Creating users and add roles for them
How to create users and add roles for them
Creating users and add roles for them
Overview
When a tenant is created in Cozy (starting with version 1.6.0), roles, RoleBindings and keycloak groups will automatically be created in the Kubernetes cluster.
To create a user, refer to the following documentation: Keycloak Admin Console Documentation
Assigning a Role to a User for a Tenant
Access Keycloak: To retrieve login credentials, check the secret by running the following command:
kubectl get secret keycloak-credentials -n cozy-keycloak -o yamlKeycloak Address: The Keycloak address will match the
publishing.hostvalue specified in your Platform Package. For example, if your Package includes:spec: components: platform: values: publishing: host: "infra.example.org"Then Keycloak will be available at:
keycloak.infra.example.org
If you are planning to integrate with external services either as clients or as IdPs, your Keycloak address needs to be publicly accessible and reachable by these services.
Configure Roles for Each Tenant in Cozy:
Cluster wide
cozystack-cluster-admin- Allow all.
cozystack-cluster-admin- Allow all in "" api group
- Allow all for helmreleases in helm.toolkit.fluxcd.io and apps.cozystack.io
Tenant wide
tenant-abc-view- Read-only access to resources from our API.
- Ability to view logs.
tenant-abc-use- All previous permissions
- VNC access for virtual machines.
tenant-abc-admin- All previous permissions
- Ability to delete pods, along with all permissions from
tenant-abc-use. - Ability to create, update, and delete resources from our API (excluding
tenant,monitoring,etcd,ingress).
tenant-abc-super-admin- All previous permissions
- Ability to create, update, and delete
tenant,monitoring,etcd, andingress.