
Keycloak 24.05. Release Candidate #66

Closed
jjeroch opened this issue Mar 20, 2024 · 2 comments
jjeroch (Contributor) commented Mar 20, 2024

Summary

Update the keycloak image for release candidate 24.05.

Details

SD Factory Tech User

  • sa-cl5-custodian-1 to be removed - not needed anymore (note: already disabled the user in INT on the 24th of March to be able to test the scenario of not having this user anymore as part of the e2e tests) ✅ removed
  • sa-cl5-custodian-2 - for discussion; actually, as an interim (in release 24.05.) the connection will be stopped; afterwards it might get reconnected --> decision: stays in

Impact on portal db seeding to be checked

New Client Issuer Component

Basic

  • new client for issuer component needed Cl24-CX-SSI-CredentialIssuer
  • add the following permissions to the new client ✅
    • request_ssicredential
    • decision_ssicredential
    • view_use_case_participation
    • view_certificates
    • revoke_credentials_issuer
    • revoke_credential
  • technical user sa-cl2-04 needed (release image) which has permission to access Cl24-CX-SSI-CredentialIssuer with all its roles ✅
  • technical user sa-cl24-01 needed (release image) which has permission to access Cl2-CX-Portal with the roles ✅
    • send_mail
    • create_notifications
    • update_application_bpn_credential
    • update_application_membership_credential

Add portal permissions ✅

  • send_mail
  • update_application_bpn_credential
  • update_application_membership_credential
  • store_didDocument

Role Changes

  • assign new permission decision_ssicredential to the portal role CX Admin

New DIM Client

Within release iam image:

  • technical user sa-cl2-05 needed which has permission to access Cl2-CX-Portal with the role store_didDocument

Not within release iam image / only consortia images (because hosted in some SAP IAM):

  • new client for issuer component needed DIM-Middle-Layer
    • setup_wallet
    • view_status_list
  • technical user sa-dim-middle-layer-01 needed which has permission to access DIM-Middle-Layer with all its roles

New technical users for the issuer function ✅ done under "New Client Issuer Component" section

Portal needs a configured technical user to connect portal with SSI-Credential-Issuer

  • Tech Role "Credential Issuer" with the following assigned roles from the new client Cl24-CX-SSI-CredentialIssuer
    • request_ssicredential
    • decision_ssicredential
    • view_use_case_participation
    • view_certificates
    • revoke_credentials_issuer
    • revoke_credential

Issuer Component needs a configured technical user to connect back to the portal

  • Tech Role "Issuer Communication" with the following assigned roles from the new client Cl2-CX-Portal
    • send_mail (new Cl2-CX-Portal permission)
    • create_notifications (new Cl2-CX-Portal permission)
    • update_application_bpn_credential (new Cl2-CX-Portal permission)
    • update_application_membership_credential (new Cl2-CX-Portal permission)

Removal of portal permissions due to the new SSI Solution and Issuer component ✅

  • remove decision_ssicredential permission from portal
  • remove request_ssicredential permission from portal

Removal of portal permissions due to clean-up/matching roles&rights matrix obsolete marked permissions ✅

  • remove upload_documents permission from portal
  • remove my_user_account permission from portal
  • remove view_tech_roles permission from portal
  • remove setup_client permission from portal
  • remove view_dataspaces permission from portal
  • remove filter_apps permission from portal
  • remove view_services permission from portal
  • remove subscribe_service_offering permission from portal
  • remove `` permission from portal

BPDM Roles & Right Concept adjustment ✅

  • Clean up Cl7-CX-BPDM
    Valid Origin: https://partners-pool.{env}.demo.catena-x.net/*
    Description: BPDM Pool
    Permissions:

    • read_partner
    • write_partner
    • read_partner_member
    • read_changelog
    • read_changelog_member
    • read_metadata
    • write_metadata
  • Clean up Cl16-CX-BPDMGate
    Valid Origin: https://partners-gate.{env}.demo.catena-x.net/*
    Description: Portal Gate
    Permissions:

    • read_input_partner
    • write_input_partner
    • read_input_changelog
    • read_output_partner
    • write_output_partner
    • read_output_changelog
    • read_sharing_state
    • write_sharing_state
    • read_stats
  • Inside the technical_roles_management remove

    • "BPDM Gate Read"
    • "BPDM Gate Read & Write"
    • "BPDM Partner Gate"
    • "BPDM Management"
    • "BPDM Pool"
  • Inside the technical_roles_management newly create

    • BPDM Sharing Admin
      With permissions:
      • read_input_partner
      • write_input_partner
      • read_input_changelog
      • read_output_partner
      • write_output_partner
      • read_output_changelog
      • read_sharing_state
      • write_sharing_state
      • read_stats
    • BPDM Sharing Input Manager
      • read_input_partner
      • write_input_partner
      • read_input_changelog
      • read_sharing_state
      • write_sharing_state
      • read_stats
    • BPDM Sharing Input Consumer
      • read_input_partner
      • read_input_changelog
      • read_sharing_state
      • read_stats
    • BPDM Sharing Output Consumer
      • read_output_partner
      • read_output_changelog
      • read_sharing_state
      • read_stats
    • BPDM Pool Consumer
      • read_changelog
      • read_changelog_member
      • read_metadata
    • BPDM Pool Admin
      • read_partner
      • write_partner
      • read_partner_member
      • read_changelog
      • read_changelog_member
      • read_metadata
      • write_metadata

  • remove sa-cl7-cx-1
  • remove sa-cl7-cx-2 - we need to inform Fabio - but I want to get rid of the user if possible ✅ (I asked Fabio, it's ok)
  • update sa-cl7-cx-3 - assign BPDM Pool Admin
  • update sa-cl7-cx-4 - assign BPDM Pool Consumer
  • update sa-cl7-cx-5 - assign BPDM Pool Admin & BPDM Sharing Admin
  • update sa-cl7-cx-6 - assign BPDM Pool Consumer
  • update sa-cl7-cx-7 - assign BPDM Pool Admin & BPDM Sharing Admin
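The client, role and technical-user changes above are easy to get subtly wrong in a realm export (a stale permission left on Cl2-CX-Portal, a service account missing one of its client roles, a removed technical user still present). The following audit script is an added example, not code from the portal-iam project: it checks a Keycloak realm export against the issuer/portal expectations listed in this issue. It assumes the standard Keycloak realm export layout (top-level "clients", "roles" -> "client" -> {clientId: [role objects]}, and service-account entries under "users" carrying "serviceAccountClientId" and "clientRoles"); the embedded SAMPLE_REALM is a constructed sample, not a real export, and deliberately contains three deviations so the findings are visible.

```python
"""Audit a Keycloak realm export against the client/role/technical-user
expectations in this issue. Added example, not part of portal-iam."""
import json
import sys

# Expected state taken from the issue text.
ISSUER_CLIENT = "Cl24-CX-SSI-CredentialIssuer"
PORTAL_CLIENT = "Cl2-CX-Portal"

REQUIRED_CLIENT_ROLES = {
    ISSUER_CLIENT: {"request_ssicredential", "decision_ssicredential",
                    "view_use_case_participation", "view_certificates",
                    "revoke_credentials_issuer", "revoke_credential"},
    PORTAL_CLIENT: {"send_mail", "create_notifications",
                    "update_application_bpn_credential",
                    "update_application_membership_credential",
                    "store_didDocument"},
}
# Permissions the issue says must no longer exist on the portal client.
REMOVED_PORTAL_ROLES = {"decision_ssicredential", "request_ssicredential",
                        "upload_documents", "my_user_account", "view_tech_roles",
                        "setup_client", "view_dataspaces", "filter_apps",
                        "view_services", "subscribe_service_offering"}
# Technical users (service-account clients) and the client roles they need.
REQUIRED_SERVICE_ACCOUNTS = {
    "sa-cl2-04": {ISSUER_CLIENT: REQUIRED_CLIENT_ROLES[ISSUER_CLIENT]},
    "sa-cl24-01": {PORTAL_CLIENT: {"send_mail", "create_notifications",
                                  "update_application_bpn_credential",
                                  "update_application_membership_credential"}},
    "sa-cl2-05": {PORTAL_CLIENT: {"store_didDocument"}},
}
REMOVED_SERVICE_ACCOUNTS = {"sa-cl5-custodian-1", "sa-cl7-cx-1", "sa-cl7-cx-2"}


def audit_realm(realm: dict) -> list[str]:
    """Return findings as strings; an empty list means the export matches the issue."""
    findings = []
    clients = {c["clientId"]: c for c in realm.get("clients", [])}
    client_roles = {cid: {r["name"] for r in roles}
                    for cid, roles in realm.get("roles", {}).get("client", {}).items()}
    # 1. Required client roles present, removed portal roles absent.
    for cid, wanted in REQUIRED_CLIENT_ROLES.items():
        if cid not in clients:
            findings.append(f"missing client {cid}")
            continue
        for missing in sorted(wanted - client_roles.get(cid, set())):
            findings.append(f"{cid}: missing role {missing}")
    for stale in sorted(REMOVED_PORTAL_ROLES & client_roles.get(PORTAL_CLIENT, set())):
        findings.append(f"{PORTAL_CLIENT}: role {stale} should have been removed")
    # 2. Technical users exist as service-account clients with the right client roles.
    sa_users = {u["serviceAccountClientId"]: u for u in realm.get("users", [])
                if u.get("serviceAccountClientId")}
    for sa, needed in REQUIRED_SERVICE_ACCOUNTS.items():
        if sa not in clients:
            findings.append(f"missing technical user client {sa}")
            continue
        if not clients[sa].get("serviceAccountsEnabled"):
            findings.append(f"{sa}: serviceAccountsEnabled is not set")
        granted = sa_users.get(sa, {}).get("clientRoles", {})
        for cid, roles in needed.items():
            for missing in sorted(roles - set(granted.get(cid, []))):
                findings.append(f"{sa}: missing {cid} role {missing}")
    # 3. Decommissioned technical users are gone (least privilege: no orphaned credentials).
    for sa in sorted(REMOVED_SERVICE_ACCOUNTS & set(clients)):
        findings.append(f"technical user {sa} should have been removed")
    return findings


# Constructed sample realm export (not a real portal-iam export). It contains
# three deliberate deviations: a stale portal role, a service account missing
# one role, and a technical user that should have been removed.
SAMPLE_REALM = {
    "clients": [
        {"clientId": ISSUER_CLIENT, "serviceAccountsEnabled": False},
        {"clientId": PORTAL_CLIENT, "serviceAccountsEnabled": False},
        {"clientId": "sa-cl2-04", "serviceAccountsEnabled": True},
        {"clientId": "sa-cl24-01", "serviceAccountsEnabled": True},
        {"clientId": "sa-cl2-05", "serviceAccountsEnabled": True},
        {"clientId": "sa-cl5-custodian-1", "serviceAccountsEnabled": True},
    ],
    "roles": {"client": {
        ISSUER_CLIENT: [{"name": r} for r in sorted(REQUIRED_CLIENT_ROLES[ISSUER_CLIENT])],
        PORTAL_CLIENT: [{"name": r} for r in sorted(REQUIRED_CLIENT_ROLES[PORTAL_CLIENT])]
                       + [{"name": "upload_documents"}],
    }},
    "users": [
        {"username": "service-account-sa-cl2-04", "serviceAccountClientId": "sa-cl2-04",
         "clientRoles": {ISSUER_CLIENT: sorted(REQUIRED_CLIENT_ROLES[ISSUER_CLIENT])}},
        {"username": "service-account-sa-cl24-01", "serviceAccountClientId": "sa-cl24-01",
         "clientRoles": {PORTAL_CLIENT: ["send_mail", "update_application_bpn_credential",
                                         "update_application_membership_credential"]}},
        {"username": "service-account-sa-cl2-05", "serviceAccountClientId": "sa-cl2-05",
         "clientRoles": {PORTAL_CLIENT: ["store_didDocument"]}},
    ],
}

if __name__ == "__main__":
    # Usage: python audit_realm.py [realm-export.json]; without an argument the sample is used.
    realm = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REALM
    for line in audit_realm(realm) or ["realm matches the issue"]:
        print(line)
```

Running the script against an exported realm (e.g. from kc.sh export) before building the release image turns this checklist into a repeatable gate: every line printed is one item from the issue that the export still contradicts. The BPDM composite-role cleanup is not covered here; it would follow the same pattern with the technical_roles_management mappings.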
evegufy changed the title from "Keycloak 24.03. Release Candidate" to "Keycloak 24.05. Release Candidate" on Mar 20, 2024

Phil91 (Member) commented Mar 25, 2024

@jjeroch had a look at the code; we need the following technical users:

portal -> needs SSI Issuer Client + roles:
request_ssicredential
decision_ssicredential
view_use_case_participation
view_certificates
revoke_credentials_issuer
revoke_credential

issuer component -> needs Cl2-CX-Portal Client + roles:
send_mail
create_notifications
update_application_bpn_credential
update_application_membership_credential

@evegufy /cc

jjeroch (Contributor, Author) commented Mar 26, 2024

@Phil91 let us do some cleanups here

request_credential
decision_credential
view_credential_requests
revoke_credentials_issuer
revoke_credentials_requester

evegufy added this to the Release 24.05 milestone Apr 9, 2024
Phil91 added a commit to eclipse-tractusx/portal-backend that referenced this issue Apr 10, 2024
Phil91 added a commit to eclipse-tractusx/portal-backend that referenced this issue Apr 11, 2024
evegufy added a commit to eclipse-tractusx/portal-backend that referenced this issue Apr 11, 2024
…(consortia) (#620)

* chore(service-accounts): remove sa-cl5-custodian-1 service account and rename sa-cl5-custodian-1

* chore(seeding-consortia): WIP onboard CX-Test-Access

* chore: adjust seeding for cx test access

Refs: eclipse-tractusx/portal-iam#66

---------

Co-authored-by: Phil Schneider <info@philschneider.de>
evegufy added a commit to eclipse-tractusx/portal-backend that referenced this issue Apr 11, 2024
remove:
- BPDM Gate Read
- BPDM Gate Read & Write
- BPDM Partner Gate
- BPDM Management
- BPDM Pool
add:
- BPDM Sharing Admin
- BPDM Sharing Input Manager
- BPDM Sharing Input Consumer
- BPDM Sharing Output Consumer
- BPDM Pool Admin
- BPDM Pool Consumer
eclipse-tractusx/portal-iam#66