Keycloak Configuration

As a part of some NVIDIA AI Workflows, Keycloak is used to provide authentication and authorization functionality to the services in the workflow. To do so, we will need to configure Keycloak as required for each service. Step-by-step instructions are provided below for a Keycloak Admin to create a user and a client.

Users

Users are entities that can log into your system. They can have attributes associated with themselves like email, username, address, phone number, and birthday. They can be assigned group membership and have specific roles assigned to them.

Realm

A realm manages users, credentials, roles, and groups. A user belongs to and logs into a realm. Realms are isolated from one another and can only manage and authenticate the users they control. An admin can create and access multiple realms.

Clients

Clients are entities that can request Keycloak to authenticate a user. Most often, clients are applications and services that want to use Keycloak to secure themselves and provide a single sign-on solution. Clients can also be entities that want to request identity information or an access token to securely invoke other services on the network that are secured by Keycloak.

Roles

Roles identify a type or category of user. Admin, user, manager, and employee are all typical roles that may exist in an organization. Applications often assign access and permissions to specific roles rather than individual users, as dealing with users can be too fine-grained and hard to manage.

Note the following six values as you go through the steps in the example below:

  • client-id

  • client-secret

  • Realm Name

  • Username

  • Password

  • token_endpoint

Example

  1. Sign in to your Keycloak URL. On a system with the add-on pack installed, this is https://auth.your-cluster.your-domain.com.

    image3.png

  2. Click on the Administration Console and log in. The standard admin username is admin. To get the password, run the following command on your Cloud Native Stack instance:


kubectl -n nvidia-platform get secret keycloak-initial-admin -o json | jq -r '.data.password' | base64 -d

Note

You will need jq installed. If the command above fails, install jq with this command:


sudo apt install jq # version 1.6-1ubuntu0.20.04.1

After logging in to the instance, go through the following steps:

  1. Click on the drop-down in the top left-hand corner under Master and click on Create Realm.

    image4.png

  2. Enter the realm name ai-workflows and click on create.

    image5.png

  1. Next, we create a user. To create a user, click on Users, then click the Create new user button.

    image6.png

  2. Fill in the required fields and then click on Create.

    image7.png

  3. Set a password for the created user by going to the Credentials tab and clicking the Set password button. Be sure to turn the Temporary field off.

    image8.png
    image9.png

  1. Click on Clients, then click on Create client.

    image10.png

  2. Fill out the client ID, then click Next.

    image11.png

  3. Enable Client authentication and click on Save.

    image12.png

  4. Go to the Credentials tab and grab the Client ID (entered in the previous step) and the Client secret.

    image13.png

  5. Go to the Advanced tab, scroll down and change the Authentication flow overrides to match the image below. Click the Save button to save your changes.

    image14.png

  1. Click on Realm roles and then on Create role.

    image15.png

  2. Create two roles, admin and user.

    image16.png
    image17.png

  3. Now we need to map these roles to the users. Go to Users, select the user you previously created, and then the Role mapping tab.

    image18.png

  4. Now click on Assign role and select the roles you have created previously and click on Assign.

    image19.png

  1. The access token for Keycloak authentication expires in 5 min. Typically, this is too short for the workflow. To increase the access token lifetime, navigate to Realm settings, then click the Sessions tab. Increase the SSO timeout to 30 hrs, as shown in the image below, then click on the Save button.

    image22.png

  2. Next, click on the Tokens tab and increase the access token lifespan to 15 hrs as shown below, then click on the Save button.

    image23.png

Save the token endpoint by going to the General tab under Realm Settings and clicking OpenID Endpoint Configuration.

image24.png

token_endpoint: https://auth.<your-domain-name>.com/realms/ai-workflows/protocol/openid-connect/token

image25.png

Note down the six required values that were created in the previous steps, and return to the AI Workflow documentation to continue setting up the workflow and generate an access token from Keycloak to use within the workflow.

  • client-id

  • client-secret

  • Realm Name

  • Username

  • Password

  • token_endpoint
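One way to check that the realm, roles and token lifespan configured above took effect is to inspect the claims of an access token issued for the new user. The following is an added example, not part of the original NVIDIA documentation; it assumes the workflow requests tokens with the OAuth 2.0 password grant, and the host auth.example.com and the sample token are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlencode

SUFFIX = "/protocol/openid-connect/token"

def token_request_body(client_id, client_secret, username, password):
    # Assumption: the six noted values are sent as a password-grant form body
    # in a POST to token_endpoint. urlencode escapes special characters.
    return urlencode({"grant_type": "password", "client_id": client_id,
                      "client_secret": client_secret, "username": username,
                      "password": password})

def issuer_from_token_endpoint(token_endpoint):
    # Keycloak's issuer is the realm URL, i.e. the endpoint minus the suffix.
    if not token_endpoint.endswith(SUFFIX):
        raise ValueError("not a Keycloak token endpoint")
    return token_endpoint[: -len(SUFFIX)]

def decode_claims(access_token):
    # Decodes the payload for inspection only; the signature is NOT verified.
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def check_claims(claims, token_endpoint, required_roles, max_lifetime_s):
    problems = []
    if claims.get("iss") != issuer_from_token_endpoint(token_endpoint):
        problems.append("issuer does not match realm")
    if claims.get("exp", 0) - claims.get("iat", 0) > max_lifetime_s:
        problems.append("lifetime exceeds configured lifespan")
    granted = set(claims.get("realm_access", {}).get("roles", []))
    for role in sorted(set(required_roles) - granted):
        problems.append(f"missing realm role: {role}")
    return problems

def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: a user in realm ai-workflows who was only given "user".
ENDPOINT = "https://auth.example.com/realms/ai-workflows" + SUFFIX
SAMPLE_TOKEN = ".".join([
    _b64({"alg": "RS256", "typ": "JWT"}),
    _b64({"iss": "https://auth.example.com/realms/ai-workflows",
          "iat": 1700000000, "exp": 1700000000 + 15 * 3600,
          "realm_access": {"roles": ["user"]}}),
    "c2ln"])  # placeholder signature

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    print(check_claims(claims, ENDPOINT, ["admin", "user"], 15 * 3600))
```

An empty list means the token carries the expected issuer, both realm roles, and a lifetime no longer than the 15 hrs set on the Tokens tab.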


© Copyright 2022-2023, NVIDIA. Last updated on Apr 27, 2023.