[ENH] - Make Nebari admin group also have keycloak realm admin permissions #1177

Closed
costrouc opened this issue Mar 22, 2022 · 3 comments · Fixed by #1701

Comments

@costrouc
Member

Feature description

Currently users have to log in with the root keycloak credentials to manage users/groups etc. It would be nice to make the admins of a particular realm in the "admin" group also have permissions to edit keycloak without requiring the root username and password.

Related docs https://github.com/keycloak/keycloak-documentation/blob/main/server_admin/topics/admin-console-permissions/master-realm.adoc#master-realm-access-control

Value and/or benefit

Security and easy ability to add users to self manage the cluster.

Anything else?

No response

@costrouc
Member Author

Currently admin root/password credentials are needed in order to modify users/groups and this should not be required. Instead the roles to perform this should be attached to the group admin. Below are the following roles that need to be added to the admin keycloak group.

image

We need to add the realm-admin role within realm-management in the nebari realm to the admin group as shown above. Once this is done any user can visit https://nebari.quansight.dev/auth/admin/nebari/console and edit users/groups etc. You will see that we can give more fine-grained permissions, e.g. only edit users/groups, but for now realm-admin will give everything, ensuring that we don't have to give out the root, ... to everyone.

@costrouc
Member Author

Adding to this issue since it would fit in well.

  • We need two groups for admin: admin and superadmin
  • admin will only do administrative tasks and should protect them from actions that can destroy the cluster, so they should have the roles view-* actions, manage-users, impersonation, , create-client, anything that cannot break things on nebari
  • superadmin will have the realm-admin role which can do anything including things that can break the cluster.
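
The admin/superadmin split proposed in the comment above, as an added example that is not part of the issue thread or of Nebari's code. It selects the realm-management roles each group should carry, builds the Keycloak Admin REST request that maps them to a group, and audits a group for roles beyond its policy. `GROUP_POLICY`, `SAMPLE_ROLES` and the function names are assumptions, and the sample role list and ids are constructed.

```python
from fnmatch import fnmatchcase

# Role-name patterns per group, as listed in the comment above.
GROUP_POLICY = {
    "admin": ["view-*", "manage-users", "impersonation", "create-client"],
    "superadmin": ["realm-admin"],
}

# Constructed sample of the role list Keycloak returns for the
# realm-management client (ids are placeholders, not real UUIDs).
SAMPLE_ROLES = [
    {"id": f"role-id-{i}", "name": name}
    for i, name in enumerate([
        "create-client", "impersonation", "manage-clients", "manage-realm",
        "manage-users", "realm-admin", "view-clients", "view-events",
        "view-realm", "view-users",
    ])
]


def allowed(group, role_name):
    """True if the group's policy permits this realm-management role."""
    return any(fnmatchcase(role_name, p) for p in GROUP_POLICY[group])


def roles_for(group, available):
    """Pick the role representations a group should carry."""
    return [r for r in available if allowed(group, r["name"])]


def mapping_request(realm, group_id, client_uuid, roles):
    """Build (method, path, body) for the group client-role mapping call.

    Path follows Keycloak's Admin REST API; deployments that serve
    Keycloak under /auth (as the console URL above does) prefix it.
    """
    path = (f"/admin/realms/{realm}/groups/{group_id}"
            f"/role-mappings/clients/{client_uuid}")
    return "POST", path, [{"id": r["id"], "name": r["name"]} for r in roles]


def audit(group, assigned_names):
    """Return directly mapped roles that exceed the group's policy."""
    return sorted(n for n in assigned_names if not allowed(group, n))


if __name__ == "__main__":
    print(mapping_request("nebari", "GROUP_ID", "CLIENT_UUID",
                          roles_for("admin", SAMPLE_ROLES)))
    print(audit("admin", ["view-users", "manage-realm", "realm-admin"]))
```

`audit` only sees role names mapped directly to the group; roles inherited through composites need the group's effective role mappings instead.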

@pavithraes pavithraes added this to the Release 2023.3.1 milestone Mar 7, 2023
@trallard trallard moved this from New 📬 to Planned 💾 in 🪴 Nebari Project Management Mar 14, 2023
@costrouc costrouc changed the title [ENH] - Make QHub admin group also have keycloak realm admin permissions [ENH] - Make Nebari admin group also have keycloak realm admin permissions Mar 28, 2023
@github-project-automation github-project-automation bot moved this from Planned 💾 to Done 💪🏾 in 🪴 Nebari Project Management Apr 10, 2023
@github-project-automation github-project-automation bot moved this from Needs Triage 🔍 to Done 💪🏾 in QHub Project Mangement 🚀 Apr 10, 2023