[keycloak-dev] management problems

Bill Burke bburke at redhat.com
Mon May 5 12:22:08 EDT 2014



On 5/5/2014 3:33 AM, Marek Posolda wrote:
> The problem is that just admin realm (or "master realm" or whatever it
> will be called) is able to retrieve list of users, applications etc.
> with KC admin endpoints.
>
> Maybe it's possible to expose endpoints for some users of realm itself
> (So for example users with role "admin" of realm "myRealm" will be able
> to retrieve list of users of this realm). But this won't solve the
> problem with SSO login though. If I want my administrator to have SSO
> between Keycloak admin console, Liveoak admin console and Aerogear admin
> console, then all these admin consoles must use same realm actually...
>

Yes.  Liveoak, Aerogear, keycloak admin console will have to be the same 
realm.  The problem is that this realm has to be the "master" realm, 
otherwise keycloak can't be part of SSO.  Which is unworkable in a 
multi-tenant server that is managing different realms for different 
organizations.

>
> So it seems that the best is if all admin users will still use the
> "master realm" but there will be fine-grained authorization, which will
> allow to properly isolate various admin users.
>
> Example:
> - I want my "master realm" to manage Keycloak, Liveoak and Aerogear
> admin consoles.
>
> - So "admin" user, which can do anything, will create roles
> "aerogear-admin" and "liveoak-admin" and he will assign role
> "aerogear-admin" to user "joe".
>
> - Now "joe" is Aerogear administrator and he wants to grant admin rights
> to more users, so he is not alone for all administration tasks. So he
> must be able to create new users in "master realm" and grant them role
> "aerogear-admin" and also see all other "aerogear-admin" users, but he
> shouldn't be able to see any other users from "master realm" . He
> shouldn't be even able to see that "master realm" itself is also used
> for liveoak administration...
>

Why not have a special "realm admin" role that can be assigned in each 
realm to a realm user?



-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
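The isolation Marek sketches for a role-scoped admin like "joe" (see only fellow "aerogear-admin" users, create users only with that role, never learn the realm also serves liveoak), modelled as an added example; this is not Keycloak's code, and the `-admin` role-name convention, the `MasterRealm` class and the sample users are assumptions:

```python
SCOPED_ADMIN_SUFFIX = "-admin"   # assumed convention: "aerogear-admin", "liveoak-admin"
SUPER_ADMIN = "admin"            # the unrestricted master-realm admin

class User:
    def __init__(self, name, roles=()):
        self.name, self.roles = name, set(roles)

class MasterRealm:
    """The single shared realm behind every admin console (constructed model)."""
    def __init__(self):
        self.users = {}

    def add_user(self, name, roles=()):
        self.users[name] = User(name, roles)
        return self.users[name]

def admin_scopes(actor):
    """Roles the actor may see and grant; None means unrestricted."""
    if SUPER_ADMIN in actor.roles:
        return None
    return {r for r in actor.roles if r.endswith(SCOPED_ADMIN_SUFFIX)}

def list_users(realm, actor):
    """A scoped admin sees only users that share one of his admin roles,
    so joe never learns that the realm also serves liveoak administration."""
    scopes = admin_scopes(actor)
    return sorted(u.name for u in realm.users.values()
                  if scopes is None or u.roles & scopes)

def create_user(realm, actor, name, roles):
    """A scoped admin may only create users carrying roles from his own scope."""
    scopes = admin_scopes(actor)
    roles = set(roles)
    if scopes is not None and (not roles or not roles <= scopes):
        raise PermissionError(f"{actor.name} may only grant {sorted(scopes)}")
    return realm.add_user(name, roles)

def build_demo_realm():
    """Constructed sample data matching the scenario in the thread."""
    realm = MasterRealm()
    realm.add_user("admin", {SUPER_ADMIN})
    realm.add_user("joe", {"aerogear-admin"})
    realm.add_user("mary", {"liveoak-admin"})
    realm.add_user("bob", {"aerogear-admin"})
    return realm
```

The check is deliberately a visibility filter plus a grant constraint on the master realm itself, which is the alternative to Bill's per-realm "realm admin" role.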

