264 changes: 264 additions & 0 deletions compose_files/keycloak/realm.json
Expand Up @@ -713,6 +713,20 @@
"authenticationFlowBindingOverrides": {},
"fullScopeAllowed": true,
"nodeReRegistrationTimeout": -1,
"protocolMappers": [
{
"id": "5edb86b8-82c7-4d9b-9f58-7a8febf50a3d",
"name": "cwms audience",
"protocol": "openid-connect",
"protocolMapper": "oidc-audience-mapper",
"consentRequired": false,
"config": {
"included.client.audience": "cwms",
"id.token.claim": "false",
"access.token.claim": "true"
}
}
],
"defaultClientScopes": [
"web-origins",
"acr",
Expand All @@ -728,6 +742,210 @@
"microprofile-jwt"
]
},
{
"id": "76dbdfad-5201-4a9d-bac4-ee9b89a794f1",
"clientId": "cwms-batch-runner-swt",
"name": "CWMS Batch Runner SWT",
"description": "Local test service account for SWT batch jobs",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": true,
"clientAuthenticatorType": "client-secret",
"secret": "local-cwms-batch-runner-swt-secret",
"redirectUris": [],
"webOrigins": [],
"notBefore": 0,
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": false,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": false,
"serviceAccountsEnabled": true,
"publicClient": false,
"frontchannelLogout": false,
"protocol": "openid-connect",
"attributes": {
"client_credentials.use_refresh_token": "false"
},
"authenticationFlowBindingOverrides": {},
"fullScopeAllowed": true,
"nodeReRegistrationTimeout": -1,
"protocolMappers": [
{
"id": "74f0d829-2921-4df2-93d4-468d6cd77d38",
"name": "machine_auth",
"protocol": "openid-connect",
"protocolMapper": "oidc-hardcoded-claim-mapper",
"consentRequired": false,
"config": {
"access.token.claim": "true",
"claim.name": "machine_auth",
"claim.value": "true",
"id.token.claim": "false",
"jsonType.label": "boolean",
"userinfo.token.claim": "false"
}
},
{
"id": "422385db-9fd4-4c8c-b1c7-8d12ce41418c",
"name": "run_as_office",
"protocol": "openid-connect",
"protocolMapper": "oidc-hardcoded-claim-mapper",
"consentRequired": false,
"config": {
"access.token.claim": "true",
"claim.name": "run_as_office",
"claim.value": "SWT",
"id.token.claim": "false",
"jsonType.label": "String",
"userinfo.token.claim": "false"
}
}
],
"defaultClientScopes": [
"web-origins",
"acr",
"roles",
"profile",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"microprofile-jwt"
]
},
{
"id": "9620b229-ea0e-48f9-9f2f-cb601f2d6ee1",
"clientId": "cwms-batch-airflow-swt",
"name": "CWMS Batch Airflow SWT",
"description": "Local test service account for SWT scheduled batch job triggers",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": true,
"clientAuthenticatorType": "client-secret",
"secret": "local-cwms-batch-airflow-swt-secret",
"redirectUris": [],
"webOrigins": [],
"notBefore": 0,
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": false,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": false,
"serviceAccountsEnabled": true,
"publicClient": false,
"frontchannelLogout": false,
"protocol": "openid-connect",
"attributes": {
"client_credentials.use_refresh_token": "false"
},
"authenticationFlowBindingOverrides": {},
"fullScopeAllowed": true,
"nodeReRegistrationTimeout": -1,
"protocolMappers": [
{
"id": "e8865c36-fb89-45cb-8b81-a20562c5a154",
"name": "cwms audience",
"protocol": "openid-connect",
"protocolMapper": "oidc-audience-mapper",
"consentRequired": false,
"config": {
"included.client.audience": "cwms",
"id.token.claim": "false",
"access.token.claim": "true"
}
}
],
"defaultClientScopes": [
"web-origins",
"acr",
"roles",
"profile",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"microprofile-jwt"
]
},
{
"id": "7bed3c57-6b95-45a7-b94f-1d85103776e2",
"clientId": "cwms-batch-runner-spk",
"name": "CWMS Batch Runner SPK",
"description": "Local test service account for SPK batch jobs",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": true,
"clientAuthenticatorType": "client-secret",
"secret": "local-cwms-batch-runner-spk-secret",
"redirectUris": [],
"webOrigins": [],
"notBefore": 0,
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": false,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": false,
"serviceAccountsEnabled": true,
"publicClient": false,
"frontchannelLogout": false,
"protocol": "openid-connect",
"attributes": {
"client_credentials.use_refresh_token": "false"
},
"authenticationFlowBindingOverrides": {},
"fullScopeAllowed": true,
"nodeReRegistrationTimeout": -1,
"protocolMappers": [
{
"id": "019637fa-9fe7-4ee1-b372-5d20cb8b4a05",
"name": "machine_auth",
"protocol": "openid-connect",
"protocolMapper": "oidc-hardcoded-claim-mapper",
"consentRequired": false,
"config": {
"access.token.claim": "true",
"claim.name": "machine_auth",
"claim.value": "true",
"id.token.claim": "false",
"jsonType.label": "boolean",
"userinfo.token.claim": "false"
}
},
{
"id": "f6fde48e-c253-472d-8ed1-6267b4db1227",
"name": "run_as_office",
"protocol": "openid-connect",
"protocolMapper": "oidc-hardcoded-claim-mapper",
"consentRequired": false,
"config": {
"access.token.claim": "true",
"claim.name": "run_as_office",
"claim.value": "SPK",
"id.token.claim": "false",
"jsonType.label": "String",
"userinfo.token.claim": "false"
}
}
],
"defaultClientScopes": [
"web-origins",
"acr",
"roles",
"profile",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"microprofile-jwt"
]
},
{
"id": "f09103f0-5563-4dc0-bc70-2ff0309edae7",
"clientId": "realm-management",
Expand Down Expand Up @@ -2321,6 +2539,52 @@
"cwms_user",
"new_user"
]
},
{
"id": "6049479d-e783-4c7f-9024-57a7d29649f7",
"username": "m5batcheventadmin",
"enabled": true,
"email": "noreply-batch-admin@data.test",
"emailVerified": true,
"credentials": [
{
"type": "password",
"value": "m5batcheventadmin"
}
],
"realmRoles": [
"cwms_user"
]
},
{
"id": "a4e88497-0ffc-41d5-b0fd-cc91760e366b",
"username": "service-account-cwms-batch-runner-swt",
"enabled": true,
"emailVerified": false,
"serviceAccountClientId": "cwms-batch-runner-swt",
"realmRoles": [
"cwms_user"
]
},
{
"id": "b70c2e60-ce11-42c7-8271-10bb2b3fd4bd",
"username": "service-account-cwms-batch-airflow-swt",
"enabled": true,
"emailVerified": false,
"serviceAccountClientId": "cwms-batch-airflow-swt",
"realmRoles": [
"cwms_user"
]
},
{
"id": "d2d6f91b-a5dd-40c3-8ee6-49a52da9892e",
"username": "service-account-cwms-batch-runner-spk",
"enabled": true,
"emailVerified": false,
"serviceAccountClientId": "cwms-batch-runner-spk",
"realmRoles": [
"cwms_user"
]
}
]
}
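Review bot: The two runner clients (`cwms-batch-runner-swt`, `cwms-batch-runner-spk`) get the hard-coded `machine_auth` and `run_as_office` claims but not the `cwms audience` mapper that `cwms-batch-airflow-swt` and the client in the first hunk receive, so their access tokens presumably carry no `aud` entry for `cwms`. If the API enforces audience, those tokens would be rejected; if it does not, nothing binds `run_as_office` to the intended resource server. Either copy the `oidc-audience-mapper` entry (`"included.client.audience": "cwms"`) into both runner clients or record why it is left out. All three new clients also keep `"fullScopeAllowed": true` plus the browser-oriented default scopes `web-origins`, `profile` and `email`, which a client-credentials-only service account should not need; `"fullScopeAllowed": false` with explicit scope mappings is the narrower setting. The literal `secret` values and the `m5batcheventadmin` password equal to the username are only acceptable while this realm import stays confined to the local compose stack.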
67 changes: 67 additions & 0 deletions compose_files/sql/users.sql
Expand Up @@ -50,6 +50,73 @@ begin
cwms_sec.add_user_to_group('m5testadmin','CWMS User Admins', 'LRL');
cwms_sec.add_user_to_group('m5testadmin','SHOW STACK TRACE', 'LRL');

begin
insert into at_sec_cwms_users(userid, createdby, principle_name)
values(
'M5BATCHEVENTADMIN',
'CWMS_20',
'http://localhost:8081/auth/realms/cwms::6049479d-e783-4c7f-9024-57a7d29649f7'
);
exception
when dup_val_on_index then
update at_sec_cwms_users
set principle_name = 'http://localhost:8081/auth/realms/cwms::6049479d-e783-4c7f-9024-57a7d29649f7'
where userid = 'M5BATCHEVENTADMIN';
end;
cwms_sec.add_user_to_group('M5BATCHEVENTADMIN', 'All Users', 'SWT');
cwms_sec.add_user_to_group('M5BATCHEVENTADMIN', 'CWMS Users', 'SWT');
cwms_sec.add_user_to_group('M5BATCHEVENTADMIN', 'Data Acquisition Mgr', 'SWT');

begin
insert into at_sec_cwms_users(userid, createdby, principle_name)
values(
'SERVICE-ACCOUNT-CWMS-BATCH-RUNNER-SWT',
'CWMS_20',
'http://localhost:8081/auth/realms/cwms::a4e88497-0ffc-41d5-b0fd-cc91760e366b'
);
exception
when dup_val_on_index then
update at_sec_cwms_users
set principle_name = 'http://localhost:8081/auth/realms/cwms::a4e88497-0ffc-41d5-b0fd-cc91760e366b'
where userid = 'SERVICE-ACCOUNT-CWMS-BATCH-RUNNER-SWT';
end;
cwms_sec.add_user_to_group('SERVICE-ACCOUNT-CWMS-BATCH-RUNNER-SWT', 'All Users', 'SWT');
cwms_sec.add_user_to_group('SERVICE-ACCOUNT-CWMS-BATCH-RUNNER-SWT', 'CWMS Users', 'SWT');
cwms_sec.add_user_to_group('SERVICE-ACCOUNT-CWMS-BATCH-RUNNER-SWT', 'TS ID Creator', 'SWT');

begin
insert into at_sec_cwms_users(userid, createdby, principle_name)
values(
'SERVICE-ACCOUNT-CWMS-BATCH-AIRFLOW-SWT',
'CWMS_20',
'http://localhost:8081/auth/realms/cwms::b70c2e60-ce11-42c7-8271-10bb2b3fd4bd'
);
exception
when dup_val_on_index then
update at_sec_cwms_users
set principle_name = 'http://localhost:8081/auth/realms/cwms::b70c2e60-ce11-42c7-8271-10bb2b3fd4bd'
where userid = 'SERVICE-ACCOUNT-CWMS-BATCH-AIRFLOW-SWT';
end;
cwms_sec.add_user_to_group('SERVICE-ACCOUNT-CWMS-BATCH-AIRFLOW-SWT', 'All Users', 'SWT');
cwms_sec.add_user_to_group('SERVICE-ACCOUNT-CWMS-BATCH-AIRFLOW-SWT', 'CWMS Users', 'SWT');

begin
insert into at_sec_cwms_users(userid, createdby, principle_name)
values(
'SERVICE-ACCOUNT-CWMS-BATCH-RUNNER-SPK',
'CWMS_20',
'http://localhost:8081/auth/realms/cwms::d2d6f91b-a5dd-40c3-8ee6-49a52da9892e'
);
exception
when dup_val_on_index then
update at_sec_cwms_users
set principle_name = 'http://localhost:8081/auth/realms/cwms::d2d6f91b-a5dd-40c3-8ee6-49a52da9892e'
where userid = 'SERVICE-ACCOUNT-CWMS-BATCH-RUNNER-SPK';
end;
cwms_sec.add_user_to_group('SERVICE-ACCOUNT-CWMS-BATCH-RUNNER-SPK', 'All Users', 'SPK');
cwms_sec.add_user_to_group('SERVICE-ACCOUNT-CWMS-BATCH-RUNNER-SPK', 'CWMS Users', 'SPK');
cwms_sec.add_user_to_group('SERVICE-ACCOUNT-CWMS-BATCH-RUNNER-SPK', 'TS ID Creator', 'SPK');

end;
/
quit;
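Review bot: Each of the four added blocks spells out the same `http://localhost:8081/auth/realms/cwms::<uuid>` literal twice, once in the insert and once in the `dup_val_on_index` update, and every UUID also has to match the user `id` in `compose_files/keycloak/realm.json`. Because `principle_name` appears to be what ties a token subject to the database user, a typo in one copy, or an issuer URL that differs from the token's `iss`, would presumably leave the account unmapped with no error at seed time. One local procedure that builds the principal once and does the insert-or-update removes the duplication; it has to go in the declaration section of the enclosing anonymous block, which starts outside this hunk. The handler also assumes `dup_val_on_index` was raised on `userid`; if `principle_name` has its own unique index the update would not resolve that conflict, so this is worth confirming.

```sql
-- in the declaration section of the enclosing block (outside this hunk)
procedure upsert_keycloak_user(p_userid in varchar2, p_subject in varchar2) is
    l_principal at_sec_cwms_users.principle_name%type :=
        'http://localhost:8081/auth/realms/cwms::' || p_subject;
begin
    insert into at_sec_cwms_users(userid, createdby, principle_name)
    values (p_userid, 'CWMS_20', l_principal);
exception
    when dup_val_on_index then
        update at_sec_cwms_users
        set principle_name = l_principal
        where userid = p_userid;
end upsert_keycloak_user;

-- … unchanged: existing m5testadmin group grants …
upsert_keycloak_user('M5BATCHEVENTADMIN', '6049479d-e783-4c7f-9024-57a7d29649f7');
-- … unchanged: add_user_to_group calls for M5BATCHEVENTADMIN; same pattern for the three service accounts …
```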