[keycloak-dev] Multi tenancy support - a proposal to discuss

Juraci Paixão Kröhling juraci at kroehling.de
Wed Oct 22 13:29:46 EDT 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 10/21/2014 11:26 PM, Bill Burke wrote:
> Would be cool if you added a unit test and documentation for this 
> feature.  If you need some help with that, let me know.

I've pushed some updates to a branch in my fork[1], which includes a
sample application (multi-tenants), documentation and some javadoc.
I'm planning on working on an integration test tomorrow.

This branch is also already integrated with Marek's clustering
feature, which caused some conflicts during the first rebase.

A question I've got when improving the sample application is regarding
some permissions.

On the sample application, the "registration" part contacts the server
as "registration" user, which has the "create-realm" permission. It
creates a new realm, say, "acme". Inside this new realm, there's an
application named "metrics", of which I want to retrieve the
keycloak.json and add to the response to the registration.

Unfortunately, I couldn't figure out which permission this user has to
have in order to retrieve this application's keycloak.json
installation file. Note that this is a user on the "master" realm,
trying to access a JSON from an application in another realm.

I've tried "view-realm" and "view-applications" from the
"master-realm" application, but I'm trying to access the application
from the new realm (not from master). As a result, I get a "forbidden"
error. I've tried several combinations, but I could only bypass it by
using the "admin" role, which is certainly *not* something I would
want to have on the registration application :-)

One more thing to note is that there seems to be a new "application" in
the roles combo, named "acme-realm". A possible solution would be to
add the original user to the "view-realm" on this new application, but
I guess only an admin can do that (chicken-and-egg problem).

So, would it make sense to clone the master-realm permissions from one
user when this user creates a new realm? I think it would make sense
to give "read" permissions to a user on the realm that it itself
created, no?

This is certainly not a blocker, but I'm afraid that users would just
copy/paste things and this might lead to a bigger problem in the future.

[1] http://git.io/GkVyyQ

- - Juca.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJUR+mJAAoJEDnJtskdmzLM2IkIAKn/My0zyKTCe6aElFRXER83
T+vCsEHEgNUN+emPp7LigvOU3l/V1jInEbSVnQwQKDoDQm4R79SXGSQBiFa4DLFJ
1lHN/kIQI3DG+B0+CyUlq3pyHOTcpLc+FqFfV5RyBYuhH+JYH82v0FZia98wCMLF
XVBbw3jesMTOiQvHnWXq4qYCDh1zKVs+rv6BpKLp8s3ikC4hEtwjoPrm5/KYQoJI
LagFEhq/kQ1KQH/aQDn3qrVwPcvel4vSU1KbO2z/mE9+YdH80PY/nLwykZK4QX7J
wi76NjpZjB2+b3GhnxE3mfxRgeHwEpe04jUYxF8aPY3zsM4auGB958wQJ9W6Dus=
=s4Lp
-----END PGP SIGNATURE-----
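The permission problem described in the message above, reproduced in a small model that is added here and is not Keycloak's own code. It assumes, as the message suggests, that the master realm holds one admin client per realm named "<realm>-realm" (so "master-realm", "acme-realm"), that roles granted on that client apply only to that realm, and that reading an application's keycloak.json needs "view-applications" on the target realm's admin client; the "admin" realm role is modelled as the superuser shortcut the author rejects. The `registration_flow` function and the names `MasterRealm`, `User`, `installation_json` and `grant_creator_read` are constructed for this illustration.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    realm_roles: set = field(default_factory=set)     # roles on the master realm itself
    client_roles: dict = field(default_factory=dict)  # admin client name -> roles on it


class MasterRealm:
    """Toy model (constructed) of the master realm's per-realm admin clients."""

    def __init__(self):
        self.realms = {"master"}

    @staticmethod
    def admin_client(realm):
        # Assumption: each realm has an admin client "<realm>-realm" in master,
        # and roles on it govern only that realm.
        return f"{realm}-realm"

    def is_allowed(self, user, realm, permission):
        # "admin" on master is the blanket shortcut the e-mail does not want
        # to give the registration application.
        if "admin" in user.realm_roles:
            return True
        return permission in user.client_roles.get(self.admin_client(realm), set())

    def create_realm(self, user, realm, grant_creator_read=False):
        if "create-realm" not in user.realm_roles and "admin" not in user.realm_roles:
            raise PermissionError(f"{user.name} lacks create-realm")
        self.realms.add(realm)
        if grant_creator_read:
            # The proposal: the creator receives read roles on the realm it
            # just created, so no separate admin step is needed.
            user.client_roles.setdefault(self.admin_client(realm), set()).update(
                {"view-realm", "view-applications"})

    def installation_json(self, user, realm, app):
        # Assumption: fetching an application's keycloak.json requires
        # view-applications on the target realm's admin client.
        if realm not in self.realms:
            raise KeyError(realm)
        if not self.is_allowed(user, realm, "view-applications"):
            raise PermissionError("forbidden")
        return {"realm": realm, "resource": app, "auth-server-url": "/auth"}


def registration_flow(grant_creator_read):
    """Replay the e-mail's scenario; returns 'ok' or 'forbidden'."""
    master = MasterRealm()
    # Registration user: create-realm plus view roles on master-realm only,
    # which is the combination the message reports as insufficient.
    reg = User("registration", realm_roles={"create-realm"},
               client_roles={"master-realm": {"view-realm", "view-applications"}})
    master.create_realm(reg, "acme", grant_creator_read=grant_creator_read)
    try:
        master.installation_json(reg, "acme", "metrics")
        return "ok"
    except PermissionError:
        return "forbidden"


if __name__ == "__main__":
    print("current behaviour:", registration_flow(False))
    print("with creator read grant:", registration_flow(True))
```

Running it shows the two cases side by side: without the grant, the roles held on "master-realm" do not reach "acme-realm" and the fetch is forbidden; with the grant made at realm creation, the registration user can read the installation file without ever holding "admin".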
