As far as I know 1.2.0 is out, and it brings a new authentication backend to Operate. It is mentioned in the release notes with some IAM documentation on the official Camunda documentation site.
Operate used to only support:
- User information in ES (not acceptable for us in production)
- Camunda Cloud (not relevant for us, we use Camunda Cloud Self Managed)
- LDAP (annoying, we have an SSO / OIDC stack and no LDAP)
IAM is the fourth authentication mechanism, and would also allow giving read only access to some users in Operate.
This is what we did to try and have this work:
- Started from a working local docker-compose setup with:
  - Zeebe 1.2.1
  - Operate 1.2.0
  - ES 7.12.1
- Added IAM to the stack with its own PG database (based on the official documentation)
- Tweaked the Operate configuration to authenticate with IAM (based on another official documentation page)
The docker-compose diff is basically:
operate:
image: camunda/operate:1.2.0
+ environment:
+ - SPRING_PROFILES_ACTIVE=iam-auth
+
ports:
- 9080:8080
volumes:
- ./config/operate/application.yml:/usr/local/operate/config/application.yml
depends_on:
- zeebe
- elasticsearch
+ - iam
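Review bot: `depends_on: - iam` on the operate service only orders container start; it does not wait for IAM to answer requests, and the IAM log further down shows it needing roughly 28 seconds to boot, so Operate can come up before its issuer is reachable. The blank `+` line under the environment block is also a stray whitespace addition that can be dropped.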
@@ -168,3 +173,34 @@ services:
- 5432:5432
volumes:
- postgres_data:/var/lib/postgresql/data/
+
+ iam:
+ image: camunda/iam:latest
+ environment:
+ DEFAULT_CLIENT_CREATE: "false"
+ IAM_CLIENT_ID: operate-iam-client
+ IAM_CLIENT_SECRET: d66eb844-0e14-4da0-939c-8794cc105e16
+ # For localhost usage
+ ENFORCE_HTTPS: "false"
+ FEATURE_USER_MANAGEMENT: "true"
+ DB_URL: jdbc:postgresql://postgres-iam:5432/pgiamdb
+ DB_USER: pgiamuser
+ DB_PASSWORD: e10b1d4a-9e77-43ed-82ba-293880d6481b
+ ports:
+ - 8080:8080
+ depends_on:
+ - postgres-iam
+
+ postgres-iam:
+ image: postgres:12.5
+ environment:
+ POSTGRES_DB: pgiamdb
+ POSTGRES_USER: pgiamuser
+ POSTGRES_PASSWORD: e10b1d4a-9e77-43ed-82ba-293880d6481b
+ volumes:
+ - postgres_iam_data:/var/lib/postgresql/data/
+ healthcheck:
+ test: pg_isready -d pgiamdb -U pgiamuser
+ interval: 30s
+ timeout: 15s
+ retries: 10
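Review bot: `image: camunda/iam:latest` is the only unpinned image in the stack while Zeebe, Operate, ES and postgres all carry versions; pin it to a specific tag so the setup is reproducible and does not change under you on the next pull. The `healthcheck` on postgres-iam is never consulted by `depends_on: - postgres-iam` in its short form; to actually gate IAM on `pg_isready` use the long form with `condition: service_healthy`. IAM_CLIENT_SECRET and DB_PASSWORD are inline in the compose file; move them to an env_file or Docker secrets so they stay out of version control, and keep ENFORCE_HTTPS: "false" strictly to the localhost case it is commented for.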
And the Operate configuration diff (./config/operate/application.yml):
# Operate configuration file
# FROM https://raw.githubusercontent.com/zeebe-io/zeebe-docker-compose/master/lib/application.yml
camunda.operate:
# ELS instance to store Operate data
elasticsearch:
# Cluster name
clusterName: elasticsearch
# Host
host: elasticsearch
# Transport port
port: 9200
# Zeebe instance
zeebe:
# Broker contact point
brokerContactPoint: zeebe:26500
# ELS instance to export Zeebe data to
zeebeElasticsearch:
# Cluster name
clusterName: elasticsearch
# Host
host: elasticsearch
# Transport port
port: 9200
# Index prefix, configured in Zeebe Elasticsearch exporter
prefix: caseflow-zeebe-record
+ # IAM configuration
+ iam:
+ issuer: http://localhost:9080
+ issuerUrl: http://localhost:9080
+ clientId: operate-iam-client
+ clientSecret: d66eb844-0e14-4da0-939c-8794cc105e16
logging:
level:
ROOT: INFO
org.camunda.operate: DEBUG
#Spring Boot Actuator endpoints to be exposed
management.endpoints.web.exposure.include: health,info,conditions,configprops,prometheus
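Review bot: in the added `iam:` block, `issuer` and `issuerUrl` both point at http://localhost:9080, which in the compose file is the host port published for Operate itself (`9080:8080`), while IAM is published on `8080:8080`. The redirect reported later in the post goes to http://localhost:9080/api/authorize, i.e. back to Operate's own port, which is consistent with the issuer being aimed at the wrong service; check the Operate IAM docs for which of the two keys is read and point it at the IAM address (one the browser can reach, and that the Operate container can also reach if it is used for token or key retrieval). The clientSecret is also inline here; prefer an environment variable or secret as for the compose file.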
I can correctly start my docker-compose with this configuration:
docker-compose up iam postgres-iam operate
With IAM logs looking good:
iam_1 | 2021-10-22 14:49:34.320 INFO 1 --- [ main] o.apache.catalina.core.StandardService : Starting service [Tomcat]
iam_1 | 2021-10-22 14:49:34.321 INFO 1 --- [ main] org.apache.catalina.core.StandardEngine : Starting Servlet engine: [Apache Tomcat/9.0.44]
iam_1 | 2021-10-22 14:49:34.327 INFO 1 --- [ main] o.a.c.c.C.[Tomcat-1].[localhost].[/] : Initializing Spring embedded WebApplicationContext
iam_1 | 2021-10-22 14:49:34.327 INFO 1 --- [ main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 146 ms
iam_1 | 2021-10-22 14:49:34.352 INFO 1 --- [ main] o.s.b.a.e.web.EndpointLinksResolver : Exposing 3 endpoint(s) beneath base path '/actuator'
iam_1 | 2021-10-22 14:49:34.447 INFO 1 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port(s): 8081 (http) with context path ''
iam_1 | 2021-10-22 14:49:34.502 INFO 1 --- [ main] io.camunda.iam.IamApplicationKt : Started IamApplicationKt in 27.945 seconds (JVM running for 29.378)
And Operate logs showing that it is activating the IAM backend:
operate_1 | 2021-10-22 14:49:12.220 INFO 8 --- [ main] i.c.o.Application : Starting Application using Java 11.0.12 on d1691fd254ce with PID 8 (/usr/local/operate/lib/operate-webapp-1.2.0-exec.jar started by root in /usr/local/operate)
operate_1 | 2021-10-22 14:49:12.244 INFO 8 --- [ main] i.c.o.Application : The following profiles are active: iam-auth
[...]
operate_1 | 2021-10-22 14:49:41.451 INFO 8 --- [ main] o.a.c.h.Http11NioProtocol : Starting ProtocolHandler ["http-nio-8080"]
operate_1 | 2021-10-22 14:49:41.472 INFO 8 --- [ main] o.s.b.w.e.t.TomcatWebServer : Tomcat started on port(s): 8080 (http) with context path ''
operate_1 | 2021-10-22 14:49:42.497 INFO 8 --- [ main] i.c.o.Application : Started Application in 32.237 seconds (JVM running for 36.304)
operate_1 | 2021-10-22 14:49:42.510 INFO 8 --- [ main] i.c.o.s.m.SchemaMigration : SchemaMigration finished.
Now, I can’t quite understand what I need to do next.
Opening a browser at http://localhost:9080 (Operate URL) redirects to http://localhost:9080/api/authorize?client_id=operate-iam-client&redirect_uri=http%3A%2F%2Flocalhost%3A9080%2Fiam-callback&response_type=code&scope=
This fails with a 401 and an error message:
{"message":"Full authentication is required to access this resource"}
Did anyone get IAM to work with a Self-Managed setup?
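As an added diagnostic (not code from the post, nor from Camunda), here is a small Python check that parses an authorize redirect like the one above against the host port mappings in the compose file, to classify which container the browser is actually being sent to for the authorization request. The port map and the expected client id are assumptions taken from the post.

```python
from urllib.parse import urlsplit, parse_qs

# Host port -> service, constructed from the "ports:" entries in the
# compose file of the post (Operate 9080:8080, IAM 8080:8080).
PUBLISHED_PORTS = {9080: "operate", 8080: "iam"}

# The redirect observed in the post, reused here as sample input.
OBSERVED_REDIRECT = (
    "http://localhost:9080/api/authorize?client_id=operate-iam-client"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A9080%2Fiam-callback"
    "&response_type=code&scope="
)


def analyse_authorize_redirect(url, published_ports, expected_client_id,
                               operate_base="http://localhost:9080"):
    """Classify an OAuth2 authorization-code redirect.

    Returns a dict of findings: which published service the browser is
    being sent to for /api/authorize, and whether the query looks sane.
    """
    parts = urlsplit(url)
    # keep_blank_values so an empty "scope=" still shows up in the result
    query = parse_qs(parts.query, keep_blank_values=True)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    redirect_uri = query.get("redirect_uri", [""])[0]
    return {
        # The authorization request must reach the identity provider,
        # not the application that is protected by it.
        "authorize_target": published_ports.get(port, "unknown"),
        "authorize_goes_to_iam": published_ports.get(port) == "iam",
        "client_id_ok": query.get("client_id") == [expected_client_id],
        "response_type_code": query.get("response_type") == ["code"],
        # The callback must land on Operate, which serves /iam-callback.
        "callback_on_operate": redirect_uri.startswith(operate_base + "/"),
        "scope_empty": query.get("scope") == [""],
    }


if __name__ == "__main__":
    findings = analyse_authorize_redirect(
        OBSERVED_REDIRECT, PUBLISHED_PORTS, "operate-iam-client")
    for key, value in findings.items():
        print(f"{key}: {value}")
```

Run against the redirect from the post it reports authorize_target as "operate", meaning the browser never reaches the IAM container's authorize endpoint.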