[keycloak-dev] management problems

Bill Burke bburke at redhat.com
Thu May 1 11:47:24 EDT 2014



On 5/1/2014 11:41 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Thursday, 1 May, 2014 4:37:39 PM
>> Subject: Re: [keycloak-dev] management problems
>>
>>
>>
>> On 5/1/2014 11:24 AM, Stian Thorgersen wrote:
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke at redhat.com>
>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>> Cc: keycloak-dev at lists.jboss.org
>>>> Sent: Thursday, 1 May, 2014 4:19:26 PM
>>>> Subject: Re: [keycloak-dev] management problems
>>>>
>>>>
>>>>
>>>> On 5/1/2014 10:16 AM, Stian Thorgersen wrote:
>>>>>
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Bill Burke" <bburke at redhat.com>
>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>>>> Cc: keycloak-dev at lists.jboss.org
>>>>>> Sent: Thursday, 1 May, 2014 3:11:48 PM
>>>>>> Subject: Re: [keycloak-dev] management problems
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 5/1/2014 9:30 AM, Stian Thorgersen wrote:
>>>>>>> I'm wondering about what issues there are with having a single shared
>>>>>>> admin
>>>>>>> realm though. That seems the optional solution to me.
>>>>>>>
>>>>>>
>>>>>> Isn't the issue multi-tenancy?
>>>>>
>>>>> We can grant admin users access to manage only specific realms though?
>>>>>
>>>>> Or are you thinking multi-tenancy for AeroGear?
>>>>
>>>> What I mean is that you want to manage Aerogear in a realm on a server
>>>> that is multi-tenant (1 server managing multiple realms).  Can't really
>>>> have a single shared admin realm in that case.
>>>
>>> I'm still not following :/
>>>
>>> Can you spoon-feed me an example?
>>>
>>
>> Aerogear UPS admin needs to:
>>
>> * manage users
>> * manage role mappings
>> * manage oauth clients
>> * manage Aerogear-specific things
>>
>> You want to have one login to do all those things.  This means there
>> needs to be one realm to do all these things.  You could re-use the
>> "keycloak-admin" realm, but re-using the "keycloak-admin" realm doesn't
>> work if you're dealing with a Keycloak deployment that is managing
>> multiple realms.  A.K.A.  Multi-tenancy.
>
> The part I'm not understanding is why it doesn't work with a Keycloak deployment with multiple realms?
>

Because you're polluting the "keycloak-admin" realm with
Aerogear-specific things: users, roles, applications, etc.


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

