User management and permissions¶
Assigning access and permissions to individual users can be too fine-grained and cumbersome for organizations to manage, so Anaconda Server enables you to assign access permissions to specific roles.
Understanding roles and permissions¶
Use roles to authorize individual users or groups of users to perform specific actions. Default roles allow you to automatically assign user role mappings when any user is newly created or imported (for example, through LDAP).
Default user roles¶
By default, Anaconda Server contains the following preconfigured roles for the dev realm.
- Admin — a user who, in addition to managing all content, can manage mirrors and CVE data
- Author — an authenticated user who can create channels
- Everyone — a non-authenticated user
Permission categories¶
Within the Anaconda Server UI, any role created in Keycloak can be assigned these permission categories. Each of these supports read/write admin values.
- channel
- channel.default-channel (managing default channel)
- channel.group (managing channel groups)
- channel.mirror (managing channel mirror)
- subchannel
- subchannel.group
- subchannel.mirror
- artifact
- cve
- roles
Each possible permission category can be assigned the value of read, write, manage, or none.
- read — provides the ability to view the resource
- write — provides the ability to view and create the resource
- manage — provides the ability to view, create, and edit the resource
- none — denies the ability to view, create, or edit the resource
Editing default permissions¶
It is possible to edit default permission settings for everyone and author roles. It is not possible to edit default settings for the admin role.
For example, you can grant CVE access to authors by switching user permissions for CVE from None to Manage in the User Management dashboard.
Creating custom roles¶
To create a custom role, you must first create and map the role in Keycloak.
Accessing the Keycloak administration console¶
Follow these steps to access the Keycloak administration console:
Click on the My account button in the top right.
In the dropdown, under Admin, select User Management.
On the User Management screen, click the Manage Users button. You will be directed to the Keycloak login screen.
The default admin username is admin, and the admin password can be found in the installer output (an example of which is shown in the Installing with root access section of the install instructions). The installer will generate a random password for this user.
Alternatively, you can use <DOMAIN>/auth/admin to reach the Keycloak admin login page.
Additional guides for Keycloak:
Creating new roles in Keycloak¶
Follow these steps to create a new role in Keycloak:
To create a new role, click Add Role on the Realm Roles tab.
Enter a name and description of the role, and click Save.
Note
Roles can be assigned to users automatically or require an explicit request. If a user has to explicitly request a realm role, enable the Scope Param Required switch. The role must then be specified using the scope parameter when requesting a token.
The new role is now available to be used as a default role.
Setting and removing admin roles in Keycloak¶
Follow these steps to set or remove the admin role for an Anaconda Server user:
In Keycloak, under Manage, navigate to the Users page.
Go to the Role Mappings tab.
To set the admin role: Under Available Roles, select admin and click Add selected.
To remove the admin role: Under Assigned Roles, select the user and click Remove selected.
Log in again and check the available actions.
View existing users in Keycloak¶
Follow these steps to view a list of existing users currently present in Anaconda Server:
- Log in to Keycloak as the admin user.
- Select DEV realm.
- In the Manage menu on the left, click Users.
- On the Lookup tab, click View all users to list every user in the system, or search the user database for all users that match the criteria you enter, based on their first name, last name, or email address.
Note
This will search the local user database and not the federated database (such as LDAP) because not all external identity provider systems include a way to page through users. If you want users from a federated database to be synced into the local database, select User Federation in the Configure menu on the left, and adjust the Sync Settings for your user federation provider.
Create a user in Keycloak¶
Follow these steps to create a user:
In Keycloak, go to the Users section on the left.
Click Add user and specify a user name—and optionally provide values for the other fields—before clicking Save.
Enter the username and ensure Email Verified is ON. User names containing unicode characters—special characters, punctuation, symbols, spaces—are not permitted.
Click Save, then navigate to the Credentials tab.
Ensure Temporary is OFF.
Click Set Password.
Add a new master realm admin user¶
To add an additional admin user to the master realm, complete the following steps:
Open a terminal and connect to your Anaconda Server instance.
Exec into the Keycloak Docker container by running the following command:
# Replace <INSTALLER_DIRECTORY> with your keycloak container ID
docker exec -it <INSTALLER_DIRECTORY>_keycloak_1 /bin/bash
Log in to your Keycloak admin console by running the following command:
/opt/keycloak/bin/kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin
Enter your admin password when prompted.
Create your new admin user by running the following command:
# Replace <USERNAME> with the new admin's username
/opt/keycloak/bin/kcadm.sh create users --server "http://localhost:8080/auth" -r master -s username=<USERNAME> -s enabled=true
Set a password for the new admin user by running the following command:
# Replace <USERNAME> with the new admin's username
# Replace <PASSWORD> with a password for the new admin user
/opt/keycloak/bin/kcadm.sh set-password -r master --username <USERNAME> --new-password <PASSWORD>
Assign role permissions to the new admin user by running the following command:
# Replace <USERNAME> with the new admin's username
/opt/keycloak/bin/kcadm.sh add-roles --uusername <USERNAME> --rolename admin -r master
Log in to Keycloak using the newly created admin credentials from the following URL:
# Replace <FQDN> with your Anaconda Server fully qualified domain name
https://<FQDN>/auth/admin/master/console
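After adding or removing admin role mappings as described above, it is worth confirming who actually holds the role by comparing the current holders against an approved list. The following is an added example, not part of the Anaconda Server documentation; the function names, the approved-list file, and the `roles/<role>/users` query through `kcadm.sh get` are assumptions, and it expects the kcadm session already authenticated with `config credentials` as shown earlier.

```shell
#!/bin/sh
# Added example: audit who holds a realm role after changing role mappings.
# Assumes an authenticated kcadm session (config credentials, as above).
KCADM=${KCADM:-/opt/keycloak/bin/kcadm.sh}

# role_holders REALM ROLE: print one username per line.
# Assumption: the role-members resource roles/<role>/users is queried via "get".
role_holders() {
  "$KCADM" get "roles/$2/users" -r "$1" --fields username --format csv --noquotes
}

# unexpected_holders FILE: read usernames on stdin and print those that are
# not in the approved list FILE (blank lines and '#' comments are ignored).
unexpected_holders() {
  approved=$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | sort -u)
  tr -d '\r' | sort -u | while IFS= read -r user; do
    [ -z "$user" ] && continue
    printf '%s\n' "$approved" | grep -qxF -- "$user" || printf '%s\n' "$user"
  done
}

# audit_role REALM ROLE FILE: 0 = only approved holders, 1 = unapproved
# holder found, 2 = kcadm failed (fail closed instead of reporting "clean").
audit_role() {
  holders=$(role_holders "$1" "$2") || return 2
  extra=$(printf '%s\n' "$holders" | unexpected_holders "$3")
  [ -z "$extra" ] && return 0
  printf '%s\n' "$extra" | while IFS= read -r u; do
    echo "unapproved $2 holder in realm $1: $u" >&2
  done
  return 1
}

# Constructed sample data: two approved admins plus one extra role holder.
demo_audit() {
  list=$(mktemp)
  printf '# approved master-realm admins\nadmin\nalice\n' > "$list"
  printf 'admin\nalice\nsvc-backup\n' | unexpected_holders "$list"
  rm -f "$list"
}
```

Inside the Keycloak container, `audit_role master admin approved-admins.txt` (the file name is a placeholder) exits non-zero when a role holder is not on the approved list or when kcadm itself fails.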
Adding and editing user roles in Anaconda Server¶
Once roles have been mapped in Keycloak, you can manage users in Anaconda Server.
Click on the My account button in the top right.
In the dropdown, under Admin, select User Management.
On the User Management screen, you can see the User Roles table listing the current roles. Click on a role to edit it, or click the + icon to add a new role. You can also delete a role by clicking the x icon. This will prompt a window to confirm the deletion.