OpenTDF Integrate

Not for production

For local development

Overview

OpenID Connect (OIDC) is used by OpenTDF.

Keycloak is used for identity management.

PostgreSQL is the database.

Prerequisites

Start

Create cluster

kind create cluster --name opentdf-integrate

Keycloak

kubectl create namespace keycloak
helm install --version 5.1.1 --values helm/keycloak-values.yaml --namespace keycloak keycloak bitnami/keycloak

Configure

Keycloak

Operator documentation

Add realm

Add clients

The clients are the web services and applications that use Keycloak for authentication.
The services are entitlements and attributes.
The web application is abacus.

Set audience on client

The abacus web application requires the entitlements and attributes audiences.

Add abacus user

This user will be able to create attributes and entitle entities.
Add the user and set the role for viewing clients and users.

Add entity (person, PE)

Set password on entity (person)

Add entity (client, NPE)

Set password on entity (client, NPE)

Set OIDC User Info Signing

Set User Info Signed Response Algorithm to RS256 under Fine Grain OpenID Connect Configuration.

Set mapper to apply claims

The Attribute Provider URL points to an internal service, so use the internal URL.
The Token Claim Name must be tdf_claims.
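
A check that the audience, signing and mapper settings above took effect, as an added example that is not part of the OpenTDF project: it decodes an access token and a UserInfo response without verifying signatures and reports missing audiences, a missing tdf_claims claim, or a UserInfo response that is not an RS256-signed JWT. The audience names entitlements and attributes are assumed to match the client names, and the sample tokens are constructed.

```python
import base64
import json

REQUIRED_AUDIENCES = {"entitlements", "attributes"}  # assumption: audiences equal these names
CLAIM_NAME = "tdf_claims"  # Token Claim Name from the mapper step


def _decode_segment(segment):
    padded = segment + "=" * (-len(segment) % 4)  # restore stripped base64url padding
    obj = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj


def inspect_jwt(token):
    """Decode header and claims WITHOUT verifying the signature (configuration check only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return _decode_segment(parts[0]), _decode_segment(parts[1])


def access_token_problems(token):
    _, claims = inspect_jwt(token)
    aud = claims.get("aud", [])
    aud = {aud} if isinstance(aud, str) else set(aud)  # "aud" may be a string or a list
    problems = [f"missing audience: {a}" for a in sorted(REQUIRED_AUDIENCES - aud)]
    if CLAIM_NAME not in claims:
        problems.append(f"missing claim: {CLAIM_NAME}")
    return problems


def userinfo_problems(body):
    try:
        header, _ = inspect_jwt(body)
    except ValueError:  # plain JSON, bad base64 and bad JSON all land here
        return ["userinfo response is not a signed JWT"]
    if header.get("alg") != "RS256":
        return [f"unexpected alg: {header.get('alg')}"]
    return []


def make_sample(header, claims):
    """Constructed token with a dummy signature, for offline demonstration only."""
    segs = [json.dumps(d).encode() for d in (header, claims)] + [b"constructed"]
    return ".".join(base64.urlsafe_b64encode(s).rstrip(b"=").decode() for s in segs)
```

An empty list from either function means the corresponding setting is visible in the token; the services that consume the token still have to verify its signature against the realm keys.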