4 ++++
nginx-ingress/nginx.conf | 11 +++++++++++
4 files changed, 63 insertions(+), 1 deletion(-)
create mode 100644 keycloak-alfresco-realm.json
diff --git a/docker-compose.yml b/docker-compose.yml
index e82f46e..ae35888 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -4,8 +4,23 @@ version: "2"
 services:
+
+ identity:
+ image: alfresco/alfresco-identity-service:1.3
+ user: jboss
+ environment:
+ KEYCLOAK_USER: admin
+ KEYCLOAK_PASSWORD: admin
+ KEYCLOAK_HOSTNAME: ${PROXY_HOST}
+ KEYCLOAK_IMPORT: /tmp/keycloak-alfresco-realm.json
+ KEYCLOAK_STATISTICS: enabled
+ volumes:
+ - ./keycloak-alfresco-realm.json:/tmp/keycloak-alfresco-realm.json:ro
+
 proxy:
 build: ./nginx-ingress
- image: local/nginx-ingress:base
+ image: local/nginx-ingress:aims
 ports:
 - 8080:8080
+ depends_on:
+ - identity
diff --git a/keycloak-alfresco-realm.json b/keycloak-alfresco-realm.json
new file mode 100644
index 0000000..dbbb756
--- /dev/null
+++ b/keycloak-alfresco-realm.json
@@ -0,0 +1,32 @@
+{
+ "realm": "alfresco",
+ "enabled": true,
+ "sslRequired": "external",
+ "registrationAllowed": false,
+ "roles": {
+ "realm": [ {
+ "name": "user",
+ "description": "User privileges"
+ }, {
+ "name": "admin",
+ "description": "Administrator privileges"
+ } ]
+ },
+ "clients": [
+ {
+ "clientId": "alfresco",
+ "name": "Alfresco Products",
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "redirectUris": [
+ "*"
+ ],
+ "publicClient": true,
+ "protocol": "openid-connect",
+ "attributes": {
+ "login_theme": "alfresco"
+ }
+ }
+ ],
+ "requiredCredentials": [ "password" ]
+}
diff --git a/nginx-ingress/entrypoint.sh b/nginx-ingress/entrypoint.sh
index 8bcdeb5..78597ae 100644
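Review bot: The Keycloak bootstrap credentials are committed in plain text at `KEYCLOAK_USER: admin` and `KEYCLOAK_PASSWORD: admin`, and this account is exposed through the proxy's new `/auth/` route in the same commit. The hunk already reads `${PROXY_HOST}` from the environment, so the same mechanism fits here: `KEYCLOAK_USER: "${KEYCLOAK_ADMIN_USER}"` and `KEYCLOAK_PASSWORD: "${KEYCLOAK_ADMIN_PASSWORD}"` with the values supplied outside the repository (those variable names are a suggestion, not existing ones). If a fixed development credential is intentional, a comment above `environment:` such as `# Development-only bootstrap admin; override before exposing beyond localhost` makes that intent reviewable.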
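Review bot: `"redirectUris": [ "*" ]` lets the `alfresco` client send authorization responses to any redirect target, and with `"publicClient": true` there is no client secret to limit who can complete the flow, which is the standard OAuth open-redirect / response-leakage risk. Restrict the list to the proxy origin, e.g. `"redirectUris": [ "http://localhost:8080/*" ]` (a constructed value from the `PROXY_*` entries in `.env`), and keep it in step when the host changes. `"sslRequired": "external"` already signals that the realm is meant to be reached through the proxy, so the origin is known at authoring time.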
--- a/nginx-ingress/entrypoint.sh
+++ b/nginx-ingress/entrypoint.sh
@@ -1,5 +1,9 @@
 #!/bin/sh
+if [[ $AIMS_URL ]]; then
+ sed -i s%http:\/\/identity:8080%"$AIMS_URL"%g /etc/nginx/nginx.conf
+fi
+
 if [[ $ACCESS_LOG ]]; then
 sed -i s%\#ENV_ACCESS_LOG%"access_log $ACCESS_LOG;"%g /etc/nginx/nginx.conf
 fi
diff --git a/nginx-ingress/nginx.conf b/nginx-ingress/nginx.conf
index 8124476..329c46e 100644
--- a/nginx-ingress/nginx.conf
+++ b/nginx-ingress/nginx.conf
@@ -25,5 +25,16 @@ http {
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_pass_header Set-Cookie;
+
+ location / {
+ return 301 $scheme://$http_host/auth;
+ }
+
+ location /auth/ {
+ proxy_pass http://identity:8080;
+
+ # If using external proxy / load balancer (for initial redirect if no trailing slash)
+ absolute_redirect off;
+ }
 }
 }
From b124cd027c253d894d2e7e099d773a406cc50ee9 Mon Sep 17 00:00:00 2001
From: Brian Long
Date: Thu, 14 Jan 2021 09:39:34 -0500
Subject: [PATCH 02/10] added default admin.1 user
---
keycloak-alfresco-realm.json | 33 ++++++++++++++++++++++++++++-----
1 file changed, 28 insertions(+), 5 deletions(-)
diff --git a/keycloak-alfresco-realm.json b/keycloak-alfresco-realm.json
index dbbb756..f12d06c 100644
--- a/keycloak-alfresco-realm.json
+++ b/keycloak-alfresco-realm.json
@@ -10,7 +10,16 @@
 }, {
 "name": "admin",
 "description": "Administrator privileges"
- } ]
+ } ],
+ "client": {
+ "alfresco": [
+ {
+ "name": "administrator",
+ "composite": false,
+ "clientRole": true
+ }
+ ]
+ }
 },
 "clients": [
 {
@@ -18,9 +27,7 @@
 "name": "Alfresco Products",
 "enabled": true,
 "alwaysDisplayInConsole": false,
- "redirectUris": [
- "*"
- ],
+ "redirectUris": [ "*" ],
 "publicClient": true,
 "protocol": "openid-connect",
 "attributes": {
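Review bot: `$AIMS_URL` is spliced into the sed program unescaped at `sed -i s%http:\/\/identity:8080%"$AIMS_URL"%g /etc/nginx/nginx.conf`, so a value containing `%` terminates the substitution early and `&` expands to the matched text; either way nginx.conf, which is the proxy's trust boundary, is rewritten wrongly or the container fails to start. Validate the value before use, e.g. `case $AIMS_URL in *%*|*\&*) echo 'AIMS_URL must not contain % or &' >&2; exit 1;; esac`, or build the config with a mechanism that does not reinterpret the input. The script also declares `#!/bin/sh` but uses `[[ $AIMS_URL ]]`, which is not POSIX; `if [ -n "$AIMS_URL" ]; then` is portable across the shells the base image may ship. The existing `ACCESS_LOG` block below has the same shape and would benefit from the same treatment.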
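Review bot: `return 301 $scheme://$http_host/auth;` builds the Location header from the client-supplied Host header; a relative target, `return 301 /auth;`, behaves the same behind the proxy without echoing that header back, and is consistent with the `absolute_redirect off;` chosen for `/auth/` a few lines below. The enclosing block starts outside the hunk, so whether a `server_name` is available for an absolute form cannot be seen here.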
@@ -28,5 +35,21 @@
 }
 }
 ],
- "requiredCredentials": [ "password" ]
+ "requiredCredentials": [ "password" ],
+ "users": [
+ {
+ "username" : "admin.1",
+ "enabled": true,
+ "credentials" : [
+ {
+ "type" : "password",
+ "value" : "password"
+ }
+ ],
+ "realmRoles": [ "user" ],
+ "clientRoles": {
+ "alfresco": ["administrator"]
+ }
+ }
+ ]
 }
From 44b6f26f4fc6715e7b6709c8e482cbc24f51091a Mon Sep 17 00:00:00 2001
From: Brian Long
Date: Thu, 14 Jan 2021 11:17:01 -0500
Subject: [PATCH 03/10] updates after some acs-enterprise testing
---
.env | 1 +
docker-compose.yml | 6 +++++-
keycloak-alfresco-realm.json | 19 +++++-------------
nginx-ingress/nginx.conf | 5 ++++-
4 files changed, 15 insertions(+), 16 deletions(-)
diff --git a/.env b/.env
index 402477f..decba45 100644
--- a/.env
+++ b/.env
@@ -3,3 +3,4 @@ EXTERNAL_RESOURCE_DIR=~
 PROXY_PROTOCOL=http
 PROXY_HOST=localhost
 PROXY_PORT=8080
+IDENTITY_SERVICE_BASEURL=http://auth.example.org:8080
diff --git a/docker-compose.yml b/docker-compose.yml
index ae35888..5ddbc21 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -11,9 +11,13 @@ services:
 environment:
 KEYCLOAK_USER: admin
 KEYCLOAK_PASSWORD: admin
- KEYCLOAK_HOSTNAME: ${PROXY_HOST}
+ KEYCLOAK_HOSTNAME: auth.example.org
 KEYCLOAK_IMPORT: /tmp/keycloak-alfresco-realm.json
 KEYCLOAK_STATISTICS: enabled
+ networks:
+ default:
+ aliases:
+ - "auth.example.org"
 volumes:
 - ./keycloak-alfresco-realm.json:/tmp/keycloak-alfresco-realm.json:ro
diff --git a/keycloak-alfresco-realm.json b/keycloak-alfresco-realm.json
index f12d06c..198f54a 100644
--- a/keycloak-alfresco-realm.json
+++ b/keycloak-alfresco-realm.json
@@ -10,16 +10,7 @@
 }, {
 "name": "admin",
 "description": "Administrator privileges"
- } ],
- "client": {
- "alfresco": [
- {
- "name": "administrator",
- "composite": false,
- "clientRole": true
- }
- ]
- }
+ } ]
 },
 "clients": [
 {
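Review bot: The imported `admin.1` user ships with a fixed plaintext password (`"value" : "password"`) and nothing forces it to change on first use; the later `[PATCH 04/10]` hunk keeps the same shape with `admin`/`admin` plus an email address, so this note covers both. Keycloak's credential representation accepts `"temporary": true`, which makes the imported password single-use until the user sets a new one — adding it to this credential entry is the smallest fix. The stronger option is to create the bootstrap user from environment values at start-up rather than committing a secret alongside the realm definition.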
@@ -28,6 +19,9 @@
 "enabled": true,
 "alwaysDisplayInConsole": false,
 "redirectUris": [ "*" ],
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": true,
+ "directAccessGrantsEnabled": false,
 "publicClient": true,
 "protocol": "openid-connect",
 "attributes": {
@@ -46,10 +40,7 @@
 "value" : "password"
 }
 ],
- "realmRoles": [ "user" ],
- "clientRoles": {
- "alfresco": ["administrator"]
- }
+ "realmRoles": [ "user", "admin" ]
 }
 ]
 }
diff --git a/nginx-ingress/nginx.conf b/nginx-ingress/nginx.conf
index 329c46e..214686a 100644
--- a/nginx-ingress/nginx.conf
+++ b/nginx-ingress/nginx.conf
@@ -19,7 +19,10 @@ http {
 proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
 proxy_redirect off;
- proxy_buffering off;
+# proxy_buffering off;
+ proxy_buffer_size 64k;
+ proxy_buffers 4 256k;
+ proxy_busy_buffers_size 256k;
 proxy_set_header Host $http_host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
From b4be2e251c9309d1d0f6cc58ed32b2054c02e938 Mon Sep 17 00:00:00 2001
From: Brian Long
Date: Thu, 14 Jan 2021 11:40:42 -0500
Subject: [PATCH 04/10] changed admin username ot alfresco defaults
---
keycloak-alfresco-realm.json | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/keycloak-alfresco-realm.json b/keycloak-alfresco-realm.json
index 198f54a..ffd05d2 100644
--- a/keycloak-alfresco-realm.json
+++ b/keycloak-alfresco-realm.json
@@ -32,12 +32,13 @@
 "requiredCredentials": [ "password" ],
 "users": [
 {
- "username" : "admin.1",
+ "username": "admin",
+ "email": "admin@app.activiti.com",
 "enabled": true,
 "credentials" : [
 {
 "type" : "password",
- "value" : "password"
+ "value" : "admin"
 }
 ],
 "realmRoles": [ "user", "admin" ]
From b238e3c727e94e4c8ef3087dee3f333d5a5ad802 Mon Sep 17 00:00:00 2001
From: Brian Long
Date: Thu, 6 May 2021 14:13:12 -0400
Subject: [PATCH 05/10] added identity service healthcheck
---
docker-compose.yml | 6 ++++++
1 file changed, 6 insertions(+)
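Review bot: `"implicitFlowEnabled": true` enables the OIDC implicit flow on a public client whose `"redirectUris": [ "*" ]` is visible two lines above, so tokens would be delivered in URL fragments to whatever redirect target is requested; the OAuth 2.0 Security Best Current Practice recommends the authorization code flow with PKCE instead. If an Alfresco front-end in this deployment genuinely requires implicit flow, that dependency belongs in the commit message and the redirect URI list should be tightened in the same change; otherwise `"implicitFlowEnabled": false` is the safer default, and the client attribute `"pkce.code.challenge.method": "S256"` enforces PKCE on the code flow that `"standardFlowEnabled": true` turns on. `"directAccessGrantsEnabled": false` is the right choice and should stay.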
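Review bot: `# proxy_buffering off;` leaves a dead, column-0 commented-out directive in the middle of the block; the removed line already lives in history, so either delete it or replace it with a comment that explains the new settings, e.g. `# Buffering kept on; proxy_buffer* sizes below are sized for the identity service's responses — confirm against observed header sizes`. As written a reader cannot tell whether the directive is meant to be re-enabled later. The enclosing block starts and ends outside the hunk.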
diff --git a/docker-compose.yml b/docker-compose.yml
index 5ddbc21..e10fd08 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -18,6 +18,12 @@ services:
 default:
 aliases:
 - "auth.example.org"
+ healthcheck:
+ test: ["CMD", "curl", "-f", "http://localhost:8080/auth"]
+ interval: 10s
+ timeout: 10s
+ # Really long startup times on Windows
+ retries: 18
 volumes:
 - ./keycloak-alfresco-realm.json:/tmp/keycloak-alfresco-realm.json:ro
From a7fa111930854c77db40b8fda7f2ecdfd905836d Mon Sep 17 00:00:00 2001
From: Brian Long
Date: Tue, 22 Jun 2021 09:11:00 -0400
Subject: [PATCH 06/10] split AIS url into parts for reuse
---
.env | 4 +++-
docker-compose.yml | 6 +++---
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/.env b/.env
index a74a230..2cbfe36 100644
--- a/.env
+++ b/.env
@@ -1,4 +1,6 @@
 PROXY_PROTOCOL=http
 PROXY_HOST=localhost
 PROXY_PORT=8080
-IDENTITY_SERVICE_BASEURL=http://auth.example.org:8080
+IDENTITY_SERVICE_PROTOCOL=http
+IDENTITY_SERVICE_HOST=auth.example.org
+IDENTITY_SERVICE_PORT=8080
diff --git a/docker-compose.yml b/docker-compose.yml
index e10fd08..4baec46 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,7 +1,7 @@
 # Sourced from https://github.com/Alfresco/acs-deployment/blob/4.0.3/docker-compose/docker-compose.yml
 #
 # Using version 2 as 3 does not support resource constraint options (cpu_*, mem_* limits) for non swarm mode in Compose
-version: "2"
+version: "2.1"
 services:
@@ -11,13 +11,13 @@ services:
 environment:
 KEYCLOAK_USER: admin
 KEYCLOAK_PASSWORD: admin
- KEYCLOAK_HOSTNAME: auth.example.org
+ KEYCLOAK_HOSTNAME: ${IDENTITY_SERVICE_HOST}
 KEYCLOAK_IMPORT: /tmp/keycloak-alfresco-realm.json
 KEYCLOAK_STATISTICS: enabled
 networks:
 default:
 aliases:
- - "auth.example.org"
+ - "${IDENTITY_SERVICE_HOST}"
 healthcheck:
 test: ["CMD", "curl", "-f", "http://localhost:8080/auth"]
 interval: 10s
From 0d379094e954a055861f724b4f1dd4d49fdb80cb Mon Sep 17 00:00:00 2001
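Review bot: `healthcheck:` is a Compose file-format 2.1 feature, while at this point in the series the file still declares `version: "2"` (the `@@` header of the PATCH 01 hunk shows it), so Compose should reject the key as unsupported until the version line is raised. Even once it parses, the proxy's `depends_on: - identity` from PATCH 01 only waits for the container to start; to gate on this probe the long form is needed, `depends_on:` / `identity:` / `condition: service_healthy`. The probe itself, `curl -f` against `/auth` on localhost, is unauthenticated and cheap, which is appropriate; `# Really long startup times on Windows` would read better if it stated the resulting budget (`retries: 18` × `interval: 10s` ≈ 3 minutes) so the next maintainer can judge the number.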
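Review bot: `KEYCLOAK_HOSTNAME: ${IDENTITY_SERVICE_HOST}` is left unquoted while the alias entry three lines below quotes the same interpolation; when the variable is unset the unquoted form yields a null value rather than an empty string, and this is presumably the host name Keycloak advertises in its issuer and redirect URLs. Quote it for consistency, `KEYCLOAK_HOSTNAME: "${IDENTITY_SERVICE_HOST}"`, or make the requirement explicit with `"${IDENTITY_SERVICE_HOST:?IDENTITY_SERVICE_HOST must be set}"` so a missing `.env` value fails at `docker-compose up` instead of producing a realm bound to the wrong host.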
From: Brian Long
Date: Fri, 30 Jul 2021 16:44:11 -0400
Subject: [PATCH 07/10] updated AIS to v1.4.0
---
docker-compose.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 4baec46..ecae5b0 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -6,7 +6,7 @@ version: "2.1"
 services:
 identity:
- image: alfresco/alfresco-identity-service:1.3
+ image: alfresco/alfresco-identity-service:1.4.0
 user: jboss
 environment:
 KEYCLOAK_USER: admin
@@ -19,7 +19,7 @@ services:
 aliases:
 - "${IDENTITY_SERVICE_HOST}"
 healthcheck:
- test: ["CMD", "curl", "-f", "http://localhost:8080/auth"]
+ test: ["CMD", "curl", "-f", "http://localhost:8080/auth/realms/alfresco"]
 interval: 10s
 timeout: 10s
 # Really long startup times on Windows
From 279eb2af9d7629362a91d7caa00aa3bf56a83fd3 Mon Sep 17 00:00:00 2001
From: Brian Long
Date: Fri, 30 Jul 2021 16:44:23 -0400
Subject: [PATCH 08/10] updated AIS memory limit mins
---
docker-compose.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/docker-compose.yml b/docker-compose.yml
index ecae5b0..c64675d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,6 +7,7 @@ services:
 identity:
 image: alfresco/alfresco-identity-service:1.4.0
+ mem_limit: 512m
 user: jboss
 environment:
 KEYCLOAK_USER: admin
@@ -30,6 +31,7 @@ services:
 proxy:
 build: ./nginx-ingress
 image: local/nginx-ingress:aims
+ mem_limit: 256m
 ports:
 - 8080:8080
 depends_on:
From ff3554c0ce9fc1cc387580aa043d28777b1d3ac8 Mon Sep 17 00:00:00 2001
From: "Brian M. Long"
Date: Tue, 1 Nov 2022 17:45:46 -0400
Subject: [PATCH 09/10] parameterized AIS version
---
.env | 2 ++
docker-compose.yml | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/.env b/.env
index 2cbfe36..565208d 100644
--- a/.env
+++ b/.env
@@ -4,3 +4,5 @@ PROXY_PORT=8080
 IDENTITY_SERVICE_PROTOCOL=http
 IDENTITY_SERVICE_HOST=auth.example.org
 IDENTITY_SERVICE_PORT=8080
+
+AIS_TAG=1.8.0
diff --git a/docker-compose.yml b/docker-compose.yml
index dc3b21d..dc824fb 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -5,7 +5,7 @@ version: "3"
 services:
 identity:
- image: alfresco/alfresco-identity-service:1.4.0
+ image: alfresco/alfresco-identity-service:${AIS_TAG}
 user: jboss
 environment:
 KEYCLOAK_USER: admin
From 9afc703a2c4a4a5dedc59a304edcdb203deb9010 Mon Sep 17 00:00:00 2001
From: "Brian M. Long"
Date: Wed, 25 Oct 2023 20:02:33 -0400
Subject: [PATCH 10/10] AIS v1.8.0.1
---
.env | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.env b/.env
index 565208d..cd47413 100644
--- a/.env
+++ b/.env
@@ -5,4 +5,4 @@ IDENTITY_SERVICE_PROTOCOL=http
 IDENTITY_SERVICE_HOST=auth.example.org
 IDENTITY_SERVICE_PORT=8080
-AIS_TAG=1.8.0
+AIS_TAG=1.8.0.1
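Review bot: `image: alfresco/alfresco-identity-service:${AIS_TAG}` degrades to a reference with an empty tag when `AIS_TAG` is absent from `.env` or the environment, and the resulting pull error does not name the variable. `${AIS_TAG:?AIS_TAG must be set}` makes the failure explicit at the point of misconfiguration. If reproducible pulls matter for this deployment, pinning the digest alongside the tag (`image: alfresco/alfresco-identity-service:${AIS_TAG}@sha256:<digest placeholder>`) is the stronger supply-chain control, at the cost of updating two values per release.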