Keycloak Configuration
As a part of some NVIDIA AI Workflows, Keycloak is used to provide authentication and authorization functionality to the services in the workflow. To do so, we will need to configure Keycloak as required for each service. Step-by-step instructions are provided below for a Keycloak Admin to create a user and a client.
- Users
- Realm
- Clients
- Roles
Users are entities that can log into your system. They can have attributes associated with themselves like email, username, address, phone number, and birthday. They can be assigned group membership and have specific roles assigned to them.
A realm manages users, credentials, roles, and groups. A user belongs to and logs into a realm. Realms are isolated from one another and can only manage and authenticate the users they control. An admin can create and manage multiple realms.
Clients are entities that can request Keycloak to authenticate a user. Most often, clients are applications and services that want to use Keycloak to secure themselves and provide a single sign-on solution. Clients can also be entities that want to request identity information or an access token to securely invoke other services on the network that are secured by Keycloak.
Roles identify a type or category of user. Admin, user, manager, and employee are all typical roles that may exist in an organization. Applications often assign access and permissions to specific roles rather than individual users, as dealing with users can be too fine-grained and hard to manage.
Note these six values as you go through the steps below; an example of each is given below:
client-id
client-secret
Realm Name
Username
Password
token_endpoint
Example
client-id: ai-workflow-client
client-secret: <keycloak-generated secret>
Realm Name: ai-workflows
Username: nvidia
Password: <user defined password>
token_endpoint: https://auth.your.domainname.com/realms/ai-workflows/protocol/openid-connect/token
Sign in to your Keycloak URL. On your system with the add-on pack installed, it is going to be https://auth.your-cluster.your-domain.com.
Click on the Administration Console and log in. The standard admin username is admin. To get the password, run the following command on your Cloud Native Stack instance:
kubectl -n nvidia-platform get secret keycloak-initial-admin -o json | jq -r '.data.password' | base64 -d
You will need jq installed. If the command above fails because jq is missing, install it with:
sudo apt install jq # version 1.6-1ubuntu0.20.04.1
After logging in to the instance, go through the following steps:
Click on the drop-down in the top left-hand corner under Master and click on Create Realm.
Enter the realm name ai-workflows and click on Create.
Next, we create a user. To create a user, click on Users, then click the Create new user button.
Fill in the required fields and then click on Create.
Set a password for the created user, by going to the Credentials tab and clicking the Set password button. Be sure to turn the Temporary field off.
Click on Clients, then click on Create client.
Fill out the client ID, then click Next.
Enable Client authentication and click on Save.
Go to the Credentials tab and grab the Client ID (entered in the previous step) and the Client secret.
Go to the Advanced tab, scroll down and change the Authentication flow overrides to match the image below. Click the Save button to save your changes.
Click on Realm roles and then on Create role.
Create two roles: admin and user.
Now we need to map these roles to the users. Go to Users, select the user you previously created, and then the Role mapping tab.
Now click on Assign role and select the roles you have created previously and click on Assign.
The access token for Keycloak authentication expires in 5 minutes by default. Typically, this is too short for the workflow. To increase the access token lifetime, navigate to Realm settings, then click the Sessions tab. Increase the SSO timeout to 30 hrs, as shown in the image below, then click on the Save button.
Next, click on the Tokens tab and increase the access token lifespan to 15 hrs as shown below, then click on the Save button.
Save the token endpoint by going to the General tab under Realm Settings and clicking OpenID Endpoint Configuration. The token_endpoint value has the following form:
token_endpoint: https://auth.<your-domain-name>.com/realms/ai-workflows/protocol/openid-connect/token
Note down the six required values that were created in the previous steps (as in the example above), and return to the AI Workflow documentation to continue setting up the workflow and generate an access token from Keycloak to use within the workflow.
client-id
client-secret
Realm Name
Username
Password
token_endpoint
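The following is an added example, not part of the NVIDIA documentation, showing how the six values are used once they are noted down: it builds the OpenID Connect password-grant request against token_endpoint (client ID and secret are sent in the form body because Client authentication was enabled on the client) and then inspects the returned access token to confirm the lifetime set under Realm settings -> Tokens and the realm roles mapped to the user. It assumes the client's authentication flow overrides allow the direct access (password) grant, which the referenced image does not show here; the CONFIG values are the placeholders from the example above, and the sample token is constructed locally so the checks run offline.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed placeholder values: replace with the six values noted during setup.
CONFIG = {
    "client_id": "ai-workflow-client",
    "client_secret": "<keycloak-generated secret>",
    "realm": "ai-workflows",
    "username": "nvidia",
    "password": "<user defined password>",
    "token_endpoint": "https://auth.your.domainname.com/realms/ai-workflows/protocol/openid-connect/token",
}


def build_token_request(cfg):
    """Return (url, form-encoded body) for the OpenID Connect password grant.
    Assumes Direct access grants is enabled on the client; with Client
    authentication on, client_id and client_secret both go in the form body."""
    form = {
        "grant_type": "password",
        "client_id": cfg["client_id"],
        "client_secret": cfg["client_secret"],
        "username": cfg["username"],
        "password": cfg["password"],
    }
    return cfg["token_endpoint"], urllib.parse.urlencode(form).encode()


def fetch_token(cfg):
    """POST the request to Keycloak and return the parsed JSON response
    (access_token, expires_in, refresh_token, ...). Needs network access."""
    url, body = build_token_request(cfg)
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(access_token):
    """Decode the JWT payload WITHOUT verifying the signature. Suitable only for
    inspecting a token Keycloak just issued to you; any service that accepts
    tokens from callers must verify the signature against the realm's JWKS."""
    _header, payload, _signature = access_token.split(".")
    return json.loads(_b64url_decode(payload))


def token_lifetime_seconds(claims):
    """Lifetime as issued (exp - iat); compare with the Access Token Lifespan
    configured under Realm settings -> Tokens (15 hrs = 54000 seconds)."""
    return int(claims["exp"]) - int(claims["iat"])


def realm_roles(claims):
    """Realm roles mapped to the user (e.g. admin, user) as carried in the token."""
    return sorted(claims.get("realm_access", {}).get("roles", []))


def issued_for_realm(claims, token_endpoint):
    """Keycloak's issuer is the realm URL; the token endpoint hangs off it."""
    return token_endpoint == claims.get("iss", "") + "/protocol/openid-connect/token"


def make_sample_token(claims):
    """Build a JWT-shaped string from claims for offline testing. Constructed
    data only: the signature segment is a dummy, so any verifier rejects it."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "dummy-signature"])


if __name__ == "__main__":
    # Offline demonstration with a constructed token; call fetch_token(CONFIG)
    # instead once the real values are filled in.
    sample = make_sample_token({
        "iss": "https://auth.your.domainname.com/realms/ai-workflows",
        "iat": 1700000000, "exp": 1700000000 + 15 * 3600,
        "realm_access": {"roles": ["user", "admin"]},
    })
    claims = decode_claims(sample)
    print("lifetime (s):", token_lifetime_seconds(claims))
    print("roles:", realm_roles(claims))
    print("issuer matches endpoint:", issued_for_realm(claims, CONFIG["token_endpoint"]))
```

If token_lifetime_seconds reports 300 after the Tokens tab was changed, the realm edit was not saved or the token was issued by a different realm; issued_for_realm catches the second case by comparing the iss claim with the token_endpoint you noted down.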