/user/yk.mtst/memo/2018/11/03/Keycloak evaluation environment setup
Prerequisites
- git
- docker
- docker-compose
Setup notes
Install
Create a directory to install into
$ mkdir keycloak
$ cd keycloak
Fetch the docker-compose.yml from https://gist.github.com/sahya/16993f37ba55e10f8bc40ee5fe4b0757
$ wget https://gist.githubusercontent.com/sahya/16993f37ba55e10f8bc40ee5fe4b0757/raw/b2cb9407643765c4c0f83f52abdca73890a8c8bc/docker-compose.yml
It depends on weseek/growi-docker-compose, so clone that too
$ git clone https://github.com/weseek/growi-docker-compose.git growi
Replace the domain
$ sed -i 's/example.com/keycloak-eval1.infra-workshop.tech/' docker-compose.yml
Create a quick self-signed wildcard certificate (*.keycloak-eval1.infra-workshop.tech)
$ mkdir certs
$ cd certs
$ openssl genrsa 2048 > wildcard.keycloak-eval1.infra-workshop.tech.key
$ openssl req -new -key wildcard.keycloak-eval1.infra-workshop.tech.key > wildcard.keycloak-eval1.infra-workshop.tech.csr
$ openssl x509 -days 3650 -req -signkey wildcard.keycloak-eval1.infra-workshop.tech.key <wildcard.keycloak-eval1.infra-workshop.tech.csr > wildcard.keycloak-eval1.infra-workshop.tech.crt
$ cd ..
Start the containers
$ docker-compose up -d
Watch the logs and wait for startup to finish
$ docker-compose logs -f
Configure name resolution as appropriate and open the following in a browser
https://sts.keycloak-eval1.infra-workshop.tech
https://wiki.keycloak-eval1.infra-workshop.tech
https://wp.keycloak-eval1.infra-workshop.tech
Growi SAML authentication
Configured following https://qiita.com/sahya/items/d8ad66aadcf587c6f0a3
Logging in from Growi failed with the error below (thrown at the following line):
https://github.com/keycloak/keycloak/blob/4.0.0.Final/services/src/main/java/org/keycloak/protocol/saml/SamlProtocolUtils.java#L135
growiapp | [2018-11-03T08:12:01.455Z] INFO: express/87 on e3610efbe7c7: ::ffff:172.18.0.3 <-- GET /passport/saml?_csrf=vAGfeN8B-cgW20eiqjgfbGq-Xt2Z8Oq4CnWw HTTP/1.1 302 0 https://wiki.keycloak-eval1.infra-workshop.tech/login Chrome 70.0 Windows 10.0.0 2.614875 ms (req_id=6aed2f8d-89e6-4acf-828e-8ab3e8b7e5c6)
keycloak | 08:12:09,696 ERROR [org.keycloak.protocol.saml.SamlService] (default task-46) request validation failed: org.keycloak.common.VerificationException: SigAlg was null
keycloak |     at org.keycloak.protocol.saml.SamlProtocolUtils.verifyRedirectSignature(SamlProtocolUtils.java:135)
→ Resolved by turning off "Client Signature Required" on the Keycloak client. The log shows the AuthnRequest arriving over the HTTP-Redirect binding with no SigAlg parameter, i.e. unsigned, while the client was configured to require signed requests.
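The check that produced "SigAlg was null", reduced to its core as an added example in Go (not code from this memo, Growi or Keycloak): the SP signs the URL-encoded SAMLRequest, RelayState and SigAlg parameters, and an IdP with "Client Signature Required" on rejects any request that carries no SigAlg before looking at anything else. Turning that setting off means the IdP no longer verifies that AuthnRequests come from the registered SP; the stricter alternative in SAML is for the SP to sign its requests. demoKey and the AuthnRequest string are constructed for the demo.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"net/url"
)
const rsaSHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed SP signing key for the demo

// signedString is what the HTTP-Redirect signature covers: SAMLRequest, RelayState, SigAlg (URL-encoded, in that order).
func signedString(q url.Values) string {
	return "SAMLRequest=" + url.QueryEscape(q.Get("SAMLRequest")) + "&RelayState=" +
		url.QueryEscape(q.Get("RelayState")) + "&SigAlg=" + url.QueryEscape(q.Get("SigAlg"))
}

// redirectQuery is the SP side: DEFLATE + base64 the AuthnRequest, then sign; key == nil sends it unsigned.
func redirectQuery(authnRequest, relayState string, key *rsa.PrivateKey) (url.Values, error) {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression)
	w.Write([]byte(authnRequest))
	w.Close()
	q := url.Values{"SAMLRequest": {base64.StdEncoding.EncodeToString(buf.Bytes())}, "RelayState": {relayState}}
	if key == nil {
		return q, nil // unsigned request: neither SigAlg nor Signature is present
	}
	q.Set("SigAlg", rsaSHA256)
	sum := sha256.Sum256([]byte(signedString(q)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	q.Set("Signature", base64.StdEncoding.EncodeToString(sig))
	return q, err
}

// verifyRedirectSignature is the IdP side with "Client Signature Required" on: a request without SigAlg is rejected.
func verifyRedirectSignature(q url.Values, pub *rsa.PublicKey) error {
	if q.Get("SigAlg") == "" {
		return errors.New("SigAlg was null")
	}
	sig, err := base64.StdEncoding.DecodeString(q.Get("Signature"))
	if err != nil || q.Get("SigAlg") != rsaSHA256 {
		return errors.New("malformed Signature or unsupported SigAlg")
	}
	sum := sha256.Sum256([]byte(signedString(q)))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig)
}
```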
Keycloak image operations
Reference: https://hub.docker.com/r/jboss/keycloak/
Change the log level to DEBUG
docker exec keycloak ./keycloak/bin/jboss-cli.sh --connect --command='/subsystem=logging/logger=org.keycloak:write-attribute(name=level,value=DEBUG)'
Checking the Keycloak upgrade procedure
Reference: https://keycloak-documentation.openstandia.jp/master/ja_JP/upgrading/index.html
Stop Keycloak and take a DB dump
$ docker-compose stop keycloak
$ docker-compose exec kcdb mysqldump -uroot -proot --all-databases | gzip > kcdb.dump.`date +%Y%m%d_%H%M%S`.gz
Edit docker-compose.yml
$ vi docker-compose.yml
Build and start the new Keycloak
$ docker-compose up -d keycloak
Verify it works
Building a custom Keycloak image
Dockerfile:
# Stage 1: build the keycloak-discord provider from source
FROM maven:3-jdk-8 AS builder
RUN git clone https://github.com/wadahiro/keycloak-discord.git
RUN cd keycloak-discord && mvn package
# Stage 2: drop the built EAR into the Keycloak deployments directory
FROM jboss/keycloak:4.5.0.Final
COPY --from=builder keycloak-discord/ear/target/keycloak-discord.ear /opt/jboss/keycloak/standalone/deployments/
Discord integration verification (prototype version)
- Deploy log
keycloak | 17:25:14,709 INFO [org.jboss.as.server.deployment] (MSC service thread 1-4) WFLYSRV0027: Starting deployment of "keycloak-discord.ear" (runtime-name: "keycloak-discord.ear")
keycloak | 17:25:14,715 INFO [org.jboss.as.server.deployment] (MSC service thread 1-6) WFLYSRV0027: Starting deployment of "keycloak-server.war" (runtime-name: "keycloak-server.war")
keycloak | 17:25:14,755 INFO [org.wildfly.extension.undertow] (MSC service thread 1-4) WFLYUT0006: Undertow HTTPS listener https listening on 0.0.0.0:8443
keycloak | 17:25:14,777 INFO [org.jboss.as.server.deployment] (MSC service thread 1-7) WFLYSRV0207: Starting subdeployment (runtime-name: "keycloak-discord-ejb.jar")
keycloak | 17:25:14,825 WARN [org.jboss.as.dependency.private] (MSC service thread 1-5) WFLYSRV0018: Deployment "deployment.keycloak-discord.ear" is using a private module ("org.keycloak.keycloak-server-spi-private") which may be changed or removed in future versions without notice.
keycloak | 17:25:14,825 WARN [org.jboss.as.dependency.private] (MSC service thread 1-5) WFLYSRV0018: Deployment "deployment.keycloak-discord.ear" is using a private module ("org.keycloak.keycloak-services") which may be changed or removed in future versions without notice.
keycloak | 17:25:14,828 WARN [org.jboss.as.dependency.private] (MSC service thread 1-5) WFLYSRV0018: Deployment "deployment.keycloak-discord.ear" is using a private module ("org.keycloak.keycloak-saml-core-public") which may be changed or removed in future versions without notice.
keycloak | 17:25:14,829 WARN [org.jboss.as.dependency.private] (MSC service thread 1-5) WFLYSRV0018: Deployment "deployment.keycloak-discord.ear" is using a private module ("org.bouncycastle") which may be changed or removed in future versions without notice.
keycloak | 17:25:14,829 WARN [org.jboss.as.dependency.private] (MSC service thread 1-5) WFLYSRV0018: Deployment "deployment.keycloak-discord.ear" is using a private module ("com.google.guava") which may be changed or removed in future versions without notice.
keycloak | 17:25:14,855 INFO [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor] (MSC service thread 1-2) Deploying Keycloak provider: keycloak-discord-ejb.jar
keycloak | 17:25:15,196 WARN [org.jgroups.protocols.UDP] (ServerService Thread Pool -- 50) JGRP000015: the send buffer of socket MulticastSocket was set to 1.00MB, but the OS only allocated 212.99KB. This might lead to performance problems. Please set your max send buffer in the OS correctly (e.g. net.core.wmem_max on Linux)
keycloak | 17:25:15,196 WARN [org.jgroups.protocols.UDP] (ServerService Thread Pool -- 50) JGRP000015: the receive buffer of socket MulticastSocket was set to 20.00MB, but the OS only allocated 212.99KB. This might lead to performance problems. Please set your max receive buffer in the OS correctly (e.g. net.core.rmem_max on Linux)
keycloak | 17:25:15,196 WARN [org.jgroups.protocols.UDP] (ServerService Thread Pool -- 50) JGRP000015: the send buffer of socket MulticastSocket was set to 1.00MB, but the OS only allocated 212.99KB. This might lead to performance problems. Please set your max send buffer in the OS correctly (e.g. net.core.wmem_max on Linux)
keycloak | 17:25:15,197 WARN [org.jgroups.protocols.UDP] (ServerService Thread Pool -- 50) JGRP000015: the receive buffer of socket MulticastSocket was set to 25.00MB, but the OS only allocated 212.99KB. This might lead to performance problems. Please set your max receive buffer in the OS correctly (e.g. net.core.rmem_max on Linux)
- Listing as an IdP
- [ ] Discord authentication settings screen
  - Change the admin theme
  - Confirm the transition to the Discord authentication settings screen
- Discord-side settings
  - Create a Discord application
    Created at https://discordapp.com/developers/applications/
    - Add the redirect URL on the OAuth2 screen
  - Check the server ID
    Reference: https://support.discordapp.com/hc/ja/articles/206346498-ユーザー-サーバー-メッセージIDはどこで見つけられる-
    A test server was created and used for this
- Create a Discord application
- Discord authentication settings
- Login via Discord authentication
  Growi login -> Keycloak login -> Discord login -> Keycloak user registration -> Growi user registration
Performance visualization
Installed Cockpit to look at server performance