In Exercise 4, we will create the following Keycloak users and groups.
Users:
admin1
admin2
dev1
dev2
dev3
dev4
superadmin
Groups:
cluster-admin-group1
cluster-admin-group2
senior-dev-group
junior-dev-group
super-admin-group
Group membership:
admin1 ---> cluster-admin-group1
admin2 ---> cluster-admin-group2
dev1 ----> senior-dev-group
dev2 ----> senior-dev-group
dev3 ----> junior-dev-group
dev4 ----> junior-dev-group
superadmin ---> super-admin-group
Log in to the Keycloak UI
Open the lab-credentials file
Look for the keys "keycloak_url", "keycloak_admin_user" and "keycloak_admin_password"
Copy and paste the Keycloak URL into your favourite browser.
Keycloak URL = "keycloak_url"
user = admin
password = keycloak_admin_password
HOME > Manage > Users
Click "Add user"
Create the user with the details below
Username = superadmin
First Name = superadmin
Last Name = admin
Leave all other settings at their defaults
Click on Save
A success message confirms that the user was created
The next step is to set the superadmin user's password under the Credentials tab
Click "Set Password"
You will be prompted again to confirm setting the password
A success message confirms that the password was set
Repeat the above steps to add the new user "admin1" and set its login credentials under the Credentials tab
Create the user with the details below
Username = admin1
First Name = admin1
Last Name = admin
Leave all other settings at their defaults
Click on Save
Repeat the above steps of user creation and setting credentials for the following users
admin1
admin2
dev1
dev2
dev3
dev4
superadmin
Finally, check that all required users are created as below and have login credentials set
Now modify the Role Mappings for each user by clicking on "Edit"
Click on Edit for the admin1 user
Select the "Role Mappings" tab
Click on the Client Roles dropdown and select "realm-management"
Under Available Roles, select the "view-users" option and click on Add selected
The "view-users" role is assigned successfully
You can see it under the Effective Roles section
Repeat the above steps to assign the "view-users" role to all the Keycloak users below
admin1
admin2
dev1
dev2
dev3
dev4
superadmin
Now create the groups
Home > Manage > Groups
Click New
Name = cluster-admin-group1
A success message confirms that the group was created
Click on the Role Mappings tab and add Available Roles as below
Select the Available Roles and click on Add selected
A success message confirms that the selected roles were added
Repeat the above steps for all the groups listed below
cluster-admin-group1
cluster-admin-group2
senior-dev-group
junior-dev-group
super-admin-group
Finally verify all Groups are created as below
admin1 ---> cluster-admin-group1
admin2 ---> cluster-admin-group2
dev1 ----> senior-dev-group
dev2 ----> senior-dev-group
dev3 ----> junior-dev-group
dev4 ----> junior-dev-group
superadmin ---> super-admin-group
Now add user "admin1" to group "cluster-admin-group1"
Home > Manage > Users
Select the admin1 user and click on Edit
Click on the Groups tab
Select cluster-admin-group1 from Available Groups and click on Join
Now repeat the above steps to add the users to their respective groups, as below.
admin1 ---> cluster-admin-group1
admin2 ---> cluster-admin-group2
dev1 ----> senior-dev-group
dev2 ----> senior-dev-group
dev3 ----> junior-dev-group
dev4 ----> junior-dev-group
superadmin ---> super-admin-group
Now assign the admin user to all groups
Home > Manage > Users
Select the admin user and click on Edit
Click on the Groups tab
Click on Join for every group under Available Groups
Ensure all groups are listed under **Group Membership** as below
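The user, group and role assignments made through the UI above can be checked in one pass instead of user by user. This is an added example, not part of the original lab: it assumes the realm data is available as realm-export-style JSON (`users[].groups`, `users[].clientRoles`), and the `audit` function, `_u` helper and sample data are constructed for illustration.

```python
# Added example: audit the seven lab users against the exercise's plan.
# Assumes realm-export-style user records: "groups" holds group paths such as
# "/senior-dev-group"; "clientRoles" maps a client to directly assigned roles.
EXPECTED_GROUPS = {
    "admin1": {"cluster-admin-group1"},
    "admin2": {"cluster-admin-group2"},
    "dev1": {"senior-dev-group"},
    "dev2": {"senior-dev-group"},
    "dev3": {"junior-dev-group"},
    "dev4": {"junior-dev-group"},
    "superadmin": {"super-admin-group"},
}
EXPECTED_ROLES = {"view-users"}  # realm-management client role from this exercise

def audit(realm):
    """Return sorted findings; an empty list means the users match the plan."""
    findings = []
    users = {u["username"]: u for u in realm.get("users", [])}
    for name, want in EXPECTED_GROUPS.items():
        user = users.get(name)
        if user is None:
            findings.append(f"{name}: user missing")
            continue
        # Compare on the last path segment so "/a/b" and "b" both match "b".
        have = {g.strip("/").split("/")[-1] for g in user.get("groups", [])}
        findings += [f"{name}: not in {g}" for g in want - have]
        findings += [f"{name}: unexpected group {g}" for g in have - want]
        roles = set(user.get("clientRoles", {}).get("realm-management", []))
        findings += [f"{name}: missing role {r}" for r in EXPECTED_ROLES - roles]
        findings += [f"{name}: extra role {r}" for r in roles - EXPECTED_ROLES]
    return sorted(findings)

def _u(name, group, roles=("view-users",)):
    """Build one constructed user record in the assumed export shape."""
    return {"username": name, "groups": ["/" + group],
            "clientRoles": {"realm-management": list(roles)}}

# Constructed sample, not from a real realm: dev1 holds an extra role,
# dev3 sits in the wrong group, and dev4 was never created.
SAMPLE = {"users": [
    _u("admin1", "cluster-admin-group1"),
    _u("admin2", "cluster-admin-group2"),
    _u("dev1", "senior-dev-group", ("view-users", "manage-users")),
    _u("dev2", "senior-dev-group"),
    _u("dev3", "senior-dev-group"),
    _u("superadmin", "super-admin-group"),
]}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "all users match the plan")
```

The check covers roles assigned directly to a user only; roles a user inherits through group role mappings are not part of the user record it reads.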
Now switch to the Rancher UI and add all Keycloak groups as shown below
cluster-admin-group1
cluster-admin-group2
senior-dev-group
junior-dev-group
super-admin-group
Click on the Save button
We will now log in to Rancher with all the Keycloak users we created
The URL for accessing SUSE Rancher has already been shared by email; copy and paste it into your favorite browser window.
You will now notice in the UI that you are presented with two options to authenticate in Rancher
- Use a Local user
- Log in with Keycloak
Since we need to check authentication of the newly created Keycloak users, we will use option 2, "Log in with Keycloak"
On clicking "Log in with Keycloak" you will automatically be routed to the Keycloak URL and presented with the Keycloak login page
In the example below we log in with the "superadmin" user and its credentials
You will be prompted to reset the password
Upon successful login you will be routed back to the Rancher UI
If you explore the UI, you will notice that many Rancher features and any downstream clusters, which are typically visible to a Rancher admin, are not shown
Log out from this session.
Log in with the rest of the users created in Keycloak by following the above steps
admin1, admin2, dev1, dev2, dev3, dev4, superadmin
We have now successfully logged in with all the above Keycloak users
The next step is to verify that all the Keycloak users are reflected in Rancher's local database
For this, log in as the "admin" user using the Log in with Keycloak option and the credentials set in the above steps
Navigate to Home > Configuration > Users & Authentication > Users
You can now see that all Keycloak users are listed with the provider "Keycloak" in Rancher.
With this, we have successfully completed all required steps in Exercise 4: Create Keycloak User and Groups.
We are ready to move on to Exercise 5: Rancher Roles & Assignment