<div dir="ltr">I think it's possible to rename/delete master realm...<br></div><br><div class="gmail_quote">On Fri, May 22, 2015 at 12:25 PM Marek Posolda <<a href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 22.5.2015 14:56, Stian Thorgersen wrote:<br>
><br>
> ----- Original Message -----<br>
>> From: "Stan Silvert" <<a href="mailto:ssilvert@redhat.com" target="_blank">ssilvert@redhat.com</a>><br>
>> To: <a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
>> Sent: Friday, 22 May, 2015 2:46:59 PM<br>
>> Subject: [keycloak-dev] Reset admin password<br>
>><br>
>> We need a way to reset the admin password in case it is lost or<br>
>> hijacked. The proposal is to do that through an operation on the<br>
>> keycloak-server-subsystem that only runs in "offline CLI" mode.<br>
>><br>
>> First, we currently allow you to delete the admin user. Should we<br>
>> disallow that and make the master admin user permanent?<br>
> Interesting question - quick answer, not sure!<br>
><br>
> There are all sorts of things that can be deleted that'll currently screw things up royally! For example deleting admin related roles and clients. Created <a href="https://issues.jboss.org/browse/KEYCLOAK-1340" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-1340</a> for this.<br>
A similar issue was pointed out some time ago by Petr Mensik from the QA team: if you<br>
change the SSO session max lifespan timeout, for example to 1 second, you are<br>
immediately logged out from the admin console and you're not able to log in<br>
again (more accurately, you are able to log in, but you're logged out<br>
immediately due to the session timeout).<br>
<br>
There are likely a bunch of similar things and I'm not sure if we can handle<br>
all of them. The question is whether these are not just "theoretic" issues. I<br>
can't remember any user complaining on the ML that he accidentally broke his<br>
Keycloak DB by deleting/configuring something strange in the admin console.<br>
<br>
Marek<br>
><br>
> For admin user maybe rather than a reset admin password option, we should have a reset admin account option?<br>
><br>
>> Should the new operation only work on the master admin password or can<br>
>> it be applied to any user in any realm?<br>
> +1 To just admin<br>
><br>
>><br>
>> _______________________________________________<br>
>> keycloak-dev mailing list<br>
>> <a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
>> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
>><br>
</blockquote></div>