The following manual procedure can be used to create a user in the Keycloak Shasta realm. New accounts can be created with the Keycloak UI.

New administrator and user accounts are authenticated with Keycloak. Authenticated accounts are needed to use the Cray CLI.

This procedure assumes that the password for the Keycloak admin account is known. The Keycloak password is set during the software installation process.

(ncn-mw#) The password can be obtained with the following command:

```bash
kubectl get secret -n services keycloak-master-admin-auth --template={{.data.password}} | base64 --decode
```
1. Log in to the administration console.

   See Access the Keycloak User Management UI for more information.

2. Click on Users under the Manage section on the left side of the window.

3. Click the Add User button.

4. Enter the user name and other attributes as required.

5. Click the Create button.

6. In the Credentials tab, click Set password.

7. Turn off the Temporary selector.

8. Enter the password and repeat it in the confirmation field.

9. Click the Save button.

10. Click the red Save Password button.
11. Create a user ID and group ID for this user.

    The User Access Service (UAS) requires these attributes. In the Attributes tab, perform the following steps for both the uid and gid attributes:

    - Add the attribute name to the Key column and its value to the Value column.
    - Click the Save button.

    Click the Save button at the bottom once both the uid and gid attributes have been added.

12. Optionally add other attributes.

    Other attributes can be added as needed by site-specific applications.

    User accounts need the following attributes defined in order to create a User Access Instance (UAI):

    - gidNumber
    - homeDirectory
    - loginShell
    - uidNumber
13. Click on the Role Mappings tab to grant the user authority.

14. Click the Assign Role button.

15. Click on the dropdown for Filter by realm roles and select Filter by clients.

16. Select the assigned role, either shasta admin or shasta user.

    Assign any other roles as needed per site, such as system-nexus-client nx-admin.

17. Click Assign to assign the roles to the user.
18. Verify that the user account has been created in the Shasta realm.

    This can be verified by performing one or more of the following checks:

    - Confirm that the new account is listed under Users on the Administration Console page.
    - Log in to the Shasta realm as the new user.

19. (linux#) Verify that the new local Keycloak account can authenticate to the Cray CLI.

    NOTE: Authorization with the Cray CLI is local to a host. The first time the CLI is used on a host where it has not been used before, it is first necessary to authenticate on that host. There is no provided mechanism to distribute CLI authorization across hosts.

    For additional information, see Configure the Cray CLI.

    ```bash
    cray auth login --username USERNAME
    ```
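The same account creation driven through the Keycloak Admin REST API instead of the UI (useful when many accounts must be provisioned consistently), as an added example that is not part of this documentation or of the CSM project. It assumes a placeholder KEYCLOAK_URL, that the admin password obtained with the kubectl command above is passed in, that the realm's client has clientId `shasta` with roles `admin` and `user` (the "shasta admin" / "shasta user" entries in the UI), and that the host running it trusts the Keycloak TLS certificate.

```python
import json
import urllib.parse
import urllib.request

KEYCLOAK_URL = "https://KEYCLOAK-HOST/keycloak"  # placeholder: site-specific base URL


def build_user_representation(username, password, uid, gid, home, shell):
    """Mirror the UI steps: enabled user, non-temporary password, the uid/gid
    attributes UAS needs and the four attributes UAI creation needs (values are lists)."""
    return {
        "username": username,
        "enabled": True,
        "credentials": [{"type": "password", "value": password, "temporary": False}],
        "attributes": {"uid": [str(uid)], "gid": [str(gid)],
                       "uidNumber": [str(uid)], "gidNumber": [str(gid)],
                       "homeDirectory": [home], "loginShell": [shell]},
    }


def _call(method, url, body=None, token=None, form=False):
    # Small stdlib HTTP helper; raises urllib.error.HTTPError on 4xx/5xx responses.
    headers = {"Accept": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    data = None
    if body is not None:
        data = urllib.parse.urlencode(body).encode() if form else json.dumps(body).encode()
        headers["Content-Type"] = "application/x-www-form-urlencoded" if form else "application/json"
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.headers, (json.loads(raw) if raw else None)


def admin_token(admin_password):
    """Password grant against the master realm using the built-in admin-cli client."""
    _, tok = _call("POST", f"{KEYCLOAK_URL}/realms/master/protocol/openid-connect/token",
                   {"grant_type": "password", "client_id": "admin-cli",
                    "username": "admin", "password": admin_password}, form=True)
    return tok["access_token"]


def create_user(token, rep, client_id="shasta", role="user"):
    """Create the user in the shasta realm, then map one client role (assumed
    client 'shasta', roles 'admin'/'user'). A 409 on the first call means the name exists."""
    api = f"{KEYCLOAK_URL}/admin/realms/shasta"
    hdrs, _ = _call("POST", f"{api}/users", rep, token)
    user_id = hdrs["Location"].rstrip("/").rsplit("/", 1)[1]
    _, clients = _call("GET", f"{api}/clients?clientId={client_id}", token=token)
    cid = clients[0]["id"]
    _, role_rep = _call("GET", f"{api}/clients/{cid}/roles/{role}", token=token)
    _call("POST", f"{api}/users/{user_id}/role-mappings/clients/{cid}", [role_rep], token)
    return user_id
```

After running it, the verification steps above (listing under Users and `cray auth login`) apply unchanged to the scripted account.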