Keycloak Configuration
If you are not delegating user authentication to an upstream identity provider such as LDAP, you should ensure that the Keycloak service integrated into Orchestrate is configured correctly. You should also change the Fuzzball password of the cluster admin user, which was given the default password when Orchestrate was deployed.
This guide walks through the necessary Keycloak adjustments that should be applied once per deployment to improve security and user experience.
This configuration involves two tasks, both of which are covered by the steps below:
- Configure password policies to require users to change their password on first login.
- Change the password of the Fuzzball admin user that owns the default organization.
First, you need to log into your Keycloak admin interface. The URL will depend on your deployment but will fit the pattern below.
https://auth.YOUR_DOMAIN/auth
See the guide to accessing the web interface for details on how to obtain the URL, connect via a tunnel if necessary, and fetch the Keycloak login details from Kubernetes.
After logging into Keycloak, ensure you’re working in the correct realm:
- Change the realm to “Fuzzball” using the dropdown menu below the Keycloak logo
The name of the realm created for Fuzzball defaults to “Fuzzball” but is configurable in local deployments. If you selected a different name, switch to the realm name you specified.
The organization owner account (configured as keycloak.create.ownerEmail in the Orchestrate configuration) initially uses the default password (keycloak.create.defaultUserPassword, which defaults to a secure random string) that is assigned to new users created without an explicit password. This should be changed to a unique password.
- Navigate to Users in the left sidebar.
- You should see your existing users. In the case of a new deployment the only user here should be the Fuzzball organization owner created automatically during deployment.
- Click on the organization owner user account.
- Select the Credentials tab.
- Click Reset Password.
- Enter a new, secure password for the organization owner.
- Deselect “Temporary” if you don’t want the admin user to have to reset again immediately.
To improve security, configure Keycloak to force new users to change their password on first login:
- Go to Authentication in the left sidebar.
- Select the Required Actions tab.
- Find Update Password in the list.
- Toggle Set as default action to ON.
This ensures that new users are required to change their password on first login, whether that password was set explicitly when the user was created with the Fuzzball CLI or is the default password assigned when no explicit password was provided.
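The same two changes can be scripted against the Keycloak Admin REST API, which is useful when you run several deployments or want a repeatable check that the settings are still in place. The following is an added example written for this guide; it is not part of Orchestrate or Keycloak. It assumes the base URL carries the /auth prefix shown above, that the admin credentials fetched from Kubernetes belong to the master realm, that the realm is named Fuzzball, and that the environment variable names (KC_BASE, KC_ADMIN_USER, KC_ADMIN_PASSWORD, OWNER_EMAIL, OWNER_NEW_PASSWORD) are placeholders of our own choosing. The "exact=true" user-search parameter is available in recent Keycloak releases; if yours lacks it, drop it and filter the result list by email yourself.

```python
"""Apply and audit the two Keycloak changes from this guide via the Admin REST API.

Added example, not Fuzzball/Orchestrate or Keycloak project code. Assumptions:
  - KC_BASE includes the /auth prefix, e.g. https://auth.YOUR_DOMAIN/auth (placeholder)
  - KC_ADMIN_USER / KC_ADMIN_PASSWORD are the master-realm admin credentials
  - the realm name defaults to "Fuzzball"; all env var names are illustrative
"""
import json
import os
import urllib.parse
import urllib.request

KC_BASE = os.environ.get("KC_BASE", "https://auth.YOUR_DOMAIN/auth")  # placeholder domain
REALM = os.environ.get("KC_REALM", "Fuzzball")


def token_request(base, admin_user, admin_password):
    """Password-grant request to the master realm's built-in admin-cli client."""
    data = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": "admin-cli",
        "username": admin_user,
        "password": admin_password,
    }).encode()
    return urllib.request.Request(
        f"{base}/realms/master/protocol/openid-connect/token", data=data, method="POST")


def admin_token(base, admin_user, admin_password):
    """Exchange the admin credentials for a short-lived bearer token."""
    with urllib.request.urlopen(token_request(base, admin_user, admin_password)) as resp:
        return json.load(resp)["access_token"]


def api(base, token, realm, path, method="GET", body=None):
    """One call to /admin/realms/{realm}/{path}; returns parsed JSON, or None on an empty reply."""
    req = urllib.request.Request(
        f"{base}/admin/realms/{realm}/{path}", method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def password_reset_body(new_password, temporary=False):
    """CredentialRepresentation for PUT users/{id}/reset-password.
    temporary=False is the API equivalent of deselecting "Temporary" in the UI."""
    return {"type": "password", "value": new_password, "temporary": temporary}


def with_default_action(required_action, enabled=True):
    """Copy of the UPDATE_PASSWORD representation with "Set as default action" toggled.
    Keycloak expects the full representation on PUT, so we merge instead of sending one key."""
    updated = dict(required_action)
    updated["defaultAction"] = enabled
    updated["enabled"] = True  # a disabled required action is never applied, default or not
    return updated


def reset_owner_password(base, token, realm, owner_email, new_password):
    """Task 1: set a new, non-temporary password on the organization owner account."""
    users = api(base, token, realm, f"users?email={urllib.parse.quote(owner_email)}&exact=true")
    if len(users) != 1:
        raise RuntimeError(f"expected exactly one user for {owner_email}, found {len(users)}")
    api(base, token, realm, f"users/{users[0]['id']}/reset-password", "PUT",
        password_reset_body(new_password, temporary=False))


def require_password_change_on_first_login(base, token, realm):
    """Task 2: make Update Password a default required action for new users."""
    path = "authentication/required-actions/UPDATE_PASSWORD"
    api(base, token, realm, path, "PUT", with_default_action(api(base, token, realm, path)))


def audit(base, token, realm):
    """Check: is the default action on, and which users still owe a password change?"""
    action = api(base, token, realm, "authentication/required-actions/UPDATE_PASSWORD")
    pending = [u["username"] for u in api(base, token, realm, "users?max=1000")
               if "UPDATE_PASSWORD" in u.get("requiredActions", [])]
    return {"default_action": bool(action.get("defaultAction")), "pending_users": pending}


if __name__ == "__main__":
    tok = admin_token(KC_BASE, os.environ["KC_ADMIN_USER"], os.environ["KC_ADMIN_PASSWORD"])
    reset_owner_password(KC_BASE, tok, REALM, os.environ["OWNER_EMAIL"],
                         os.environ["OWNER_NEW_PASSWORD"])
    require_password_change_on_first_login(KC_BASE, tok, REALM)
    print(json.dumps(audit(KC_BASE, tok, REALM), indent=2))
```

The audit function is the piece worth keeping around: run it after the change and periodically afterwards, since it reports both whether the default action is still enabled and which accounts have not yet completed their forced password change.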
After completing these steps:
- Log out of Keycloak.
- Test the configuration by logging into the Fuzzball UI with the organization owner account using the new password set above.
- If you did not select “Temporary” you should not be forced to change the admin user’s password.
With Keycloak properly configured, keep the following in mind:
- As of the time of this writing, the password shown as the cluster admin’s password in the output of the deployment info script is the default new-user password that was assigned to the admin user when Orchestrate was initially configured. It does not reflect any changes made to the cluster admin in Keycloak (as described above). Changes to the default user password after the initial configuration will be reflected in this output but will not affect the existing admin user.
- If you edit the Orchestrate deployment to change keycloak.create.defaultUserPassword, the Fuzzball agent service has to be restarted for the change to become effective. This can be done with kubectl rollout restart -n fuzzball deployment/fuzzball-agent.
- Share the default password securely with new users when you create their accounts.
- New users will be forced to change this default password on their first login.
- This configuration only needs to be done once per Fuzzball deployment.