Integration with Keycloak

SACHIDANAND ALLE edited this page Mar 22, 2023 · 4 revisions

Overview

This page explains how to integrate MONAI Label with Keycloak for User Authentication and Role Based Access.

Installing Keycloak

  1. Before you start
  2. Download Keycloak
  3. Start Keycloak
  4. Create an admin user
  5. Log in to the Admin Console
  6. Create a realm with Realm name monailabel
  7. Create a user
    • Create user with Username monai
    • Create user with Username user
  8. Log in to the Account Console
  9. Create Client with Client ID as monailabel-app

Add Groups/Roles

Creating Roles

Create the following roles:

  1. monailabel-admin - all admins are assigned this role.
  2. monailabel-reviewer - all reviewers are assigned this role.
  3. monailabel-annotator - all annotators are assigned this role.
  4. monailabel-user - all (normal) users are assigned this role.

The role names can be customized via MONAI Label configs.

Create groups

You can either create groups or assign roles to users directly. However, creating groups is recommended for easier management. Create the following groups:

  1. MONAILabel Admins - all admins will be assigned to this group.
  2. MONAILabel Reviewers - all reviewers will be assigned to this group.
  3. MONAILabel Annotators - all annotators will be assigned to this group.
  4. MONAILabel Users - all (normal) users will be assigned to this group.

Assign roles

Assign corresponding roles to each of the groups.

Group Role Mapping
MONAILabel Admins
  • monailabel-admin
  • monailabel-reviewer
  • monailabel-annotator
  • monailabel-user
MONAILabel Reviewers
  • monailabel-reviewer
  • monailabel-annotator
  • monailabel-user
MONAILabel Annotators
  • monailabel-annotator
  • monailabel-user
MONAILabel Users
  • monailabel-user

Enable Auth in MONAI Label

Auth is supported only from version 0.7.0rc2 onward.

Run pip install "monailabel>=0.7.0rc2" -U to update/install the latest monailabel (quote the requirement so the shell does not treat >= as an output redirection).

The following are the Auth-related configs in MONAI Label:

| Name | Type | Default | Description |
|---|---|---|---|
| MONAI_LABEL_AUTH_ENABLE | bool | False | Enable or Disable Auth |
| MONAI_LABEL_AUTH_REALM_URI | str | http://localhost:8080/realms/monailabel | Realm URI for Auth Server |
| MONAI_LABEL_AUTH_TIMEOUT | int | 10 | Connect Timeout (in seconds) to Auth Server |
| MONAI_LABEL_AUTH_CLIENT_ID | str | monailabel-app | Client ID for Auth Server |
| MONAI_LABEL_AUTH_ROLE_ADMIN | str | monailabel-admin | Admin role name |
| MONAI_LABEL_AUTH_ROLE_REVIEWER | str | monailabel-reviewer | Reviewer role name |
| MONAI_LABEL_AUTH_ROLE_ANNOTATOR | str | monailabel-annotator | Annotator role name |
| MONAI_LABEL_AUTH_ROLE_USER | str | monailabel-user | User role name |
| MONAI_LABEL_AUTH_TOKEN_USERNAME | str | preferred_username | Key name to fetch user name field from JWT token |
| MONAI_LABEL_AUTH_TOKEN_EMAIL | str | email | Key to fetch email field from JWT token |
| MONAI_LABEL_AUTH_TOKEN_NAME | str | name | Key to fetch name from JWT token |
| MONAI_LABEL_AUTH_TOKEN_ROLES | str | realm_access#roles | Key to fetch roles assigned for the user from JWT token |

For Windows:

set MONAI_LABEL_AUTH_ENABLE=True
monailabel start_server -a sample-apps\radiology -s C:\Dataset\Radiology -c models segmentation_spleen

For Ubuntu:

export MONAI_LABEL_AUTH_ENABLE=True
monailabel start_server -a sample-apps/radiology -s ~/Dataset/Radiology -c models segmentation_spleen

If you are using a different ClientID, RealmURI, etc., make sure to set the corresponding configs before starting the server.
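The MONAI_LABEL_AUTH_TOKEN_* settings in the table above name the JWT claims the server reads, so a token that lacks them yields a user with no roles. The following is an added example, not MONAI Label's own code, that inspects an access token and reports which configured claims are present. It assumes that `#` in `realm_access#roles` separates nested keys; the function names and sample tokens are constructed for illustration.

```python
import base64
import json
import os

# Defaults copied from the config table on this page; environment variables override them.
DEFAULTS = {
    "MONAI_LABEL_AUTH_TOKEN_USERNAME": "preferred_username",
    "MONAI_LABEL_AUTH_TOKEN_EMAIL": "email",
    "MONAI_LABEL_AUTH_TOKEN_NAME": "name",
    "MONAI_LABEL_AUTH_TOKEN_ROLES": "realm_access#roles",
}

def jwt_claims(token):
    """Decode a JWT payload for inspection only; this does NOT verify the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def lookup(claims, path):
    """Resolve a '#'-separated path (assumed nesting separator); None if absent."""
    node = claims
    for key in path.split("#"):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def audit_token(token, env=os.environ):
    """Map each AUTH_TOKEN_* setting to the value found in the token, or None."""
    claims = jwt_claims(token)
    return {name: lookup(claims, env.get(name, default)) for name, default in DEFAULTS.items()}

def constructed_token(claims):
    """Build a sample token from constructed data (not issued or signed by Keycloak)."""
    parts = [{"alg": "RS256", "typ": "JWT"}, claims]
    b64 = [base64.urlsafe_b64encode(json.dumps(p).encode()).rstrip(b"=").decode() for p in parts]
    return ".".join(b64 + ["constructed-signature"])

SAMPLE = constructed_token({
    "preferred_username": "user",
    "email": "user@example.com",
    "name": "Normal User",
    "realm_access": {"roles": ["monailabel-user"]},
})
NO_ROLES = constructed_token({"preferred_username": "user"})  # realm roles not mapped into token

if __name__ == "__main__":
    for name, value in audit_token(SAMPLE).items():
        print(f"{name}: {value if value is not None else 'MISSING'}")
```

Any setting reported as MISSING points to a claim that the Keycloak client is not placing in the token, or to a key name that differs from the configured one.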

API Access control

Visit http://127.0.0.1:8000/ in a web browser to see which roles have access to the MONAI Label REST APIs.

Using 3D Slicer

Use the latest version of 3D Slicer (https://download.slicer.org/). The Preview version is preferred.

If you have already installed the MONAI Label plugin, you have to uninstall the existing one. Please configure/install the MONAI Label plugin in developer mode.

As normal user

Open 3D Slicer and switch to the MONAI Label plugin. When you refresh the MONAI Label server and Auth is enabled, it will automatically prompt for login. Enter the user name and password. In this case, you can try the normal user.

As a normal user you can fetch a new image and run inference. However, when you try to save annotations or run training as a normal user, the server will throw an error saying the operation is not permitted. In that case you can reload the MONAILabel plugin (or restart 3D Slicer) to log in as a different user.
