Users

Stretchy Orchestrator distinguishes between two types of users: local and external. Local users are managed by Stretchy Orchestrator itself. External users are managed by an external identity provider (IdP) like Keycloak. You can connect any IdP that supports OpenID Connect to Stretchy Orchestrator. See the chapter about configuring external identity providers for how to enable them.

Initial Login

When starting for the first time, Orchestrator creates an initial login for a user named admin with administrator privileges. Its password is randomly generated and printed to Orchestrator’s log. The message looks as follows:

A user admin with the password 654d8db0-6631-455b-9e80-d953e7552080 has been created. Please change the password after the next login.

If you miss the log message and cannot recover it, either wipe the database or remove the respective row from the database table user. Stretchy Orchestrator will automatically recreate the user admin during the next restart if it does not exist.
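The following is an added example, not part of Stretchy Orchestrator or its documentation: a small Python script that finds the initial-login message in a log so the password can be recovered and so every place the secret was written can be identified. The message pattern is taken from the text above; the timestamp and level prefix, the second password and all function names are assumptions made for the example.

```python
import re

# Message format as shown in the documentation; the password is the
# non-space token that follows "with the password".
INITIAL_LOGIN = re.compile(
    r"A user (?P<user>\S+) with the password (?P<password>\S+) has been created\."
)

def find_initial_logins(lines):
    """Return (line_number, user, password) for every initial-login message."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = INITIAL_LOGIN.search(line)
        if match:
            hits.append((number, match["user"], match["password"]))
    return hits

def mask(secret, visible=4):
    """Keep only the first few characters so a report does not repeat the secret."""
    return secret[:visible] + "*" * max(len(secret) - visible, 0)

def report(lines):
    """Summarise hits. The user is only created when it does not exist, so the
    last message is the relevant one; earlier messages belong to admin records
    that were wiped or removed before a later restart."""
    hits = find_initial_logins(lines)
    return [
        {"line": n, "user": u, "password": mask(p), "latest": i == len(hits) - 1}
        for i, (n, u, p) in enumerate(hits)
    ]

# Constructed sample log: timestamps, levels and the second password are made up;
# the first message is the one shown in the documentation.
SAMPLE_LOG = """\
2024-01-10 09:00:01 INFO  Starting Orchestrator
2024-01-10 09:00:05 INFO  A user admin with the password 654d8db0-6631-455b-9e80-d953e7552080 has been created. Please change the password after the next login.
2024-02-02 14:30:00 INFO  Starting Orchestrator
2024-02-02 14:30:04 INFO  A user admin with the password 00000000-1111-2222-3333-444444444444 has been created. Please change the password after the next login.
""".splitlines()

if __name__ == "__main__":
    for entry in report(SAMPLE_LOG):
        print(entry)
```

Run it over every copy of the log, including forwarded or archived ones: each hit marks a place where the initial password is stored in clear text until it has been changed.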

Managing Local Users

Local users can be created and edited by any user with the role ADMIN using Orchestrator’s web interface (System Settings → Users).

Local users that are disabled or have no role cannot log in.

Managing External Users

External users that are managed by an external IdP cannot be created using Orchestrator’s web interface. Instead, they have to log into the web interface first using their IdP. Stretchy Orchestrator will then automatically create a user record that can be changed by an administrator (System Settings → Users).

Upon their first login, external users can only edit their profile and sign out. They do not have access to any other parts of the system. To enable them to do more, an administrator has to assign them a role.

External users that are disabled cannot log in. Contrary to local users, external users without any role can log in, but they cannot access any functionality of the system except the page that allows them to change their profile.

Roles

All users can have one or more of the roles listed in Table 1.

Table 1. User Roles
| ID | Description |
|---|---|
| ADMIN | Can access and manage all aspects of the system. |
| USER | A USER can only access the organizations and projects they have explicitly been given access to. They do not have access to system settings or monitoring information. |
| MONITOR | Has read-only access to system health and monitoring information including endpoints. |

Authentication Methods

Stretchy Orchestrator supports form-based login for all users. HTTP basic authentication is supported for local users only.

All parts of Orchestrator can be accessed with either login method.