[Hawkular-dev] Default user, or alternative realm file?

Alexandre Mendonca amendonc at redhat.com
Wed Mar 11 13:29:05 EDT 2015


The alternative of a file to be copied over would be used mostly for development, where after building we would copy it over so that after each rebuild it's not needed to go through the registration process.

But, I think if the credentials are preset to admin/admin, needing to be changed on first login (with whichever strength enforcement we decide on and Keycloak supports) along with the email address, it would be safe. The only possibility of an attacker logging in with default credentials would be for a never-configured installation, and for that, even the Keycloak "master" realm is exposed to the same risk.

Actually, thinking of it, the "master" realm situation is dangerous: if a user never needs to log in directly to it, he may leave it in an "unconfigured" state, where it can be accessed later by an attacker.

So I vote for option 1. And we need to figure out a solution for also forcing the user to change the default admin/admin of the "master" realm.


Alexandre

----- Original Message -----
From: "Thomas Heute" <theute at redhat.com>
To: jpkroehling at redhat.com, hawkular-dev at lists.jboss.org
Sent: Wednesday, March 11, 2015 4:55:27 PM
Subject: Re: [Hawkular-dev] Default user, or alternative realm file?

Not sure I understand the alternatives, but I have comments:
     - Having 'admin' or 'root' for a super user IMO simplifies 
documentation/usage. (I can imagine that a user could forget what 
username he chose as superadmin, for instance.)
     - We need to force "complex passwords"; this is actually a product 
requirement.
     - Copying a file is a step that needs to be documented and is 
unfriendly, and either you need to encode the password (some tool like for 
Wildfly) or, worse, have the password in clear in a file for import.

So I am a +1 on setting up the superuser password on first request as 
default. An alternative with a preset file (if present) would be welcome 
for those who are afraid of first request hijacking.

Thomas




On 03/11/2015 05:26 PM, Juraci Paixão Kröhling wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> All,
>
> Alexandre (and others) asked about the possibility of adding a default
> user on Keycloak for the Hawkular realm.
>
> While adding a default user with the requirement of changing the
> password on the first login is a possibility, I'd rather have an
> alternative realm file to import during first boot.
>
> This means: a dev (or user) has to actively copy this JSON file into
> standalone/configuration in order to have a default user.
>
> The idea is that we wouldn't ship with a default username/password on
> the main distribution. Having a default username is usually not
> recommended from the security perspective, as it's half of the
> information required to login with super power rights (and you would
> be surprised to know how many admins set their passwords to "admin").
>
> Given these two alternatives, which one would you prefer? Voting is
> open and I'll take the results on Monday 9am CET (08:00 UTC).
>
> [ ] Default user on the main realm JSON file that will ship with Kettle
> [ ] Alternate JSON realm file with a default user, which can be copied
> over the default JSON realm file.
>
> - - Juca.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQEcBAEBAgAGBQJVAGy2AAoJECKM1e+fkPrXIkMH/jyS4BIJCpcIntF12G6+Ofai
> IaxuopgbS6rDqNnemABBQhb14Kd1mJelAz8/xnyFQsjHtzV3BZr4cqJqgC4vMpkX
> cuCQWqmz5v3nTFsoxYjFXNMK2FR/K6srG/N95eg0/vO+pXVOmC5Fy8FSE1h2cUmh
> 9yL1Zd8hR28xV8JDQgnRulmAsE4INY3QhpzaBpVnJczZKSsM54Hq4mDEQx5Wmr+i
> k1PE9sdcysoWXmjqHSpR4cG4HNHKZXkbaBWubpaFzrI40ZkGiYVg5Vg//LqPtvQe
> G16+/HNo4cgUw0HBbiVUvcXTRE3k2y/UFWVw9laQxZrAadl9Byr/7B4PnRcZxEw=
> =G8QS
> -----END PGP SIGNATURE-----
> _______________________________________________
> hawkular-dev mailing list
> hawkular-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/hawkular-dev

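The two conditions the thread attaches to option 1 (a preset admin/admin that must be changed on first login, plus an enforced password policy) can be checked mechanically against the realm JSON before it ships. The following script is an added example, not Hawkular or Keycloak code: it lints a realm export for users that carry a preset password without the UPDATE_PASSWORD required action and for a realm with no passwordPolicy, and applies the fix the thread proposes. The sample realm is constructed; the field names (realm, passwordPolicy, users[].credentials, users[].requiredActions) follow Keycloak's realm representation, while the usernames, password values and the specific policy string are assumptions.

```python
"""Lint a Keycloak realm export for shipped default users (added example)."""
import json

# Constructed sample of a Keycloak realm export, in the shape that would be
# imported at first boot. The values are made up for this example.
SAMPLE_REALM = json.dumps({
    "realm": "hawkular",
    "passwordPolicy": "",
    "users": [
        {
            "username": "admin",
            "enabled": True,
            "credentials": [{"type": "password", "value": "admin"}],
            "requiredActions": [],
        },
        {
            "username": "jdoe",
            "enabled": True,
            "credentials": [{"type": "password", "value": "example-only"}],
            "requiredActions": ["UPDATE_PASSWORD"],
        },
    ],
})

# Policy string in Keycloak's "name(arg) and name(arg)" syntax. The exact
# strength requirement is an assumption; the thread leaves it to be decided.
DEFAULT_POLICY = "length(8) and digits(1) and upperCase(1) and specialChars(1)"


def _password_credentials(user):
    """Credentials of type 'password' preset in the export for this user."""
    return [c for c in user.get("credentials", []) if c.get("type") == "password"]


def lint_realm(realm_json):
    """Return a list of findings for a realm that ships preset passwords.

    A preset password is only acceptable if the realm forces a change on
    first login (UPDATE_PASSWORD) and enforces a password policy, which is
    the option-1 design argued for in the thread.
    """
    realm = json.loads(realm_json)
    findings = []
    if not realm.get("passwordPolicy"):
        findings.append("realm %s: no passwordPolicy set" % realm.get("realm"))
    for user in realm.get("users", []):
        if not user.get("enabled", True) or not _password_credentials(user):
            continue  # disabled or password-less users cannot be logged into
        if "UPDATE_PASSWORD" not in user.get("requiredActions", []):
            findings.append(
                "user %s: preset password without UPDATE_PASSWORD" % user["username"])
    return findings


def harden_realm(realm_json, policy=DEFAULT_POLICY):
    """Return a copy of the realm with the fix the thread proposes applied.

    Every user with a preset password is forced to change it and to update
    the profile (email address) on first login, and a password policy is
    set if the realm has none.
    """
    realm = json.loads(realm_json)
    if not realm.get("passwordPolicy"):
        realm["passwordPolicy"] = policy
    for user in realm.get("users", []):
        if not _password_credentials(user):
            continue
        actions = list(user.get("requiredActions", []))
        for action in ("UPDATE_PASSWORD", "UPDATE_PROFILE"):
            if action not in actions:
                actions.append(action)
        user["requiredActions"] = actions
    return json.dumps(realm, indent=2)


if __name__ == "__main__":
    for finding in lint_realm(SAMPLE_REALM):
        print("FINDING:", finding)
    print(harden_realm(SAMPLE_REALM))
```

Running the script against the constructed realm reports the missing policy and the admin user's unrotated default; after `harden_realm` the lint is clean. Note that this only addresses the Hawkular realm file: the Keycloak "master" realm that Alexandre worries about is created by Keycloak itself and is not covered by a realm import.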