Merged
28 changes: 18 additions & 10 deletions README.md
Expand Up @@ -98,28 +98,34 @@ The installation can be done with the following steps:
```
_Note: you can review the deployment configurations in [genai-studio.yml](./setup-scripts/setup-genai-studio/genai-studio.yml)_

3. **Configure admin console**

Refer to the [Admin Console Configuration Guide](./assets/keycloak/README.md) to learn how to configure and customize the admin console, as well as manage user permissions.


## Getting Started with GenAIStudio

You can access the the Studio UI in a web browser at `http://<studio_server_ip>:30007`.
You can access the the Studio UI in a web browser at `https://<studio_server_ip>:30007`, which will take you to the login page.

### Import a Sample Workflow
You might see a `net::ERR_CERT_AUTHORITY_INVALID` warning in your browser, as shown in the screenshot below. This warning occurs because a self-signed SSL/TLS certificate is being used. If you are accessing the Studio setup on an internal private network, you can safely ignore this warning by clicking the Proceed button.

Get started quickly with the Studio UI by downloading and importing this [sample workflow](./sample-workflows/sample_workflow_chatqna.json), which deploys a ChatQnA application.
<img src="./assets/screenshots/login_unsafe_warning.png" alt="Alt Text" width="470" height="420">

1. On the `Main Page`, click **Create New Workflow**. This will open a blank `Canvas Page` where you can import a sample workflow or start building your new workflow.
If you are a first-time user, you will need to register as a new user, and request approval from your admin before gaining access to the `Main Page`. Once your registration is approved, simply refresh the page to proceed.

![start_new_project_1](./assets/screenshots/start_new_project_1.png)
### Run a Sample Workflow

2. Then, click on the ⚙️ button in the header bar to import a workflow.
Get started quickly by running a built-in sample workflow:

![import-sample-project](./assets/screenshots/import-sample-project.png)
1. On the `Main Page`, click on **Import Sample Workflow** and you will be able to see a list of sample workflows.

3. Rename the workflow to "ChatQnA" and review the settings in each node. Enter your Hugging Face token in the relevant nodes, then save the workflow.
![run_sample_workflow_1](./assets/screenshots/run_sample_workflow_1.png)

![sample-project](./assets/screenshots/sample-project.png)
2. Click on `sample_workflow_chatqna` to open the workflow in the canvas. Review the nodes and their configurations. You can modify the models to your preference and enter the Hugging Face token if needed.

4. Return to the main page and click the run button to [launch the sandbox](#launch-a-sandbox).
![run_sample_workflow_2](./assets/screenshots/run_sample_workflow_2.png)

3. Once everything is in place, you can return to the main page and click the run button to [launch the sandbox](#launch-a-sandbox).

### Start a New Workflow
1. **Create a new workflow:**
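
Review bot: The added paragraph on `net::ERR_CERT_AUTHORITY_INVALID` tells readers they can "safely ignore this warning by clicking the Proceed button", yet the page behind that warning is the login page where users enter their credentials. Being on an internal private network does not let a user tell the deployment's own self-signed certificate apart from any other untrusted one, so I would replace the blanket advice with a verification step (for example, compare the fingerprint the browser shows with the certificate generated at deployment) or document how to supply a certificate from a CA the clients already trust. Two smaller points in the same hunk: the new access line carries over the doubled word in "access the the Studio UI", and the `<img>` for `login_unsafe_warning.png` still has the placeholder `alt="Alt Text"`.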
Expand All @@ -140,6 +146,8 @@ Get started quickly with the Studio UI by downloading and importing this [sample

![start_new_project_3](./assets/screenshots/start_new_project_3.png)

_*The saved workflow can be imported by selecting `Import Workflow` button from the dropdown of the_ ⚙️ _icon located at the top right of workflow canvas._

4. Return to the main page and click the run button to [launch the sandbox](#launch-a-sandbox).

### Launch a Sandbox
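
Review bot: The added italic line opens with `_*` as a footnote marker, but no step in the visible context carries a matching `*`, so the reader cannot tell which step it annotates. Either attach the asterisk to the step it refers to or drop it and phrase the line as a plain note. "selecting `Import Workflow` button" also needs "the".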
80 changes: 80 additions & 0 deletions assets/keycloak/README.md
@@ -0,0 +1,80 @@
# Admin Console Configuration Guide

In OPEA v1.2 release, [Keycloak](https://github.com/keycloak)-based access management is integrated into GenAI Studio to enable multi-user tenancy. This allows admins to perform access control actions effieciently over Studio users, while users can manage their own workflows securely.

Overall, admins can perform the following actions in the admin console:

- Manage Studio users with Create, Read, Update, and Delete (CRUD) operations.
- Configure URLs for redirections.
- Apply an OPEA-based theme to the admin console and login pages.

The Keycloak microservice is included as part of the GenAI Studio setup. You can review its configurations in the [Studio deployment manifest](../../setup-scripts/setup-genai-studio/manifests/studio-manifest.yaml) and customize values such as the admin name and admin password. These credentials will be used for the first-time login to the admin console.

## Admin Console Login

To access the admin console, navigate to:
`https://<studio_server_ip>:30007/auth/admin/master/console/#/genaistudio`

Log in using the first-time credentials set in the Studio deployment manifest (default username: admin, password: admin)
After logging in, you will see the following page:

![account_login](../screenshots/account_login.png)

To reset the admin login credentials, navigate to the Account Console from the admin dropdown located in the top-right corner of the page, as higlighted.


## Admin Console Navigation

### Realms and Clients

1. In the Keycloak Admin Console, you will find a pre-created realm named `genaistudio`. Navigate to the `Clients` tab in the left panel, where you will see a client named `genaistudio` within this realm. Click on the `genaistudio` client to review its configurations.

![realm-client](../screenshots/realm_client.png)

2. Under the Settings tab of the `genaistudio` client, you can review the preconfigured URL redirection settings. These settings are configured to work by default and generally do not require modification unless necessary.

![keycloak-client](../screenshots/keycloak-client.png)

### Users and Groups

1. Navigate to the `Users` tab to view the list of registered users. Here, you can modify user information and credentials or click the `Add user` button to create a new user.
_(Note: New users can also register themselves via the OPEA GenAI Studio login page.)_

![realm-users](../screenshots/realm-users.png)

2. Enter the basic information for the new user, then click the `Create` button to create a new user.

![create-user](../screenshots/create-user.png)

3. After creating the user, you will be redirected to the `User Details` page. Go to the `Credentials` tab to set a password for the new user.

![set-password](../screenshots/set-password.png)

4. To approve the new user for GenAI Studio access, navigate to the `Groups` tab. By default, all newly registered users are assigned to the `unauthorized_user` group. Click the `Leave` button to remove the user from this group.

![change-gruop](../screenshots/change-group.png)

5. Next, click the `Join Group` button, select the appropriate group for the user, and click `Join` to confirm.

![join-group](../screenshots/join-group.png)

6. __Group Definitions__:
- __admin__: Admin users can view and modify workflows for all users in the studio.
- __unauthorized_user__: Newly registered users are assigned to this group by default. Unauthorized users cannot access the GenAI Studio.
- __user__: Regular studio users who have access to all features of the studio but cannot view workflows created by other users.

### Admin Console and Login Theme

We have prepared OPEA-based login theme for admin console. To enable it, switch to `Keycloak master` realm and navigate to `Themes` tab under `Realm settings`. Choose `opea` from the `Login theme` and `Admin theme` dropdowns. Click on `Save` button to apply the changes.

![admin-theme](../screenshots/admin-theme.png)

After reloading the page, the new theme will be applied to the `genaistudio` realm.

![new-theme-realm](../screenshots/new-theme-realm.png)

The OPEA theme will also replace Keycloak's default theme on the admin console login page.

![new-theme-login](../screenshots/new-theme-login.png)
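
Review bot: The "Admin Console Login" section documents the first-time credentials as "default username: admin, password: admin" and presents changing them only as an option ("To reset the admin login credentials, navigate to the Account Console ..."). The console is served on the same `https://<studio_server_ip>:30007` endpoint as the Studio login, so the guide should make this a required step: set a non-default admin name and password in the Studio deployment manifest before deploying, or change the password at first login before approving any users. That same sentence ends with "as higlighted" but sits after the `account_login.png` screenshot; move it above the image or reference the image explicitly, and end the credentials line with a period and a line break. In "Admin Console and Login Theme", the instructions switch to the `Keycloak master` realm while the next paragraph says the theme is applied to the `genaistudio` realm; state which realm's settings control which pages. Typos to fix: "effieciently", "higlighted", and the alt text `change-gruop`.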


Binary file added assets/screenshots/account_login.png
Binary file added assets/screenshots/admin-theme.png
Binary file added assets/screenshots/admin_login.png
Binary file added assets/screenshots/change-group.png
Binary file added assets/screenshots/create-user.png
Binary file added assets/screenshots/join-group.png
Binary file added assets/screenshots/keycloak-client.png
Binary file added assets/screenshots/login_unsafe_warning.png
Binary file added assets/screenshots/new-theme-login.png
Binary file added assets/screenshots/new-theme-realm.png
Binary file added assets/screenshots/realm-users.png
Binary file added assets/screenshots/realm_client.png
Binary file added assets/screenshots/run_sample_workflow_1.png
Binary file added assets/screenshots/run_sample_workflow_2.png
Binary file added assets/screenshots/set-password.png
Binary file added sample-workflows/import_workflow.png
8 changes: 4 additions & 4 deletions setup-scripts/setup-genai-studio/readme.md
Expand Up @@ -4,11 +4,11 @@

The genai-studio playbook script will:

1. Install and configure a MySQL server in localhost machine.

1. Install MySQL server on the local machine and configure the studio db user to be secured with SSL encryption.
2. Deploy a customized monitoring stack based on prometheus-community/kube-prometheus-stack (which contains both Prometheus and Grafana) in the monitoring namespace with a local-path-provisioner in local-path-storage namespace, for dynamic Persistent Volumes (PVs) provisioning.

3. Deploy the keycloak, studio-backend, studio-frontend and also a studio-nginx in the studio namespace.
3. Deploy Keycloak, studio-backend, studio-frontend, and studio-nginx within the studio namespace. A self-signed certificate will be generated for Keycloak usage and stored as secrets within the studio namespace. Additionally, the client SSL certificates generated during the MySQL server installation process will also be stored as secrets in the studio namespace to ensure encrypted communication to the MySQL database.

## Pre-requisite
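
Review bot: Step 3 says a self-signed certificate is generated for Keycloak and that the MySQL client SSL certificates are "stored as secrets within the studio namespace", but it names neither the secrets nor how a reader would replace the generated certificate with their own. Please name the secret(s) and add a sentence on substituting a CA-issued certificate. In step 1, "configure the studio db user to be secured with SSL encryption" is ambiguous: say whether the account is restricted to TLS connections and whether the clients verify the server certificate, since encryption without verification does not authenticate the database.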
