Please follow the next blog post on this topic instead. This post is outdated.
This post discusses how to install Kheops and Keycloak on CentOS 8.
First, install docker and docker-compose.
You may also need to add your user to the docker group:
$ sudo usermod -aG docker $USER
Then log out and log in again (or restart, in case of a VM).
Install Keycloak with Docker, together with a user account
$ docker run -e KEYCLOAK_USER=
Now go to http://localhost:8081
Log in with the user name and password you specified before.
Now configure the login client (loginConnect) for Kheops.
1. Keycloak KHEOPS Login Client
Click the "Clients" tab, and choose the "Create" option.
Client ID = loginConnect
Click "Save", which will then open more configuration options for the "loginConnect" client that you just created.
Turn on the option "Implicit Flow Enabled"
Turn off the "Direct Access Grants Enabled"
Valid Redirect URIs: http://localhost:8081/*
Web origin: http://localhost:8081
Click "Save" again.
2. Client Scope (kheops)
Click the "Client Scopes" tab, and choose the "Create" option.
Name: kheops
Turn off the "Display On Consent Screen"
Click "Save"
Click "Clients" again and go to "loginConnect".
Go to the "Client Scopes" tab.
Choose "kheops" from the Available Client Scopes and choose the "Add selected" option. Remove all the other options from the Assigned Default Client Scopes as well as the Assigned Optional Client Scopes.
Add the email and full name token mappers to the kheops Client Scope by clicking on the Add Builtin button.
3. Service Account
Create another client "kheopsAuthorization".
Save, and then disable "Standard Flow Enabled" and "Direct Access Grants Enabled".
Change "Access Type" to "Confidential" and save.
Change "Service Accounts Enabled" to "On" and save.
The Service Account’s credentials (secret) can be found under the Credentials tab.
Go to the scope mappings of "kheopsAuthorization". Under "Scope", disable the "Full Scope Allowed" option. Choose "master-realm" as the "Client Roles", and add the "view-users" option.
Now, repeat the above step for "Service Account".
The Service Account’s credentials (secret) can be found under the Credentials tab. Copy it to replace the default secret provided in kheopsDocker/kheops/secrets/kheops_keycloak_clientsecret.
4. Logging Impersonations
Under the "loginConnect" client's Mappers tab, click "Add Builtin", and add the "Impersonator User ID" mapper.
Change the "Token Claim Name" to "act.sub". Then disable the "Add to ID token" option.
Finally, click "Save". This is supposed to conclude the configurations unless I missed something.
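One way to check the result of steps 1 to 3 without clicking back through the console is to compare the "clients" list of a realm export with the settings above. This is an added example, not part of the original post or of the Kheops project. The field names are the JSON keys of Keycloak's ClientRepresentation; the sample export is constructed, and audit and expected_settings are hypothetical helper names.

```python
import json

# Constructed sample shaped like the "clients" list of a Keycloak realm export
# (ClientRepresentation keys), filled in with the values from steps 1 to 3.
SAMPLE_EXPORT = json.loads("""
{"clients": [
  {"clientId": "loginConnect", "implicitFlowEnabled": true,
   "directAccessGrantsEnabled": false,
   "redirectUris": ["http://localhost:8081/*"], "webOrigins": ["http://localhost:8081"],
   "defaultClientScopes": ["kheops"], "optionalClientScopes": []},
  {"clientId": "kheopsAuthorization", "publicClient": false,
   "standardFlowEnabled": false, "directAccessGrantsEnabled": false,
   "serviceAccountsEnabled": true, "fullScopeAllowed": false}
]}
""")

def expected_settings(base_url="http://localhost:8081"):
    """Settings the walkthrough asks for; base_url is the origin used in step 1."""
    return {
        "loginConnect": {
            "implicitFlowEnabled": True,
            "directAccessGrantsEnabled": False,
            "redirectUris": [base_url + "/*"],
            "webOrigins": [base_url],
            "defaultClientScopes": ["kheops"],  # step 2: only kheops stays assigned
            "optionalClientScopes": [],
        },
        "kheopsAuthorization": {
            "publicClient": False,              # Access Type "Confidential"
            "standardFlowEnabled": False,
            "directAccessGrantsEnabled": False,
            "serviceAccountsEnabled": True,
            "fullScopeAllowed": False,
        },
    }

def audit(export, base_url="http://localhost:8081"):
    """Return (clientId, field, actual, expected) for every setting that differs."""
    clients = {c["clientId"]: c for c in export.get("clients", [])}
    findings = []
    for cid, want in expected_settings(base_url).items():
        have = clients.get(cid)
        if have is None:  # client was never created or has a different ID
            findings.append((cid, "clientId", None, cid))
            continue
        findings += [(cid, f, have.get(f), v) for f, v in want.items() if have.get(f) != v]
    return findings
if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT) or "clients match the walkthrough")
```

When Keycloak is served from a host other than localhost, pass that origin as base_url so that stale localhost redirect URIs and web origins show up as mismatches.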
Run OHIF Viewer with Docker
$ docker run -p 3000:80 -p 3443:443 ohif/viewer:latest
Confirm that OHIF Viewer is running fine, by going to localhost:3000 in your browser.
Run Kheops with Docker
$ git clone git@github.com:OsiriX-Foundation/kheopsDocker.git
$ cd kheopsDocker/kheops
Change the property values of docker-compose.env as shown below.
KHEOPS_KEYCLOAK_CLIENTID=kheopsAuthorization
KHEOPS_KEYCLOAK_URI=https://localhost:9443
KHEOPS_KEYCLOAK_REALMS=demo
KHEOPS_VIEWER_URL=http://localhost:3000
Save and exit.
Start the Kheops containers.
$ cd ..
$ sh script_run_docker.sh
Now go to http://localhost:8042 from your favorite browser to access Kheops.
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c340d0e1f214 osirixfoundation/kheops-reverse-proxy:ci-test "./etc/nginx/conf.d/…" About an hour ago Up About an hour 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:8042->8042/tcp, 0.0.0.0:8048->8048/tcp kheopsreverseproxy
0f9a44db1bfb osirixfoundation/kheops-dicomweb-proxy:master "./replaceSecretsAnd…" About an hour ago Up About an hour 0.0.0.0:8049->8080/tcp kheopsdicomwebproxy
0416a8badd18 osirixfoundation/kheops-ui:master "./docker-entrypoint…" About an hour ago Up About an hour 80/tcp, 3000/tcp kheopsui
38a3b77ca2a2 osirixfoundation/kheops-authorization:dev "./replaceSecretsAnd…" About an hour ago Up About an hour 8080/tcp kheopsauthorization
2e2f7e7282bd osirixfoundation/kheops-zipper:master "./replaceSecretsAnd…" About an hour ago Up About an hour 8080/tcp kheopszipper
3908f545ff49 osirixfoundation/pacs-authorization-proxy:master "/bin/sh -c '. $NGIN…" About an hour ago Up About an hour 0.0.0.0:82->80/tcp pacsauthorizationproxy
88cf4203c434 osirixfoundation/kheops-dcm4chee-arc-psql:latest "/script_entrypoint.…" About an hour ago Up About an hour 0.0.0.0:2575->2575/tcp, 0.0.0.0:8080->8080/tcp, 0.0.0.0:8443->8443/tcp, 0.0.0.0:8787->8787/tcp, 0.0.0.0:9990->9990/tcp, 0.0.0.0:11112->11112/tcp pacsarc
b4147f1c4244 osirixfoundation/kheops-database:demo "verify-secret-env-v…" About an hour ago Up About an hour 5432/tcp db
7edb16bc1868 dcm4che/slapd-dcm4chee:2.4.44-15.0 "/docker-entrypoint.…" About an hour ago Up About an hour 389/tcp pacsldap
d5290c892e16 jboss/keycloak "/opt/jboss/tools/do…" About an hour ago Up About an hour 0.0.0.0:9443 -> 8443/tcp, 0.0.0.0:8081->8080/tcp jovial_varahamihira
279bf6a09ce0 ohif/viewer:latest "/usr/src/entrypoint…" About an hour ago Up About an hour 0.0.0.0:3000->80/tcp, 0.0.0.0:3443->443/tcp dreamy_hawking
Hi, thanks for putting together these instructions.
I'm trying to reproduce these steps to set up a Kheops instance on a DigitalOcean VM.
The system builds ok and I reproduced exactly your keycloak and environment variable configuration (besides the typo of the "demo" realm in docker-compose.env, when no demo realm has been defined).
The problem that I have is that my custom endpoint for KHEOPS_KEYCLOAK_URI that I defined in docker-compose.env is not copied to the KheopsUI container.
For some reason when I access the Kheops dashboard at port 8042, it tries to load the auth information from "localhost:9443" instead of my custom endpoint.
Do you have any clues about what I may be doing wrong?
Thanks
Can you follow https://kkpradeeban.blogspot.com/2020/01/this-post-discusses-how-to-instal.html instead please?
Having this configured in 2 VMs is relatively easier.
I will update my post with the pointer to the other post shortly.
Let me know how it goes.