Accessing the Keycloak Administration Panel
To access the Keycloak administration panel, complete these actions:

- Go to the IDP JBoss CLI:

    # kubectl exec -it $(kubectl get pods -o name -l app=idp-backend | cut -d'/' -f 2) -- sh /opt/jboss/keycloak/bin/jboss-cli.sh --connect

- Enter the following commands:

    # /subsystem=undertow/server=default-server/host=default-host/filter-ref=IM_adminPanel:remove()
    # /:reload

  For versions earlier than 1.5.23, use adminUrls instead of IM_adminPanel as the filter-ref value.

  Important: Do not remove the IM_private filter-ref.

- Log in to the panel using the following URL: https://<brand_domain>/auth/admin, for example: https://cidbe.brndff4f8cdb-f6d6cf.aqa.int.zone/auth/admin, with the credentials admin/<password>.
Important: Do not open the administration panel if the master password is weak.

Ensure that the keycloakadminpassword IDP Helm value contains a strong password (at least 15 characters, including uppercase letters, lowercase letters, numbers, and special characters). If the password is strong, no actions are required. If not, make it strong by completing the following actions:

- Generate a strong password using this command:

    # openssl rand -base64 20 | base64
- Download the master_realm_expose.py script to the management node. The script (Python 2: it uses urllib2 and print statements, and runs with the pod's python interpreter) is:

    import urllib2
    import json
    import kc_cli_common as cc

    # Change base url to run script from dev host. Preconditions:
    # - IDP admin url filtering should be disabled.
    # - ssh tunnel from dev host to MN set up: ssh -L 0.0.0.0:8081:idp:8080 root@$MN_HOST
    #cc.kc_base_url = 'http://localhost:8081/auth'
    #cc.user_password = '1q2w3e'

    # obtain an admin access token through the shared CLI helper module
    cc.authenticate()
    token = cc.get_access_token()

    # queries from https://www.keycloak.org/docs-api/5.0/rest-api/index.html should be based on /admin/realms/
    base_url = "%s/admin/realms" % cc.get_base_url()
    realm_id = 'master'

    # get master realm
    url = "%s/%s" % (base_url, realm_id)
    data = None
    method = 'GET'
    print "calling %s" % url
    request = urllib2.Request(url, data, headers={"Authorization": "bearer %s" % token})
    request.get_method = lambda: method
    resp = urllib2.urlopen(request)
    print "KC API called, result %d" % resp.code
    rr = json.loads(resp.read())

    # enable brute force protection on the master realm: lock the account after 5 failed logins
    rr["bruteForceProtected"] = True
    rr["failureFactor"] = 5

    # set master realm brute force protection (PUT the modified realm representation back)
    url = "%s/%s" % (base_url, realm_id)
    data = json.dumps(rr)
    method = 'PUT'
    print "calling %s %s" % (method, url)
    print "realm representation:"
    print data
    request = urllib2.Request(url, data, headers={"Authorization": "bearer %s" % token, "Content-Type": "application/json;charset=UTF-8"})
    request.get_method = lambda: method
    resp = urllib2.urlopen(request)
    print "KC API called, result %d" % resp.code

    # get users of the master realm
    url = "%s/%s/users" % (base_url, realm_id)
    data = None
    method = 'GET'
    print "calling %s" % url
    request = urllib2.Request(url, data, headers={"Authorization": "bearer %s" % token})
    request.get_method = lambda: method
    resp = urllib2.urlopen(request)
    print "KC API called, result %d" % resp.code
    body = json.loads(resp.read())
    admin_user = filter(lambda u: u["username"] == 'admin', body)[0]
    admin_id = admin_user["id"]
    print "admin user %s" % admin_id

    # delete admin user; IDP re-creates it at startup with the password from the Helm value
    url = "%s/%s/users/%s" % (base_url, realm_id, admin_id)
    data = None
    method = 'DELETE'
    print "calling %s" % url
    request = urllib2.Request(url, data, headers={"Authorization": "bearer %s" % token})
    request.get_method = lambda: method
    resp = urllib2.urlopen(request)
    print "KC API called, result %d" % resp.code

- Copy this script to the IDP pod using this command:
    # kubectl cp master_realm_expose.py $(kubectl get pods -o name -l app=idp-backend | cut -d'/' -f 2):/opt/jboss/scripts/

- Drop the existing IDP master user by running this command from the management node:

    # kubectl exec $(kubectl get pods -o name -l app=idp-backend | cut -d'/' -f 2) -- bash -c "cd scripts && python /opt/jboss/scripts/master_realm_expose.py"

- Restart IDP with the master user password set:

    # helm upgrade idp-backend a8n/idp-backend --set keycloakadminpassword=<password>

  As a result, the IDP pod is re-created and the master user is re-created at startup. If the pod is not re-created, drop the IDP pod manually.
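Before running the Helm upgrade, it is worth checking the value you are about to pass as keycloakadminpassword against the policy stated above (at least 15 characters, with uppercase letters, lowercase letters, digits and special characters). The following Python 3 script is an added example, not code from the article or the product: it checks a candidate password read from standard input against that policy, and can generate a compliant one with the secrets module as an alternative to the openssl pipeline. The function names, the SPECIALS set and the 20-character default length are assumptions of this example.

```python
import secrets
import string
import sys

# Policy from the article: at least 15 characters, with at least one character of each class.
MIN_LENGTH = 15
# Assumed special-character set: no quotes, backslash or space, so a generated value can be
# passed safely as a --set argument on the helm command line.
SPECIALS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def check_admin_password(password):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    if any(c.isspace() for c in password):
        problems.append("contains whitespace")
    return problems


def generate_admin_password(length=20):
    """Generate a random password (CSPRNG) that satisfies check_admin_password()."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        # rejection sampling: draw until every required class is present
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_admin_password(candidate):
            return candidate


if __name__ == "__main__":
    if "--check" in sys.argv:
        # read the value from stdin so it does not land in shell history or the process list
        issues = check_admin_password(sys.stdin.readline().rstrip("\n"))
        print("OK" if not issues else "WEAK: " + ", ".join(issues))
        sys.exit(1 if issues else 0)
    print(generate_admin_password())
```

Run it with no arguments to print a new password, or pipe the current Helm value into `python3 check_admin_password.py --check` (hypothetical file name) to see whether it already meets the policy.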
Important: If you run the master_realm_expose.py script again, the master user will be dropped again. If you set the same master user password with the helm upgrade command, the IDP pod will not be restarted and the master user will not be re-created. In this case, kill the pod to force its re-creation.
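Because the master user only comes back when the pod is actually re-created, a quick post-check against the same admin REST endpoints the script uses (/admin/realms/master and /admin/realms/master/users) confirms the outcome: brute force protection must be on with the failure factor the script set, and the admin user must exist and be enabled. The following Python 3 script is an added example, not the article's or the product's code. It assumes an access token obtained by other means and passed in the hypothetical environment variables KC_BASE_URL and KC_TOKEN; without them it runs the same checks over constructed sample responses embedded below.

```python
import json
import os
import urllib.request

EXPECTED_FAILURE_FACTOR = 5   # the value master_realm_expose.py writes; a lower value is stricter and also accepted


def kc_get(base_url, token, path):
    """GET an admin REST resource (path relative to /admin/realms) and return the parsed JSON."""
    url = "%s/admin/realms%s" % (base_url.rstrip("/"), path)
    req = urllib.request.Request(url, headers={"Authorization": "Bearer %s" % token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def check_master_realm(realm):
    """Return findings for a realm representation; an empty list means the realm is as expected."""
    findings = []
    if realm.get("bruteForceProtected") is not True:
        findings.append("bruteForceProtected is not enabled")
    factor = realm.get("failureFactor")
    if not isinstance(factor, int) or factor > EXPECTED_FAILURE_FACTOR:
        findings.append("failureFactor is %r, expected at most %d" % (factor, EXPECTED_FAILURE_FACTOR))
    return findings


def check_admin_user(users):
    """Return findings for the realm user list: exactly one admin user must exist and be enabled."""
    admins = [u for u in users if u.get("username") == "admin"]
    if not admins:
        return ["admin user is missing (pod not re-created after helm upgrade?)"]
    if len(admins) > 1:
        return ["more than one admin user"]
    if admins[0].get("enabled") is not True:
        return ["admin user is disabled"]
    return []


def check_live(base_url, token):
    """Run both checks against a running IDP and return the combined findings."""
    return (check_master_realm(kc_get(base_url, token, "/master"))
            + check_admin_user(kc_get(base_url, token, "/master/users")))


# Constructed sample data shaped like the Keycloak admin API responses (not captured from a system).
SAMPLE_REALM_BEFORE = {"realm": "master", "bruteForceProtected": False, "failureFactor": 30}
SAMPLE_REALM_AFTER = {"realm": "master", "bruteForceProtected": True, "failureFactor": 5}
SAMPLE_USERS_AFTER = [{"id": "00000000-constructed-id", "username": "admin", "enabled": True}]

if __name__ == "__main__":
    base_url, token = os.environ.get("KC_BASE_URL"), os.environ.get("KC_TOKEN")
    if base_url and token:
        findings = check_live(base_url, token)
    else:
        findings = check_master_realm(SAMPLE_REALM_AFTER) + check_admin_user(SAMPLE_USERS_AFTER)
    print("OK" if not findings else "\n".join(findings))
```

The checks are split from the HTTP call so they can be unit-tested offline and reused on a saved realm export; when run live, an empty findings list means the procedure above completed, while "admin user is missing" is the symptom of the same-password case described in the Important note.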