Keycloak is the name of the open-source user management software that’s automatically deployed within QHub. It’s used to store the database of all users in your QHub instance, and can provide connectivity to other services such as GitHub/Auth0 single sign-on.
As with many user admin tools, in Keycloak you start with an initial login (
root) that has the ability to administer
and create new users. The
root user is a Keycloak-specific user. It can only be used to login and manage the Keycloak
identity management section of QHub. It’s not a user of the wider QHub data science platform.
Change Keycloak root password#
root’s password is generated by the
qhub init command. If you ran this command while following the steps under
Usage, you should have seen something like the following in your terminal output:
Securely generated default random password=<alphanumeric-string> for Keycloak root user
The init command also saves the root user password to your
qhub-config.yaml configuration file under the following
After the initial deployment, it is highly recommended that you change the Keycloak
root user password as soon as
NOTE: Once you change the root password you will not be able to add users from the command line
NOTE: From this point on, the
qhub-config.yamlhas no effect. If you redeploy QHub it will not reset the password back to the old one (or anything else that might be in the field in your YAML file). We strongly recommend you delete this field to prevent later confusion.
To change the
rootuser password, go to your QHub instance’s admin dashboard—e.g., something like https://myqhubsite.com/auth/admin/—and log in with the password provided.
From there, click on the ‘Root’ dropdown in the top right of the screen, and select ‘Manage account’.
Under ‘Account Security’ click ‘Signing In’.
In the Password section, click the ‘Update’ button. This will guide you through entering your existing root password, and then creating a new password.
Adding a QHub user#
You will need to add a QHub user in order to log in to your QHub platform. If you have chosen to use GitHub or Auth0 single-sign-on, you must ensure the value you enter in Keycloak under ‘Username’ exactly matches the usernames from GitHub or Auth0, respectively.
Add user using Keycloak console#
To add a QHub user from the web console for Keycloak, visit https://myqhubsite.com/auth/admin/. Log in using the
root, as shown above.
All QHub users will be part of the
qhub realm (a realm is a distinct identity provider and set of users in Keycloak).
NOTE: The root user alone is a member of the
qhub realm is selected by default, we strongly recommend leaving it as is.
Steps to create a new user:
Click ‘Users’ along the left-hand side of the page.
Click the ‘Add user’ button and you will see the new user form:
Fill out the three fields outlined above. These are ‘Username’, ‘Email’, and ‘Groups’. (We explain these fields below.) Then click save.
Username. Depending on the authentication provider selected (‘password’, ‘GitHub’ or ‘Auth0’), the values entered into the ‘Username’ field will differ slightly. The following table outlines those differences:
Email to login with
Once the ‘Username’ field is updated, please add a valid email address in the ‘Email’ field.
NOTE: Although not required, users may not be able to log in to Grafana if this field isn’t properly set.
Lastly, associate the user with one or more of the ‘Groups’. Out of the box, QHub is deployed with the following groups: ‘admin’, ‘analyst’, and ‘developer’ (see the Groups section below for more details).
Once the user is created, you can set a password.
NOTE: Not needed for GitHub/Auth0 based authentication.
It’s best to put the ‘Temporary’ toggle in the ‘OFF’ position. Otherwise the user will be forced to change the password on first login.
Add user from the command line#
To make adding users easier for new QHub deployments, there is a QHub command that can help.
NOTE: If you changed the initial_root_password for Keycloak this method will not work.
NOTE: This method is primarily used by developers as a quick workaround.
qhub keycloak -c qhub-config.yaml adduser <username> <password>
This will create a user
<username> with the initial password provided. Omit the password completely if you are using
GitHub or Auth0.
NOTE: This will also add the user to the ‘analyst’ group.
Login to QHub#
Your new user can now log in to the main QHub dashboard (not Keycloak’s admin console).
Visit https://myqhubsite.com/ (or whatever domain you have chosen for your QHub).
Click ‘Sign in with Keycloak’. This will take you to the login form:
If you chose GitHub or Auth0 login, click the ‘GitHub’ button to be taken to a GitHub login page and single-sign-on from there (as shown in the screenshot above). Otherwise, if you chose ‘Password’ based authentication, enter the username and password you chose when you added a user to QHub above.
Groups represent a collection of users that perform similar actions and therefore require similar permissions. By default, QHub is deployed with the following groups: ‘admin’, ‘developer’, ‘analyst’ and ‘viewer’ (in roughly descending order of power).
Access to QHub Resources
To create new groups or modify (or delete) existing groups, log in as
root and click ‘Groups’ on the left-hand side.
As an example, we create a new group named
conda-store-manager. This group will have administrator access to the
To create a new group, click ‘New’ in the upper-right hand corner. First, give the new group an appropriate name.
Then under ‘Role Mapping’, add the appropriate ‘Client Roles’ as needed; there should be no need to update the ‘Realm Roles’. In this example, the new group only has one mapped role however it’s possible to attached multiple ‘Client Roles’ to a single group.
In this example, the new group only has one mapped role (
conda_store_admin); however it’s possible to attached
multiple ‘Client Roles’ to a single group.
Once complete, return to the ‘Users’ section in the dashboard and add the relevant users to this newly created group.