From 5e58d7d3712a4b6007325e6b1410cb5f2d56bdc2 Mon Sep 17 00:00:00 2001 From: Nico Koprowski Date: Wed, 7 Aug 2024 13:37:25 +0800 Subject: [PATCH 1/4] feat(BPDM): add BPDM Orchestrator authentication configuration - add an Orchestrator client - add Orchestrator client roles - add technical roles into technical role management client - add client scope role mappings - add Orchestrator Admin role to BPDM admin service accounts --- .../catenax-central/CX-Central-realm.json | 288 +++++++++++++++++- 1 file changed, 284 insertions(+), 4 deletions(-) diff --git a/import/realm-config/generic/catenax-central/CX-Central-realm.json b/import/realm-config/generic/catenax-central/CX-Central-realm.json index 3a6774fc..561aca4a 100644 --- a/import/realm-config/generic/catenax-central/CX-Central-realm.json +++ b/import/realm-config/generic/catenax-central/CX-Central-realm.json @@ -1623,6 +1623,80 @@ "attributes": {} } ], + "Cl25-CX-BPDM-Orchestrator": [ + { + "id": "4b20dc8b-0231-41a0-acef-662ed5353c18", + "name": "create_result_poolSync", + "description": "Allowed to create results for reserved golden record tasks in the 'PoolSync' queue.", + "composite": false, + "clientRole": true, + "containerId": "632271be-e00c-47c2-b2e9-4b12d75c8c5b", + "attributes": {} + }, + { + "id": "0a5befef-6ecf-4bc8-ab94-7f0e3731c858", + "name": "read_task", + "description": "Allowed to read the processing state and result of golden record tasks.", + "composite": false, + "clientRole": true, + "containerId": "632271be-e00c-47c2-b2e9-4b12d75c8c5b", + "attributes": {} + }, + { + "id": "4632b001-25e2-4ef8-bd04-05f7b9e0453d", + "name": "create_result_cleanAndSync", + "description": "Allowed to create results for reserved golden record tasks in the 'CleanAndSync' queue.", + "composite": false, + "clientRole": true, + "containerId": "632271be-e00c-47c2-b2e9-4b12d75c8c5b", + "attributes": {} + }, + { + "id": "d335c39d-d160-40d6-86b1-11a6e1889ddd", + "name": "create_task", + "description": "Allowed to create new golden record tasks", + "composite": false, + "clientRole": true, + "containerId": "632271be-e00c-47c2-b2e9-4b12d75c8c5b", + "attributes": {} + }, + { + "id": "1f15361f-c5ee-40e5-9169-fd32b3d0c8da", + "name": "create_reservation_clean", + "description": "Allowed to create reservations for golden record tasks inside the 'Clean' queue.", + "composite": false, + "clientRole": true, + "containerId": "632271be-e00c-47c2-b2e9-4b12d75c8c5b", + "attributes": {} + }, + { + "id": "90451361-9282-4cee-bb43-96f084a43d7e", + "name": "create_reservation_poolSync", + "description": "Allowed to create reservations for golden record tasks in the 'PoolSync' queue.", + "composite": false, + "clientRole": true, + "containerId": "632271be-e00c-47c2-b2e9-4b12d75c8c5b", + "attributes": {} + }, + { + "id": "f972bf5c-7454-4c3f-882b-0535eacd7dd9", + "name": "create_result_clean", + "description": "Allowed to create results for reserved golden record tasks in the 'Clean' queue.", + "composite": false, + "clientRole": true, + "containerId": "632271be-e00c-47c2-b2e9-4b12d75c8c5b", + "attributes": {} + }, + { + "id": "dbb4cbda-671b-4b8c-8ed8-a9c3e8ad7256", + "name": "create_reservation_cleanAndSync", + "description": "Allowed to create reservations for golden record tasks in the 'CleanAndSync' queue", + "composite": false, + "clientRole": true, + "containerId": "632271be-e00c-47c2-b2e9-4b12d75c8c5b", + "attributes": {} + } + ], "technical_roles_management": [ { "id": "1e3bef93-036c-44a8-b37a-04ca9effcfcb", @@ -1872,6 +1946,97 @@ "clientRole": true, "containerId": "6df310ed-500e-43d5-b510-fa4668e939ee", "attributes": {} + }, + { + "id": "3fbeeb23-c281-43a4-b76a-f0805e919905", + "name": "BPDM Orchestrator Admin", + "description": "Full read and write access to the BPDM Orchestrator component", + "composite": true, + "composites": { + "client": { + "Cl25-CX-BPDM-Orchestrator": [ + "create_result_poolSync", + "read_task", + "create_result_cleanAndSync", + "create_task", + "create_reservation_clean", + "create_reservation_poolSync", + "create_result_clean", + "create_reservation_cleanAndSync" + ] + } + }, + "clientRole": true, + "containerId": "6df310ed-500e-43d5-b510-fa4668e939ee", + "attributes": {} + }, + { + "id": "a0dab74a-13d2-4ced-b0af-fa8a3894c2ec", + "name": "BPDM Orchestrator Task Creator", + "description": "Allowed to create new golden record tasks, monitor the processing state and result.", + "composite": true, + "composites": { + "client": { + "Cl25-CX-BPDM-Orchestrator": [ + "read_task", + "create_task" + ] + } + }, + "clientRole": true, + "containerId": "6df310ed-500e-43d5-b510-fa4668e939ee", + "attributes": {} + }, + { + "id": "efb560b1-3649-4af9-931e-4799c61504e6", + "name": "BPDM Orchestrator Processor Clean", + "description": "Allowed to process golden record tasks in the 'Clean' queue", + "composite": true, + "composites": { + "client": { + "Cl25-CX-BPDM-Orchestrator": [ + "create_reservation_clean", + "create_result_clean" + ] + } + }, + "clientRole": true, + "containerId": "6df310ed-500e-43d5-b510-fa4668e939ee", + "attributes": {} + }, + { + "id": "4444626e-b5dd-4c8d-8897-0b7ad3ccdf21", + "name": "BPDM Orchestrator Processor CleanAndSync", + "description": "Allowed to process golden record tasks in the 'CleanAndSync' queue", + "composite": true, + "composites": { + "client": { + "Cl25-CX-BPDM-Orchestrator": [ + "create_result_cleanAndSync", + "create_reservation_cleanAndSync" + ] + } + }, + "clientRole": true, + "containerId": "6df310ed-500e-43d5-b510-fa4668e939ee", + "attributes": {} + }, + { + "id": "a1e82d28-ab78-40ac-aae5-cda1f3615c61", + "name": "BPDM Orchestrator Processor PoolSync", + "description": "Allowed to process golden record tasks in the 'PoolSync' queue", + "composite": true, + "composites": { + "client": { + "Cl25-CX-BPDM-Orchestrator": [ + "create_result_poolSync", + "create_reservation_poolSync" + ] + } + }, + "clientRole": true, + "containerId": "6df310ed-500e-43d5-b510-fa4668e939ee", + "attributes": {} } ], "admin-cli": [], @@ -2986,7 +3151,8 @@ "clientRoles": { "technical_roles_management": [ "BPDM Sharing Admin", - "BPDM Pool Admin" + "BPDM Pool Admin", + "BPDM Orchestrator Admin" ] }, "notBefore": 0, @@ -3013,7 +3179,8 @@ "clientRoles": { "technical_roles_management": [ "BPDM Sharing Admin", - "BPDM Pool Admin" + "BPDM Pool Admin", + "BPDM Orchestrator Admin" ] }, "notBefore": 0, @@ -3098,14 +3265,16 @@ "client": "sa-cl7-cx-5", "roles": [ "BPDM Pool Admin", - "BPDM Sharing Admin" + "BPDM Sharing Admin", + "BPDM Orchestrator Admin" ] }, { "client": "sa-cl7-cx-7", "roles": [ "BPDM Pool Admin", - "BPDM Sharing Admin" + "BPDM Sharing Admin", + "BPDM Orchestrator Admin" ] } ], @@ -4219,6 +4388,117 @@ "microprofile-jwt" ] }, + { + "id": "983159fa-37f3-4519-9c98-8fe23d8ab8bf", + "clientId": "Cl25-CX-BPDM-Orchestrator", + "name": "BPDM Orchestrator", + "description": "Roles resource for the BPDM Orchestrator component", + "rootUrl": "", + "adminUrl": "", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": false, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "**********", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "oauth2.device.authorization.grant.enabled": "false", + "client.secret.creation.time": "1722276592", + "backchannel.logout.session.required": "true", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "id": "de42377c-8b7a-466c-91d6-c95d8a8533b8", + "name": "Client IP Address", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientAddress", + "userinfo.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientAddress", + "jsonType.label": "String" + } + }, + { + "id": "3f29cf79-e84c-4c1a-bf71-29238f655bfc", + "name": "Client ID", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "client_id", + "userinfo.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "client_id", + "jsonType.label": "String" + } + }, + { + "id": "831b2dfd-0c87-4328-b5ed-49a4efced60e", + "name": "BPN", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "bpn", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "bpn", + "jsonType.label": "String" + } + }, + { + "id": "200ce257-7bee-4662-988a-750bf3e03790", + "name": "Client Host", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientHost", + "userinfo.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientHost", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, { "id": "213ea3ce-b036-405f-8abd-3ee08ff72857", "clientId": "realm-management", From 6e6c7a9b247e1c48df3094fd5e4e0816b45fb483 Mon Sep 17 00:00:00 2001 From: Nico Koprowski Date: Wed, 7 Aug 2024 14:14:09 +0800 Subject: [PATCH 2/4] feat(BPDM): add separate BPDM technical users for establishing the golden record process - add technical user for the Pool to access the Orchestrator component - add technical user for the Cleaning Dummy to access the Orchestrator component - add technical user for the Portal Gate to access the Orchestrator component - add technical user for the Portal Gate to access the Pool component --- .../catenax-central/CX-Central-realm.json | 598 ++++++++++++++++++ 1 file changed, 598 insertions(+) diff --git a/import/realm-config/generic/catenax-central/CX-Central-realm.json b/import/realm-config/generic/catenax-central/CX-Central-realm.json index 561aca4a..dd6f6846 100644 --- a/import/realm-config/generic/catenax-central/CX-Central-realm.json +++ b/import/realm-config/generic/catenax-central/CX-Central-realm.json @@ -1697,6 +1697,10 @@ "attributes": {} } ], + "sa-cl25-cx-1": [], + "sa-cl25-cx-2": [], + "sa-cl25-cx-3": [], + "sa-cl7-cx-1": [], "technical_roles_management": [ { "id": "1e3bef93-036c-44a8-b37a-04ca9effcfcb", @@ -3158,6 +3162,85 @@ "notBefore": 0, "groups": [] }, + { + "id": "e24da044-7290-45f4-a2ea-cb8165393f0a", + "createdTimestamp": 1722276592957, + "username": "service-account-sa-cl25-cx-2", + "enabled": true, + "totp": false, + "emailVerified": false, + "serviceAccountClientId": "sa-cl25-cx-2", + "attributes": { + "bpn": [ + "BPNL00000003CRHK" + ] + }, + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + "default-roles-cx-central" + ], + "clientRoles": { + "technical_roles_management": [ + "BPDM Orchestrator Processor PoolSync" + ] + }, + "notBefore": 0, + "groups": [] + }, + { + "id": "72351810-a1b4-42e6-9686-8abe6b0d5cb0", + "createdTimestamp": 1722276592957, + "username": "service-account-sa-cl25-cx-3", + "enabled": true, + "totp": false, + "emailVerified": false, + "serviceAccountClientId": "sa-cl25-cx-3", + "attributes": { + "bpn": [ + "BPNL00000003CRHK" + ] + }, + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + "default-roles-cx-central" + ], + "clientRoles": { + "technical_roles_management": [ + "BPDM Orchestrator Task Creator" + ] + }, + "notBefore": 0, + "groups": [] + }, + { + "id": "bbb919dd-b3aa-4ec3-8786-582787886276", + "createdTimestamp": 1722276592957, + "username": "service-account-sa-cl25-cx-1", + "enabled": true, + "totp": false, + "emailVerified": false, + "serviceAccountClientId": "sa-cl25-cx-1", + "attributes": { + "bpn": [ + "BPNL00000003CRHK" + ] + }, + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + "default-roles-cx-central" + ], + "clientRoles": { + "technical_roles_management": [ + "BPDM Orchestrator Processor CleanAndSync", + "BPDM Orchestrator Processor Clean" + ] + }, + "notBefore": 0, + "groups": [] + }, { "id": "3f9fc7e8-d312-4912-a9a1-4db8849ce8f7", "createdTimestamp": 1722276592957, @@ -3211,6 +3294,32 @@ }, "notBefore": 0, "groups": [] + }, + { + "id": "95796de5-c9c6-46fc-a3f7-7af782ea9024", + "createdTimestamp": 1722276592957, + "username": "service-account-sa-cl7-cx-1", + "enabled": true, + "totp": false, + "emailVerified": false, + "serviceAccountClientId": "sa-cl7-cx-1", + "attributes": { + "bpn": [ + "BPNL00000003CRHK" + ] + }, + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + "default-roles-cx-central" + ], + "clientRoles": { + "technical_roles_management": [ + "BPDM Pool Sharing Consumer" + ] + }, + "notBefore": 0, + "groups": [] } ], "scopeMappings": [ @@ -3276,6 +3385,31 @@ "BPDM Sharing Admin", "BPDM Orchestrator Admin" ] + }, + { + "client": "sa-cl25-cx-1", + "roles": [ + "BPDM Orchestrator Processor CleanAndSync", + "BPDM Orchestrator Processor Clean" + ] + }, + { + "client": "sa-cl25-cx-2", + "roles": [ + "BPDM Orchestrator Processor PoolSync" + ] + }, + { + "client": "sa-cl25-cx-3", + "roles": [ + "BPDM Orchestrator Task Creator" + ] + }, + { + "client": "sa-cl7-cx-1", + "roles": [ + "BPDM Pool Sharing Consumer" + ] } ], "Cl5-CX-Custodian": [ @@ -4499,6 +4633,470 @@ "microprofile-jwt" ] }, + { + "id": "4ebeb21b-055e-403f-8bfa-738bb935395d", + "clientId": "sa-cl25-cx-1", + "name": "BPDM Dummy Cleaning Task Processor", + "description": "Client for the BPDM cleaning service dummy component to process golden record tasks from the Orchestrator", + "rootUrl": "", + "adminUrl": "", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "**********", + "redirectUris": [ + "/*" + ], + "webOrigins": [ + "/*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": true, + "publicClient": false, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "oauth2.device.authorization.grant.enabled": "false", + "client.secret.creation.time": "1722276592", + "backchannel.logout.session.required": "true", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "id": "5386537c-2b62-4675-94aa-38f7f056a50e", + "name": "Client IP Address", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientAddress", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientAddress", + "jsonType.label": "String" + } + }, + { + "id": "eb517cbb-1f6c-4862-a230-fecf893df8bf", + "name": "Client ID", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "client_id", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "client_id", + "jsonType.label": "String" + } + }, + { + "id": "c9d1f428-0ad8-4665-9d40-82cd4eb63109", + "name": "BPN", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "bpn", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "bpn", + "jsonType.label": "String" + } + }, + { + "id": "64f17173-6918-444d-9aa7-e97ab6f5d7e0", + "name": "Client Host", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientHost", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientHost", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "0dffae1b-5a95-4253-857e-b84c6904d012", + "clientId": "sa-cl25-cx-2", + "name": "BPDM Pool Task Processor", + "description": "Client for the BPDM Pool component to process golden record tasks from the Orchestrator", + "rootUrl": "", + "adminUrl": "", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "**********", + "redirectUris": [ + "/*" + ], + "webOrigins": [ + "/*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": true, + "publicClient": false, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "oauth2.device.authorization.grant.enabled": "false", + "client.secret.creation.time": "1722276592", + "backchannel.logout.session.required": "true", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "id": "33525cbd-2aae-49b9-8fda-ae2d0752ed21", + "name": "Client IP Address", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientAddress", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientAddress", + "jsonType.label": "String" + } + }, + { + "id": "061cf481-3df4-4b07-921a-fc574ca2ea75", + "name": "Client ID", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "client_id", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "client_id", + "jsonType.label": "String" + } + }, + { + "id": "02952ea5-5834-42d4-a16c-519448474085", + "name": "BPN", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "bpn", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "bpn", + "jsonType.label": "String" + } + }, + { + "id": "97681229-fdb3-46fa-96a6-f0a18455deeb", + "name": "Client Host", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientHost", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientHost", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "dfb5e903-2509-4d52-bef5-2c6a85e34d5c", + "clientId": "sa-cl25-cx-3", + "name": "BPDM Portal Gate Task Creator", + "description": "Client for the BPDM Portal Gate to create and monitor golden record tasks inside the Orchestrator", + "rootUrl": "", + "adminUrl": "", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "**********", + "redirectUris": [ + "/*" + ], + "webOrigins": [ + "/*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": true, + "publicClient": false, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "oauth2.device.authorization.grant.enabled": "false", + "client.secret.creation.time": "1722276592", + "backchannel.logout.session.required": "true", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "id": "cef30c81-427c-496b-a715-289f237a47a8", + "name": "Client IP Address", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientAddress", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientAddress", + "jsonType.label": "String" + } + }, + { + "id": "7b517bee-6230-4ab6-ad4b-21e1935ab91f", + "name": "Client ID", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "client_id", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "client_id", + "jsonType.label": "String" + } + }, + { + "id": "84d26429-8401-4271-a9bf-61c519b2f2d1", + "name": "BPN", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "bpn", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "bpn", + "jsonType.label": "String" + } + }, + { + "id": "43488006-09e9-4e43-9223-8a492b955c61", + "name": "Client Host", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientHost", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientHost", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "fd3c0f0d-40f6-4522-9a87-17ea147e7cfe", + "clientId": "sa-cl7-cx-1", + "name": "BPDM Portal Gate Pool Consumer", + "description": "Client for the BPDM Portal Gate to consume golden record data from the Pool", + "rootUrl": "", + "adminUrl": "", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "**********", + "redirectUris": [ + "/*" + ], + "webOrigins": [ + "/*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": true, + "publicClient": false, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "oauth2.device.authorization.grant.enabled": "false", + "client.secret.creation.time": "1722276592", + "backchannel.logout.session.required": "true", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "id": "a38f5a71-c7e9-47e8-966d-fb6ec3bcf382", + "name": "Client IP Address", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientAddress", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientAddress", + "jsonType.label": "String" + } + }, + { + "id": "d28bf27f-b56c-4ccc-b912-f4c58f8f5d0c", + "name": "Client ID", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "client_id", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "client_id", + "jsonType.label": "String" + } + }, + { + "id": "9d722fd1-f545-434e-b7c9-e519b8e3519c", + "name": "BPN", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "bpn", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "bpn", + "jsonType.label": "String" + } + }, + { + "id": "cfd2e1ca-f87e-40b4-9e45-40656fd414a0", + "name": "Client Host", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientHost", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientHost", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, { "id": "213ea3ce-b036-405f-8abd-3ee08ff72857", "clientId": "realm-management", From 830487dbb25ed5a353127ebeb7247caadfc0b7e8 Mon Sep 17 00:00:00 2001 From: Nico Koprowski Date: Wed, 7 Aug 2024 17:20:05 +0800 Subject: [PATCH 3/4] fix(BPDM): entries for composite BPDM roles - making sure that the Portal Data Manager has read and writing access to the Portal Gate - giving the BPDM Pool Sharing Consumer role the permissions to read all Pool data - restricting the BPDM Pool Consumer reading access to Pool member data only - removing outdated write permission for the Cl16-CX-BPDMGate --- .../catenax-central/CX-Central-realm.json | 32 ++++--------------- 1 file changed, 6 insertions(+), 26 deletions(-) diff --git a/import/realm-config/generic/catenax-central/CX-Central-realm.json b/import/realm-config/generic/catenax-central/CX-Central-realm.json index dd6f6846..eee130e6 100644 --- a/import/realm-config/generic/catenax-central/CX-Central-realm.json +++ b/import/realm-config/generic/catenax-central/CX-Central-realm.json @@ -873,13 +873,10 @@ "composite": true, "composites": { "client": { - "Cl7-CX-BPDM": [ - "read_metadata", - "read_partner_member", - "read_changelog_member" - ], "technical_roles_management": [ - "BPDM Pool Consumer" + "BPDM Pool Consumer", + "BPDM Sharing Output Consumer", + "BPDM Sharing Input Manager" ], "Cl24-CX-SSI-CredentialIssuer": [ "view_credential_requests" @@ -908,11 +905,6 @@ "composite": true, "composites": { "client": { - "Cl7-CX-BPDM": [ - "read_changelog_member", - "read_partner_member", - "read_metadata" - ], "technical_roles_management": [ "BPDM Pool Consumer" ], @@ -1276,7 +1268,6 @@ "client": { "Cl16-CX-BPDMGate": [ "read_input_changelog", - "write_output_partner", "read_output_changelog", "read_output_partner", "read_input_partner", @@ -1844,8 +1835,8 @@ "client": { "Cl7-CX-BPDM": [ "read_metadata", - "read_changelog", - "read_changelog_member" + "read_changelog_member", + "read_partner_member" ] } }, @@ -1885,7 +1876,6 @@ "client": { "Cl16-CX-BPDMGate": [ "read_input_changelog", - "write_output_partner", "read_output_changelog", "read_stats", "write_sharing_state", @@ -1942,8 +1932,7 @@ "Cl7-CX-BPDM": [ "read_metadata", "read_changelog", - "read_partner_member", - "read_changelog_member" + "read_partner" ] } }, @@ -2266,15 +2255,6 @@ "containerId": "52f90723-b4c1-44c3-bef2-fd8ebe59ae6c", "attributes": {} }, - { - "id": "08009ffe-2058-4fcd-82ef-12ee52d86557", - "name": "write_output_partner", - "description": "", - "composite": false, - "clientRole": true, - "containerId": "52f90723-b4c1-44c3-bef2-fd8ebe59ae6c", - "attributes": {} - }, { "id": "39b49fc2-e48b-4653-97ce-43229b411691", "name": "read_output_changelog", From 69d562032fb27fdfc4967ef1bc152aefbe0d70db Mon Sep 17 00:00:00 2001 From: Nico Koprowski Date: Thu, 19 Sep 2024 12:34:22 +0800 Subject: [PATCH 4/4] docs(BPDM): adapt rights and roles concept and add newly introduced clients - add rights and roles documentation of BPDM Orchestrator - adapt documentation to rights and roles of BPDM Pool and Gate - add Orchestrator client and new fine-granular BPDM service accounts to list of initial clients --- docs/technical documentation/03. Clients.md | 5 + .../06. Roles & Rights Concept.md | 121 ++++++++++++++---- 2 files changed, 99 insertions(+), 27 deletions(-) diff --git a/docs/technical documentation/03. Clients.md b/docs/technical documentation/03. Clients.md index efde7d31..4a682c59 100644 --- a/docs/technical documentation/03. Clients.md +++ b/docs/technical documentation/03. Clients.md @@ -34,6 +34,7 @@ During the [import of the realms](/import/realm-config/) at startup, the relevan | CentralIdP | Public | SSI Credential Issuer | Cl24-CX-SSI-CredentialIssuer | | CentralIdP | Confidential | BPDM | Cl7-CX-BPDM | | CentralIdP | Confidential | BPDM Portal Gate | Cl16-CX-BPDMGate | +| CentralIdP | Confidential | BPDM Orchestrator | Cl25-CX-BPDM-Orchestrator | | CentralIdP | Confidential | Managed Identity Wallet | Cl5-CX-Custodian | | CentralIdP | Service Account | Portal Backend to call Keycloak | sa-cl1-reg-2 | | CentralIdP | Service Account | Clearinghouse update application | sa-cl2-01 | @@ -49,6 +50,10 @@ During the [import of the realms](/import/realm-config/) at startup, the relevan | CentralIdP | Service Account | SSI Credential Issuer | sa-cl24-01 | | CentralIdP | Service Account | SSI Credential Issuer - Portal to SSI Credential Issuer | sa-cl2-04 | | CentralIdP | Service Account | DIM (Decentral Identity Management) Middle Layer to Portal | sa-cl2-05 | +| CentralIdP | Service Account | BPDM Dummy Cleaning Task Processor | sa-cl25-cx-1 | +| CentralIdP | Service Account | BPDM Pool Task Processor | sa-cl25-cx-2 | +| CentralIdP | Service Account | BPDM Portal Gate Task Creator | sa-cl25-cx-3 | +| CentralIdP | Service Account | BPDM Portal Gate Pool Consumer | sa-cl7-cx-1 | | SharedIdP | Service Account | in master realm for Portal Backend to call Keycloak | sa-cl1-reg-1 | ## Client Authentication Concept diff --git a/docs/technical documentation/06. Roles & Rights Concept.md b/docs/technical documentation/06. Roles & Rights Concept.md index e2ec1419..2402e68b 100644 --- a/docs/technical documentation/06. Roles & Rights Concept.md +++ b/docs/technical documentation/06. Roles & Rights Concept.md @@ -276,25 +276,31 @@ For example: Managed via Client: **Cl7-CX-BPDM** -| | **CX Admin** | **Technical User*** | **Company Admin** | **Business Admin** | **IT Admin** | **CX User** | **Purchaser** | **App Manager** | **App Developer** | **Sales Manager** | **Service Manager** | **Business Partner Data Manager** | -|-|----------|-----------------|---------------|----------------|----------|---------|-----------|-------------|----------|------|-----------|--------------| -|Business Partner Data Management| | | | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | | -| read_changelog **new** | x | x | x | x | x | x | x | x | x | x | x | x | -| read_changelog_member **new** | x | x | x | x | x | x | x | x | x | x | x | x | -| read_metadata **new** | x | x | | | | | | | | | | x | -| read_partner **new** | x | x | | | | | | | | | | | -| read_partner_member **new** | x | x | x | | | | | | | | | | -| write_metadata **new** | x | x | x | x | x | x | x | x | x | x | x | x | -| write_partner **new** | x | x | | | | | | | | | | | - -Technical Users*: BPDM Admin & BPDM Pool Consumer. +|   |  **CX Admin** | **Technical User*** | **Company Admin** | **Business Admin** | **IT Admin** | **CX User** | **Purchaser** | **App Manager** | **App Developer** | **Sales Manager** | **Service Manager** | **Business Partner Data Manager** | +|----------------------------------|---------------|---------------------|-------------------|------------------------------|------------------------------|------------------------------|------------------------------|------------------------------|------------------------------|------------------------------|------------------------------|-----------------------------------| +| Business Partner Data Management |   | | | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | By role "BPDM Pool Consumer" | | +| read_changelog | x | x |  x | x | x | x | x | x | x | x | x | x | +| read_changelog_member | x | x |  x | x | x | x | x | x | x | x | x | x | +| read_metadata | x | x | | | | | | | | | | x | +| read_partner | x | x | | | | | | | | | | | +| read_partner_member | x | x | x | | | | | | | | | | +| write_metadata | x | x |  x | x | x | x | x | x | x | x | x | x | +| write_partner | x | x | | | | | | | | | | | + +Technical Users*: BPDM Admin, BPDM Pool Consumer & BPDM Pool Sharing Consumer. Following the permission assignment - BPDM Pool Consumer - - read_changelog + - read_partner_member - read_changelog_member - read_metadata + +- BPDM Pool Sharing Consumer + - read_partner + - read_metadata + - read_changelog + - BPDM Pool Admin - read_partner - write_partner @@ -305,7 +311,7 @@ Following the permission assignment - write_metadata >**_NOTE_:** -> BPDM Admin as well as BPDM Pool Consumer is only available for the CX-Operator. +> All technical roles are only available for the CX-Operator. No other customers can create such technical user roles. #### 2.5.6 BPDM Gate @@ -313,18 +319,16 @@ No other customers can create such technical user roles. Managed via Client: **Cl16-CX-BPDMGate** As well as on runtime created gates -| | **CX Admin** | **Technical User*** | **Company Admin** | **Business Admin** | **IT Admin** | **CX User** | **Purchaser** | **App Manager** | **App Developer** | **Sales Manager** | **Service Manager** | **Business Partner Data Manager** | -|-|----------|-----------------|---------------|----------------|----------|---------|-----------|-------------|----------|------|-----------|--------------| -|Business Partner Data Management| | | | | | | | | | | | | -| read_input_partner | | x | | | | | | | | | | | -| write_input_partner - exclusively for the platform operator | | x | | | | | | | | | | | -| read_input_changelog | | x | | | | | | | | | | | -| read_output_partner | | x | | | | | | | | | | | -| write_output_partner - exclusively for the platform operator | | x | | | | | | | | | | | -| read_output_changelog | | x | | | | | | | | | | | -| read_sharing_state | | x | | | | | | | | | | | -| write_sharing_state - exclusively for the platform operator | | | | | | | | | | | | | -| read_stats | | x | | | | | | | | | | | +|   |  **CX Admin** | **Technical User*** | **Company Admin** | **Business Admin** | **IT Admin** | **CX User** | **Purchaser** | **App Manager** | **App Developer** | **Sales Manager** | **Service Manager** | **Business Partner Data Manager** | +|-----------------------|---------------|---------------------|-------------------|--------------------|--------------|-------------|---------------|-----------------|-------------------|-------------------|---------------------|-----------------------------------| +| read_input_partner |   | x | | | | | | | | | | x | +| write_input_partner |   | x | | | | | | | | | | x | +| read_input_changelog |   | x | | | | | | | | | | x | +| read_output_partner |   | x | | | | | | | | | | x | +| read_output_changelog |   | x | | | | | | | | | | x | +| read_sharing_state |   | x | | | | | | | | | | x | +| write_sharing_state |   | x | | | | | | | | | | x | +| read_stats |   | x | | | | | | | | | | x | Technical Users Roles/Profiles: @@ -340,7 +344,6 @@ Following the permission assignment - write_input_partner - read_input_changelog - read_output_partner - - write_output_partner - read_output_changelog - read_sharing_state - write_sharing_state @@ -394,6 +397,70 @@ Managed via Client: **Cl24-CX-SSI-CredentialIssuer** | Revoke owned credentials (revoke_credential) | x | | x | x | x | | | | | | | | | Revoke any credentials (revoke_credential_issuer) | x | | | | | | | | | | | | +#### 2.5.6 BPDM Orchestrator + +Managed via Client: **Cl25-CX-BPDM-Orchestrator** + +|   |  **CX Admin** | **Technical User*** | **Company Admin** | **Business Admin** | **IT Admin** | **CX User** | **Purchaser** | **App Manager** | **App Developer** | **Sales Manager** | **Service Manager** | **Business Partner Data Manager** | +|---------------------------------|---------------|---------------------|-------------------|--------------------|--------------|-------------|---------------|-----------------|-------------------|-------------------|---------------------|-----------------------------------| +| create_task |   | x | | | | | | | | | | | +| read_task |   | x | | | | | | | | | | | +| create_reservation_clean |   | x | | | | | | | | | | | +| create_result_clean |   | x | | | | | | | | | | | +| create_reservation_cleanAndSync |   | x | | | | | | | | | | | +| create_result_cleanAndSync |   | x | | | | | | | | | | | +| create_reservation_poolSync |   | x | | | | | | | | | | | +| create_result_poolSync |   | x | | | | | | | | | | | + + +Technical Users Roles/Profiles: +- BPDM Orchestrator Admin +- BPDM Orchestrator Task Creator +- BPDM Orchestrator Processor Clean +- BPDM Orchestrator Processor CleanAndSync +- BPDM Orchestrator Processor PoolSync + +Following the permission assignment + +- BPDM Orchestrator Admin: + - create_task + - read_task + - create_reservation_clean + - create_result_clean + - create_reservation_cleanAndSync + - create_result_cleanAndSync + - create_reservation_poolSync + - create_result_poolSync + +- BPDM Orchestrator Task Creator + - create_task + - read_task + +- BPDM Orchestrator Processor Clean + - create_reservation_clean + - create_result_clean + +- BPDM Orchestrator Processor CleanAndSync + - create_reservation_cleanAndSync + - create_result_cleanAndSync + +- BPDM Orchestrator Processor PoolSync + - create_reservation_poolSync + - create_result_poolSync + +>**_NOTE:_** +>All technical roles are only available for the Operator. +No other customers can create such technical user roles. + + +Following Tech User Roles are available for the Operator via the Self-Service: + +- BPDM Orchestrator Admin +- BPDM Orchestrator Task Creator +- BPDM Orchestrator Processor Clean +- BPDM Orchestrator Processor CleanAndSync +- BPDM Orchestrator Processor PoolSync + ### 2.6 Segregation of duties The concept of segregation of duties involves having more than one person or role required to complete a task. However, this scenario does not currently exist within the portal.