[keycloak-dev] implement JPA model

Bill Burke bburke at redhat.com
Tue Nov 5 12:06:09 EST 2013



On 11/5/2013 11:30 AM, Anil Saldhana wrote:
> On 11/05/2013 07:06 AM, Bill Burke wrote:
>> Pedro, with all due respect, we already use Picketlink.  What we're
>> doing is swapping it out until there is an advantage to use it again.
>> Right now there are only disadvantages and the fact it can't run in
>> Wildfly is a blocker.  I'll be committing the JPA model later today.
> We are updating WildFly with the PicketLink subsystem that contains IDM
> configuration, this week. Can you please provide a list of disadvantages
> of using PicketLink? A lot of people/teams collaborated on the subsystem
> design. It will be beneficial if KeyCloak can wait a bit on the PL. Give
> us a chance. :)

Disadvantages:
* Performance.  We can tweak more performance with a back-end that is 
specific to our metamodel.
* Bolek seems to think importing and syncing with LDAP/AD is a better 
approach than federating LDAP/AD directly.  An approach you just don't 
support and probably won't support for a long time.
* PL IDM API requires upfront declaration of federation model.

But it's more of a lack of advantages:
* With PL-JPA, I have to define JPA entities *ANYWAYS*.  So, instead, 
avoid the complexity (and bugs) of PL and just implement our own 
datamodel in JPA.  Simpler, easier to maintain.  Something that is more 
proven and reliable.
* PL-File plugin isn't very useful (or usable considering it doesn't 
support transactions).  Only reason we'd want a file-based storage would 
be to have a human-readable readonly-file specific to our data model so 
admins could edit it directly.

Honestly, the PL_IDM_API vision and architecture scares me a bit.  It's 
not a security solution, it's a persistence mapping solution.  An 
immature persistence mapping solution.  If I wanted a federated 
persistence solution, why wouldn't I just use Teiid?  And work with 
Teiid to make it more consumable?  Combine this doubt with random 
blocker bugs that pop up makes me want to retire our PL backend until it 
makes sense to bring it back in.
-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com