The goal of this document is to describe how User Management (based on Keycloak) will be implemented in the UnifiedPush Server. Currently there is only one user (`admin`) created by default when installing UPS. Having the possibility to create multiple (non-admin) users via the Keycloak Admin Console is a must have. Some roles should also be introduced.

There will be two different roles in this first version:

- `admin`: There is a single `admin`, which is like the super user. The `admin` has read/write access to all Applications/Variants of the other users, including the possibility to send push messages. Besides accessing UPS features, the `admin` is the only user that is allowed to access the Keycloak Admin UI (e.g. to create new users).
- `developer`: It is possible to have multiple users that have the `developer` role. Each of them can create/read/update and delete only their own Applications/Variants. There is **NO** option to access the Keycloak Admin UI.
Role / action | CRUD | Reset App/Variant secrets | Send a push | Sees Apps/Variants of all users | Keycloak Admin UI |
---|---|---|---|---|---|
Admin | X | X | X | X | X |
Developer | X | X | X | | |
The `admin` can create new users using the Keycloak Admin UI:
http://aerogear.org/docs/unifiedpush/ups_userguide/server-administration/#_user_management

At creation, the user will have an initial password. When logging in for the first time, the newly created user will be prompted to change his password. This is a feature of Keycloak.

If a user wants to reset his password, he can do that in the Account Management section of the UnifiedPush Server: http://aerogear.org/docs/unifiedpush/ups_userguide/admin-ui/#_account_management
Currently the single user (`admin`) sees only his Applications and Variants:
https://github.com/aerogear/aerogear-unifiedpush-server/blob/master/jaxrs/src/main/java/org/jboss/aerogear/unifiedpush/rest/registry/applications/PushApplicationEndpoint.java#L88

This needs to be changed, as discussed in the Roles / Permissions section:

- `admin` sees all: the service should query all Applications/Variants if the role/username is `admin`.
- `developer` roles see only their own (as is the case today).
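As an added illustration (not code from the UnifiedPush project), the following JAX-RS endpoint sketch shows the role-aware query described above: the `admin` role lists everything, a `developer` only his own, and a single-item lookup re-checks ownership server-side. `PushApplicationService`, its `findAll`/`findAllForDeveloper`/`findById` methods and `PushApplication.getDeveloper()` are hypothetical names assumed for this example, and the role is assumed to be propagated from Keycloak as the container role `admin`.

```java
// Added example, not code from aerogear-unifiedpush-server. The service facade,
// its methods and the PushApplication type are hypothetical names chosen here;
// the "admin" role is assumed to be mapped from the Keycloak realm.
import java.util.List;
import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

@Path("/applications")
@Produces(MediaType.APPLICATION_JSON)
public class RoleAwareApplicationEndpoint {
    private static final String ADMIN_ROLE = "admin";
    @Inject
    private PushApplicationService service; // hypothetical service facade

    // Listing: the admin role sees every application, a developer only his own.
    @GET
    public Response listApplications(@Context SecurityContext sc) {
        List<PushApplication> apps = isAdmin(sc)
                ? service.findAll()
                : service.findAllForDeveloper(loginName(sc));
        return Response.ok(apps).build();
    }

    // Single lookup: a developer must not read another user's application just by
    // knowing its id, so ownership is enforced here and not only in the listing.
    @GET
    @Path("/{id}")
    public Response findApplication(@PathParam("id") String id, @Context SecurityContext sc) {
        PushApplication app = service.findById(id);
        if (app == null || (!isAdmin(sc) && !loginName(sc).equals(app.getDeveloper()))) {
            // Same answer for "missing" and "not yours": does not reveal which ids exist.
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        return Response.ok(app).build();
    }

    private static boolean isAdmin(SecurityContext sc) {
        return sc.isUserInRole(ADMIN_ROLE); // role supplied by the Keycloak adapter
    }

    private static String loginName(SecurityContext sc) {
        return sc.getUserPrincipal().getName();
    }
}
```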
Currently the `admin` user is the only user. It would be nice if, by default, there was already one `developer` user created when installing the UPS. However, this user should not be enabled by default. It would be nice if the `admin` had to explicitly enable it through the Keycloak Console.