cluster-redis
keycloak-connector-server-cluster-redis
Description
Provides cluster communications through Redis, so that a deployment can scale out to several instances without interrupting security or the user experience.
Why?
When scaling a project that uses keycloak-connector-server, each instance generates its own set of client JWKs, yet when Keycloak polls the JWKS endpoint it is served the public key of whichever instance answered. Logins will then fail intermittently, because Keycloak does not know all of the live public keys.
This plugin synchronizes the key set across instances and relays other cluster-wide events, such as logouts pushed from Keycloak, so every instance acts on them.
Fastify Configuration
import Fastify from 'fastify';

const fastify = Fastify({
  // Extend the fastify plugin timeout (milliseconds; the default is 10000) in order
  // to allow for key negotiation between cluster members over Redis during startup
  pluginTimeout: 120000,
});
Setup Redis on AWS ElastiCache
STOP! If you're already using AWS ElastiCache, skip to Authenticating each application
- Create a new EC2 security group to link Redis to the EC2 instances
  - Allow inbound connections on tcp/6379, with the source restricted to this same security group (not 0.0.0.0/0)
- Create a new ElastiCache default user
  - User Id: keycloak-connector-aws-redis-admin (or any other)
  - Username: default (do not change; every ElastiCache user group must contain a user named default)
  - Authentication mode: Password(s)
    - Password 1: <Use a 64 character or more password>
  - Access string: on ~* &* +@all
    - Or, to disable logins with this account so that only the per-application users created below can connect: off ~* &* +@all
- Create a new ElastiCache user group
  - Add the new default user
- Create the Redis cluster
  - Note: be careful when selecting the size of the instance; the tiniest one probably works for now
  - Transit encryption mode: required
  - Access control: user group access control list
  - User group: keycloak-connector-aws-redis-channel (or any other)
  - Add the cluster to the new security group
- Add the security group to any EC2 instances you want to have access
Authenticating each application
- Create new users (under "User management")
  - Recommend creating <app name>-prod & <app name>-dev accounts
  - Authentication mode: Password (IAM authentication is not yet implemented by the AWS SDKs)
  - Access string: see below. To restrict each user to a specific set of commands and partition data between users, build a unique access string per user.
    - Template (fill in the blanks):
      on clearselectors resetkeys ~<app name>-<prod|dev>:* resetchannels &<app name>-<prod|dev>:* -@all +@fast +@pubsub +@keyspace +@string +@read +@write +@scripting -@dangerous +client|setname +info
    - The above allows read/write access only to keys and pub/sub channels that match the my-cool-app-prod:* glob, and allows the commands in the fast, pubsub, keyspace, string, read, write and scripting categories.
    - Note: rules are applied left to right, so the trailing -@dangerous strips commands such as KEYS and FLUSHALL that the earlier categories had included. INFO (which is in @dangerous) and CLIENT SETNAME (CLIENT is in @connection, which is not granted) are then re-added individually; CLIENT LIST and CONFIG GET stay denied.
    - Note: after submitting, the final access string will not contain clearselectors, resetkeys, or resetchannels. These are one-shot directives that wipe any key, channel and selector permissions already on the user before the new rules are applied, so the user ends up with exactly the patterns listed; they are not stored as part of the user's permissions.
- Tie the new users to the user group (under "User groups")
  - Select keycloak-connector-aws-redis-channel (or your group)
  - Modify
  - Manage
  - Enable the desired users
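To see what the template above actually grants, here is a small Python model of Redis ACL rule evaluation, added as an example for this README; it is not part of keycloak-connector-server, this plugin, or Redis. It applies an access string left to right the way Redis does (later rules override earlier ones), then checks a command plus the keys or channels it touches against the result. The command-to-category table is a constructed excerpt of Redis's ACL CAT data for the commands that matter here, my-cool-app-prod stands in for <app name>-<prod|dev>, and selectors are not modelled, so clearselectors is accepted as a no-op.

```python
"""Toy Redis ACL access-string evaluator (added example; not part of the plugin)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed excerpt of Redis's ACL CAT data for a handful of commands.
COMMAND_CATEGORIES = {
    "ping":           {"fast", "connection"},
    "auth":           {"fast", "connection"},
    "get":            {"read", "string", "fast"},
    "set":            {"write", "string", "slow"},
    "del":            {"keyspace", "write", "slow"},
    "keys":           {"keyspace", "read", "slow", "dangerous"},
    "flushall":       {"keyspace", "write", "slow", "dangerous"},
    "publish":        {"pubsub", "fast"},
    "subscribe":      {"pubsub", "slow"},
    "eval":           {"slow", "scripting"},
    "info":           {"slow", "dangerous"},
    "client|setname": {"slow", "connection"},
    "client|list":    {"admin", "slow", "dangerous", "connection"},
    "config|get":     {"admin", "slow", "dangerous"},
}


@dataclass
class Acl:
    enabled: bool = False
    key_patterns: list = field(default_factory=list)
    channel_patterns: list = field(default_factory=list)
    commands: set = field(default_factory=set)  # commands currently permitted


def _matching(selector: str) -> set:
    """Commands selected by '@category', 'cmd' or 'cmd|subcommand'."""
    if selector == "@all":
        return set(COMMAND_CATEGORIES)
    if selector.startswith("@"):
        return {c for c, cats in COMMAND_CATEGORIES.items() if selector[1:] in cats}
    if "|" in selector:  # a single subcommand, e.g. client|setname
        return {selector} if selector in COMMAND_CATEGORIES else set()
    return {c for c in COMMAND_CATEGORIES if c == selector or c.startswith(selector + "|")}


def parse_acl(access_string: str) -> Acl:
    """Apply the rules left to right, as Redis does: a later rule overrides an earlier one."""
    acl = Acl()
    for rule in access_string.split():
        if rule == "on":
            acl.enabled = True
        elif rule == "off":
            acl.enabled = False
        elif rule == "resetkeys":        # drop every key pattern added so far
            acl.key_patterns = []
        elif rule == "resetchannels":    # drop every channel pattern added so far
            acl.channel_patterns = []
        elif rule == "clearselectors":   # selectors are not modelled here
            pass
        elif rule.startswith("~"):       # key glob (case-sensitive, like Redis)
            acl.key_patterns.append(rule[1:])
        elif rule.startswith("&"):       # pub/sub channel glob
            acl.channel_patterns.append(rule[1:])
        elif rule.startswith("+"):
            acl.commands |= _matching(rule[1:].lower())
        elif rule.startswith("-"):
            acl.commands -= _matching(rule[1:].lower())
        else:
            raise ValueError(f"unsupported ACL rule: {rule}")
    return acl


def check(acl: Acl, command: str, keys=(), channels=()) -> str:
    """Return 'OK', or the reason the call would be rejected (NOAUTH/NOPERM style)."""
    if not acl.enabled:
        return "user is disabled (off)"
    if command.lower() not in acl.commands:
        return f"command '{command}' not permitted"
    for k in keys:
        if not any(fnmatchcase(k, p) for p in acl.key_patterns):
            return f"no permission to access key '{k}'"
    for ch in channels:
        if not any(fnmatchcase(ch, p) for p in acl.channel_patterns):
            return f"no permission to access channel '{ch}'"
    return "OK"


def is_allowed(acl: Acl, command: str, keys=(), channels=()) -> bool:
    return check(acl, command, keys, channels) == "OK"


ADMIN_ACL = parse_acl("on ~* &* +@all")            # the default user from the README
DISABLED_ADMIN_ACL = parse_acl("off ~* &* +@all")  # the same user, logins disabled
APP_ACL = parse_acl(                               # the template, filled in for my-cool-app-prod
    "on clearselectors resetkeys ~my-cool-app-prod:* resetchannels &my-cool-app-prod:* "
    "-@all +@fast +@pubsub +@keyspace +@string +@read +@write +@scripting -@dangerous "
    "+client|setname +info"
)

if __name__ == "__main__":
    for cmd, kw in [("get", {"keys": ["my-cool-app-prod:session:1"]}),
                    ("get", {"keys": ["my-cool-app-dev:session:1"]}),
                    ("keys", {}), ("flushall", {}), ("info", {}), ("client|list", {}),
                    ("publish", {"channels": ["my-cool-app-prod:logout"]})]:
        print(f"{cmd:14} -> {check(APP_ACL, cmd, **kw)}")
```

Running it shows that the application user can GET and SET its own keys and PUBLISH on its own channels, that KEYS, FLUSHALL, CLIENT LIST and CONFIG GET are refused, that INFO and CLIENT SETNAME work only because of the two explicit + entries, and that anything under my-cool-app-dev:* is rejected even though the command itself is permitted.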
Connecting through EC2 (bastion) instance
- Copy the endpoint url
- Install redis
  sudo yum install -y redis
- Check the redis-cli version number. It must be at least 6.0.0, since --tls and username/password AUTH for ACL users both require it. If the version is less than 6.0, skip to "Building Redis from the source"
  redis-cli -v
- Connect to the cluster (--tls is mandatory because the cluster was created with transit encryption required)
  redis-cli --tls -h {replace_with_primary_endpoint} -p {replace_with_port_number}
- Ensure lack of permissions at this point
  > PING
  < (error) NOAUTH Authentication required.
- Authenticate. Note: if the password contains spaces or quotes, wrap it in double quotes; redis-cli's interactive prompt interprets backslash escapes inside double quotes.
  > AUTH default <password>
  < OK
- Test the connection
  > PING hi
  < "hi"
- To verify an application user's restrictions, authenticate as that user instead and try a command its access string denies; the command should be rejected with an error beginning NOPERM rather than executed
  > AUTH <app name>-prod <password>
  > KEYS *
Building Redis from the source
- Remove the existing redis package
  sudo yum remove redis
- Install the required build utilities
  sudo yum install -y make gcc openssl-devel
- Build and install Redis with TLS support (BUILD_TLS=yes is what gives redis-cli its --tls flag)
  cd ~
  wget https://download.redis.io/redis-stable.tar.gz
  tar -xzvf redis-stable.tar.gz
  cd redis-stable
  make distclean
  make BUILD_TLS=yes MALLOC=libc
  sudo make install
- Cleanup the redis install files
  WAIT!!! Be careful with the following command and make sure it points to the correct directory. Naming the two files explicitly avoids a wildcard that could match more than intended:
  rm -rf ~/redis-stable ~/redis-stable.tar.gz