[keycloak-dev] management problems

Stian Thorgersen stian at redhat.com
Fri May 2 10:01:34 EDT 2014


If I understand correctly this is something we already have. A user in the Keycloak admin realm can have full control (Keycloak administrator) or can be given one or more permissions to individual realms.

----- Original Message -----
> From: "Stan Silvert" <ssilvert at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Friday, 2 May, 2014 2:01:06 PM
> Subject: Re: [keycloak-dev] management problems
> 
> You might not want the same administrator for all of your different
> realms.  In other cases, you do want the same administrator for
> different realms.
> 
> It seems to me that you would first want a Keycloak admin that can do
> anything.   A Keycloak admin can create/manage a Realm administrator who
> can administer zero or more application realms. An ordinary user can
> only belong to one application realm.
> 
> So, you have three types of users:
> * Keycloak administrator
> * Realm administrator
> * User within a single realm
> 
> Stan
> 
> On 5/2/2014 4:23 AM, Stian Thorgersen wrote:
> > My thoughts were that admins would log in to a single "admin realm", which
> > would let them manage any Keycloaks, AeroGears, EAPs and any other servers
> > they have.
> >
> > Then you'd have one or more application realms where end-users would login.
> >
> > If we don't have AeroGear admins in the same realm as Keycloak admins,
> > admins will have to login multiple times.
> >
> > So basically I think the AeroGear admin console should be in the Keycloak
> > admin realm, then there's one or more realms for AeroGear users.
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Thursday, 1 May, 2014 5:06:42 PM
> >> Subject: Re: [keycloak-dev] management problems
> >>
> >> Yes, as you would have to know to switch between realms.  Defeats the
> >> idea of Aerogear looking like one product.
> >>
> >> On 5/1/2014 11:49 AM, Stian Thorgersen wrote:
> >>> Is that really an issue?
> >>>
> >>> Users would just be admin users, there would be a separate realm for
> >>> AeroGear users.
> >>>
> >>> And there'd probably be a single AeroGear console application, with a few
> >>> associated roles.
> >>>
> >>> ----- Original Message -----
> >>>> From: "Bill Burke" <bburke at redhat.com>
> >>>> To: "Stian Thorgersen" <stian at redhat.com>
> >>>> Cc: keycloak-dev at lists.jboss.org
> >>>> Sent: Thursday, 1 May, 2014 4:47:24 PM
> >>>> Subject: Re: [keycloak-dev] management problems
> >>>>
> >>>>
> >>>>
> >>>> On 5/1/2014 11:41 AM, Stian Thorgersen wrote:
> >>>>>
> >>>>> ----- Original Message -----
> >>>>>> From: "Bill Burke" <bburke at redhat.com>
> >>>>>> To: "Stian Thorgersen" <stian at redhat.com>
> >>>>>> Cc: keycloak-dev at lists.jboss.org
> >>>>>> Sent: Thursday, 1 May, 2014 4:37:39 PM
> >>>>>> Subject: Re: [keycloak-dev] management problems
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> On 5/1/2014 11:24 AM, Stian Thorgersen wrote:
> >>>>>>>
> >>>>>>> ----- Original Message -----
> >>>>>>>> From: "Bill Burke" <bburke at redhat.com>
> >>>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
> >>>>>>>> Cc: keycloak-dev at lists.jboss.org
> >>>>>>>> Sent: Thursday, 1 May, 2014 4:19:26 PM
> >>>>>>>> Subject: Re: [keycloak-dev] management problems
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On 5/1/2014 10:16 AM, Stian Thorgersen wrote:
> >>>>>>>>>
> >>>>>>>>> ----- Original Message -----
> >>>>>>>>>> From: "Bill Burke" <bburke at redhat.com>
> >>>>>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
> >>>>>>>>>> Cc: keycloak-dev at lists.jboss.org
> >>>>>>>>>> Sent: Thursday, 1 May, 2014 3:11:48 PM
> >>>>>>>>>> Subject: Re: [keycloak-dev] management problems
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> On 5/1/2014 9:30 AM, Stian Thorgersen wrote:
> >>>>>>>>>>> I'm wondering about what issues there are with having a single
> >>>>>>>>>>> shared
> >>>>>>>>>>> admin
> >>>>>>>>>>> realm though. That seems the optional solution to me.
> >>>>>>>>>>>
> >>>>>>>>>> Isn't the issue multi-tenancy?
> >>>>>>>>> We can grant admin users access to manage only specific realms
> >>>>>>>>> though?
> >>>>>>>>>
> >>>>>>>>> Or are you thinking multi-tenancy for AeroGear?
> >>>>>>>> What I mean is that you want to manage Aerogear in a realm on a
> >>>>>>>> server
> >>>>>>>> that is multi-tenant (1 server managing multiple realms).  Can't
> >>>>>>>> really
> >>>>>>>> have a single shared admin realm in that case.
> >>>>>>> I'm still not following :/
> >>>>>>>
> >>>>>>> Can you spoon-feed me an example?
> >>>>>>>
> >>>>>> Aerogear UPS admin needs to:
> >>>>>>
> >>>>>> * manage users
> >>>>>> * manage role mappings
> >>>>>> * manage oauth clients
> >>>>>> * Manage aerogear specific things
> >>>>>>
> >>>>>> You want to have one login to do all those things.  This means there
> >>>>>> needs to be one realm to do all these things.  You could re-use the
> >>>>>> "keycloak-admin" realm, but re-using the "keycloak-admin" realm
> >>>>>> doesn't
> >>>>>> work if you're dealing with a Keycloak deployment that is managing
> >>>>>> multiple realms.  A.K.A.  Multi-tenancy.
> >>>>> The part I'm not understanding is why it doesn't work with a Keycloak
> >>>>> deployment with multiple realms?
> >>>>>
> >>>> Because you're polluting the "keycloak-admin" realm with Aerogear
> >>>> specific things: users, roles, applications, etc.
> >>>>
> >>>>
> >>>> --
> >>>> Bill Burke
> >>>> JBoss, a division of Red Hat
> >>>> http://bill.burkecentral.com
> >>>>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >>
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 

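Stian's reply describes admin-realm users that are either full Keycloak administrators or hold permissions on individual realms, and Stan's message lays out the three user types. As an added illustration that is not Keycloak's own code (the permission names and the `grant`/`authorize` helpers are assumptions), here is a small Python model of that policy that also shows the multi-tenancy case: a realm administrator scoped to one tenant is denied on another.

```python
from dataclasses import dataclass, field

# Constructed model of the admin-realm design discussed in the thread;
# the permission names are assumptions, not Keycloak's real role names.
REALM_PERMISSIONS = {"manage-users", "manage-roles", "manage-clients"}
ADMIN_REALM = "keycloak-admin"

@dataclass
class User:
    username: str
    realm: str                    # realm the account lives in
    keycloak_admin: bool = False  # full control over every realm
    grants: dict = field(default_factory=dict)  # realm -> set(permissions)

def grant(user: User, realm: str, permission: str) -> None:
    """Give an admin-realm account one permission on one realm."""
    if user.realm != ADMIN_REALM:
        raise ValueError("only admin-realm accounts can hold realm permissions")
    if permission not in REALM_PERMISSIONS:
        raise ValueError(f"unknown permission: {permission}")
    user.grants.setdefault(realm, set()).add(permission)

def authorize(user: User, target_realm: str, permission: str) -> bool:
    """True if `user` may perform `permission` on `target_realm`."""
    # Ordinary users live in one application realm and never administer
    # anything; admin-realm users are either full Keycloak admins or limited
    # to the realms they were explicitly granted (least privilege).
    if user.realm != ADMIN_REALM:
        return False
    if user.keycloak_admin:
        return True
    return permission in user.grants.get(target_realm, set())

# Constructed sample principals: the three user types from the thread.
root = User("root", ADMIN_REALM, keycloak_admin=True)
ups_admin = User("ups-admin", ADMIN_REALM)
grant(ups_admin, "aerogear", "manage-users")
grant(ups_admin, "aerogear", "manage-clients")
end_user = User("alice", "aerogear")

def demo() -> dict:
    """Evaluate sample requests; returns {(user, realm, perm): allowed}."""
    requests = [
        (root, "other-tenant", "manage-users"),      # full admin: any realm
        (ups_admin, "aerogear", "manage-users"),     # granted
        (ups_admin, "aerogear", "manage-roles"),     # not granted
        (ups_admin, "other-tenant", "manage-users"), # other tenant: denied
        (end_user, "aerogear", "manage-users"),      # ordinary user: denied
    ]
    return {(u.username, r, p): authorize(u, r, p) for u, r, p in requests}
```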