[keycloak-dev] management problems

Marek Posolda mposolda at redhat.com
Mon May 5 13:56:24 EDT 2014 

On 5.5.2014 18:22, Bill Burke wrote:
>
>
> On 5/5/2014 3:33 AM, Marek Posolda wrote:
>> The problem is that just admin realm (or "master realm" or whatever it
>> will be called) is able to retrieve list of users, applications etc.
>> with KC admin endpoints.
>>
>> Maybe it's possible to expose endpoints for some users of realm itself
>> (So for example users with role "admin" of realm "myRealm" will be able
>> to retrieve list of users of this realm). But this won't solve the
>> problem with SSO login though. If I want my administrator to have SSO
>> between Keycloak admin console, Liveoak admin console and Aerogear admin
>> console, then all these admin consoles must use same realm actually...
>>
>
> Yes.  LIveoak, Aerogear, keycloak admin console will have to e the 
> same realm.  The problem is that this realm has to be the "master" 
> realm, otherwise keycloak can't be part of SSO.  Which is unworkable 
> in a multi-tenant server that is managing different realms for 
> different organizations.
>
>>
>> So it seems that the best is if all admin users will still use the
>> "master realm" but there will be fine-grained authorization, which will
>> allow to properly isolate various admin users.
>>
>> Example:
>> - I want my "master realm" to manage Keycloak, Liveoak and Aerogear
>> admin consoles.
>>
>> - So "admin" user, which can do anything, will create roles
>> "aerogear-admin" and "liveoak-admin" and he will assign role
>> "aerogear-admin" to user "joe".
>>
>> - Now "joe" is Aerogear administrator and he wants to grant admin rights
>> to more users, so he is not alone for all administration tasks. So he
>> must be able to create new users in "master realm" and grant them role
>> "aerogear-admin" and also see all other "aerogear-admin" users, but he
>> shouldn't be able to see any other users from "master realm" . He
>> shouldn't be even able to see that "master realm" itself is also used
>> for liveoak administration...
>>
>
> Why not have a special "realm admin" role that can be assigned in each 
> realm to a realm user
That's something what I was thinking about as well . So members of role 
"realm admin" will be able to perform various administration tasks on 
the realm, right? For example members of role "realm admin" in realm 
"myRealm" will be able to retrieve the list of users, roles or 
applications of realm "myRealm"etc .

But is this the way to go? As you already mentioned, this won't solve 
the problem of SSO between various admin consoles if I understand 
correctly. Also it seems to be a bit strange that KC admin console can 
be used by users from various realms. This will require quite big 
refactoring of existing admin console and admin endpoints.

It seems much easier to keep all admin tasks in "master realm" and have 
very fine-grained authorization as I mentioned earlier. So for example 
member of role "aerogear-admin" will be able to create new users in 
"master realm" and assign them role "aerogear-admin" or 
"aerogear-admin-with-lower-privileges-to-perform-just-subset-of-admin-tasks" 
but he won't be able to see other users in "master realm" (for example 
members of "eap-admins") .

However it's possible that I am missing all the requirements though...

Marek

More information about the keycloak-dev mailing list