Default user administration
HCL DevOps Loop uses Keycloak (https://www.keycloak.org/) to manage and authenticate users. You can manage user access by logging in to the Keycloak instance that is installed with DevOps Loop.
Keycloak uses the concept of a realm to manage and authenticate users. When you install DevOps Loop, a realm called platform is created for you in Keycloak. All server users belong to this realm, and when they log in to DevOps Loop, they log in to that realm.
As an administrator, it is important to consider the following points about platform administration:
- To begin with, there is no administrator for DevOps Loop.
Such an administrator is required for accessing additional functions, which include claiming ownership of projects and unarchiving them. However, you can assign administrative privileges to any user. You must assign the privilege by adding the admin role to the user in Keycloak.
- You must add a user that you want to be the administrator in Keycloak by logging in to the Keycloak Admin Console at https://<fully-qualified-dns-name>/auth/.
Note: Do not use that admin user to perform non-administration tasks. Instead, add another user.
The default username for the Keycloak administrator is keycloak. The password is randomly generated when the software is installed. You can see the password by using the following kubectl command:
kubectl get secret -n <namespace> <helm name>-keycloak -o jsonpath="{.data.password}" | base64 --decode; echo
- After you add the user that you want to be the administrator for DevOps Loop, you must make that user the administrator.
In the Keycloak Admin Console, on the Users page, you can search and select the user that you want to make an administrator. Then, in the Groups tab, you can add the user to the Admins group.
- All users must have the Users group assigned to them to access DevOps Loop.
In the Keycloak Admin Console, on the Users page, you can search and select a user, and then in the Groups tab, you can add the user to the Users group.
For more information about assigning user roles, see Groups in the Keycloak documentation.
- Minimum password length is 8 characters
- Email verification of new users is turned off
- The Forgot Password feature is turned on by default, but no instructions are sent to the user to reset their password
- If you do not enable Keycloak to send instructions to reset a password, you must change forgotten user passwords yourself
You can review the following sections about changing the default authentication controls.
Email settings
The default status of the Forgot Password switch is ON in the devops-automation realm. However, as an administrator, you must enable Keycloak to send an email to the user with instructions to reset their password. If you want to verify an email, you must also enable Keycloak to send an email to the user to verify their email address.
You must provide SMTP server settings for Keycloak to send an email. After you log in to the Keycloak Admin Console, see Email Settings in the Keycloak documentation.
Then, to set up the email verification, see Forgot Password in the Keycloak documentation.
Password policy
The devops-automation realm has a password policy where the minimum length of a password is 8. As an administrator, you can update password policies in Keycloak.
After you log in to the Keycloak Admin Console, see Password Policies in the Keycloak documentation.
User password
When you create a user, you must create credentials for the user by clicking the Set password button in the Credentials tab. Then, you must share the username and password with the user. While setting the password, if the Temporary slider button is set to On, then the user must set a new password before logging in to the platform.
If you did not enable Keycloak to send instructions to a user about how to reset a password, you must use the Keycloak Admin Console to change their password for them.
After you log in to the Keycloak Admin Console, see User Credentials in the Keycloak documentation.
User deletion
When a user is inactive or no longer needs to access the platform, you can delete that user.
After you log in to the Keycloak Admin Console, see Deleting Users in the Keycloak documentation.
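A read-only audit of the rules described on this page (the Users group is required for access, the Admins group grants administration, the minimum password length is 8, and email verification is off by default), as an added example that is not part of the HCL documentation. It assumes the realm, user, and group JSON has already been exported from the Keycloak Admin REST API; the sample data and the function names are constructed for illustration.

```python
import json
import re

# Constructed sample data (not from a real server), shaped like the JSON the
# Keycloak Admin REST API returns for a realm, its users, and each user's groups.
REALM = json.loads('{"realm": "platform", "passwordPolicy": "length(8)", "verifyEmail": false}')
USERS = json.loads("""[
  {"id": "u1", "username": "alice", "enabled": true},
  {"id": "u2", "username": "bob",   "enabled": true},
  {"id": "u3", "username": "carol", "enabled": false},
  {"id": "u4", "username": "dave",  "enabled": true}
]""")
GROUPS_BY_USER = {  # user id -> list of group representations
    "u1": [{"name": "Users"}, {"name": "Admins"}],
    "u2": [{"name": "Users"}],
    "u3": [{"name": "Users"}, {"name": "Admins"}],
    "u4": [],
}

def min_password_length(realm):
    """Return N from the length(N) entry of the realm password policy, or None."""
    m = re.search(r"\blength\((\d+)\)", realm.get("passwordPolicy") or "")
    return int(m.group(1)) if m else None

def audit_access(realm, users, groups_by_user, required_length=8):
    """Compare exported realm state with the access rules described on this page."""
    report = {"admins": [], "disabled_admins": [], "no_users_group": [], "policy": []}
    for user in users:
        names = {g["name"] for g in groups_by_user.get(user["id"], [])}
        enabled = user.get("enabled", False)
        if "Admins" in names:
            # Disabled accounts that still hold Admins are candidates for deletion.
            (report["admins"] if enabled else report["disabled_admins"]).append(user["username"])
        if enabled and "Users" not in names:
            # Without the Users group the account cannot access DevOps Loop.
            report["no_users_group"].append(user["username"])
    length = min_password_length(realm)
    if length is None or length < required_length:
        report["policy"].append(f"minimum length is {length}, expected >= {required_length}")
    if not realm.get("verifyEmail", False):
        report["policy"].append("email verification is off")
    return report

if __name__ == "__main__":
    print(json.dumps(audit_access(REALM, USERS, GROUPS_BY_USER), indent=2))
```

The function only reads the exported JSON, so you can run it on a schedule and review the Admins list and any disabled administrators without changing anything in Keycloak.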
