User Authentication and Authorization

The page outlines how kdb Insights Enterprise uses Keycloak to authenticate users and service accounts across its interfaces.

Keycloak is an open-source identity and access management platform.

kdb Insights Enterprise uses Keycloak to provide features such as:

User authentication and authorization
Service account authentication and authorization
Role management
Single sign on (SSO) and identity brokering

This page relates to the information provided in this page.

Administration console

Keycloak is configured through the administration console.

You can access the Keycloak administration console at https://{INSIGHTS_HOSTNAME}/auth with the Keycloak administrator username and password.

The administrator username is defined in the Keycloak environment variables ConfigMap.

bash

Copy

kubectl get configmap -l app.kubernetes.io/name=keycloak

The administrator password is defined in the kxi-keycloak secret.

bash

Copy

kubectl get secret kxi-keycloak

Administration passwords

There are four passwords that are used to administer Keycloak, set during installation

Password	Description
admin-password	This is the password for the Keycloak administrator
management-password	This is the password for the WildFly management user
postgres-password	This is the password for the database superuser
password	This is the password for the database user that Keycloak uses

These are stored in two secrets called kxi-keycloak and kxi-postgresql.

Terminology

Here are some core terms to help you understand how kdb Insights Enterprise uses Keycloak.

Term	Details
authentication	Authentication is the act of verifying that a user is who they say they are.
authorization	Authorization determines what operations a user is allowed to perform.
clients	Clients are entities that can request Keycloak to authenticate a user or can authenticate themselves with Keycloak. kdb Insights Enterprise is a client of Keycloak.
groups	Groups manage groups of users and service accounts. Click here to see how to manage groups.
identity provider	An identity provider is a service that can authenticate a user. Keycloak is an identity provider.
identity brokering	Identity brokering is the process of using a different identity provider to authenticate users instead of Keycloak.
realm	A realm manages a set of users, roles and clients. Users and clients belong to a realm. When a user logs in, they log into a realm. Realms are isolated from each other, allowing Keycloak to manage distinct groups of users and clients.
roles	Roles define a type of user. kdb Insights Enterprise assigns permissions to specific roles that can then be assigned to users.
service accounts	Service accounts are associated with clients and allow roles and permissions to be assigned to clients for authorization. Click here to see how to manage service accounts.
users	Users are individuals that can log into kdb Insights Enterprise. Click here to see how to manage users.

For additional definitions see Keycloak core concepts and terms.

Realms

Keycloak is deployed as a dependency of kdb Insights Enterprise by default and the realm name is insights.

This realm contains all of the users, clients and roles.

To save resources, if you are deploying kdb Insights Enterprise multiple times in a cluster, you can use one shared Keycloak instance for all of the Insights deployments. In this case the realm name isinsights-<NAMESPACE>, where <NAMESPACE> is the Kubernetes namespace where kdb Insights Enterprise is deployed.

Read the shared Keycloak documentation for more information.

Set this variable to allow you to easily copy and paste any commands that reference it.

shell

Copy

export REALM_NAME=insights

Users and service accounts

Details on how to manage the users and service accounts are listed below:

Service accounts
Users
Groups of users and service accounts

Roles

kdb Insights Enterprise comes with a selection of preconfigured high level roles, these are:

Name	Role	Details
Views-only	`insights.role.viewer-dashboard`	This role allows a user read-only access to Views they're entitled to. They cannot see/access any other artifacts (databases, tables, pipelines, packages, queries.)
Viewer	`insights.role.viewer`	This role allows a user to view existing reports, pipelines and queries but not deploy, update or delete them. This role can view logs but cannot modify the logging level of the platform. This role also cannot export any contents from the system other than diagnostics.
Reporter	`insights.role.reporter`	This role extends the viewer role with the ability to modify log levels and export configuration from the platform. This role can also perform custom queries on the kdb Insights database.
Developer	`insights.role.developer`	This role extends the reporter role with the ability to deploy and teardown resources. This role can also create new pipelines, databases and views. This role can develop streaming applications but is unable to delete any persisted data within the system.
Maintainer	`insights.role.maintainer`	This role extends the developer role with the ability to delete any persisted data within the system.
Administrator	`insights.role.administrator`	This role includes all permissions, can view and edit all entitlements and is not subject to package entitlement enforcement.

Warning

To prevent an Administrator from being subject to data entitlement enforcement, make sure the insights.entitlements.admin role is explicitly assigned to them.

Configuring the realm

Configuring email

Keycloak sends emails to users to verify their email addresses and when they forget their passwords. To enable Keycloak to send emails, you need to provide Keycloak with your SMTP server settings.

In the administration console:

Click Realm settings in the menu.
Click the Email tab.
Enter the appropriate details.
Click Save.

To configure email at installation time use the values detailed in the Keycloak configuration section.

Configuring authentication

Password policies

kdb Insights Enterprise supports a wide range of password policies.

Read the configuration documentation for information on the default password policy and how to adjust it at installation time.

To change the password policy in the administration console:

Click Authentication in the menu.
Click the Policies tab.
Select the policy to add in the Add policy dropdown.
Enter a value that applies to the chosen policy.
Click Save.