Not for production
A quick (less than 10 minutes) and easy process to protect data with TDF using the opentdf stack.
-
Install Docker
-
Install kubectl
- On macOS via Homebrew:
brew install kubectl - On Linux or WSL2 for Windows:
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" && chmod +x kubectl && sudo mv kubectl /usr/local/bin/kubectl - Others see https://kubernetes.io/docs/tasks/tools/
- On macOS via Homebrew:
-
Install kind
- On macOS via Homebrew:
brew install kind - On Linux or WSL2 for Windows:
curl -Lo kind https://kind.sigs.k8s.io/dl/v0.11.1/kind-linux-amd64 && chmod +x kind && sudo mv kind /usr/local/bin/kind - Others see https://kind.sigs.k8s.io/docs/user/quick-start/#installation
- On macOS via Homebrew:
-
Install helm
- On macOS via Homebrew:
brew install helm - On Linux or WSL2 for Windows:
curl -LO https://get.helm.sh/helm-v3.8.2-linux-amd64.tar.gz && tar -zxvf helm-v3.8.2-linux-amd64.tar.gz && chmod +x linux-amd64/helm && sudo mv linux-amd64/helm /usr/local/bin/helm - Others see https://helm.sh/docs/intro/install/
- On macOS via Homebrew:
-
Install Tilt
- On macOS via Homebrew:
brew install tilt-dev/tap/tilt - On Linux or WSL2 for Windows:
curl -fsSL https://github.com/tilt-dev/tilt/releases/download/v0.27.2/tilt.0.27.2.linux.x86_64.tar.gz | tar -xzv tilt && sudo mv tilt /usr/local/bin/tilt - Others see https://docs.tilt.dev/install.html
- On macOS via Homebrew:
git clone https://github.com/opentdf/documentation.git
cd documentation/quickstartFollow these instructions to log in to ghcr.io.
kind create cluster --name opentdf
To initialize a basic OpenTDF cluster with a Keycloak identity provider, PostgresQL data store, and a single entry point at localhost with an nginx ingress controller, we provide a Tiltfile:
tilt upAs an alternative, the start.sh script can be used to set up a similar cluster.
This bash shell script will use helm to install the required services;
for more options, read the script and review the actions it takes.
Notably, has options to assist with loading an 'offline bundle' generated with
the build-offline-bundle script,
and options to disable or skip configuration of various features and services.
./start.shHit (space) and wait for all resources to turn green.
Or go to http://localhost:10350/
Services should be up in 4-6 minutes.
-
Install Octant
- On macOS via Homebrew:
brew install octant - Others see https://docs.vmware.com/en/VMware-vSphere/7.0/vmware-vsphere-with-tanzu/GUID-1AEDB285-C965-473F-8C91-75724200D444.html
- On macOS via Homebrew:
-
Run the
octantcommand in any terminal window to open a more detailed services dashboard.
pip3 install --upgrade opentdfpython3 tests/oidc-auth.pySee success message
TDF Encrypt/Decrypt is successful!!
Nano TDF Encrypt/Decrypt is successful!!
See the TDF files under documentation/quickstart (the directory from which the oidc-auth.py was run)
Report errors to [email protected]
NOTE: Running kind delete will wipe your local cluster and any data associated with it. Delete at your own risk!
tilt down
kind delete cluster --name opentdf
pip3 uninstall opentdf
See the OpenTDF Client base repo for details about how to configure a Python or C++ application to use OpenTDF.
Manage attributes with rules used in ABAC
OpenAPI
The abacus web service provides a visual management interface for entitlements and attribute rules.
To access, we must first add a redirect uri in keycloak. Run tilt up, wait for services to start, navigate to https://localhost:65432/auth, and click on Administration Console.
Log in with the credentials generated by the values fed into the bootstrap script, currently the username is keycloakadmin and the password is mykeycloakpassword.
Then navigate to http://localhost:65432/auth/admin/master/console/#/realms/tdf/clients and click on tdf-entitlement.
You will see a field titled Valid Redirect URIs. Add http://localhost:65432/* as a valid redirect uri by adding it to the field as shown, clicking the + button, and scrolling to the bottom of the page and saving the changes.
Now, to view Abacus, navigate to http://localhost:65432.
Click Log In. Abacus will forward you to the login screen to acquire user credentials.
Log in using the credentials generated with the bootstrap script (supplied via Helm here), or with the default credentials, which are currently "user1" and the password is "testuser123".
If your credentials are accepted, keycloak will redirect you to the abacus home screen. If your credentials are not accepted, you can log in to keycloak separately with the client credentials and fix the user login information.
From here, you can get a list of attributes or clients.
Abacus provides a front-end that links a keycloak identity provider with a custom attribute-based access control system. To log in and use abacus itself, you must create and use User accounts in the tdf realm of the associated keycloak service.
To create an abacus login, open up keyloak, which will be available at port 65432.
Log in with the credentials generated by the values fed into the bootstrap script, currently ther username is keycloakadmin and the password is mykeycloakpassword.
The bootstrap script also binds this client to a custom, OpenTDF attribute mapper, which allows the entitlement service to link attributes to given subjects, either clients (NPE subjects that act as services or service providers) or users and services that act on behalf of a single account.
If you want to modify this sample to deploy to another domain, redirect and web origins need too be set under client > tdf-* > settings
Abacus users are keycloak users that have aud: tdf-entitlement. Unique for public access with standard flow, you need this or you will see an error saying ‘audience is not correct’.
In the users panel, to grant a user access to abacus to view and edit attributes, they must be associated with the realm role, default-tdf-role. To grant them access to list and view entities, required to assign attributes to a user, you must also grant them the realm-management roles view-events and view-users.
Manage assignment of attributes to entities
OpenAPI
Read the attributes that have been assigned to an entity
Access control of the key using ABAC
Swagger http://localhost:65432/api/kas/ui/ (update /kas/openapi.json)
See Solutions page on how to integrate opentdf.
If you need to restart, delete cluster and try again
kind delete cluster --name opentdf
kind create cluster --name opentdfAfter tilt up and hitting (space), and have trouble opening tilt UI with http://localhost:10350/ in Chrome
- Go to chrome://net-internals/#hsts
- Type
localhostin Delete domain security policies section and hit DELETE button
Error: writing tilt api configs: open /path/to/.tilt-dev/config.lock: file exists
rm -f /path/to/.tilt-dev/config.lockA stuck Status of "Runtime Pending" on a postgresql:statefulset.
Trigger a restart manually, once or twice.
python3 tests/oidc-auth.py
Unexpected error: <class 'RuntimeError'>
Traceback (most recent call last):
File "/Users/paul/Projects/opentdf-aux/documentation/quickstart/tests/oidc-auth.py", line 26, in <module>
client.encrypt_file("sample.txt", "sample.txt.tdf")
RuntimeError: Error code 1. [oidc_service.cpp:168] Get OIDC token failed status: 404{"error":"Realm does not exist"}
Wait. All services aren't up, namely keycloak.
Port conflicts
check that ports used in Tiltfile are not used on the host
attribute-provider: Name or service not known
hard-coded value in keycloak-bootstrap?
Database connection issue
pg_isready --dbname=tdf_database --host=opentdf-postgresql --port=5432 --username=postgres