Summary
This technote documents the steps required to configure KeyCloak as an SSO provider for Dremio.
Overview
Dremio supports multiple SSO authentication types and vendors. There are many enterprise-scale vendors whose solutions are already deployed at customer sites. An interesting alternative is the open source solution KeyCloak, which we'll look at configuring here. It is well suited to SSO testing purposes.
NOTE: this configuration example will be done using Kubernetes, however the configuration is relevant for any Dremio deployment type.
Relevant Versions Tools and Integrations
This is non-specific to any version of Dremio, although it does require the Enterprise version for SSO functionality.
Steps to Resolve
Full background on KeyCloak can be found at www.keycloak.org and https://github.com/keycloak. Instructions on installing the KeyCloak (KC) pod and its basic configuration are here.
You should be able to stand up a KC pod following the instructions there. The provided example YAML will stand up a Kubernetes service endpoint for you to connect to, which you can retrieve with this command:
$ kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default keycloak LoadBalancer 10.152.183.245 10.0.0.201 8080:30740/TCP 5d20h
Note port 8080. When you connect to the KC endpoint in your browser, you will be presented with a dashboard, choose the administrator console; the credentials are admin/admin.
This will take you into the master realm - you can configure a separate realm following the KC instruction if you wish, however the master realm is sufficient for this exercise. The settings for this example will be:
KC address: http://10.0.0.201:8080
KC Client ID: dremio
KC realm: master
Dremio co-ordinator: http://10.0.0.200:9047
Redirect URI: http://10.0.0.200:9047/sso
Select the Clients tab on the navigation bar, and choose Create Client. Name your client (e.g. "dremio") and on the next screen be sure to select Client Authentication. This generates the clientSecret for your OAuth config.
Note that the example k8s pod has no PVC allocated by default, so each time you restart the pod you will have to repeat these steps.
You should be presented with the Client OIDC configuration screen. Complete the redirect URI under Access settings (note that for AKS this will be an IP, for AWS you should use the FQDN of your co-ordinator pod). Ensure Client authentication is checked under Capability config, then save your configuration.
Now switch to your Helm chart location to populate your Dremio oauth.json in the normal way. The oauth.json should be placed under charts/dremio_v2/config, with the usual content.
To find your clientSecret, check the Credentials tab that has appeared in your Dremio client in the KC console. To find your authorityURL, go to Clients in the navigation bar. You're looking for the account URL:
Open a new tab in your browser, paste and edit the URL so it reads:
http://<IP address>:8080/realms/{realm}/.well-known/openid-configuration
This should present you with a JSON document of realm metadata (Firefox renders it nicely formatted):
Essentially, the authorityUrl is just your realm address (the issuer shown in that document), but it's useful to know this page exists. So in this example, the oauth.json configuration would be:
{
  "clientId": "dremio",
  "clientSecret": "<redacted>",
  "redirectUrl": "http://10.0.0.200:9047/sso",
  "authorityUrl": "http://10.0.0.201:8080/realms/master",
  "scope": "openid profile email",
  "jwtClaims": {
    "userName": "email"
  }
}
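As an added check that is not part of this technote, the script below compares an oauth.json against the realm's discovery document: it confirms that authorityUrl equals the issuer, that the endpoints Dremio needs are advertised, that the requested scopes and the userName claim are supported, and it flags plain-http URLs and a placeholder clientSecret. The discovery document embedded here is a constructed sample shaped like Keycloak's output; fetch_discovery retrieves the real one from a live realm.

```python
import json
import urllib.request
# Constructed sample of a Keycloak realm discovery document, trimmed to the fields checked below.
SAMPLE_DISCOVERY = {
    "issuer": "http://10.0.0.201:8080/realms/master",
    "authorization_endpoint": "http://10.0.0.201:8080/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "http://10.0.0.201:8080/realms/master/protocol/openid-connect/token",
    "jwks_uri": "http://10.0.0.201:8080/realms/master/protocol/openid-connect/certs",
    "scopes_supported": ["openid", "profile", "email", "roles"],
    "claims_supported": ["sub", "iss", "email", "preferred_username", "name"],
}

# The oauth.json from this technote, with the secret left as its placeholder.
SAMPLE_OAUTH_JSON = """{
  "clientId": "dremio",
  "clientSecret": "<redacted>",
  "redirectUrl": "http://10.0.0.200:9047/sso",
  "authorityUrl": "http://10.0.0.201:8080/realms/master",
  "scope": "openid profile email",
  "jwtClaims": {"userName": "email"}
}"""


def fetch_discovery(authority_url, timeout=5):
    # Same URL the technote has you open in a browser, fetched here for scripted checks.
    url = authority_url.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def check_oauth_config(oauth_json_text, discovery):
    cfg = json.loads(oauth_json_text)
    findings = []
    authority = cfg["authorityUrl"].rstrip("/")
    # ID tokens are validated against the issuer, so authorityUrl must be the realm URL exactly.
    if discovery.get("issuer", "").rstrip("/") != authority:
        findings.append("authorityUrl %s does not match issuer %s" % (authority, discovery.get("issuer")))
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in discovery:
            findings.append("discovery document lacks %s" % key)
    for scope in cfg.get("scope", "").split():
        if scope not in discovery.get("scopes_supported", []):
            findings.append("scope %r not advertised by the realm" % scope)
    claim = cfg.get("jwtClaims", {}).get("userName")
    if claim not in discovery.get("claims_supported", []):
        findings.append("userName claim %r not in claims_supported" % claim)
    for key in ("authorityUrl", "redirectUrl"):
        if cfg[key].startswith("http://"):
            findings.append("%s uses plain http; fine for a lab, not for production" % key)
    if cfg["clientSecret"] in ("", "<redacted>"):
        findings.append("clientSecret is still a placeholder; copy it from the client's Credentials tab")
    return findings
```

Against a live realm, call check_oauth_config with the contents of your oauth.json and fetch_discovery(authorityUrl); an empty list means the file is consistent with the realm.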
Next add the relevant entries to the end of your dremio.conf under charts/dremio_v2/config. For example:
services.coordinator.web.auth.type: "oauth",
services.coordinator.web.auth.config: "/opt/dremio/conf/oauth.json"
Upgrade your pods, and you should be presented with your SSO login workflow as normal.
Add any user accounts in the KC console under the Users tab. When you log in with SSO, you should be presented with the KeyCloak login:
All done.
Common Challenges
There is one limitation with KeyCloak.
OIDC does not pass through attributes in the same way as SAML, but you can use SCIM to import groups from your OIDC provider. However, with KeyCloak this functionality is not yet available. The alternative is to combine OIDC login with LDAP for RBAC control.