ROND and Keycloak

[rafpor75]

Description

What product are you having troubles with?
ROND

What Console version are you using?
Console
Version: 1.93.1
Hi,
I’m successfully running Keycloak authentication using the authentication service.
However, when I enable Authorization (ROND service) on the CRUD service, authentication fails.
I noticed that the /token request is missing a cookie and results in a 500 Internal Server Error, followed by a /authorize request that fails with a 400 Bad Request.

In the logs of the authentication service, there is a 401 error on the /userinfo endpoint.

Thank you
Raffaele

[fredmaggiowski]

Hi @rafpor75

This is most likely due to the authentication service not being able to update the user information after login completion. After login completes it tries to contact the CRUD Service, thus mat be failing due to Rönd not knowing the API.

You should be able to confirm this by looking at the logs of the authn-service and the rbac-container within the crud-service pod.

If that's the case you have to define the desired API and open them with a proper policy, by using the Manual Routes and Policies tabs in the Authorization section.

Please remember that once you enable Rönd on a microservice it will block all the incoming requests for which there is no known route.

[rafpor75]

To test it:
The same issue occurs both when I only activate ROND on the CRUD service

and when I add the route GET "/*" with the following policy rule:
allow_all {
true
}

[fredmaggiowski]

This is weird, can you provide me the rônd container logs to see what is going on?

You can set up the logging verbosity by changing the crud service LOG_LEVEL variable, setting it to either trace or debug should provide enough information

[rafpor75]

with ALL /* route it works, I'll try to configure the single route and let you know
Thank you :)

[rafpor75]

Hi @fredmaggiowski ,
I'm having a lot of trouble getting Rond to work;
I set a simple policy:

package policies

allow_all {
true
}

filter_process_by_tenant {
query := data.resources[_]
}

I set a single route on crud-service
: ALL /* allow_all
and everything is ok

then I added the routes as shown in the image

I tried the second route even without "*"
and also

but the result is always:

{"allowed":false,"evaluationTimeMicroseconds":161,"level":20,"matchedPath":"/main-process-view/*","method":"GET","msg":"policy evaluation completed","partialEval":false,"policyName":"filter_process_by_tenant","reqId":"8bcaa20738a2a4b581561b306bad7e80","requestedPath":"/main-process-view/","resultsLength":0,"time":1729594005389} {"allowed":false,"level":30,"msg":"policy result","policyName":"filter_process_by_tenant","reqId":"8bcaa20738a2a4b581561b306bad7e80","time":1729594005389} {"error":{"message":"policy not allowed","policyName":"filter_process_by_tenant"},"level":50,"msg":"RBAC policy evaluation failed","reqId":"8bcaa20738a2a4b581561b306bad7e80","time":1729594005389} {"level":50,"msg":"RBAC policy evaluation failed","reqId":"8bcaa20738a2a4b581561b306bad7e80","time":1729594005389} {"host":{"hostname":"myapplicationurl.it","forwardedHost":"myapplicationurl.it","ip":"10.204.88.14, 10.204.88.14"},"http":{"request":{"method":"GET","userAgent":{"original":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36"}},"response":{"statusCode":403,"body":{"bytes":170}}},"level":30,"msg":"request completed","reqId":"8bcaa20738a2a4b581561b306bad7e80","responseTime":56,"time":1729594005389,"url":{"path":"/main-process-view/?_p=_id%2C__STATE__%2CcreatedAt%2Cemail%2Cstatus%2Cwebhook%2ClastEvent%2CidentificationMethod%2Ccountry%2CtenantId%2CsagaId\u0026_l=10\u0026_sk=0\u0026_s=-createdAt"}}

Thank you

[rafpor75]

It works with:

[rafpor75]

thank you