doc: add Chinese translation of authz-keycloak plugin (#1729)

doc/README.md

@@ -65,6 +65,7 @@ Plugins
 * [kafka-logger](plugins/kafka-logger.md): Log requests to External Kafka servers.
 * [cors](plugins/cors.md): Enable CORS(Cross-origin resource sharing) for your API.
 * [batch-requests](plugins/batch-requests.md): Allow you send mutiple http api via **http pipeline**.
+* [authz-keycloak](plugins/authz-keycloak.md): Authorization with Keycloak Identity Server
 
 Deploy to the Cloud
 =======

doc/README_CN.md

@@ -66,3 +66,4 @@ Reference document
 * [kafka-logger](plugins/kafka-logger-cn.md): 将请求记录到外部Kafka服务器。
 * [cors](plugins/cors-cn.md): 为你的API启用CORS.
 * [batch-requests](plugins/batch-requests-cn.md): 以 **http pipeline** 的方式在网关一次性发起多个 `http` 请求。
+* [authz-keycloak](plugins/authz-keycloak-cn.md): 支持 Keycloak 身份认证服务器

doc/plugins/authz-keycloak-cn.md

@@ -0,0 +1,124 @@
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+[English](authz-keycloak.md)
+
+# 目录
+- [**名字**](#名字)
+- [**属性**](#属性)
+- [**如何启用**](#如何启用)
+- [**测试插件**](#测试插件)
+- [**禁用插件**](#禁用插件)
+- [**示例**](#示例)
+
+## 名字
+
+`authz-keycloak` 是和 Keycloak Identity Server 配合使用的鉴权插件。Keycloak 是一种兼容 OAuth/OIDC 和 UMA 协议的身份认证服务器。尽管本插件是和 Keycloak 服务器配合开发的，但也应该能够适配任意兼容 OAuth/OIDC 和 UMA 协议的身份认证服务器。
+
+有关 Keycloak 的更多信息，可参考 [Keycloak Authorization Docs](https://www.keycloak.org/docs/latest/authorization_services) 查看更多信息。
+
+## 属性
+
+|名称           |选项    |描述|
+|---------      |--------       |-----------|
+| token_endpoint|必填       |接受 OAuth2 兼容 token 的接口，需要支持 `urn:ietf:params:oauth:grant-type:uma-ticket` 授权类型|
+| grant_type    |选填       |默认值为 `urn:ietf:params:oauth:grant-type:uma-ticket`|
+| audience      |选填       |客户端应用访问相应的资源服务器时所需提供的身份信息。当 permissions 参数有值时这个参数是必填的。|
+| permissions   |选填       |描述客户端应用所需访问的资源和权限范围的字符串。格式必须为：`RESOURCE_ID#SCOPE_ID`|
+| timeout       |选填       |与身份认证服务器的 http 连接的超时时间。默认值为 3 秒。|
+| policy_enforcement_mode|必填     |只能是 ENFORCING 或 PERMISSIVE。|
+
+### 策略执行模式
+
+定义了在处理身份认证请求时如何应用策略
+
+**Enforcing**
+
+- （默认）如果资源没有绑定任何访问策略，请求默认会被拒绝。
+
+**Permissive**
+
+- 如果资源没有绑定任何访问策略，请求会被允许。
+
+## 如何启用
+
+创建一个 `route` 对象，并在该 `route` 对象上启用 `authz-keycloak` 插件：
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/routes/5 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "uri": "/get",
+    "plugins": {
+        "authz-keycloak": {
+        	"token_endpoint": "http://127.0.0.1:8090/auth/realms/{client_id}/protocol/openid-connect/token",
+        	"permissions": ["resource name#scope name"],
+            "audience": "Client ID"
+        }
+    },
+    "upstream": {
+    	"type": "roundrobin",
+    	"nodes": {
+        	"127.0.0.1:8080": 1
+    	}
+    }
+}
+```
+
+## 测试插件
+
+```shell
+curl http://127.0.0.1:9080/get -H 'Authorization: Bearer {JWT Token}'
+```
+
+## 禁用插件
+
+在插件设置页面中删除相应的 json 配置即可禁用 `authz-keycloak` 插件。APISIX 的插件是热加载的，因此无需重启 APISIX 服务。
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/routes/5 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "uri": "/get",
+    "plugins": {
+    },
+    "upstream": {
+    	"type": "roundrobin",
+    	"nodes": {
+        	"127.0.0.1:8080": 1
+    	}
+    }
+}
+```
+
+## 示例
+
+请查看 authz-keycloak.t 中的单元测试来了解如何将身份认证策略与您的 API 工作流集成。运行以下 docker 镜像并访问 `http://localhost:8090` 来查看单元测试中绑定的访问策略：
+
+```bash
+docker run -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=123456 -p 8090:8080 sshniro/keycloak-apisix
+```
+
+下面这张截图显示了如何在 Keycloak 服务器上配置访问策略：
+
+![Keycloak policy design](../images/plugin/authz-keycloak.png)
+
+## 后续开发
+
+- 目前 `authz-plugin` 仅支持通过定义资源名和访问权限范畴来应用 `route` 的访问策略。但是 Keycloak 官方适配的其他语言的客户端 (Java, JS) 还可以通过动态查询 Keycloak 路径以及懒加载身份资源的路径来支持路径匹配。未来版本的 `authz-plugin` 将会支持这项功能。
+
+- 支持从 Keycloak JSON 文件中读取权限范畴和其他配置项。

doc/plugins/authz-keycloak.md

@@ -17,7 +17,7 @@
 #
 -->
 
-[Chinese](authz-keycloak-cn.md)
+[中文](authz-keycloak-cn.md)
 
 # Summary
 - [**Name**](#name)
@@ -34,16 +34,16 @@
 UMA compliant Ideneity Server. Although, its developed to working in conjunction with Keycloak it should work with any
 OAuth/OIDC and UMA compliant identity providers as well.
 
-For more information on JWT, refer to [Keycloak Authorization Docs](https://www.keycloak.org/docs/latest/authorization_services) for more information.
+For more information on Keycloak, refer to [Keycloak Authorization Docs](https://www.keycloak.org/docs/latest/authorization_services) for more information.
 
 ## Attributes
 
 |Name           |Requirement    |Description|
 |---------      |--------       |-----------|
-| token_endpoint|required       |A OAuth2-compliant Token Endpoint that supports the urn:ietf:params:oauth:grant-type:uma-ticket grant type.|
+| token_endpoint|required       |A OAuth2-compliant Token Endpoint that supports the `urn:ietf:params:oauth:grant-type:uma-ticket` grant type.|
 | grant_type    |optional       |Default value is `urn:ietf:params:oauth:grant-type:uma-ticket`.|
 | audience      |optional       |The client identifier of the resource server to which the client is seeking access. This parameter is mandatory in case the permission parameter is defined.|
-| permissions   |optional       |This parameter is optional. A string representing a set of one or more resources and scopes the client is seeking access.  The format of the string must be: RESOURCE_ID#SCOPE_ID.|
+| permissions   |optional       |This parameter is optional. A string representing a set of one or more resources and scopes the client is seeking access.  The format of the string must be: `RESOURCE_ID#SCOPE_ID`.|
 | timeout       |optional       |Timeout for the http connection with the Identity Server. Default is 3 seconds|
 | policy_enforcement_mode|required     |Enforcing or Permissive.|
 
@@ -63,7 +63,7 @@ Specifies how policies are enforced when processing authorization requests sent
 
 ## How To Enable
 
-Create a route and enable the authz-keycloak plugin on the route:
+Create a `route` and enable the `authz-keycloak` plugin on the route:
 
 ```shell
 curl http://127.0.0.1:9080/apisix/admin/routes/5 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
@@ -128,8 +128,8 @@ The following image shows how the policies are configures in the Keycloak server
 
 ## Future Development
 
-- Currently the authz-plugin requires to define the resource name and required scopes inorder to enforce policies for the routes.
+- Currently the `authz-plugin` requires to define the resource name and required scopes in order to enforce policies for the routes.
 However, Keycloak's official adapters (Java, JS) also provides path matching by querying Keycloak paths dynamically, and
-lazy loading the paths to identify resources. Future version on authz-plugin will support this functionality.
+lazy loading the paths to identity resources. Future version on authz-plugin will support this functionality.
 
 - Support to read scope and configurations from the Keycloak JSON File