Skip to content
/ keycloak-docker-group-role-mapper Public

Authorization Mapping Provider for Keycloak's Docker Registry v2 token protocol based on client roles and realm groups with configuration options.

License

Apache-2.0 license
7 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

alexanderwolz/keycloak-docker-group-role-mapper

BranchesTags

Repository files navigation

Docker v2 - Groups and Role Mapper for Keycloak 25.x

GitHub release (latest by date) GitHub GitHub GitHub GitHub GitHub code size in bytes GitHub all releases

🧑‍💻 About

This repository provides a MappingProvider for Keycloak's Docker-v2 protocol. It manages registry access for users with client role admin or editor and who are assigned to realm groups named like registry-${namespace}. Clients without any roles are treated as user and will be granted read-only access to the namespace by default. This behavior can be overwritten by environment variables (see configuration)

🛠️ Build

  1. Create jar resource using ./gradlew clean build
  2. Copy /build/libs/*.jar into Keycloak´s /opt/keycloak/providers/ folder
  3. Build keycloak instance using /opt/keycloak/bin/kc.sh build

See also Keycloak Dockerfile for reference in examples section.

🔬 Basic Concept

  • Users can be grouped to the same repository namespace by assigning them to one or several groups starting with registry-.
  • Without any client roles assigned, users will be granted read-only access to their namespaces.
  • Default namespaces (repositories without prefix/) can only be accessed by admins.
  • Assigning the client role editor will allow users to also push and delete images in their namespaces.
  • Assigning the client role admin will allow access to any resource in the whole registry and give full access.
  • Users could be grouped to domain-namespaces according to their email-addresses (can be configured via environment variables, default off)
  • Without having any roles and groups assigned, users will have full access to the namespace if it matches their username (can be configured via environment variables, default off)

⚙️ Configuration

This mapper supports following environment variables (either set on server or in docker container):

Variable Name Values Description
REGISTRY_CATALOG_AUDIENCE editor, user Will allow editors or users to access registry:catalog:* scope. That would be of interest to users who want to access UI frontends.
No scope is set by default, so only admins are allowed to access registry scope.
REGISTRY_NAMESPACE_SCOPE group, domain, sld, username If group is set, users are checked for group membership and will be granted access to the repository according to their roles.
If domain is set, users are checked against their email domain and will be granted access to the repository (e.g. company.com/image) according to their roles.
If sld is set, users are checked against their email second level domain (sld) and will be granted access to the repository (e.g. company/image) according to their roles.
If username is set, users will be granted full access to the namespace if it matches their username (lowercase check).

Namespace scope group is set by default or if value is empty or no value matches group, domain, sld or username (all values can be concatenated with ,).
REGISTRY_GROUP_PREFIX any String Custom group prefix. Will default to registry-. Comparisons will be checked with lowercase String representation.

🔒 Keycloak Setup

Keycloak must be setup to have a docker-v2 registry client, roles and optional groups. The registry then must be configured to use OIDC configuration provided by Keycloak

Enable Docker v2 Protocol Feature

  1. In order to use the Docker v2 protocol, the feature docker must be enabled during Keycloak server startup.
  2. This can be done by setting the environment variable KC_FEATURES=docker,token-exchange.

Create Registry Client Configuration

  1. Go to realm and choose "Clients" section
  2. Create new client by clicking "Create client"
  3. Choose Client Type docker-v2 and insert client id e.g. "myregistry"
  4. Set valid redirect URL

Create Client Roles

  1. In Client Page, choose "Roles"-tab
  2. Click "Create role" and set role name to admin
  3. Go back to "Roles"-tab
  4. Click "Create role" and set role name to editor

Set the Mapper

  1. in Client Page, choose "Client scopes"-tab
  2. Go to "myregistry-dedicated" scope
  3. Delete "docker-v2-allow-all-mapper" configuration
  4. Click "Configure a new mapper" button
  5. Choose "Allow by Groups and Roles" mapper (this mapper)
  6. Give it a name e.g. "Allow by Groups and Roles Mapper"

Keycloak Registry Client Config

Create Roles

  1. Go to realm and choose "Groups" section
  2. Click "Create group"
  3. Name it "registry-mycompany"

Assign Roles to users

  1. Go to realm and choose "Users" section
  2. Choose your user and select "Role mapping"
  3. Click "Assign role"
  4. Filter by "clients" and search for 'myregistry'
  5. Choose either admin or editor
  6. Click "Assign"

Assign Groups to users

  1. Go to realm and choose "Users" section
  2. Choose your user and select "Groups"
  3. Click "Join Group"
  4. Select "registry-mycompany"
  5. Click "Join"
  6. Now the user will have access to registry namespace myregistry.com/mycompany/

Keycloak Registry Client Config

Made with ❤️ in Bavaria
© 2024, Alexander Wolz

About

Authorization Mapping Provider for Keycloak's Docker Registry v2 token protocol based on client roles and realm groups with configuration options.

Topics

kotlin plugin docker registry jwt groups keycloak authentication mapping email docker-registry domain auth roles authorization token user scope sld

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct
Activity

Stars

7 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases 12

v1.5.3 Latest
May 11, 2024
+ 11 releases

Sponsor this project

 
Learn more about GitHub Sponsors

Packages

No packages published

Languages