User Management
Overview
Renku uses Keycloak as its identity provider. When Renku is installed, the init-keycloak-realms Kubernetes job automatically initialises the Renku realm in Keycloak and sets up the necessary accounts, roles, and permissions.
Administrative Access
Accessing Keycloak Admin Console
- Navigate to your Keycloak instance (at
https://<your-domain>/auth) - Click on "Administration Console"
- Log in with your admin credentials
- Select the Renku realm to manage users and roles
Default Admin Credentials
The default Keycloak admin username and password are stored in the keycloak-password-secret Kubernetes secret when Renku is installed. To retrieve these credentials run the commands below:
For the username:
kubectl get secret keycloak-password-secret -n renku -o jsonpath='{.data.KEYCLOAK_ADMIN}' | base64 -d
For the password:
kubectl get secret keycloak-password-secret -n renku -o jsonpath='{.data.KEYCLOAK_ADMIN_PASSWORD}' | base64 -d
Admin Role Assignment
Users with the renku-admin role can perform administrative tasks in Renku, including:
- Creating and managing resource pools
- Configuring platform integrations
Managing Renku Admin Users
To grant administrative privileges to additional users:
- Access the Keycloak Admin Console
- Navigate to the Renku realm
- Go to Users and select the target user
- In the Role Mapping tab, assign the
renku-adminrole
Managing Keycloak Admin Users
In addition to Renku-specific admin user, you may want to create additional Keycloak admin accounts for managing the identity provider itself.
Assigning someone to be a Keycloak admin gives them full access to every realm in the Keycloak deployment and the ability to create, impersonate and delete any user in any realm, as well as make any user a Renku admin. Use this with caution.
Note that making someone a Keycloak admin does not automatically make them a Renku admin or vice versa. The two roles are completely independent. But a Keycloak admin can impersonate a user that has the Renku admin role. In addition, Keycloak admins have the permission to assign the Renku admin role to themselves or any other user.
Creating Additional Keycloak Admins
- Access the Keycloak Admin Console with existing admin credentials
- Switch to the master realm (use the realm dropdown in the top-left)
- Go to Users and click Add user
- Fill in the required user details
- Set a password in the Credentials tab
- Click Save
Assigning Keycloak Admin Roles
- After creating the user, go to the Role Mapping tab
- Assign the
adminrole to the user.
Basic User Management Tasks
Deleting Users
To fully remove a user from both Keycloak and Renku:
Step 1: Get the User's Keycloak ID
- Access the Keycloak Admin Console
- Navigate to the Renku realm
- Go to Users and search for the user
- Click on the username to open their profile
- Copy the user ID from the URL or the user details (this is the Keycloak ID)
Step 2: Delete from Renku Platform
- Navigate to the Renku Swagger page (at
https://<your-domain>/swagger) - Use the user deletion endpoint with the Keycloak ID obtained in Step 1
- Execute the API call to remove the user from Renku's database
Step 3: Delete from Keycloak
- Return to the user's profile in Keycloak Admin Console
- Click Delete at the top of the user details page
- Confirm the deletion when prompted
Deleting only from Keycloak will not remove the user's data from Renku. Use both steps to ensure complete removal.
Disabling Users
To temporarily disable a user account without deleting it:
- Open the user's profile in the Keycloak Admin Console
- Toggle Enabled to
OFF - Click Save
Disabling a user does not invalidate existing valid tokens. The user will still have access to Renku until their tokens expire. However, they will not be able to launch new Renku sessions.
Resetting User Passwords
To reset a user's password:
- Navigate to the user's profile
- Go to the Credentials tab
- Click Reset Password
- Set a new temporary password
- Ensure Temporary is
ONto force password change on next login - Click Set Password
Other Keycloak Operations and Configuration
Please refer to the official Keycloak documentation for more guidance on managing users and configuring Keycloak.