[keycloak-dev] management problems

Tue May 6 07:36:45 EDT 2014

Just adding my latest thoughts:

I think we should allow login to admin console either through the "master" realm, or through any realm. If login to an individual realm we use an app in the realm itself to represents the admin of the realm, which would be the equivalent of the "realm app" in the master realm. Obviously to manage multiple realms you'd have to login to the "master" realm, or to login to each realm separately.

Shouldn't be to hard to do, I can sort this out in a day or two, and I think this would give us the most flexibility.

----- Original Message -----
> From: "Stian Thorgersen" <stian at redhat.com>
> To: "Bill Burke" <bburke at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Tuesday, 6 May, 2014 9:40:39 AM
> Subject: Re: [keycloak-dev] management problems
> 
> +1 To a Hangout - today would be good for me
> 
> There was a public holiday in the UK yesterday, hence I was out for a bike
> ride with the kids instead of thinking about realms ;)
> 
> ----- Original Message -----
> > From: "Bill Burke" <bburke at redhat.com>
> > To: "Marek Posolda" <mposolda at redhat.com>, "Stian Thorgersen"
> > <stian at redhat.com>
> > Cc: keycloak-dev at lists.jboss.org
> > Sent: Monday, 5 May, 2014 11:46:54 PM
> > Subject: Re: [keycloak-dev] management problems
> > 
> > 
> > 
> > On 5/5/2014 1:56 PM, Marek Posolda wrote:
> > > On 5.5.2014 18:22, Bill Burke wrote:
> > >>
> > >>
> > >> On 5/5/2014 3:33 AM, Marek Posolda wrote:
> > >>> The problem is that just admin realm (or "master realm" or whatever it
> > >>> will be called) is able to retrieve list of users, applications etc.
> > >>> with KC admin endpoints.
> > >>>
> > >>> Maybe it's possible to expose endpoints for some users of realm itself
> > >>> (So for example users with role "admin" of realm "myRealm" will be able
> > >>> to retrieve list of users of this realm). But this won't solve the
> > >>> problem with SSO login though. If I want my administrator to have SSO
> > >>> between Keycloak admin console, Liveoak admin console and Aerogear
> > >>> admin
> > >>> console, then all these admin consoles must use same realm actually...
> > >>>
> > >>
> > >> Yes.  LIveoak, Aerogear, keycloak admin console will have to e the
> > >> same realm.  The problem is that this realm has to be the "master"
> > >> realm, otherwise keycloak can't be part of SSO.  Which is unworkable
> > >> in a multi-tenant server that is managing different realms for
> > >> different organizations.
> > >>
> > >>>
> > >>> So it seems that the best is if all admin users will still use the
> > >>> "master realm" but there will be fine-grained authorization, which will
> > >>> allow to properly isolate various admin users.
> > >>>
> > >>> Example:
> > >>> - I want my "master realm" to manage Keycloak, Liveoak and Aerogear
> > >>> admin consoles.
> > >>>
> > >>> - So "admin" user, which can do anything, will create roles
> > >>> "aerogear-admin" and "liveoak-admin" and he will assign role
> > >>> "aerogear-admin" to user "joe".
> > >>>
> > >>> - Now "joe" is Aerogear administrator and he wants to grant admin
> > >>> rights
> > >>> to more users, so he is not alone for all administration tasks. So he
> > >>> must be able to create new users in "master realm" and grant them role
> > >>> "aerogear-admin" and also see all other "aerogear-admin" users, but he
> > >>> shouldn't be able to see any other users from "master realm" . He
> > >>> shouldn't be even able to see that "master realm" itself is also used
> > >>> for liveoak administration...
> > >>>
> > >>
> > >> Why not have a special "realm admin" role that can be assigned in each
> > >> realm to a realm user
> > > That's something what I was thinking about as well . So members of role
> > > "realm admin" will be able to perform various administration tasks on
> > > the realm, right? For example members of role "realm admin" in realm
> > > "myRealm" will be able to retrieve the list of users, roles or
> > > applications of realm "myRealm"etc .
> > >
> > > But is this the way to go? As you already mentioned, this won't solve
> > > the problem of SSO between various admin consoles if I understand
> > > correctly.
> > 
> > This would solve SSO problems.  You'd create your own realm.  Add
> > "ups-admin", "LiveOak admin" applications to this realm.  There would be
> > a built in "security admin" application for managing access to the
> > manage console solely for the realm.
> > 
> > > Also it seems to be a bit strange that KC admin console can
> > > be used by users from various realms. This will require quite big
> > > refactoring of existing admin console and admin endpoints.
> > >
> > 
> > Users will only be able to manage the realm they are within.  I don't
> > think this would be that big of a refactor.  The auth code is in one
> > place.  I just want to make sure it is the right solution which is why
> > I'm asking to have a hangout to discuss.
> > 
> > > It seems much easier to keep all admin tasks in "master realm" and have
> > > very fine-grained authorization as I mentioned earlier. So for example
> > > member of role "aerogear-admin" will be able to create new users in
> > > "master realm" and assign them role "aerogear-admin" or
> > > "aerogear-admin-with-lower-privileges-to-perform-just-subset-of-admin-tasks"
> > > but he won't be able to see other users in "master realm" (for example
> > > members of "eap-admins") .
> > >
> > 
> > Isn't this solution kind of hacky?  Seems to me it would be a more
> > disruptive change than what I suggested earlier.
> > 
> > 
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> > 
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 