After some insightful weeks of diving into the Ory platform, I am reverting back to Keycloak to investigate some other of its interesting features. The last few weeks spent in the Ory-land were enlightening.
While building a couple of browser-based prototypes, I’ve hit an interesting problem. Basically, I am trying to replicate a full remote setup with a reverse proxy and TLS SNI while running everything on localhost. Getting the DNS functioning is pretty easy—I just add the required hosts to the /etc/hosts file and I’m done with it.
Oh boy, 20 years of software engineering definitely makes you tune your BS radar when reading claims about how awesome and mature a relatively new technology is. Every new project claims to solve all the problems for the current itch at hand. Do you know that feeling? You spend a week reading the documentation, prepare the test deployment, find out that the documentation doesn’t match reality, look at GitHub and find dozens of open issues. Finally, you throw it out in anger and curse at yourself because you just wasted a week of time.
S3, Azure Blob, Google Storage and Minio: they’re all K/V stores at the core. Yes, of course, they provide much, much more functionality beyond that but—at the core—object storage systems, S3, GCS, Minio and the like, are K/V stores.
Each one provides an HTTP interface. Putting the data in object storage is done via HTTP PUT or POST requests, fetching is available via GET. To check if an object under the key exists, that’s a HEAD request. Deleting is a single HTTP DELETE away.
I must admit—I struggled to understand Oathkeeper. Looking back, I think the reason was that I compared it one-for-one to things like Traefik or Envoy. Turns out, Oathkeeper does not necessarily intend to replace a reverse proxy, although many people probably use it as such.
There was an interesting question coming up related to the previous article on RBAC with Ory Keto.
The question was:
how do I list the roles of a user
At the end of the previous article, the solution allowed finding out if the user is allowed to access the resources. But, indeed, what I have not discussed was how to get the roles the user is assigned to.
Role-based Access Control is an access control method whereby the entity roles define the level of access. Usually when talking about RBAC, the entity is a person and the object is a resource or a task (function) granted to a person. The usual example goes like this:
Software almost never runs in isolation. Today’s systems integrate with a vast number of external services. Ensuring reliability is difficult because the external dependencies, be it a database or an authentication system, add an element of unpredictability which is difficult to emulate in isolation. A reliable system should account for the behavior of its dependencies. What good is it that an API is up and running when the underlying service it talks to hasn’t accounted for a specific edge case and is causing unexpected latency for my clients under certain conditions?
Some two months ago, when I started the Firecracker journey, I set myself a goal to run an etcd cluster in Firecracker microVMs. Many lines of code later, after tackling the problem the hard way, there’s an outcome.