Mapping Keycloak Roles to Polaris
IMPORTANT: Keycloak user names are mapped to Polaris principals, and Keycloak roles are mapped to principal-roles.

Configure the following Polaris properties for Keycloak:

- quarkus.oidc.tenant-enabled to true
- quarkus.oidc.auth-server-url to the OIDC provider URL including the realm
- quarkus.oidc.client-id to the client_id; by default on a DF cluster this is edf-client
- quarkus.oidc.roles.role-claim-path to userRoles
- polaris.authentication.type to external
- polaris.oidc.principal-mapper.name-claim-path to preferred_username
Example Configuration:

```properties
quarkus.oidc.tenant-enabled=true
quarkus.oidc.auth-server-url=https://<HOSTNAME>:6443/realms/master
quarkus.oidc.client-id=edf-client
quarkus.oidc.roles.role-claim-path=userRoles
polaris.authentication.type=external
polaris.oidc.principal-mapper.name-claim-path=preferred_username
polaris.oidc.principal-roles-mapper.filter=^.*
polaris.oidc.principal-roles-mapper.mappings[0].regex=^.*$
polaris.oidc.principal-roles-mapper.mappings[0].replacement=PRINCIPAL_ROLE:$0
```

Polaris has an admin user that can create principals and catalogs. In Keycloak, the admin configuration properties must match the admin user. Ensure that matching is done as follows:

| Polaris properties | Description | Default value |
|---|---|---|
| polaris.admin.name | Admin user name. | root |
| polaris.admin.service.role | Role for the service admin. | service_admin |
| polaris.admin.catalog.role | Role for the catalog admin. | catalog_admin |
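To see what the name and role mapping in the example configuration produces for a given token, here is an added Python example (not Polaris's or Data Fabric's own code) that applies the name-claim-path, role-claim-path, filter and mappings[N] entries to a constructed set of Keycloak token claims. It assumes the simplified mapper semantics stated in its docstring and that the token's signature and issuer were already verified by the Quarkus OIDC layer.

```python
import re

# Constructed sample: the mapping-related lines of the configuration above.
POLARIS_CONFIG = {
    "quarkus.oidc.roles.role-claim-path": "userRoles",
    "polaris.oidc.principal-mapper.name-claim-path": "preferred_username",
    "polaris.oidc.principal-roles-mapper.filter": "^.*",
    "polaris.oidc.principal-roles-mapper.mappings[0].regex": "^.*$",
    "polaris.oidc.principal-roles-mapper.mappings[0].replacement": "PRINCIPAL_ROLE:$0",
}

# Constructed sample: claims of a Keycloak access token. Signature and issuer
# checks are assumed to have been done already by the Quarkus OIDC layer.
SAMPLE_CLAIMS = {
    "preferred_username": "admin",
    "userRoles": ["fabric-manager", "offline_access"],
}

MAPPINGS_PREFIX = "polaris.oidc.principal-roles-mapper.mappings["


def _java_to_python_repl(replacement):
    """Translate Java-style group references ($0, $1, ...) to Python's \\g<n>."""
    return re.sub(r"\$(\d+)", r"\\g<\1>", replacement)


def _mappings(config):
    """Collect mappings[N].regex / mappings[N].replacement pairs in index order."""
    indices = sorted({int(k[len(MAPPINGS_PREFIX):].split("]")[0])
                      for k in config if k.startswith(MAPPINGS_PREFIX)})
    return [(re.compile(config[f"{MAPPINGS_PREFIX}{i}].regex"]),
             _java_to_python_repl(config[f"{MAPPINGS_PREFIX}{i}].replacement"]))
            for i in indices]


def map_token(config, claims):
    """Return (principal name, principal roles) derived from the token claims.

    Assumed semantics (simplified model, not Polaris's own code): a role must
    match the filter regex to be kept; each mapping is then applied in order.
    """
    principal = claims[config["polaris.oidc.principal-mapper.name-claim-path"]]
    role_filter = re.compile(config["polaris.oidc.principal-roles-mapper.filter"])
    mappings = _mappings(config)
    roles = []
    for role in claims.get(config["quarkus.oidc.roles.role-claim-path"], []):
        if not role_filter.search(role):
            continue  # roles outside the filter are dropped, never mapped
        for regex, repl in mappings:
            role = regex.sub(repl, role)
        roles.append(role)
    return principal, roles
```

Under these assumed semantics the filter ^.* turns every Keycloak role in userRoles into a Polaris principal role, so narrowing the filter (for example to ^fabric-) is the setting to review if incidental Keycloak roles should not reach Polaris.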
configure.sh configures SSO by default if SSO properties are already available in the cluster. After you configure Polaris, the admin user configuration changes to the Data Fabric Keycloak defaults as follows:

- polaris.admin.name to admin
- polaris.admin.service.role to fabric-manager
- polaris.admin.catalog.role to fabric-manager