[Hawkular-dev] Default user, or alternative realm file?

Thomas Heute theute at redhat.com
Thu Mar 12 04:31:02 EDT 2015


On 03/11/2015 08:20 PM, Juraci Paixão Kröhling wrote:
> On 03/11/2015 05:55 PM, Thomas Heute wrote:
>> Not sure I understand the alternatives, but I have comments:
>> - Having 'admin' or 'root' for a super user IMO simplifies
>> documentation/usage. (I can imagine that a user could forget what
>> username he chose as superadmin, for instance).
> I don't think we have a "super user" or "root". Do we actually need one?
OK, we just discussed that on IRC. For the record, I was afraid that
an admin would lock himself out by removing his own grants accidentally.

There are "owners" of resources, so they can't remove particular
privileges unless they transfer full ownership. (They are superusers of
their resources.)

What is not yet defined is what happens when a user is deleted (who gets
control).

>> - We need to force "complex passwords", this is actually a product
>> requirement
> That could be enforced on Keycloak, via the same realm configuration
> file. I'll take a look at how to configure that and will add. Do you
> have a definition of "complex password"?
Same as the default rules when you add an admin user in EAP:
Password requirements are listed below. To modify these restrictions
edit the add-user.properties configuration file.
  - The password must not be one of the following restricted values
    {root, admin, administrator}
  - The password must contain at least 8 characters, 1 alphabetic
    character(s), 1 digit(s), 1 non-alphanumeric symbol(s)
  - The password must be different from the username
>> - Copying a file is a step that needs to be documented and is
>> unfriendly + either you need to encode the password (some tool like
>> for Wildfly) or worse have the password in clear in a file for
>> import.
> Note that, right now, no file needs to be copied: we ship with a realm
> template that does not contain any users. Opening the console when not
> logged in presents the user with the login screen. If the user is not
> registered yet, said user can self-register. This step (self-register)
> is what is being questioned here: it's a PITA to self-register every
> time a new build is done locally. So, to prevent self-registration, we
> could ship with a default user.
>
> In fact, I think we might have a third option: use the "dev" maven
> profile to determine which realm template to use. If the "dev" profile
> is active, then we can use the realm with a default user. Otherwise,
> no default users.
I quite like this idea; I would let developers comment on whether that's
satisfactory.

Thomas
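The EAP add-user rules listed in this message, written out as a standalone validator so the policy can be checked against sample inputs. This is an added example, not code from the thread, from Hawkular, Keycloak or EAP; the function and constant names are invented here, and the case-insensitive comparisons are an assumption that is slightly stricter than the rules as quoted.

```python
# Validator for the default EAP add-user password rules quoted in the thread.
# Added example; not code from Hawkular, Keycloak or EAP. Names are invented
# here; the case-insensitive checks are an assumption (stricter than quoted).
from typing import List

RESTRICTED_VALUES = {"root", "admin", "administrator"}
MIN_LENGTH = 8
MIN_ALPHA = 1     # alphabetic characters
MIN_DIGITS = 1    # digits
MIN_SYMBOLS = 1   # non-alphanumeric symbols (whitespace counts as a symbol here)


def password_violations(username: str, password: str) -> List[str]:
    """Return the rules the password breaks; an empty list means it passes."""
    violations = []
    # Rule 1: not one of the restricted values (case-insensitive: assumption).
    if password.lower() in RESTRICTED_VALUES:
        violations.append("password is a restricted value (root, admin, administrator)")
    # Rule 2: minimum length and per-character-class minimums.
    if len(password) < MIN_LENGTH:
        violations.append(f"fewer than {MIN_LENGTH} characters")
    alpha = sum(1 for c in password if c.isalpha())
    digits = sum(1 for c in password if c.isdigit())
    symbols = sum(1 for c in password if not c.isalnum())
    if alpha < MIN_ALPHA:
        violations.append(f"fewer than {MIN_ALPHA} alphabetic character(s)")
    if digits < MIN_DIGITS:
        violations.append(f"fewer than {MIN_DIGITS} digit(s)")
    if symbols < MIN_SYMBOLS:
        violations.append(f"fewer than {MIN_SYMBOLS} non-alphanumeric symbol(s)")
    # Rule 3: different from the username (case-insensitive: assumption).
    if password.lower() == username.lower():
        violations.append("password is the same as the username")
    return violations


def is_acceptable(username: str, password: str) -> bool:
    return not password_violations(username, password)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for user, pw in [("jdoe", "admin"), ("jdoe", "jdoe"),
                     ("jdoe", "Password123"), ("jdoe", "Hawkular-2015")]:
        print(f"{user!r}/{pw!r}: {password_violations(user, pw) or 'OK'}")
```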


>
> - Juca.