Keycloak group provider

Starburst Enterprise platform (SEP) can be configured to map users to groups using Keycloak. This integration allows platform administrators to assign built-in access control roles to groups within Keycloak.

Prerequisites

Before configuring the integration, ensure that your Keycloak server is properly set up and accessible, and that you have configured a client with the following specifications:

  • The client must use the Client credentials grant type.

  • The client must have the confidential access type.

  • The Service Account Roles option must be ON for the client.

  • The view-users role must be assigned to the client as a service account role.

Configuration

SEP needs to be configured to use Keycloak. Create an etc/group-provider.properties file on the coordinator with the following properties, replacing the example values with appropriate values for your setup:

group-provider.name=keycloak
keycloak.url=https://keycloak-server:443
keycloak.realm=company_realm
keycloak.client-id=client
keycloak.client-secret=client_secret_credential

The following properties are available:

| Property name | Description |
|---|---|
| keycloak.url | The URL to Keycloak. Required. |
| keycloak.realm | The Keycloak realm where your client exists. Required. |
| keycloak.client-id | Your Keycloak client ID. Required. |
| keycloak.client-secret | Client secret found in your Keycloak Credentials tab. Required. |
| keycloak.cache.enabled | Enables caching of user group lookups. Defaults to true. |
| keycloak.cache.ttl | Duration of caching user group lookups. Defaults to 5s. |
| keycloak.maxiumum.size | Maximum number of entries in the per-user group cache. This property does not have a size limit by default. You can adjust the value to decrease the limit as appropriate for your setup. |
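
The following Python preflight check is an added example, not Starburst or Keycloak code: it reads the properties described above, builds the client credentials token request, and confirms that the returned access token carries the view-users role from the prerequisites. It assumes the Keycloak 17+ URL layout (older servers add an /auth prefix) and that the role appears under resource_access for the realm-management client; rejecting a non-HTTPS URL is this example's own policy, and all function names are hypothetical.

```python
import base64, json, urllib.parse, urllib.request

REQUIRED = ("keycloak.url", "keycloak.realm",
            "keycloak.client-id", "keycloak.client-secret")

def load_properties(text):
    """Parse key=value lines; reject missing required keys or a non-TLS URL."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    missing = [k for k in REQUIRED if not props.get(k)]
    if missing:
        raise ValueError(f"missing required properties: {missing}")
    if not props["keycloak.url"].lower().startswith("https://"):
        raise ValueError("keycloak.url must be https: the client secret is sent to it")
    return props

def token_request(props):
    """Build (without sending) the client credentials token request.
    Assumption: Keycloak 17+ path layout; older servers add an /auth prefix."""
    realm = urllib.parse.quote(props["keycloak.realm"], safe="")
    url = f"{props['keycloak.url'].rstrip('/')}/realms/{realm}/protocol/openid-connect/token"
    form = {"grant_type": "client_credentials",
            "client_id": props["keycloak.client-id"],
            "client_secret": props["keycloak.client-secret"]}
    return urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")

def service_account_roles(access_token):
    """Read realm-management client roles from the JWT payload.
    The signature is not verified: this is a diagnostic, not an authorization check."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("resource_access", {}).get("realm-management", {}).get("roles", []))

def has_view_users(access_token):
    return "view-users" in service_account_roles(access_token)

if __name__ == "__main__":  # live check; needs the coordinator's file and network access
    with open("etc/group-provider.properties") as f:
        props = load_properties(f.read())
    with urllib.request.urlopen(token_request(props), timeout=10) as resp:
        token = json.load(resp)["access_token"]
    print("view-users present in token:", has_view_users(token))
```

Run it from the SEP installation directory on the coordinator. An HTTP error on the token request or a missing role means the prerequisites are not yet met.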