Keycloak SSO Authentication in Redpanda Console
Install Keycloak and create a super admin user account, which has permissions for setting up an OAuth application. For details, see the Keycloak documentation.
Create an OpenID Connect (OIDC) client. For details, see the Keycloak documentation.
Provide the following inputs when you are asked for them:
Client type: OpenID Connect
Client ID: Enter a alphanumeric that the Keycloak database can use to identify the client
Name: Enter any name for the client
Valid Redirect URIs: Enter the domain where Redpanda Console is hosted followed by the
/login/callbacks/keycloakpath. For example,
(Optional) Create at least one realm for managing and authenticating a specific group of users
You can use the master realm, or you can create a realm for managing and authenticating a specific group of users. Copy the client ID and client secret. The console configuration file uses these credentials to establish communication with Keycloak.
Edit the console configuration file associated with your deployment method and incorporate the details from your client application. For example, Kubernetes deployments use the
values.yaml file. Linux deployments use the
redpanda-console-config.yaml file, which is in
login: enabled: true # jwtSecret is the secret key you must use to sign and encrypt the JSON # web token used to store user sessions. This secret key is # critical for the security of Redpanda Console's authentication and # authorization system. Use a long, complex key with a combination of # numbers, letters, and special characters. The minimum number of # characters is 10, but Redpanda recommends using more than 32 # characters. For additional security, use a different secret key for # each environment. jwtSecret can be securely generated with the following # command: LC_ALL=C tr -dc '[:alnum:]' < /dev/random | head -c32 # # If you update this secret key, any users who are # already logged in to Redpanda Console will be logged out and will have # to log in again. jwtSecret: "" keycloak: enabled: true url: https://keycloak.internal.company.com realm: <realm-name> # Replace <realm-name> with the actual realm name. clientId: "" clientSecret: "" # The directory configuration is only required if you want to # use Keycloak groups in your role bindings. # This is described further in the next section. # directory: # adminUser: "" # adminPassword: ""
To bind roles to Keycloak groups, you must specify admin user credentials, which are used to resolve group memberships when communicating with Keycloak’s API. These credentials must be the same ones that are used to log in to the Keycloak admin panel, and they must be associated with the realm where the group memberships will be resolved.
login: keycloak: directory: adminUser: "" adminPassword: ""
When you set up the Keycloak login configuration, you can bind Keycloak users or groups to roles. Following is a sample role binding:
roleBindings: - metadata: name: Developers subjects: - kind: group provider: Keycloak name: 55e999ff-7923-4750-b2e1-7387768958a0 # Group ID - kind: user provider: Keycloak name: martin # Keycloak login / username roleName: editor