Skip to content

Commit

Permalink
feat: add user management (#76)
Browse files Browse the repository at this point in the history
  • Loading branch information
@srodenhuis
srodenhuis authored Nov 1, 2024
1 parent 9f5f165 commit c6322c9
Show file tree
Hide file tree
Showing 7 changed files with 148 additions and 90 deletions.
32 changes: 32 additions & 0 deletions docs/for-devs/console/usermgnt.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
---
slug: user-management
title: Team - User Management
sidebar_label: User Management
---

## About User Management

What you need to know about the User Management feature:

- Only platform administrators can create or delete users. Ask your Platform admin to create an account for a new Team member.
- Platform admin can assign users the Team admin role.
- Team admins can assign existing users to get access to the Team they administer.
- Team members are not able to see the User Management section in the menu.
- A password reset can only be performed by a Platform admin.

## Assinging Users to Teams

1. Select the `Team` view in the top bar and the Team that you would like to administer.

2. Search for the user you would like to make a member.

3. Select the `Assign to team <team-name>` checkbox.

4. Click on `Update Users`.

5. Click on `Deploy Changes`.





2 changes: 1 addition & 1 deletion docs/for-ops/console/dashboard.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ The platform dashboard gives a global overview of information most relevant for

## Prerequisites

The Platform dashboard uses the Platform Grafana and prometheus to get it's information from. Make sure both are enabled.
The Platform dashboard uses the Platform Grafana and Prometheus to get it's information from. Make sure both are enabled.

## Dashboard elements

Expand Down
1 change: 1 addition & 0 deletions docs/for-ops/console/overview.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ The Platform View provides access to:
- [Dashboard](dashboard.md): A global overview of cluster resource utilization and cluster resource request commitments.
- [Apps](apps.md): All active and inactive apps. Activate apps clicking on the power-on button.
- [Teams](teams.md): A list of all Teams.
- [User Management](usermgnt.md): Manage Users.
- [Projects](projects.md): A list of all Projects.
- [Builds](builds.md): A list of all Builds.
- [Workloads](workloads.md): A list of all Workloads.
Expand Down
79 changes: 79 additions & 0 deletions docs/for-ops/console/usermgnt.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
---
slug: user-management
title: Platform - User Management
sidebar_label: User Management
---

:::info
User Management will only be available when Keycloak is configured as the Identity Provider (default). When OIDC is configured, the User Management section will not be available.
:::

:::info
User Management can only be used to manage the users of the platform instance (single cluster).
:::

## About User Management

What you need to know about the User Management feature:

- Only Platform admins can create or delete users in the platform view.
- A Platform admins can assign users the role of `platform admin`, `Team admin` or `Team member`.
- Users can be created without assigning them directly to a Team.
- Team admins can assign users the role of Team member of the Team they administer.
- Team admins can not remove themselves from Teams they administer (this can only be done by the platform admin).
- Team admins can not remove other Team admins from their teams (this can only be done by the platform admin).
- Team admins can not add Platform admins to their Teams.
- Team members are not able to see the User Management section in the menu.
- Users are stored encrypted in the `values` repository `env/secrets.users.yaml` file.
- The initial login credentials of a new User can be copied from the platform view user management page by Platform admins only.
- Users’ passwords are not stored in the values repo (except initial password).
- A password reset can only be performed by a Platform admin. Password restest need to be done in the Keycloak app using the `otomi-admin` credentials. As an alternative Platform admin can also re-create a user.
- The User management feature follows the Single Source of Truth principle by referencing the `env/secrets.users.yaml` file in the `values` repository. If a new user is created directly in Keycloak, this user will be deleted at the next commit.
- Kubernetes secrets are used to pass user data between Pods, but there is a limit for user-defined variables. The maximum size of a user-defined environment variable is 32,767 characters. This limits the amount of users that can be created to around 200.

## Creating Users

1. Select the `Platform` view in the top bar.

2. Click on `User Management` in the left menu.

3. Click on `Create User`.

4. Fill in a unique `email` address and the first and last name of the new user.

5. Add the new user to the required groups:

- Select `Is platform admin` to add the user to the `Platform Administrators` group.
- Select `Is team admin` to add the user to the `Team Administrators` group. When the user becomes a Team admin, optionally also select the Teams the user is going to administer.
- Select a `Team` to add the user to the `team members` group.

6. Click `Submit`.

7. Click `Deploy Changes`.

8. In the list of Users, click on the `copy initial credentials to clipboard` icon.

9. Send the initial credentials to the new user.

The new user will be prompted to change the initial password at first login.

The following example shows how to create a user account and assign the user the `team-admin` role for the Team `Demo`:

![User Management](../../img/create-user.png)

## Assinging Users to Teams

1. Select the `Team` view in the top bar and the Team that you would like to administer.

2. Search for the user you would like to make a member.

3. Select the `Assign to team <team-name>` checkbox.

4. Click on `Update Users`.

5. Click on `Deploy Changes`.





117 changes: 30 additions & 87 deletions docs/get-started/installation/post-install-steps.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,19 +6,35 @@ sidebar_label: Post Installation Steps

Follow the post-installation steps after initial installation.

## Step 1: Get the log output of the installer job
## Step 1: Get the initial administrator credentials

When the installer job (in the default namespace) has finished, copy the URL and use the generated password from the bottom of the logs, sign in to the Console.
When the installer job (in the default namespace) has finished you can obtain the initial administrator credentials and sign in to the Console.

Use the following command to get the logs of the installer job:

```
kubectl logs jobs/apl -n default -f
```

At the end of the logs you should see the following message:

```bash
########################################################################################################################################
#
# The Application Platform console is available at https://console.${domainSuffix}
#
# Obtain login credentials by using the below commands:
# kubectl get secret platform-admin -n keycloak -o jsonpath='{.data.username}' | base64 -d
# kubectl get secret platform-admin -n keycloak -o jsonpath='{.data.password}' | base64 -d
#
########################################################################################################################################
```

Perform the 2 commands to get the initail credentails and use them to sign in to the Console. You will need to change your password at first login.

## Step 2 (optional): Add the auto generated CA to your keychain

When installed without DNS, a CA is automatically generated. The generated CA is not trusted on your local machine. Here are some options to prevent you from clicking away lots of security warning in your browser:
The generated CA is not trusted on your local machine when installed using Let's Encrypt `staging` certificates. Here are some options to prevent you from clicking away lots of security warning in your browser:

1. In the left menu of the console, click on "Download CA"
2. Double click the downloaded CA.crt or add the CA to your keychain on Mac using the following command:
Expand Down Expand Up @@ -46,49 +62,7 @@ But you could also run Chrome in insecure mode:
alias chrome-insecure='/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --ignore-certificate-errors --ignore-urlfetcher-cert-requests &> /dev/null'
```

## Step 3 (Optional): Create a new admin user

:::info
We strongly advise to not use the default `otomi-admin` account after activation and to not change the password. Store it somewhere safe and only use it in case absolutely required.
:::

Create a new user account in Keycloak and add the new user to the `otomi-admin` and `team-admin` group:

To create users in Keycloak, follow these steps:

1. Open the Keycloak app

2. Click on `Administration Console`.

3. Login with admin credentials (using `otomi-admin` user and password provided in the installer log or the `otomi.adminPassword` provided in the initial values).

4. Select the `Otomi` realm.

5. Click on `Users` then `Add user`.

6. Fill in a user name in the `Username` field.

7. Fill in your email address in the `Email` field.

8. Select `Email verified`.

9. Click `Join Groups`.

10. Add the user to the required group (otomi-admin).

11. Click `Create`.

12. Choose the `Credentials` tab and then `Set password`.

13. Fill in a password.

14. Optional: Make the password `Temporary`. This requires the user to change the password at the first login.

15. Click on "Save".

16. Click `Save password`.

## Step 4 (Optional): Add the URL of the Kubernetes API
## Step 3 (Optional): Add the URL of the Kubernetes API

:::info
Adding the URL of the K8s cluster API is required by teams to be able to download the KUBECONFIG
Expand All @@ -104,7 +78,7 @@ Adding the URL of the K8s cluster API is required by teams to be able to downloa

5. Click on `Deploy Changes`.

## Step 5 (Optional): Configure Object Storage
## Step 4 (optional): Configure Object Storage

If you're planning on activating apps that can use Object Storage (like Loki, Harbor, Tempo, Velero), then first configure Object Storage. Check the table in Step 6 to see which App requires Object Storage configured.

Expand All @@ -129,7 +103,7 @@ When Linode is selected, create the buckets for the apps you are planning to use

5. Click on `Deploy Changes`.

## Step 6 (Optional): Add a Linode Personal Access Token to backup Persistent Volumes (Linode only)
## Step 5 (Optional): Add a Linode Personal Access Token to backup Persistent Volumes (Linode only)

To use the self-service feature to create backups of Persistent Volumes in Linode, first create a new Personal Access Token with Read/Write access for Volumes:

Expand Down Expand Up @@ -163,7 +137,7 @@ Then Add the Token:

When Object Storage is configured and an API Token is added, then activate the Velero App. You can now use the Backup self-service feature to create backup schedules to backup Persistent Volumes.

## Step 7 (Optional): Activate more Apps
## Step 6 (optional): Activate more Apps

Application Platform for LKE is a composable platform. Activate more Apps based on the required platform capabilities:

Expand All @@ -179,48 +153,17 @@ Application Platform for LKE is a composable platform. Activate more Apps based
| Database backups | CloudnativePG | Required |
<!-- | Long term retention of Logs, Metrics and Traces | Thanos | Required | -->

## Step 8: Create Teams
## Step 7: Create Teams

Create your first team. Follow the instructions [here](/docs/for-ops/console/teams#creating-a-team).

## Step 9: Create users and add them to a Team

Create users in Keycloak and add the users to a Team `Group` in Keycloak:

1. Open the Keycloak app

2. Click on `Administration Console`.

3. Login with admin credentials (using `otomi-admin` user and password provided in the installer log or the `otomi.adminPassword` provided in the initial values).

4. Select the `Otomi` realm.

5. Click on `Users` then `Add user`.

6. Fill in a user name in the `Username` field.

7. Fill in your email address in the `Email` field.

8. Select `Email verified`.

9. Click `Join Groups`.

10. Add the user to the required Team group (`team-<team-name>`).

11. Click `Create`.

12. Choose the `Credentials` tab and then `Set password`.

13. Fill in a password.

14. Optional: Make te password `Temporary`. This requires the user to change the password at the first login.

15. Click on "Save".

16. Click `Save password`.


## Step 8: Create users and add them to a Team

:::info
The option to create users and add them to Teams is not available when installed with [OIDC](oidc.md).
:::

Create Users and add them to a Team. Follow the instructions [here](/docs/for-ops/console/user-management)



Expand Down
Binary file added docs/img/create-user.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
7 changes: 5 additions & 2 deletions sidebar-docs.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -65,19 +65,22 @@ module.exports = {
"for-devs/console/netpols",
"for-devs/console/services",
"for-devs/console/security-policies",
"for-devs/console/usermgnt",
"for-devs/console/settings",
"for-devs/console/sealed-secrets",
"for-devs/console/shell",
"for-devs/console/settings",

],
},
],
"For Platform Admins": [
"For Platform Adminstrators": [
{
"Console - Platform View": [
"for-ops/console/overview",
"for-ops/console/dashboard",
"for-ops/console/apps",
"for-ops/console/teams",
"for-ops/console/usermgnt",
"for-ops/console/projects",
"for-ops/console/builds",
"for-ops/console/workloads",
Expand Down

0 comments on commit c6322c9

Please sign in to comment.