[keycloak-dev] Export/import implementation

Bruno Oliveira bruno at abstractj.org
Mon Apr 28 09:13:50 EDT 2014


On 2014-04-28, Bill Burke wrote:
> 
> 
> On 4/28/2014 3:27 AM, Marek Posolda wrote:
> > I am planning to start soon on export/import. If I recall correctly, one
> > of the requirements is to export the content of the whole DB
> > (including IDs and password hashes) to a JSON file, which can then be
> > later imported into another DB. This will allow migrating between
> > environments and various DB types (for example from Mongo to MySQL and
> > vice versa).
> >
> 
> IMO, a full export (of credentials) should require a secret given by the 
> admin that will be used to encrypt the export.  The export should only 
> be saved locally to disk and not available over the network.

Maybe we could make use of the KDF function already in Keycloak to
encrypt the file? Currently, as far as I recall, we already use it to validate
passwords, so based on the admin's password we generate the private key
to encrypt/decrypt this file.

> 
> > I have some questions though
> >
> > 1) I assume that DB should be cleared before full import from JSON file?
> > Or do we want to update existing data without deleting the previous
> > content? I assume that this is used for migration, so it's not about
> > updating but completely deleting and recreating the existing DB, correct?
> >
> > 2) How to implement it. I can see two approaches
> >
> > a) Use model API to retrieve content of the DB into JSON file during
> > export. Similarly during import use model API to sync objects back from
> > JSON into model DB.
> >
> > b) Add some methods to KeycloakSession interface like:
> >
> > ObjectNode export();
> >
> > void import(ObjectNode node);
> >
> > and implement export/import separately for each model.
> >
> > Approach (b) might be better for performance as it allows to directly
> > use low-level queries specific to JPA, Mongo or other model
> > implementations to export/import stuff more effectively in batch,
> > however it will require changes in model implementations and probably
> > adding more stuff into dependencies. So I am more convinced to use (a).
> > Thoughts?
> >
> 
> "a", IMO.  Easier to maintain.

+1

> 
> -- 
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

-- 

abstractj

