This page details the default Keycloak realms, accounts, and clients that are created when the system software is installed.
Master
Shasta
Username: admin
(ncn-mw#) The password can be obtained with the following command:
kubectl get secret -n services keycloak-master-admin-auth --template={{.data.password}} | base64 --decode
The password for the admin account can be changed. See Change the Keycloak admin Password.
Users authenticate to Keycloak on behalf of a client. Keycloak clients own configurations, such as the mapping of Keycloak user information to data available either from the userinfo endpoint or in the JWT token. Keycloak clients also own resources, such as URIs.
admin-client
The admin-client client represents a service account that is used during the install to register the services with the API gateway. The secret for this account is generated during the software installation process.
oauth2-proxy-*
The oauth2-proxy-* clients are used by the oauth2-proxies to authenticate web UIs using OAuth.
system-compute-client
The system-compute-client client is used by the Cray Operating System (COS) for compute nodes and some NCN services for boot orchestration and management.
system-pxe-client
The system-pxe-client client is used by the cray-ipxe service to communicate with cray-bss to prepare boot scripts and other boot-related content.
system-nexus-client
The system-nexus-client client is used by the cray-nexus service to log in to Nexus with Keycloak users. The system-nexus-client has two roles created for authorization: nx-admin and nx-anonymous, which can be added to any account to give permissions to that user in Nexus.
shasta
The shasta client is meant to be a generic client that can be used to access any Cray micro-service. The software install process creates the shasta client in the Shasta realm.
The shasta client is public and has mappers set up so that the uidNumber, gidNumber, homeDirectory, and loginShell user attributes are included in the userinfo response.
The shasta client has two roles created for authorization: admin and user.
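To check that a deployed shasta client still matches the defaults described above, the following added example (not part of the original documentation or the product's own tooling) audits a client representation for drift. It assumes the client is supplied as a dictionary in the shape of a Keycloak admin API client representation (publicClient, protocolMappers, the oidc-usermodel-attribute-mapper type, and the userinfo.token.claim setting); the function names and the sample client are constructed for illustration.

```python
# Attributes this page says the shasta client maps into the userinfo response.
EXPECTED_USERINFO_ATTRS = {"uidNumber", "gidNumber", "homeDirectory", "loginShell"}

def userinfo_attrs(client):
    """Return the user attributes the client's mappers expose via userinfo."""
    exposed = set()
    for mapper in client.get("protocolMappers", []):
        if mapper.get("protocolMapper") != "oidc-usermodel-attribute-mapper":
            continue  # only user-attribute mappers are relevant here
        cfg = mapper.get("config", {})
        attr = cfg.get("user.attribute")
        # Keycloak stores mapper booleans as the strings "true"/"false".
        if attr and cfg.get("userinfo.token.claim", "false").lower() == "true":
            exposed.add(attr)
    return exposed

def audit_client(client, expected_public, expected_attrs):
    """List the ways a client differs from its documented defaults."""
    findings = []
    actual_public = bool(client.get("publicClient"))
    if actual_public != expected_public:
        findings.append("publicClient is %s, expected %s"
                        % (actual_public, expected_public))
    exposed = userinfo_attrs(client)
    for attr in sorted(expected_attrs - exposed):
        findings.append("documented attribute not in userinfo: " + attr)
    for attr in sorted(exposed - expected_attrs):
        findings.append("undocumented attribute in userinfo: " + attr)
    return findings

def _mapper(attr, userinfo):
    """Build one mapper entry for the constructed sample below."""
    return {"name": attr + "-mapper", "protocol": "openid-connect",
            "protocolMapper": "oidc-usermodel-attribute-mapper",
            "config": {"user.attribute": attr, "claim.name": attr,
                       "userinfo.token.claim": userinfo}}

# Constructed sample: homeDirectory was switched off and a "mail" mapper added.
SAMPLE_CLIENT = {"clientId": "shasta", "publicClient": True, "protocolMappers": [
    _mapper("uidNumber", "true"), _mapper("gidNumber", "true"),
    _mapper("homeDirectory", "false"), _mapper("loginShell", "true"),
    _mapper("mail", "true")]}

if __name__ == "__main__":
    for finding in audit_client(SAMPLE_CLIENT, True, EXPECTED_USERINFO_ATTRS):
        print(SAMPLE_CLIENT["clientId"] + ": " + finding)
```

An empty list means the client matches the documented defaults; any finding is a change worth tracing to whoever modified the client.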