How to set role-based login for jenkins in keycloak
I managed it the following way (using Keycloak 8.0.1 and Jenkins 2.208):
Keycloak:
- create realm
- create client "jenkins" - set root URL to the Jenkins URL (e.g. http://127.0.0.1:8080)
- In client "jenkins" select tab "installation" - format "keycloak OIDC JSON" - copy to clipboard for Jenkins Setup below
- create role "jenkins_admin"
- create role "jenkins_readonly"
- create user "admin" and assign role "jenkins_admin"
- create named user and assign role "jenkins_readonly"
Jenkins:
- verify that you have the necessary plugins installed (if not, install them):
- "Keycloak Authentication Plugin"
- "Matrix Authorization Strategy Plugin"
- "Role-based Authorization Strategy plugin"
- Switch the authorization mode to Role-Based Strategy by going to "Configure Global Security" - select "Authorization": "Role-Based Strategy" and then click on Save
- Add the Keycloak authentication JSON by going to "Manage Jenkins" - "Configure System" - "Global Keycloak Settings" and paste the previously copied JSON (Keycloak step 3) into the "Keycloak JSON" area
- Verify that an admin role is present by going to "Manage Jenkins" - "Manage and Assign Roles" - "Manage Roles" - "Global Roles". If not present, add the role "admin" with all checkboxes selected; then click on Save
- Add a "read_only" role by going to "Manage Jenkins" - "Manage and Assign Roles" - "Manage Roles" - "Global Roles" and add the role "read_only" with "Overall Read" selected; then click on Save
- Create group "jenkins_admin" and assign it to the "admin" role by going to "Manage Jenkins" - "Manage and Assign Roles" - "Assign Roles", add the group "jenkins_admin" to global roles, select "admin" and click on Save
- Create group "jenkins_readonly" and assign it to the "read_only" role by going to "Manage Jenkins" - "Manage and Assign Roles" - "Assign Roles", add the group "jenkins_readonly" to global roles, select "read_only" and click on Save
- Change the "Security Realm" to Keycloak Authentication Plugin by going to "Configure Global Security" and selecting "Security Realm": "Keycloak Authentication Plugin", then click on Save
- Log out
Now, when you try to log in, you should be redirected to the Keycloak login page. Try to log in as admin with admin rights, and as the named user with read-only rights.
Besides Christop's answer:
- you need to configure a mapper for Group Membership under the Keycloak client.
- validate that by making sure that "groups" comes in the scope of the access token.
Another point: you can use one of two plugins:
- either the Keycloak plugin
- or the oic-auth plugin (OpenID Connect); indeed, Keycloak implements the OpenID Connect protocol in the end.
Last point:
make configuration-as-code an essential plugin in your Jenkins stack.
Always check the examples in the configuration-as-code plugin; it might help a lot. For this case, these links can help a lot:
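Pulling the Jenkins-side steps from Christop's answer together in the configuration-as-code form recommended above: this is an added example, not code from either answer or from the plugins' documentation, and it assumes the Keycloak, Role-based Authorization Strategy and Configuration as Code plugins are installed. REALM_NAME and the auth-server-url are placeholders to replace with your own values; the `assignments` and `keycloakSecurityRealm` keys are the JCasC keys those plugins accepted around the versions named above and may differ in newer releases.

```yaml
# Added example: JCasC equivalent of the manual Jenkins steps (not from the answers).
# Assumed plugins: configuration-as-code, keycloak, role-strategy.
jenkins:
  # "Security Realm": Keycloak Authentication Plugin
  securityRealm: keycloak
  # "Authorization": Role-Based Strategy
  authorizationStrategy:
    roleBased:
      roles:
        global:
          # Global role "admin" with every permission, held by group jenkins_admin
          - name: "admin"
            description: "Full control; assigned to the Keycloak group jenkins_admin"
            permissions:
              - "Overall/Administer"
            assignments:
              - "jenkins_admin"
          # Global role "read_only" with Overall/Read only, held by group jenkins_readonly
          - name: "read_only"
            description: "Read only; assigned to the Keycloak group jenkins_readonly"
            permissions:
              - "Overall/Read"
            assignments:
              - "jenkins_readonly"

unclassified:
  # "Global Keycloak Settings": the OIDC JSON exported from the "jenkins" client
  keycloakSecurityRealm:
    keycloakJson: |-
      {
        "realm": "REALM_NAME",
        "auth-server-url": "http://127.0.0.1:8180/auth/",
        "ssl-required": "external",
        "resource": "jenkins",
        "public-client": true,
        "confidential-port": 0
      }
    keycloakValidate: false
    keycloakRespectAccessTokenTimeout: true
```

The group names under `assignments` must match exactly what the token carries for the user, so keep the Group Membership mapper check from the second answer as part of verifying this configuration.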