From dc480c47223f6ed5d36beccb6eebacf999176c9c Mon Sep 17 00:00:00 2001 From: Minhyeok LEE <130422754+raccoon-mh@users.noreply.github.com> Date: Thu, 31 Oct 2024 16:29:21 +0900 Subject: [PATCH] Update README.md --- README.md | 218 ++++++++++++++++++++---------------------------------- 1 file changed, 79 insertions(+), 139 deletions(-) diff --git a/README.md b/README.md index 674f3f4..2f3e76c 100644 --- a/README.md +++ b/README.md @@ -26,12 +26,11 @@ Use this guide to start MC-IAM-MANAGER using the docker. The Quick Start guide s - Ubuntu (22.04 is tested) with external access (https-443, http-80, ssh-ANY) - docker and docker-compose - Domain (for Keycloak and Public buffalo) and Email for register SSL with certbot -- Stop or Disable Services using 80 or 443 ports such as nginx ### Step one : Clone this repo ```bash -git clone https://github.com/m-cmp/mc-iam-manager +git clone ``` ### Step two : Go to Scripts Folder 
@@ -40,93 +39,36 @@ git clone https://github.com/m-cmp/mc-iam-manager cd /scripts ``` -### Step three : Excute generate_nginx_conf.sh +### Step three : Excute keycloakimportsetting.sh ```bash -./generate_nginx_conf.sh +./keycloakimportsetting.sh -# >.env (DOMAIN): yourdomain.com -# >.env (EMAIL): yourEmail@test.com +## MC-IAM-MANAGER Init Setup ## + - Please enter the changes. If not, use the environment variable. + - You can set Values in ./.mciammanager_init_env -================================================ - * DOMAIN = yourdomain.com - * EMAIL = yourEmail@test.com -================================================ - -** Nginx configuration file has been created at ./nginx/nginx.conf ** -``` - -This process creates two versions of nginx.conf: - -the first (nginx-cert.conf) to receive SSL certificates and the second (nginx.conf) to set up an internal proxy for mc-iam-manager and keycloak, and certbot, as well as an SSL reverse proxy - -### Step four : Excute init docker-compose for SSL setup - -```bash -docker-compose -f docker-compose.init.yml up -# check the log "Successfully received certificate." and "ertbot exited with code 0" -# ctrl + C to exit docker-compose and shutdown with below command -docker-compose -f docker-compose.init.yml down -``` - -This process creates a SSL certificate in the `~/.m-cmp/data/certbot` path through the nginx-cert.conf setting. ****If you have checked the console log (Successfully received certificate. ~~ certbot exited with code 0) as below, you have successfully issued an SSL certificate and created it at the designated location. - -```bash -$ docker-compose -f docker-compose.init.yml up -.... -certbot | Successfully received certificate. -certbot | Certificate is saved at: /etc/letsencrypt/live/yourdomain.com/fullchain.pem -certbot | Key is saved at: /etc/letsencrypt/live/yourdomain.com/privkey.pem -certbot | This certificate expires on 2024-09-11. -certbot | These files will be updated when the certificate renews. 
-certbot | NEXT STEPS: -certbot | - The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions. -certbot | -certbot | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -certbot | If you like Certbot, please consider supporting our work by: -certbot | * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate -certbot | * Donating to EFF: https://eff.org/donate-le -certbot | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -certbot exited with code 0 +COMPANY_NAME : +... ``` -And you don't have to consider the renewal. The next docker-compose checks the certificate every 12 hours and automatically updates it to the symbol link if it needs to be renewed. In other words, this is only the first time you need it, and it doesn't need to be applied from the next update. +This step defines the environment variables that you want to use by default or creates `./scripts/container-volume/mc-iam-manager/keycloak/data/import/realm-import.json` based on the variables defined in `./scripts/.env`. Therefore, "Keycloak" completes the initial setup based on the file, creating the first login user in the process. -### Step five : Excute docker-compose +### Step four: Excute docker-compose ```bash -docker-compose up --build -d +cd scripts +sudo docker-compose up --build -d ``` -If you check the log as below, it seems that you have successfully built and deployed the mc-iam-manager without any problems. +This step is time consuming. Don't worry if the console fails. "Keycloak" is a natural error that occurs during initial installation when MC-IAM-MANAGER requests Keyclaok readiness and certification to initialize the database and import the required data. 
-```bash -$ docker-compose up --build -d - -Creating network "scripts_mciammanagernet" with the default driver -Building mciammanager -Step 1/19 : FROM gobuffalo/buffalo:v0.18.14 as builder - ---> dbcc9d3a40f5 -Step 2/19 : ENV GOPROXY http://proxy.golang.org - ---> Using cache - ---> 05e55ac7f5eb - .... - Step 10/19 : RUN buffalo build --static -o /bin/app - ---> Running in 3c1d37d71384 - .... -Successfully built 7d0ed2aa6a89 -Successfully tagged scripts_mciammanager:latest -Creating scripts_postgresdb_1 ... done -Creating certbot ... done -Creating scripts_keycloak_1 ... done -Creating scripts_mciammanager_1 ... done -Creating nginx ... done -``` +Once the server completes successfully, you can access the readyz endpoint with the message that it has been loaded successfully. -### Step six : Check Alive enpoint +### Step final: Check Readyzenpoint ```bash -$ curl https://:5000/alive +$ curl https://:5000/readyz # {"ststus":"ok"} ``` 
@@ -134,74 +76,72 @@ If `{"stststus":"ok"}` is received from the endpoint, it means that the service ### WELCOME : Now you can use MC-IAM-MANAGER -You can get tokens issued and see the default Role created through some of the built-in accounts below. For more API information, check the following swagger link. - -```bash -$ curl --location 'https://yourdomain.com:5000/api/auth/login' \ ---header 'Content-Type: application/json' \ ---data '{ - "id":"mcpsuper", - "password":"mcpuserpassword" -}' - -$ curl --location 'https://yourdomain.com:5000/api/auth/login' \ ---header 'Content-Type: application/json' \ ---data '{ - "id":"mcpadmin", - "password":"mcpuserpassword" -}' - -$ curl --location 'https://yourdomain.com:5000/api/auth/login' \ ---header 'Content-Type: application/json' \ ---data '{ - "id":"mcpoperator", - "password":"mcpuserpassword" -}' - -$ curl --location 'https://yourdomain.com:5000/api/auth/login' \ ---header 'Content-Type: application/json' \ ---data '{ - "id":"mcpviewer", - "password":"mcpuserpassword" -}' - -200 OK application/json -{ - "access_token": "xxxxx", # Rolelist in token (claims : realmRole[]) - "id_token": "xxxxx", - "expires_in": 36000, - "refresh_expires_in": 1800, - "refresh_token": "xxxxx", - "token_type": "Bearer", - "not-before-policy": 0, - "session_state": "xxxxx", - "scope": "openid microprofile-jwt profile email" -} -``` +To use MC-IAM-MANAGER, you need to register the resources of the framework to be used as the first registered user. + +For example, MC-WEB-CONSOLE must register a menu so that the user can load the web screen normally. + +This section describes how to use scripts that made the process simple. + +- init.sh + + ```bash + # ./scripts/init/init.sh + ./init.sh + + -------------------- + 0. exit + + 1. login + + 2. Init Resource Data from api.yaml + (MCADMINCLI_APIYAML: https://raw.githubusercontent.com/m-cmp/mc-admin-cli/refs/heads/main/conf/api.yaml) + + 3. 
Init Menu Data from menu.yaml + (MCWEBCONSOLE_MENUYAML: https://raw.githubusercontent.com/m-cmp/mc-web-console/refs/heads/main/conf/webconsole_menu_resources.yaml) + + 4. Init Role Data PREDEFINED_ROLE + (PREDEFINED_ROLE: admin,operator,viewer,billadmin,billviewer) + + 5. Get permission CSV + + 6. Update permission CSV + (./permission.csv) + + 99. auto init + + -------------------- + select Number : + ``` + + Running this script allows you to view the menu above, using the information defined in .env to perform tasks according to the numbers you enter. + + However, the first priority is to log in by entering the user's information that you entered. If you run number 1 and run numbers 2 to 6, you will be able to use MC-WEB-CONSOLE. + +- initauto.sh + + ``` + # ./scripts/init/initauto.sh + ./initauto.sh + ``` + + This script automatically performs all procedures based on the user defined in the environment variables, but it cannot define detailed role-specific menus, and it is automatically imported to the version listed in GitHub. + + If you want more detailed settings, we recommend init.sh . + +- add_demo_user.sh + + ``` + # ./scripts/init/add_demo_user.sh + ./add_demo_user.sh + ``` + + This script registers the demo user defined in ./scripts/init/add_demo_user.json. The process of registering is very simple and you can automatically activate the registered user. Use MC-WEB-CONSOLE for role setup and workspace interworking. + + +swagger docs -### swagger docs https://m-cmp.github.io/mc-iam-manager/ - ``` - # https://m-cmp.github.io/mc-iam-manager/ - ``` - -### Get CB-Tumblebug namespace Data - -You can run the following script to assign the configured existing data to the Default Workplace. - -```bash -$ cd /scripts/init -$ nano ./init.env -# TB_HOST= -# TB_username= -# TB_password= -# -# MCIAM_HOST= - -$ ./init-default-workspace-project.sh -``` - ---
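Review bot: in hunk `@@ -26,12 +26,11 @@` the clone command loses its argument: `-git clone https://github.com/m-cmp/mc-iam-manager` becomes `+git clone`, which fails with "fatal: You must specify a repository to clone"; restore the URL (`git clone https://github.com/m-cmp/mc-iam-manager`, which the next hunk's header still shows as context). Dropping the "Stop or Disable Services using 80 or 443 ports such as nginx" prerequisite is consistent with removing the nginx/certbot flow below, but the remaining prerequisite "Domain (for Keycloak and Public buffalo) and Email for register SSL with certbot" still refers to certbot, which this patch removes from the rest of the guide; update or remove that line as well.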
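Review bot: in hunk `@@ -40,93 +39,36 @@` the new step three replaces the nginx/certbot SSL setup with `keycloakimportsetting.sh`, but the guide no longer says how TLS is provided while the final check still reads `curl https://:5000/readyz`; state where the certificate for Keycloak and the API now comes from (or change the example to the scheme that works after `docker-compose up`), and put a placeholder host in the URL (`https://<yourdomain>:5000/readyz`) because the empty host gets copied verbatim. The step's explanation should also say that `./.mciammanager_init_env` and the generated `realm-import.json` carry the first login user's credentials, so they must be changed from the shipped defaults and kept out of version control. Smaller items in the same hunk: `cd scripts` in step four duplicates the `cd /scripts` of step two (use one path consistently); `Excute` and `Keyclaok` are misspelled and `Readyzenpoint` should be `Readyz endpoint`; the response `{"ststus":"ok"}` in the trailing context (and `{"stststus":"ok"}` in the next hunk header) should match the real response body, since the two spellings do not even agree with each other; and "Don't worry if the console fails. "Keycloak" is a natural error ..." should name the expected error and say that it clears once Keycloak is ready, rather than telling the reader to ignore failures.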
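Review bot: in hunk `@@ -134,74 +76,72 @@` the init.sh menu points `MCADMINCLI_APIYAML` and `MCWEBCONSOLE_MENUYAML` at `refs/heads/main` of the mc-admin-cli and mc-web-console repositories, and initauto.sh "is automatically imported to the version listed in GitHub", so the resources, menus and roles loaded into IAM change whenever those branches move, with no tie to the MC-IAM-MANAGER release; pin the defaults to a tag or commit and tell the reader to review the fetched files (and the `./permission.csv` from option 6) before applying them. Removing the built-in `mcpsuper`/`mcpadmin`/`mcpoperator`/`mcpviewer` logins with the shared password `mcpuserpassword` from the README is an improvement, but the text should say whether those accounts still exist after import and, if so, that their passwords must be changed; the same note belongs next to add_demo_user.sh, which "automatically activate[s] the registered user" from `add_demo_user.json` and should be marked as not for production. Formatting: the `initauto.sh` and `add_demo_user.sh` fences lack the `bash` tag the `init.sh` block has, `swagger docs` loses its `###` heading marker, and the "Get CB-Tumblebug namespace Data" section with `init-default-workspace-project.sh` is dropped without saying whether that script was removed or only undocumented.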