
We are currently working on a POC of Spring Cloud Dataflow, deployed in an Azure Kubernetes Service. One of our requirements is to integrate it with an Azure Active Directory. The authentication part went smoothly, but for the authorization, we need SCDF to be able to recognize appRoles of users (RBAC). But the behaviour so far seems to be that only the scopes are exposed, and if all scopes were exposed, then the user has all the service-roles (ROLE_VIEW, ROLE_DESTROY, ROLE_DEPLOY,...).

For instance, we'd like one user to have ROLE_VIEW only, and another user to have both ROLE_VIEW and ROLE_DESTROY.

What we've done so far:

Following the documentation, we created an App Registration (dataflow-server) exposing the following scopes & API permissions:

  • api://dataflow-server/dataflow.destroy
  • api://dataflow-server/dataflow.view
  • api://dataflow-server/dataflow.deploy
  • api://dataflow-server/dataflow.manage
  • api://dataflow-server/dataflow.schedule
  • api://dataflow-server/dataflow.create
  • api://dataflow-server/dataflow.modify

We created 2 appRoles, "role_reader" and "role_writer", to grant to specific users.

And we updated the configmap of the SCDF server to include these configurations:

spring:
  cloud:
    dataflow:
      security:
        authorization:
          provider-role-mappings:
            dataflow-server:
              map-oauth-scopes: true
              role-mappings:
                ROLE_VIEW: role_reader
                ROLE_DESTROY: role_writer
                ROLE_DEPLOY: role_writer
                ROLE_CREATE: role_writer
                ROLE_MANAGE: role_writer
                ROLE_SCHEDULE: role_writer
                ROLE_MODIFY: role_writer

And:

spring:
  security:
    oauth2:
      client:
        registration:
          dataflow-server:
            provider: azure
            redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}'
            client-id: <client_id_from_the_azure_app_registration>
            client-secret: <client_secret>
            scope:
            - openid
            - profile
            - email
            - offline_access
            - api://dataflow-server/dataflow.view
            - api://dataflow-server/dataflow.destroy
            - api://dataflow-server/dataflow.schedule
            - api://dataflow-server/dataflow.manage
            - api://dataflow-server/dataflow.create
            - api://dataflow-server/dataflow.deploy
            - api://dataflow-server/dataflow.modify
          provider:
            azure:
              issuer-uri: https://login.microsoftonline.com/<tenant-id>/v2.0
              user-name-attribute: name
        resourceserver:
          jwt:
            jwk-set-uri: https://login.microsoftonline.com/<tenant-id>/v2.0/keys

My understanding after reading the docs was that this should be sufficient to map the service roles (ROLE_VIEW) to the Azure AppRoles (role_reader) and allow RBAC to be used.

Where did I go wrong?

Thanks in advance for taking the time to read!
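To make the scope-versus-appRole distinction in the question concrete, here is an added, stand-alone Python model of the two mapping strategies. It is not Spring Cloud Data Flow code and does not reproduce SCDF's implementation; it only applies the `role-mappings` table from the configmap above to the claims of an Azure AD access token. It assumes (as Azure AD v2.0 tokens do) that granted delegated scopes arrive in the `scp` claim as a space-separated string and assigned appRoles arrive in the `roles` claim as a list. The tokens and claim sets are constructed fixtures; `decode_claims` only base64url-decodes the payload and performs no signature verification.

```python
import base64
import json

# Role mappings copied from the question's configmap: SCDF role -> Azure AD appRole value.
ROLE_MAPPINGS = {
    "ROLE_VIEW": "role_reader",
    "ROLE_DESTROY": "role_writer",
    "ROLE_DEPLOY": "role_writer",
    "ROLE_CREATE": "role_writer",
    "ROLE_MANAGE": "role_writer",
    "ROLE_SCHEDULE": "role_writer",
    "ROLE_MODIFY": "role_writer",
}
ALL_ROLES = set(ROLE_MAPPINGS)

# Delegated scopes exposed by the dataflow-server app registration (from the question),
# keyed as they appear in the "scp" claim (no "api://dataflow-server/" prefix), each
# paired with the SCDF role a scope-based mapping would grant for it.
SCOPE_TO_ROLE = {
    "dataflow.view": "ROLE_VIEW",
    "dataflow.destroy": "ROLE_DESTROY",
    "dataflow.deploy": "ROLE_DEPLOY",
    "dataflow.manage": "ROLE_MANAGE",
    "dataflow.schedule": "ROLE_SCHEDULE",
    "dataflow.create": "ROLE_CREATE",
    "dataflow.modify": "ROLE_MODIFY",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).
    No signature check is done here: this is for inspecting a token's claims only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def make_unsigned_token(claims: dict) -> str:
    """Constructed fixture: header.payload with an empty signature, so that
    decode_claims can be exercised offline without an identity provider."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."


def roles_from_scopes(claims: dict, scope_to_role: dict = SCOPE_TO_ROLE) -> set:
    """Scope-based mapping: every delegated scope in 'scp' becomes its SCDF role.
    Scopes are granted per application (consent), not per user, so a user who
    signs in to a client holding all seven scopes ends up with all seven roles."""
    scopes = claims.get("scp", "").split()
    return {scope_to_role[s] for s in scopes if s in scope_to_role}


def roles_from_app_roles(claims: dict, role_mappings: dict = ROLE_MAPPINGS) -> set:
    """AppRole-based mapping: an SCDF role is granted only when the appRole named
    for it in role-mappings is present in the token's 'roles' claim."""
    granted = set(claims.get("roles", []))
    return {scdf for scdf, app_role in role_mappings.items() if app_role in granted}


# Constructed claim sets. Both users come through the same client registration,
# so both carry the full scope list; they differ only in assigned appRoles.
_ALL_SCOPES = "openid profile email " + " ".join(SCOPE_TO_ROLE)
READER_CLAIMS = {"sub": "user-a", "scp": _ALL_SCOPES, "roles": ["role_reader"]}
WRITER_CLAIMS = {"sub": "user-b", "scp": _ALL_SCOPES, "roles": ["role_reader", "role_writer"]}


if __name__ == "__main__":
    for label, claims in (("reader", READER_CLAIMS), ("writer", WRITER_CLAIMS)):
        decoded = decode_claims(make_unsigned_token(claims))
        print(label, "via scopes:  ", sorted(roles_from_scopes(decoded)))
        print(label, "via appRoles:", sorted(roles_from_app_roles(decoded)))
```

Running it prints the same seven roles for both users under the scope-based mapping, while the appRole-based mapping yields only ROLE_VIEW for the `role_reader` user and the full set for the user who also holds `role_writer`, which is the per-user RBAC behaviour the question is after.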
