Deploying RH-SSO on Red Hat CodeReady Containers (OpenShift 4)

Introduction

While studying OpenShift I looked into a few things I wanted to keep, and wrote them up as this article.
This is a record of the work involved in deploying RH-SSO on CodeReady Containers.
The deployment procedure follows 'OpenShift Interactive Learning Playground

Environment

  • macOS Catalina v10.15.6
  • CodeReady Containers v1.15.0+e317bed

RH-SSO deployment

    Make the oc command available and log in as kubeadmin.
    % eval $(./crc oc-env)
    % oc login -u kubeadmin -p ILWgF-VfgcQ-p6mJ4-Jztez https://api.crc.testing:6443
    

    Check the available templates.
    % oc get template -n openshift -o name
    template.template.openshift.io/3scale-gateway
    template.template.openshift.io/amq63-basic
    template.template.openshift.io/amq63-persistent
    template.template.openshift.io/amq63-persistent-ssl
    template.template.openshift.io/amq63-ssl
    template.template.openshift.io/apicurito
    template.template.openshift.io/cache-service
    template.template.openshift.io/cakephp-mysql-example
    template.template.openshift.io/cakephp-mysql-persistent
    template.template.openshift.io/dancer-mysql-example
    template.template.openshift.io/dancer-mysql-persistent
    template.template.openshift.io/datagrid-service
    template.template.openshift.io/datavirt64-basic-s2i
    template.template.openshift.io/datavirt64-extensions-support-s2i
    template.template.openshift.io/datavirt64-ldap-s2i
    template.template.openshift.io/datavirt64-secure-s2i
    template.template.openshift.io/decisionserver64-amq-s2i
    template.template.openshift.io/decisionserver64-basic-s2i
    template.template.openshift.io/django-psql-example
    template.template.openshift.io/django-psql-persistent
    template.template.openshift.io/dotnet-example
    template.template.openshift.io/dotnet-pgsql-persistent
    template.template.openshift.io/eap-cd-basic-s2i
    template.template.openshift.io/eap-cd-starter-s2i
    template.template.openshift.io/eap72-basic-s2i
    template.template.openshift.io/eap72-https-s2i
    template.template.openshift.io/eap72-mongodb-persistent-s2i
    template.template.openshift.io/eap72-mongodb-s2i
    template.template.openshift.io/eap72-mysql-persistent-s2i
    template.template.openshift.io/eap72-mysql-s2i
    template.template.openshift.io/eap72-postgresql-persistent-s2i
    template.template.openshift.io/eap72-postgresql-s2i
    template.template.openshift.io/eap72-sso-s2i
    template.template.openshift.io/eap72-third-party-db-s2i
    template.template.openshift.io/fuse75-console
    template.template.openshift.io/fuse76-console
    template.template.openshift.io/httpd-example
    template.template.openshift.io/jenkins-ephemeral
    template.template.openshift.io/jenkins-ephemeral-monitored
    template.template.openshift.io/jenkins-persistent
    template.template.openshift.io/jenkins-persistent-monitored
    template.template.openshift.io/jws31-tomcat7-basic-s2i
    template.template.openshift.io/jws31-tomcat7-https-s2i
    template.template.openshift.io/jws31-tomcat7-mongodb-persistent-s2i
    template.template.openshift.io/jws31-tomcat7-mongodb-s2i
    template.template.openshift.io/jws31-tomcat7-mysql-persistent-s2i
    template.template.openshift.io/jws31-tomcat7-mysql-s2i
    template.template.openshift.io/jws31-tomcat7-postgresql-persistent-s2i
    template.template.openshift.io/jws31-tomcat7-postgresql-s2i
    template.template.openshift.io/jws31-tomcat8-basic-s2i
    template.template.openshift.io/jws31-tomcat8-https-s2i
    template.template.openshift.io/jws31-tomcat8-mongodb-persistent-s2i
    template.template.openshift.io/jws31-tomcat8-mongodb-s2i
    template.template.openshift.io/jws31-tomcat8-mysql-persistent-s2i
    template.template.openshift.io/jws31-tomcat8-mysql-s2i
    template.template.openshift.io/jws31-tomcat8-postgresql-persistent-s2i
    template.template.openshift.io/jws50-tomcat9-basic-s2i
    template.template.openshift.io/jws50-tomcat9-https-s2i
    template.template.openshift.io/jws50-tomcat9-mongodb-persistent-s2i
    template.template.openshift.io/jws50-tomcat9-mongodb-s2i
    template.template.openshift.io/jws50-tomcat9-mysql-persistent-s2i
    template.template.openshift.io/jws50-tomcat9-mysql-s2i
    template.template.openshift.io/jws50-tomcat9-postgresql-persistent-s2i
    template.template.openshift.io/mariadb-ephemeral
    template.template.openshift.io/mariadb-persistent
    template.template.openshift.io/mongodb-ephemeral
    template.template.openshift.io/mongodb-persistent
    template.template.openshift.io/mysql-ephemeral
    template.template.openshift.io/mysql-persistent
    template.template.openshift.io/nginx-example
    template.template.openshift.io/nodejs-mongo-persistent
    template.template.openshift.io/nodejs-mongodb-example
    template.template.openshift.io/openjdk-web-basic-s2i
    template.template.openshift.io/postgresql-ephemeral
    template.template.openshift.io/postgresql-persistent
    template.template.openshift.io/processserver64-amq-mysql-persistent-s2i
    template.template.openshift.io/processserver64-amq-mysql-s2i
    template.template.openshift.io/processserver64-amq-postgresql-persistent-s2i
    template.template.openshift.io/processserver64-amq-postgresql-s2i
    template.template.openshift.io/processserver64-basic-s2i
    template.template.openshift.io/processserver64-externaldb-s2i
    template.template.openshift.io/processserver64-mysql-persistent-s2i
    template.template.openshift.io/processserver64-mysql-s2i
    template.template.openshift.io/processserver64-postgresql-persistent-s2i
    template.template.openshift.io/rails-pgsql-persistent
    template.template.openshift.io/rails-postgresql-example
    template.template.openshift.io/redis-ephemeral
    template.template.openshift.io/redis-persistent
    template.template.openshift.io/rhdm77-authoring
    template.template.openshift.io/rhdm77-authoring-ha
    template.template.openshift.io/rhdm77-kieserver
    template.template.openshift.io/rhdm77-prod-immutable-kieserver
    template.template.openshift.io/rhdm77-prod-immutable-kieserver-amq
    template.template.openshift.io/rhdm77-trial-ephemeral
    template.template.openshift.io/rhpam77-authoring
    template.template.openshift.io/rhpam77-authoring-ha
    template.template.openshift.io/rhpam77-kieserver-externaldb
    template.template.openshift.io/rhpam77-kieserver-mysql
    template.template.openshift.io/rhpam77-kieserver-postgresql
    template.template.openshift.io/rhpam77-managed
    template.template.openshift.io/rhpam77-prod
    template.template.openshift.io/rhpam77-prod-immutable-kieserver
    template.template.openshift.io/rhpam77-prod-immutable-kieserver-amq
    template.template.openshift.io/rhpam77-prod-immutable-monitor
    template.template.openshift.io/rhpam77-trial-ephemeral
    template.template.openshift.io/s2i-fuse75-spring-boot-camel
    template.template.openshift.io/s2i-fuse75-spring-boot-camel-rest-3scale
    template.template.openshift.io/s2i-fuse75-spring-boot-camel-xml
    template.template.openshift.io/s2i-fuse76-spring-boot-camel
    template.template.openshift.io/s2i-fuse76-spring-boot-camel-rest-3scale
    template.template.openshift.io/s2i-fuse76-spring-boot-camel-xml
    template.template.openshift.io/sso72-https
    template.template.openshift.io/sso72-mysql
    template.template.openshift.io/sso72-mysql-persistent
    template.template.openshift.io/sso72-postgresql
    template.template.openshift.io/sso72-postgresql-persistent
    template.template.openshift.io/sso73-https
    template.template.openshift.io/sso73-mysql
    template.template.openshift.io/sso73-mysql-persistent
    template.template.openshift.io/sso73-ocp4-x509-https
    template.template.openshift.io/sso73-ocp4-x509-mysql-persistent
    template.template.openshift.io/sso73-ocp4-x509-postgresql-persistent
    template.template.openshift.io/sso73-postgresql
    template.template.openshift.io/sso73-postgresql-persistent
    template.template.openshift.io/sso74-https
    template.template.openshift.io/sso74-ocp4-x509-https
    template.template.openshift.io/sso74-ocp4-x509-postgresql-persistent
    template.template.openshift.io/sso74-postgresql
    template.template.openshift.io/sso74-postgresql-persistent
    

    The sso templates are lined up at the bottom, so they are easy to spot... "sso74-ocp4-x509-https" looks like the safe choice, I suppose?
    Create a project named "sso" as the deployment target.
    % oc new-project sso
    Now using project "sso" on server "https://api.crc.testing:6443".
    
    You can add applications to this project with the 'new-app' command. For example, try:
    
        oc new-app ruby~https://github.com/sclorg/ruby-ex.git
    
    to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:
    
        kubectl create deployment hello-node --image=gcr.io/hello-minikube-zero-install/hello-node
    
    

    It seems the view role has to be granted to the default service account.
    % oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default
    clusterrole.rbac.authorization.k8s.io/view added: "system:serviceaccount:sso:default"
    

    Deploy RH-SSO by specifying the template.
    Here "sso74-ocp4-x509-https" is used. To choose the administrator account yourself, pass the following parameter options:
    SSO_ADMIN_USERNAME
    SSO_ADMIN_PASSWORD
    If they are not specified, random values are generated. The generated username and password are shown on screen.
    % oc new-app --template=sso74-ocp4-x509-https -p SSO_ADMIN_USERNAME=sso_admin -p SSO_ADMIN_PASSWORD=sso_password
    --> Deploying template "openshift/sso74-ocp4-x509-https" to project sso
    
         Red Hat Single Sign-On 7.4 on OpenJDK (Ephemeral)
         ---------
         An example application based on RH-SSO 7.4 on OpenJDK image. For more information about using this template, see https://github.com/jboss-container-images/redhat-sso-7-openshift-image/tree/sso74-dev/docs.
    
         A new RH-SSO service has been created in your project. The admin username/password for accessing the master realm via the RH-SSO console is sso_admin/sso_password. The HTTPS keystore used for serving secure content, the JGroups keystore used for securing JGroups communications, and server truststore used for securing RH-SSO requests were automatically created via OpenShift's service serving x509 certificate secrets.
    
         * With parameters:
            * Application Name=sso
            * Custom RH-SSO Server Hostname=
            * JGroups Cluster Password=Qt08VMWTx47A8B2SlTJwlgBMdniWoDUj # generated
            * Datasource Minimum Pool Size=
            * Datasource Maximum Pool Size=
            * Datasource Transaction Isolation=
            * ImageStream Namespace=openshift
            * RH-SSO Administrator Username=sso_admin
            * RH-SSO Administrator Password=sso_password
            * RH-SSO Realm=
            * RH-SSO Service Username=
            * RH-SSO Service Password=
            * Container Memory Limit=1Gi
    
    --> Creating resources ...
        configmap "sso-service-ca" created
        service "sso" created
        service "sso-ping" created
        route.route.openshift.io "sso" created
        deploymentconfig.apps.openshift.io "sso" created
    --> Success
        Access your application via route 'sso-sso.apps-crc.testing' 
        Run 'oc status' to view your app.
    

    Wait with oc get pod until the SSO pod (the one without -deploy in its name) reaches "1/1 Running". Note: this takes quite a while, so it is convenient to watch it with "-w".
    % oc get pod -w
    NAME           READY   STATUS      RESTARTS   AGE
    sso-1-deploy   0/1     Completed   0          2m16s
    sso-1-m4fkj    1/1     Running     0          2m6s
    

    Open the URL created as the route in a browser and the RH-SSO screen appears.
    % oc get svc,route
    NAME               TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
    service/sso        ClusterIP   172.25.202.12   <none>        8443/TCP   3m49s
    service/sso-ping   ClusterIP   None            <none>        8888/TCP   3m49s
    
    NAME                           HOST/PORT                  PATH   SERVICES   PORT    TERMINATION   WILDCARD
    route.route.openshift.io/sso   sso-sso.apps-crc.testing          sso        <all>   reencrypt     None
    

    In the case above, that is "https://sso-sso.apps-crc.testing/".

    Opening "Administration Console" shows the login screen, so log in as the "sso_admin" defined during deployment.

    This is the "RH-SSO Admin Console" screen.


Using the REST API

    Let's check from the CLI as well as the GUI. The REST API specification appears to be the following (it can be reached from the RH-SSO manual):
    https://access.redhat.com/webassets/avalon/d/red-hat-single-sign-on/version-7.4/restapi/

    The endpoint depends on the environment, but on OpenShift it is the hostname plus port listed in the route.

    Obtain an access TOKEN.
    The TOKEN appears to be valid for only one minute, so if you use it from a shell script it is probably better to obtain it each time.
    % curl -s -d "client_id=admin-cli" -d "username=sso_admin" -d "password=sso_password" -d "grant_type=password" https://sso-sso.apps-crc.testing/auth/realms/master/protocol/openid-connect/token --insecure | jq -r .access_token
    eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI2MVNEbmhQV3VOMVIycHhKaWJVb0RNaHAtYzN5bUxucS1VaDJqN1NGMno0In0.eyJleHAiOjE1OTkwOTI5MzEsImlhdCI6MTU5OTA5Mjg3MSwianRpIjoiNzI3MTI2OWQtOGYzMC00NzU3LWFiZjgtMDIzNTUwNWYzYjJjIiwiaXNzIjoiaHR0cHM6Ly9zc28tc3NvLmFwcHMtY3JjLnRlc3RpbmcvYXV0aC9yZWFsbXMvbWFzdGVyIiwic3ViIjoiYjU0YzE3MGItZTZlMi00NjBmLWIxMWQtNjdiMWIzOTcyNDFjIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiYWRtaW4tY2xpIiwic2Vzc2lvbl9zdGF0ZSI6Ijk2M2M5MTM2LTRjYzAtNDU0OS1iMzNiLTdlNzI3ZDI3MTIyZiIsImFjciI6IjEiLCJzY29wZSI6InByb2ZpbGUgZW1haWwiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6InNzb19hZG1pbiJ9.p4cRz0CG5Af_uN53kS1ZzIQAWECoORpg0zZzs3ncqCNgVJoel63SuuRWc_t16n9drqYsmAuszf_oguaDQAyleA8YMNnSi4OEk9fpYfAauAx9eLjQUGnsEuntdrNfA7cOuYXIjJ9ZAEv-9SxU9BphpKgQ1xsyDKzzoBFPOBDzKfyzvM2T5d7snotsZ6zem_-bLGgD5fE693lqt6BgLpezNt4JJGLbrdSkVAMoBn4QKPDe2IJB8YbgfkZngSUJa0TBDHXo8NWSx4fYeXIypSI6KGhhOQNK1oD1UXx9xBic5DZs6fBenfUwHgtlYbfNpOuaQM8JvL2e2N_0v3GgGvQGCA
    

    ■ Get clients belonging to the realm: returns a list of clients belonging to the realm
    GET /{realm}/clients

    In the end, the output is shaped into JSON mapping each Client-ID to its ID.
    % TOKEN=`curl -s -d "client_id=admin-cli" -d "username=sso_admin" -d "password=sso_password" -d "grant_type=password" https://sso-sso.apps-crc.testing/auth/realms/master/protocol/openid-connect/token --insecure | jq -r .access_token` &&\
     curl -s -H "Authorization: bearer $TOKEN" https://sso-sso.apps-crc.testing/auth/admin/realms/master/clients --insecure | jq '[.[] | {(.clientId): .id}] | add' 
    {
      "account": "e6cfa122-e0d0-4671-bef7-a24d3440bbef",
      "account-console": "1f12b035-bbbb-4baa-8914-3b259bd3876b",
      "admin-cli": "47bb0cd4-f07f-4ddf-9667-97f32804f3e3",
      "broker": "4e1135b2-389b-474e-a123-2ca42b064f74",
      "master-realm": "4f5dec06-ee4c-46ba-9b38-e37db9b3c753",
      "security-admin-console": "eb13dafb-9ac5-4eb6-a73b-d43ec8aa084f"
    }
    

    ■ Get user sessions for client: returns a list of user sessions associated with this client
    GET /{realm}/clients/{id}/user-sessions

    This is the REST API I originally wanted to try, but the description of {id} reads "id of client (not client-id)", and after some investigation I found that it is the value obtained above.
    % TOKEN=`curl -s -d "client_id=admin-cli" -d "username=sso_admin" -d "password=sso_password" -d "grant_type=password" https://sso-sso.apps-crc.testing/auth/realms/master/protocol/openid-connect/token --insecure | jq -r .access_token` &&\
     ID=`curl -s -H "Authorization: bearer $TOKEN" https://sso-sso.apps-crc.testing/auth/admin/realms/master/clients --insecure | jq '[.[] | {(.clientId): .id}] | add' | jq -r '."security-admin-console"'` &&\
     curl -s -H "Authorization: bearer $TOKEN" https://sso-sso.apps-crc.testing/auth/admin/realms/master/clients/$ID/user-sessions --insecure | jq .
    [
      {
        "id": "d0aca740-649d-4153-be21-e875e43b0a99",
        "username": "sso_admin",
        "userId": "b54c170b-e6e2-460f-b11d-67b1b397241c",
        "ipAddress": "192.168.64.1",
        "start": 1599101316000,
        "lastAccess": 1599101316000,
        "clients": {
          "eb13dafb-9ac5-4eb6-a73b-d43ec8aa084f": "security-admin-console"
        }
      }
    ]
    

    You get the same result as shown on the "RH-SSO Admin Console" screen.
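    As an added example (not code from the original post), here is a small Python client that ties the two points above together: it reads exp from the token so it can re-fetch it before the one-minute lifetime runs out, and it resolves a clientId to the internal id that the user-sessions endpoint expects. It assumes the same route host, master realm and admin-cli password grant as the curl commands; the cafile parameter is my addition so the CRC router CA can be verified instead of passing --insecure as the curl commands did. The sample token and client list at the bottom are constructed for offline use.

```python
import base64, json, ssl, time
import urllib.parse, urllib.request

def jwt_claims(token):
    """Payload claims of a JWT, decoded without signature verification (local exp check only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)           # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def seconds_left(token, now=None):
    now = time.time() if now is None else now
    return jwt_claims(token)["exp"] - now           # negative once the token has expired

def clientid_to_uuid(clients):
    """clientId -> internal id, the same mapping as the page's jq expression."""
    return {c["clientId"]: c["id"] for c in clients}

class AdminClient:
    """Password-grant admin-cli client that re-fetches its token shortly before it expires."""
    def __init__(self, base, realm, username, password, cafile=None):
        self.base, self.realm, self.tok = base.rstrip("/"), realm, None
        self.creds = {"client_id": "admin-cli", "grant_type": "password",
                      "username": username, "password": password}
        # Verify TLS against the router CA (cafile) rather than disabling it like --insecure.
        self.ctx = ssl.create_default_context(cafile=cafile)

    def token(self):
        if self.tok is None or seconds_left(self.tok) < 10:    # 10 s safety margin
            url = f"{self.base}/auth/realms/{self.realm}/protocol/openid-connect/token"
            req = urllib.request.Request(url, data=urllib.parse.urlencode(self.creds).encode())
            with urllib.request.urlopen(req, context=self.ctx) as r:
                self.tok = json.load(r)["access_token"]
        return self.tok

    def get(self, path):
        url = f"{self.base}/auth/admin/realms/{self.realm}{path}"
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + self.token()})
        with urllib.request.urlopen(req, context=self.ctx) as r:
            return json.load(r)

    def user_sessions(self, client_id):
        """GET /{realm}/clients/{id}/user-sessions; {id} is the UUID, not the clientId."""
        return self.get(f"/clients/{clientid_to_uuid(self.get('/clients'))[client_id]}/user-sessions")

# Constructed sample data (not real credentials): an unsigned JWT with exp = iat + 60 s, the lifetime seen on the page, and two clients copied from the page's output.
def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
SAMPLE_TOKEN = _b64({"alg": "none"}) + "." + _b64({"exp": 1599092931, "iat": 1599092871}) + "."
SAMPLE_CLIENTS = [{"clientId": "admin-cli", "id": "47bb0cd4-f07f-4ddf-9667-97f32804f3e3"}, {"clientId": "security-admin-console", "id": "eb13dafb-9ac5-4eb6-a73b-d43ec8aa084f"}]
```

    Against a live CRC cluster, AdminClient("https://sso-sso.apps-crc.testing", "master", "sso_admin", "sso_password", cafile="<router-ca.pem>").user_sessions("security-admin-console") returns the same JSON as the curl pipeline above.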


Conclusion

    I have been experimenting while reading the manual, but there is a lot of confusing information, so unless I write down the patterns that worked I forget them... is it my age?

    The manual is here:
    https://access.redhat.com/documentation/ja-jp/red_hat_single_sign-on/7.4/html-single/red_hat_single_sign-on_for_openshift_on_openjdk
