[DMS-450] Docker Compose for the Config Service, and authorization de…

…monstration (#363)

* Use strings instead of PowerShell bools

* Correction to default token endpoint
Add more variables

* Work in progress demonstration

* DMS config app settings for docker

* Notes on automated setup

* This script should setup the DMS Config Service client, not a DMS client

* Use an external network

* New compose file for the DMS Config Service

* Need to deploy config database on startup

* Typo fix

* Functional authentication demonstration

* Move file

* Script improvements

* Improved example .env

* Fixed a .env error, now search works

* Move keycloak settings

eng/docker-compose/.env.example

@@ -1,46 +1,67 @@
-
-# Variables for Postgres database
+# -----------------
+# Postgres database
+# -----------------
 POSTGRES_PASSWORD=P@ssW0rd
 POSTGRES_DB_NAME=edfi_datamanagementservice
 POSTGRES_PORT=5432
 
-# Variables for Kafka connect
-CONNECT_SOURCE_PORT=8083
-CONNECT_SINK_PORT=8084
+# ----------------
+# Search Database
+# ----------------
 
 # Note: You only need to configure either the Elasticsearch or OpenSearch settings.
 # Ensure you select the appropriate settings based on your deployment.
 
-# Variables for Opensearch search engine
 OPENSEARCH_HTTP_PORT=9200
 OPENSEARCH_ANALYZER_PORT=9600
 OPENSEARCH_DASHBOARD_PORT=5601
 OPENSEARCH_INITIAL_ADMIN_PASSWORD=abcdefgh1!
 OPENSEARCH_ADMIN_PASSWORD=abcdefgh1!
 
-# Variables for Elasticsearch search engine
 ELASTICSEARCH_HTTP_PORT=9200
 ELASTICSEARCH_ANALYZER_PORT=9300
 ELASTICSEARCH_DASHBOARD_PORT=5601
 ELASTICSEARCH_ADMIN_USERNAME=admin
 ELASTICSEARCH_ADMIN_PASSWORD=abcdefgh1!
 
+# -----
+# Kafka
+# -----
+
 # Variables for Kafka UI
 KAFKA_PORT=9092
 KAFKA_UI_PORT=8088
 
-# Variables for DMS appsettings
+# Variables for Kafka connect
+CONNECT_SOURCE_PORT=8083
+CONNECT_SINK_PORT=8084
+
+# --------
+# Keycloak
+# --------
+
+KEYCLOAK_ADMIN=admin
+KEYCLOAK_ADMIN_PASSWORD=admin
+KEYCLOAK_PORT=8045
+
+# ---
+# DMS
+# ---
 ASPNETCORE_HTTP_PORTS=8080
-OAUTH_TOKEN_ENDPOINT=http://localhost:8080/oauth/token
+OAUTH_TOKEN_ENDPOINT=http://localhost:8045/realms/edfi/protocol/openid-connect/token
 NEED_DATABASE_SETUP=true
 BYPASS_STRING_COERCION=false
+
+# INFORMATION, WARNING
 LOG_LEVEL=DEBUG
+
 MASK_REQUEST_BODY_IN_LOGS=true
 CORRELATION_ID_HEADER=
 DMS_DATASTORE=postgresql
 DMS_QUERYHANDLER=opensearch
 
 DATABASE_CONNECTION_STRING=host=dms-postgresql;port=5432;username=postgres;password=${POSTGRES_PASSWORD};database=${POSTGRES_DB_NAME};
+# RepeatableRead, Snapshot
 DATABASE_ISOLATION_LEVEL=ReadCommitted
 
 # DATABASE_CONNECTION_STRING_ADMIN allows for alternate credentials with elevated permissions for creating database objects
@@ -54,15 +75,33 @@ BREAK_DURATION_SECONDS=30
 
 OPENSEARCH_URL=http://dms-search:9200
 
-# Variables for keycloak.yml
-KEYCLOAK_ADMIN=admin
-KEYCLOAK_ADMIN_PASSWORD=admin
-KEYCLOAK_PORT=8045
-
 # Authorization parameters
 IDENTITY_ENFORCE_AUTHORIZATION=true
-IDENTITY_SERVICE_ROLE=dms-client
-IDENTITY_AUTHORITY=http://dms-keycloak:8080/realms/dms
+# Config Service is currently assigning DMS clients the same role as Config Service clients, not using "dms-client" as intended
+# IDENTITY_SERVICE_ROLE=dms-client
+IDENTITY_SERVICE_ROLE=config-service-app
+IDENTITY_AUTHORITY=http://dms-keycloak:8080/realms/edfi
 IDENTITY_AUDIENCE=account
 IDENTITY_REQUIRE_HTTPS_METADATA=false
-IDENTITY_ROLE_CLAIM_TYPE=http://schemas.microsoft.com/ws/2008/06/identity/claims/role
+IDENTITY_ROLE_CLAIM_TYPE=http://schemas\\.microsoft\\.com/ws/2008/06/identity/claims/role
+
+# --------------
+# Config Service
+# --------------
+
+DMS_CONFIG_ASPNETCORE_HTTP_PORTS=8081
+DMS_CONFIG_DATASTORE=postgresql
+DMS_CONFIG_DATABASE_CONNECTION_STRING=host=dms-postgresql;port=5432;username=postgres;password=${POSTGRES_PASSWORD};database=${POSTGRES_DB_NAME};
+DMS_CONFIG_IDENTITY_ALLOW_REGISTRATION=true
+DMS_CONFIG_IDENTITY_SERVICE_ROLE=config-service-app
+DMS_CONFIG_IDENTITY_AUTHORITY=${IDENTITY_AUTHORITY}
+DMS_CONFIG_IDENTITY_AUDIENCE=${IDENTITY_AUDIENCE}
+KEYCLOAK_URL=http://dms-keycloak:8080
+KEYCLOAK_REALM=edfi
+DMS_CONFIG_IDENTITY_CLIENT_ID=DmsConfigurationService
+DMS_CONFIG_IDENTITY_CLIENT_SECRET=s3creT@09
+DMS_CONFIG_IDENTITY_REQUIRE_HTTPS=false
+DMS_CONFIG_IDENTITY_ROLE_CLAIM_TYPE=${IDENTITY_ROLE_CLAIM_TYPE}
+DMS_CONFIG_IDENTITY_SCOPE=scp:edfi_dms_configuration_service/full_access
+DMS_CONFIG_LOG_LEVEL=Information
+DMS_CONFIG_DEPLOY_DATABASE=true

eng/docker-compose/KEYCLOAK-SETUP.md

@@ -36,7 +36,71 @@ Keycloak locally using docker-compose.
 
     ![Default realm page](./images/image-14.png)
 
-## Creating a New Realm
+## Scripted Keycloak Setup
+
+> [!NOTE]
+> See [Manual Keycloak Setup](#appendix-manual-keycloak-setup) below if you are interested in the instructions for setting up Keycloak via the user interface.
+
+## Time to update Configuration Service appsettings
+
+1. Copy your client secret
+2. Make sure you're in the edfi realm
+3. Click Clients in the left sidebar
+4. Select `DmsConfigurationService`
+5. Click Credentials
+6. Copy the Client secret
+7. Update DMS Configuration Service IdentitySettings section on appsettings.json:
+
+   ```js
+    ServiceRole: "config-service-app" (Service realm role created earlier)
+    Authority: "http://your-keycloak-url:port/realms/<your-realm>"
+    IdentityServer: "http://your-keycloak-url:port"
+    Realm: "edfi"(your realm)
+    ClientId: "DmsConfigurationService"
+    ClientSecret: <value-you-copied>
+    RoleClaimType: "http://schemas\\.microsoft\\.com/ws/2008/06/identity/claims/role"
+    Leave the rest as-are
+   ```
+
+    > [!NOTE]
+    > To test the connect/register endpoint, make sure the AllowRegistration flag
+    > is set to true in the IdentitySettings.
+
+    After updating the IdentitySettings values, you can use the connect/register
+    endpoint to register the client. To retrieve the access token, use the
+    connect/token endpoint.
+
+    ```js
+    // connect/register sample request payload
+    {    
+    "clientId":"CSClientApp",
+    "clientSecret":"test1@Secret",
+    "displayName":"CSClientApp"
+    }
+
+    // connect/token sample request payload
+    {    
+    "clientId":"CSClientApp",
+    "clientSecret":"test1@Secret"
+    }
+    ```
+
+## Shutting down the Keycloak container
+
+If you want to shut down the container you can use the -d parameter and if you
+want to remove the volume, add the -v parameter.
+
+```pwsh
+# Stop keykloack, keeping volume
+./start-keycloak.ps1 - d
+
+# Stop keykloack and delete volume
+./start-keycloak.ps1 -d -v
+```
+
+## Appendix: Manual Keycloak Setup
+
+### Creating a New Realm
 
  1. In the top-left corner, select the dropdown labeled `master` (or whatever
     the default realm is called).
@@ -54,14 +118,14 @@ Keycloak locally using docker-compose.
 
     ![Created edfi realm](./images/image-6.png)
 
-## Configuring service specific realm roles
+### Configuring service specific realm roles
 
  1. From the left menu, select Realm roles.
  2. Click Create role
  3. Enter a Role Name (`config-service-app`) and Description
  4. Click Save
 
-## Creating a Configuration Service Client
+### Creating a Configuration Service Client
 
 > [!NOTE]
 > Make sure you are in edfi realm
@@ -104,51 +168,7 @@ Keycloak locally using docker-compose.
 
     ![Realm admin role assignment](./images/image-16.png)
 
-## Time to update Configuration Service appsettings
-
-1. Copy your client secret
-2. Make sure you're in the edfi realm
-3. Click Clients in the left sidebar
-4. Select `DmsConfigurationService`
-5. Click Credentials
-6. Copy the Client secret
-7. Update DMS Configuration Service IdentitySettings section on appsettings.json:
-
-   ```js
-    ServiceRole: "config-service-app" (Service realm role created earlier)
-    Authority: "http://your-keycloak-url:port/realms/<your-realm>"
-    IdentityServer: "http://your-keycloak-url:port"
-    Realm: "edfi"(your realm)
-    ClientId: "DmsConfigurationService"
-    ClientSecret: <value-you-copied>
-    RoleClaimType: "http://schemas\\.microsoft\\.com/ws/2008/06/identity/claims/role"
-    Leave the rest as-are
-   ```
-
-    > [!NOTE]
-    > To test the connect/register endpoint, make sure the AllowRegistration flag
-    > is set to true in the IdentitySettings.
-
-    After updating the IdentitySettings values, you can use the connect/register
-    endpoint to register the client. To retrieve the access token, use the
-    connect/token endpoint.
-
-    ```js
-    // connect/register sample request payload
-    {    
-    "clientId":"CSClientApp",
-    "clientSecret":"test1@Secret",
-    "displayName":"CSClientApp"
-    }
-
-    // connect/token sample request payload
-    {    
-    "clientId":"CSClientApp",
-    "clientSecret":"test1@Secret"
-    }
-    ```
-
-## DMS client setup in Keycloak
+### DMS client setup in Keycloak
 
 Please refer "Creating a Configuration Service Client" section above
 
@@ -299,16 +319,3 @@ Please refer "Creating a Configuration Service Client" section above
             "RequireHttpsMetadata": false,
             "RoleClaimType": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
         ```
-
-## Shutting down the Keycloak container
-
-If you want to shut down the container you can use the -d parameter and if you
-want to remove the volume, add the -v parameter.
-
-```pwsh
-# Stop keykloack, keeping volume
-./start-keycloak.ps1 - d
-
-# Stop keykloack and delete volume
-./start-keycloak.ps1 -d -v
-```

eng/docker-compose/kafka-opensearch-ui.yml

@@ -15,6 +15,8 @@ services:
       DYNAMIC_CONFIG_ENABLED: 'true'
       KAFKA_CLUSTERS_0_NAME: kafka1
       KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS: kafka:9092
+    networks:
+      - dms
 
   opensearch-dashboards:
     image: opensearchproject/opensearch-dashboards:2.15.0@sha256:b7c26c60bfafcbb90c538316570b84bab85f5dc82339aa7feefc3014274c689e
@@ -28,3 +30,9 @@ services:
        # disables security dashboards plugin in OpenSearch Dashboards, otherwise will have TLS errors
       DISABLE_SECURITY_DASHBOARDS_PLUGIN: true
     restart: unless-stopped
+    networks:
+      - dms
+
+networks:
+  dms:
+    external: true

eng/docker-compose/kafka-opensearch.yml

@@ -13,6 +13,8 @@ services:
       - zookeeper-data:/zookeeper/data
       - zookeeper-txns:/zookeeper/txns
       - zookeeper-conf:/zookeeper/conf
+    networks:
+      - dms
 
   kafka:
     hostname: dms-kafka1
@@ -28,6 +30,8 @@ services:
     volumes:
       - kafka-data:/kafka/data
       - kafka-logs:/kafka/logs
+    networks:
+      - dms
 
   kafka-postgresql-source:
     hostname: kafka-postgresql-source
@@ -47,6 +51,8 @@ services:
     volumes:
       - kafka-postgresql-source-logs:/kafka/logs
       - kafka-postgresql-source-config:/kafka/config
+    networks:
+      - dms
 
   kafka-opensearch-sink:
     hostname: kafka-opensearch-sink
@@ -66,6 +72,8 @@ services:
     volumes:
       - kafka-opensearch-sink-logs:/kafka/logs
       - kafka-opensearch-sink-config:/kafka/config
+    networks:
+      - dms
 
   opensearch:
     image: opensearchproject/opensearch:2.15.0@sha256:1963b3ece46dfe1a17cd633fb2e9cea22bd20753a295f39c2f513ce0070cad42
@@ -104,6 +112,8 @@ services:
       interval: 30s
       timeout: 10s
       retries: 50
+    networks:
+      - dms
 
 volumes:
   zookeeper-logs:
@@ -117,3 +127,7 @@ volumes:
   kafka-opensearch-sink-logs:
   kafka-opensearch-sink-config:
   opensearch-data1:
+
+networks:
+  dms:
+    external: true

eng/docker-compose/keycloak.yml

@@ -17,6 +17,12 @@ services:
       - ${KEYCLOAK_PORT:-8065}:8080
     volumes:
       - dms-keycloak:/var/lib/keycloak/data
+    networks:
+      - dms
 
 volumes:
   dms-keycloak:
+
+networks:
+  dms:
+    external: true