[keycloak-user] Admin's password override

Stian Thorgersen stian at redhat.com
Wed Mar 18 04:31:33 EDT 2015



----- Original Message -----
> From: "Juraci Paixão Kröhling" <juraci at kroehling.de>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Wednesday, March 18, 2015 9:15:55 AM
> Subject: Re: [keycloak-user] Admin's password override
> 
> On 03/18/2015 05:07 AM, Stian Thorgersen wrote:
> >> Sounds a bit hackish to me ;)
> 
> Indeed :)
> 
> >> Why not just use the same user for the Hawkular admin console?
> >> That way they'll change the password when they login to Hawkular
> >> for the first time.
> 
> Each Hawkular user is an "account", that has "tenancy" semantics. So,
> there's no notion of "admin" for Hawkular yet, and we are not
> convinced we need one. Perhaps that will change in the future, and if
> so, this would certainly be an option.
> 
> But I'm not sure what you are suggesting: to use the "master" realm as
> the realm for Hawkular? Or to create a user on "hawkular" realm and
> assign this user as an "admin" on the master realm? Wouldn't it mean
> that there would be two users?

Interesting, who can create a tenant then? Do you not need an admin for that?

> 
> >> An alternative is that we need to support a way to recover the
> >> admin password if it's lost. Would be a script or something that
> >> can only be used locally. With that you could just set the
> >> Keycloak admin password to something random.
> 
> Agree on the first two parts, but what would be a good way to
> accomplish the third part (when to do it, and how to do it)? On first
> boot?

Think this is something we'll need to figure out for KC in either case. We need to be able to provision KC instances in the cloud without default username/passwords I reckon. Also, we do need the recover password option.

Do you reckon that users of Hawkular will use the KC admin console at all? If not then just set the password to something random with the mechanism Marek pointed out.

> 
> - - Juca.
