Accessing the Keycloak Administration Panel

To access the Keycloak administration panel, complete these actions:

1. Go to the IDP JBoss CLI:

   # kubectl exec -it $(kubectl get pods -o name -l app=idp-backend | cut -d'/' -f 2) -- sh /opt/jboss/keycloak/bin/jboss-cli.sh --connect

2. Enter the following commands:

   # /subsystem=undertow/server=default-server/host=default-host/filter-ref=IM_adminPanel:remove()
   # /:reload

   For versions earlier than 1.5.23, change the filter-ref value to adminUrls:

   Important: Do not remove IM_private filter-ref.

3. Log in to the panel using the following URL:

   https://<brand_domain>/auth/admin, for example: https://cidbe.brndff4f8cdb-f6d6cf.aqa.int.zone/auth/admin

   with the credentials: admin/<password>.

   Important: Do not open the administration panel if the master password is weak.

   Ensure that the keycloakadminpassword IDP Helm value contains a strong password (at least 15 characters, including uppercase letters, lowercase letters, numbers, and special characters). If the password is strong, no actions are required. If not, make it strong by completing the following actions:

   1. Generate a strong password using this command:

      # openssl rand -base64 20 | base64

   2. Download the master_realm_expose.py script to the management node.

      master_realm_expose.py

      Copy

      import urllib2
      import json
      import kc_cli_common as cc
      
      # Change base url to run script from dev host. Preconditions:
      # - IDP admin url filtering should be disabled.
      # - ssh tunnel from dev host to MN set up: ssh -L 0.0.0.0:8081:idp:8080 root@$MN_HOST
      #cc.kc_base_url = 'http://localhost:8081/auth'
      #cc.user_password = '1q2w3e'
      cc.authenticate()
      token = cc.get_access_token()
      
      # queries form https://www.keycloak.org/docs-api/5.0/rest-api/index.html should be based on /admin/realms/
      base_url = "%s/admin/realms" % cc.get_base_url()
      
      realm_id = 'master'
      
      # get master realm
      url = "%s/%s" % (base_url, realm_id)
      data = None
      method = 'GET'
      print "calling %s" % url
      request = urllib2.Request(url, data, headers={"Authorization" : "bearer %s" % token})
      request.get_method = lambda: method
      resp = urllib2.urlopen(request)
      print "KC API called, result %d" % resp.code
      rr = json.loads(resp.read())
      rr["bruteForceProtected"] = True
      rr["failureFactor"] = 5
      
      # set master realm brute force protection
      url = "%s/%s" % (base_url, realm_id)
      data = json.dumps(rr)
      method = 'PUT'
      print "calling %s %s" % (method, url)
      print "realm representation:"
      print data
      request = urllib2.Request(url, data, headers={"Authorization" : "bearer %s" % token, "Content-Type": "application/json;charset=UTF-8"})
      request.get_method = lambda: method
      resp = urllib2.urlopen(request)
      print "KC API called, result %d" % resp.code
      
      # get users
      url = "%s/%s/users" % (base_url, realm_id)
      data = None
      method = 'GET'
      print "calling %s" % url
      request = urllib2.Request(url, data, headers={"Authorization" : "bearer %s" % token})
      request.get_method = lambda: method
      resp = urllib2.urlopen(request)
      print "KC API called, result %d" % resp.code
      body = json.loads(resp.read())
      admin_user = filter(lambda u: u["username"] == 'admin', body)[0]
      id = admin_user["id"]
      print "admin user %s" % id
      
      # delete admin user
      url = "%s/%s/users/%s" % (base_url, realm_id, id)
      method = 'DELETE'
      print "calling %s" % url
      request = urllib2.Request(url, data, headers={"Authorization" : "bearer %s" % token})
      request.get_method = lambda: method
      resp = urllib2.urlopen(request)
      print "KC API called, result %d" % resp.code

   3. Copy this script to the IDP pod using this command:

      # kubectl cp master_realm_expose.py $(kubectl get pods -o name -l app=idp-backend | cut -d'/' -f 2):/opt/jboss/scripts/

   4. Drop the existing IDP master user by running this command from the management node:

      # kubectl exec $(kubectl get pods -o name -l app=idp-backend | cut -d'/' -f 2) -- bash -c "cd scripts && python /opt/jboss/scripts/master_realm_expose.py"

   5. Restart IDP with the master user password set:

      helm get values idp-backend -o yaml > idp_values.yaml
      helm upgrade idp-backend a8n/idp-backend -f idp_values.yaml --set keycloakadminpassword=<password>

      Notes:
      
      1. Before running these commands, ensure that you use Helm 3.5.4 (or later).
      
      2. In the CloudBlue Commerce documentation, command options are provided for Helm 3. Helm 2 can also be used, but there may be differences in command options. If you already have Helm 2 installed, you can either migrate from it to Helm 3 or take into account differences in command options. For example, if a Helm 3 command cannot be performed due to such differences, you can find suitable Helm 2 command options.

   As a result, the IDP pod will be re-created with the master user re-created at startup. If not, drop the IDP pod manually.

   Important: If you run the master_realm_expose.py script again, the master user will be dropped again. If you set the same master user password with the helm upgrade command, the IDP pod will not be restarted and the master user will not be re-created. In this case, kill the pod to force its re-creation.