This page details the default Keycloak realms, accounts, and clients that are created when the system software is installed.
MasterShastaUsername: admin
(ncn-mw#) The password can be obtained with the following command:
kubectl get secret -n services keycloak-master-admin-auth --template={{.data.password}} | base64 --decode
The password for the admin account can be changed. See Change the Keycloak admin Password.
Users authenticate to Keycloak on behalf of a client. Keycloak clients own configurations, such as the mapping of Keycloak user information to data available to either the
userinfo endpoint, or in the JWT token. Keycloak clients also own resources, such as URIs.
admin-client
admin-client client represents a service account that is used during the install to register the services with the API gateway. The secret for this account is
generated during the software installation process.gatekeeper
gatekeeper client is used by the keycloak-gatekeeper to authenticate web UIs using OAUTH.system-compute-client
system-compute-client client is used by the Cray Operating System (COS) for compute nodes and some NCN services for boot orchestration and management.system-pxe-client
system-pxe-client client is used by the cray-ipxe service to communicate with cray-bss to prepare boot scripts and other boot-related content.shasta
shasta client is meant to be a generic client that can be used to access any Cray micro-service. The software install process creates the shasta client in the Shasta realm.
The shasta client is public and has mappers set up so that the uidNumber, gidNumber, homeDirectory, and loginShell user attributes are included in the userinfo response.
The shasta client has two roles created for authorization: admin and user.