Accessing the Keycloak Administration Panel

To access the Keycloak administration panel, complete these actions:

  1. Go to the IDP JBoss CLI:
    # kubectl exec -it $(kubectl get pods -o name -l app=idp-backend | cut -d'/' -f 2) -- sh /opt/jboss/keycloak/bin/jboss-cli.sh --connect
  2. Enter the following commands:
    # /subsystem=undertow/server=default-server/host=default-host/filter-ref=IM_adminPanel:remove()
    # /:reload

    For versions earlier than 1.5.23, change the filter-ref value to adminUrls:

    Important: Do not remove IM_private filter-ref.

  3. Log in to the panel using the following URL:

    https://<brand_domain>/auth/admin, for example: https://cidbe.brndff4f8cdb-f6d6cf.aqa.int.zone/auth/admin

    with the credentials: admin/<password>.

    Important: Do not open the administration panel if the master password is weak.

    Ensure that the keycloakadminpassword IDP Helm value contains a strong password (at least 15 characters, including uppercase letters, lowercase letters, numbers, and special characters). If the password is strong, no actions are required. If not, make it strong by completing the following actions:

    1. Generate a strong password using this command:
      # openssl rand -base64 20 | base64

    2. Download the master_realm_expose.py script to the management node.

      Copy 
      import urllib2
      import json
      import kc_cli_common as cc

      # Change base url to run script from dev host. Preconditions:
      # - IDP admin url filtering should be disabled.
      # - ssh tunnel from dev host to MN set up: ssh -L 0.0.0.0:8081:idp:8080 root@$MN_HOST
      #cc.kc_base_url = 'http://localhost:8081/auth'
      #cc.user_password = '1q2w3e'
      cc.authenticate()
      token = cc.get_access_token()

      # queries form https://www.keycloak.org/docs-api/5.0/rest-api/index.html should be based on /admin/realms/
      base_url = "%s/admin/realms" % cc.get_base_url()

      realm_id = 'master'

      # get master realm
      url = "%s/%s" % (base_url, realm_id)
      data = None
      method = 'GET'
      print "calling %s" % url
      request = urllib2.Request(url, data, headers={"Authorization" : "bearer %s" % token})
      request.get_method = lambda: method
      resp = urllib2.urlopen(request)
      print "KC API called, result %d" % resp.code
      rr = json.loads(resp.read())
      rr["bruteForceProtected"] = True
      rr["failureFactor"] = 5

      # set master realm brute force protection
      url = "%s/%s" % (base_url, realm_id)
      data = json.dumps(rr)
      method = 'PUT'
      print "calling %s %s" % (method, url)
      print "realm representation:"
      print data
      request = urllib2.Request(url, data, headers={"Authorization" : "bearer %s" % token, "Content-Type": "application/json;charset=UTF-8"})
      request.get_method = lambda: method
      resp = urllib2.urlopen(request)
      print "KC API called, result %d" % resp.code

      # get users
      url = "%s/%s/users" % (base_url, realm_id)
      data = None
      method = 'GET'
      print "calling %s" % url
      request = urllib2.Request(url, data, headers={"Authorization" : "bearer %s" % token})
      request.get_method = lambda: method
      resp = urllib2.urlopen(request)
      print "KC API called, result %d" % resp.code
      body = json.loads(resp.read())
      admin_user = filter(lambda u: u["username"] == 'admin', body)[0]
      id = admin_user["id"]
      print "admin user %s" % id

      # delete admin user
      url = "%s/%s/users/%s" % (base_url, realm_id, id)
      method = 'DELETE'
      print "calling %s" % url
      request = urllib2.Request(url, data, headers={"Authorization" : "bearer %s" % token})
      request.get_method = lambda: method
      resp = urllib2.urlopen(request)
      print "KC API called, result %d" % resp.code
    3. Copy this script to the IDP pod using this command:
      # kubectl cp master_realm_expose.py $(kubectl get pods -o name -l app=idp-backend | cut -d'/' -f 2):/opt/jboss/scripts/
    4. Drop the existing IDP master user by running this command from the management node:
      # kubectl exec $(kubectl get pods -o name -l app=idp-backend | cut -d'/' -f 2) -- bash -c "cd scripts && python /opt/jboss/scripts/master_realm_expose.py"
    5. Restart IDP with the master user password set:
      # helm upgrade idp-backend a8n/idp-backend --set keycloakadminpassword=<password>

    As a result, the IDP pod will be re-created with the master user re-created at startup. If not, drop the IDP pod manually.

    Important: If you run the master_realm_expose.py script again, the master user will be dropped again. If you set the same master user password with the helm upgrade command, the IDP pod will not be restarted and the master user will not be re-created. In this case, kill the pod to force its re-creation.

© 2021 Ingram Micro, Inc. All Rights Reserved. Privacy Policy, Terms of Use and Legal