SAML user attribute flags issue #5303 (PR #11430)

* Adding SAML option in SAML configuration to specify system auditor and system superusers by role or attribute * Adding keycloak container and documentation on how to start keycloak alongside AWX (including configuration of both)
2026-02-18 19:50:05 -03:30 · 2022-01-10 16:52:44 -05:00
parent 4de0f09c85
commit c92468062d
21 changed files with 2289 additions and 5 deletions
--- a/tools/docker-compose/ansible/plumb_keycloak.yml
+++ b/tools/docker-compose/ansible/plumb_keycloak.yml
@@ -0,0 +1,81 @@
+---
+- name: Plumb a keycloak instance
+  hosts: localhost
+  connection: local
+  gather_facts: False
+  vars:
+    private_key_file: ../_sources/keycloak.key
+    public_key_file: ../_sources/keycloak.cert
+    awx_host: "https://localhost:8043"
+    keycloak_realm_template: ../_sources/keycloak.awx.realm.json
+    keycloak_user: admin
+    keycloak_pass: admin
+    cert_subject: "/C=US/ST=NC/L=Durham/O=awx/CN="
+  tasks:
+    - name: Generate certificates for keycloak
+      command: 'openssl req -new -x509 -days 365 -nodes -out {{ public_key_file }} -keyout {{ private_key_file }} -subj "{{ cert_subject }}"'
+      args:
+        creates: "{{ public_key_file }}"
+
+    - name: Load certs, existing and new SAML settings
+      set_fact:
+        private_key: "{{ private_key_content }}"
+        public_key: "{{ public_key_content }}"
+        public_key_trimmed: "{{ public_key_content | regex_replace('-----BEGIN CERTIFICATE-----\\\\n', '') | regex_replace('\\\\n-----END CERTIFICATE-----', '') }}"
+        existing_saml: "{{ lookup('awx.awx.controller_api', 'settings/saml', host=awx_host, verify_ssl=false) }}"
+        new_saml: "{{ lookup('template', 'saml_settings.json.j2') }}"
+      vars:
+        # We add the extra \\ in here so that when jinja is templating out the files we end up with \n in the strings.
+        public_key_content: "{{ lookup('file', public_key_file) | regex_replace('\n', '\\\\n') }}"
+        private_key_content: "{{ lookup('file', private_key_file) | regex_replace('\n', '\\\\n') }}"
+
+    - name: Displauy existing SAML configuration
+      debug:
+        msg:
+          - "Here is your existing SAML configuration for reference:"
+          - "{{ existing_saml }}"
+
+    - pause:
+        prompt: "Continuing to run this will replace your existing saml settings (displayed above). They will all be captured except for your private key. Be sure that is backed up before continuing"
+
+    - name: Write out the existing content
+      copy:
+        dest: "../_sources/existing_saml_adapter_settings.json"
+        content: "{{ existing_saml }}"
+
+    - name: Configure AWX SAML adapter
+      awx.awx.settings:
+        settings: "{{ new_saml }}"
+        controller_host: "{{ awx_host }}"
+        validate_certs: False
+
+    - name: Get a keycloak token
+      uri:
+        url: "https://localhost:8443/auth/realms/master/protocol/openid-connect/token"
+        method: POST
+        body_format: form-urlencoded
+        body:
+          client_id: "admin-cli"
+          username: "{{ keycloak_user }}"
+          password: "{{ keycloak_pass }}"
+          grant_type: "password"
+        validate_certs: False
+      register: keycloak_response
+
+    - name: Template the AWX realm
+      template:
+        src: keycloak.awx.realm.json.j2
+        dest: "{{ keycloak_realm_template }}"
+
+    - name: Create the AWX realm
+      uri:
+        url: "https://localhost:8443/auth/admin/realms"
+        method: POST
+        body_format: json
+        body: "{{ lookup('file', keycloak_realm_template) }}"
+        validate_certs: False
+        headers:
+          Authorization: "Bearer {{ keycloak_response.json.access_token }}"
+        status_code: 201
+      register: realm_creation
+      changed_when: True
--- a/tools/docker-compose/ansible/roles/sources/defaults/main.yml
+++ b/tools/docker-compose/ansible/roles/sources/defaults/main.yml
@@ -16,3 +16,5 @@ receptor_work_sign_reconfigure: false
 work_sign_key_dir: '../_sources/receptor'
 work_sign_private_keyfile: "{{ work_sign_key_dir }}/work_private_key.pem"
 work_sign_public_keyfile: "{{ work_sign_key_dir }}/work_public_key.pem"
+
+enable_keycloak: false
--- a/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2
+++ b/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2
@@ -79,6 +79,23 @@ services:
  {% set container_postfix = loop.index %}
    - "awx_{{ container_postfix }}"
  {% endfor %}
+{% endif %}
+{% if enable_keycloak|bool %}
+  keycloak:
+    image: quay.io/keycloak/keycloak:15.0.2
+    container_name: tools_keycloak_1
+    hostname: keycloak
+    user: "{{ ansible_user_uid }}"
+    ports:
+      - "8443:8443"
+    environment:
+      DB_VENDOR: postgres
+      DB_ADDR: postgres
+      DB_DATABASE: keycloak
+      DB_USER: {{ pg_username }}
+      DB_PASSWORD: {{ pg_password }}
+    depends_on:
+      - postgres
 {% endif %}
  # A useful container that simply passes through log messages to the console
  # helpful for testing awx/tower logging
--- a/tools/docker-compose/ansible/templates/keycloak.awx.realm.json.j2
+++ b/tools/docker-compose/ansible/templates/keycloak.awx.realm.json.j2
--- a/tools/docker-compose/ansible/templates/saml_settings.json.j2
+++ b/tools/docker-compose/ansible/templates/saml_settings.json.j2
@@ -0,0 +1,51 @@
+{
+    "SAML_AUTO_CREATE_OBJECTS": true,
+    "SOCIAL_AUTH_SAML_SP_ENTITY_ID": "{{ container_reference }}:8043",
+    "SOCIAL_AUTH_SAML_SP_PUBLIC_CERT": "{{ public_key_content | regex_replace('\\n', '') }}",
+    "SOCIAL_AUTH_SAML_SP_PRIVATE_KEY": "{{ private_key_content | regex_replace('\\n', '') }}",
+    "SOCIAL_AUTH_SAML_ORG_INFO": {
+        "en-US": {
+            "url": "https://{{ container_reference }}:8443",
+            "name": "Keycloak",
+            "displayname": "Keycloak Solutions Engineering"
+        }
+    },
+    "SOCIAL_AUTH_SAML_TECHNICAL_CONTACT": {
+        "givenName": "Me Myself",
+        "emailAddress": "noone@nowhere.com"
+    },
+    "SOCIAL_AUTH_SAML_SUPPORT_CONTACT": {
+        "givenName": "Me Myself",
+        "emailAddress": "noone@nowhere.com"
+    },
+    "SOCIAL_AUTH_SAML_ENABLED_IDPS": {
+        "Keycloak": {
+            "attr_user_permanent_id": "name_id",
+            "entity_id": "https://{{ container_reference }}:8443/auth/realms/awx",
+            "attr_groups": "groups",
+            "url": "https://{{ container_reference }}:8443/auth/realms/awx/protocol/saml",
+            "attr_first_name": "first_name",
+            "x509cert": "{{ public_key_content | regex_replace('\\n', '') }}",
+            "attr_email": "email",
+            "attr_last_name": "last_name",
+            "attr_username": "username"
+        }
+    },
+    "SOCIAL_AUTH_SAML_SECURITY_CONFIG": {
+        "requestedAuthnContext": false
+    },
+    "SOCIAL_AUTH_SAML_SP_EXTRA": null,
+    "SOCIAL_AUTH_SAML_EXTRA_DATA": null,
+    "SOCIAL_AUTH_SAML_ORGANIZATION_MAP": {
+        "Default": {
+            "users": true
+        }
+    },
+    "SOCIAL_AUTH_SAML_TEAM_MAP": null,
+    "SOCIAL_AUTH_SAML_ORGANIZATION_ATTR": {},
+    "SOCIAL_AUTH_SAML_TEAM_ATTR": {},
+    "SOCIAL_AUTH_SAML_USER_FLAGS_BY_ATTR": {
+        "is_superuser_attr": "is_superuser",
+        "is_system_auditor_attr": "is_system_auditor"
+    }
+}