<div dir="ltr">Unless someone has very strong arguments against it we're going to rename the script to "add-user-keycloak". Main reason is that WildFly documentation refer to the "add-user" script throughout their documentation, so the simplest is to have our own rather than override what they have. We'll also remove the '--container' argument. If anyone was wondering 'add-user-keycloak' is confirmed as ok for product.</div><div class="gmail_extra"><br><div class="gmail_quote">On 25 April 2016 at 14:30, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>+1<div><div class="h5"><br>
<br>
On 25/04/16 13:59, Stan Silvert wrote:<br>
</div></div></div><div><div class="h5">
<blockquote type="cite">
<div>+1. That's the "prettier" UI option
I was talking about.<br>
<br>
On 4/25/2016 4:56 AM, Stian Thorgersen wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">+1 To what Marek is proposing
<div><br>
</div>
<div>I'd suggest a slightly more mellow tone though. Rather
than the current message (which is a bit rubbish):<br>
</div>
<div><br>
</div>
<div> Added 'k' to
'/home/st/tmp/keycloak-1.9.2.Final/standalone/configuration/keycloak-add-user.json',
restart server to load user</div>
<div><br>
</div>
<div>We could do:</div>
<div><br>
</div>
<div> Keycloak admin user added, please restart server to
make the user available. To add user for jboss-cli please
run "add-user" with "--container" option.</div>
<div><br>
</div>
<div>Other improvements we could do are:</div>
<div><br>
</div>
<div>* "--container" description should be "Add user to
jboss-cli. For usage use '--container --help'"</div>
<div>* When add-user is run without options it currently says
'Option: -u.. is required' it should instead display help
text (--help) and the help text should have a paragraph on
the bottom stating how the user is added, that the server
needs to be reloaded and also how to add a user to
jboss-cli.</div>
<div><br>
</div>
<div>I'm happy to incorporate the above changes if that's what
we agree on.</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 25 April 2016 at 10:45, Marek
Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span>
<div>On 25/04/16 09:35, Stian Thorgersen wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Seems like the majority (that being
everyone besides me) would like to have the script
renamed. So let's go for it, but first I have two
questions:</div>
</blockquote>
</span> Btv. I didn't suggest to rename, but keep as is.
But always when people run "add-user.sh" without
"--container", there will be be a big warning similar
to:<br>
<br>
"You are adding Keycloak admin, but not Wildfly admin!!!
If you want to add Wildfly admin use the option
--container"<br>
<br>
This should solve both your (a) and (b) and remove most
of confusions IMO. And in the future version, when
keycloak and wildfly admin will be same thing, we can
still use same "add-user.sh" script without need to
rename, remove or add any new script. We will just
remove the warning and possibly support for
"--container" option.<span><font color="#888888"><br>
<br>
<br>
Marek</font></span>
<div>
<div><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>a) What should it be called (it can't be
add-user-keycloak.sh as then it wouldn't make
sense in product)? add-user-sso.sh is an idea,
but is it clear that's adding "Keycloak admin
console" users</div>
<div>b) Will we not get a bunch of people asking
"I added a user with add-user, but still can't
login to Keycloak admin console"? Do we have a
solution for that?</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 25 April 2016 at
03:41, Stan Silvert <span dir="ltr"><<a href="mailto:ssilvert@redhat.com" target="_blank"></a><a href="mailto:ssilvert@redhat.com" target="_blank">ssilvert@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span><br>
On 4/24/2016 2:58 PM, Bill Burke wrote:<br>
> Completely different. standalone.sh
and domain.sh are completely new<br>
> run.sh variants and run.sh
disappeared.<br>
</span>Nope. If there was no domain.sh we
would have kept run.sh.<br>
standalone.sh does exactly the same thing
run.sh used to do.<br>
Furthermore, run.sh didn't disappear. It
just prints a helpful message.<br>
<br>
The situation here is exactly the same. If
there was no "keycloak"<br>
add-user we would have kept the old one.<br>
<br>
Bill, I agree that the current situation is
confusing. Stian, I agree<br>
that having both "add-user.sh" and
"add-user-keycloak.sh" is also confusing.<br>
<br>
The WildFly solution isn't pretty, but at
least it isn't confusing.<br>
<br>
I suppose you could make the whole thing
prettier by slapping some extra<br>
UI into the unified version. Let it prompt
the user for what he really<br>
wants to do, etc., etc.<br>
<span>><br>
> add-user.sh is the same script as the
old. and you've already had two<br>
> Red Hat people scratching their heads
wondering what happened to<br>
> add-user.sh.<br>
</span>Were you including me? I complained
about this several weeks ago, so<br>
perhaps you can make that three Red Hat
people. I agree that it's a<br>
problem.<br>
<div>
<div>><br>
> On 4/23/2016 3:04 PM, Stan Silvert
wrote:<br>
>> We had the same kind of problem
in WildFly a few years ago. Everyone<br>
>> was used to starting the server
with run.sh. But we needed to change<br>
>> that to differentiate between
standalone.sh and domain.sh. So we made<br>
>> run.bat just print out a "This
is deprecated. Here is what you need to<br>
>> do...." message.<br>
>><br>
>> It's not a perfect solution,
but we could do the same thing with<br>
>> add-user.sh and tell them to
use either add-user-keycloak.sh or<br>
>> add-user-eap.sh. At least you
wouldn't get any support questions.<br>
>><br>
>> On 4/23/2016 9:06 AM, Ilya Rum
wrote:<br>
>>> Hello!<br>
>>><br>
>>> As a new member of keycloak
QA team I recently had to set up some<br>
>>> clustering with domain
mode.<br>
>>> I was really confused when
add-user.sh did not add user to jboss
but<br>
>>> rather created the
keycloak-add-user.json.<br>
>>> The worst thing was that I
couldn't find any docs on adding user to<br>
>>> underlying eap at all.<br>
>>> Had to read the add-user.sh
itself to find out what was happening.<br>
>>> Even if it remains as it
is, it really should be at least
mentioned in<br>
>>> the docs :)<br>
>>><br>
>>> Have a nice day!<br>
>>> Ilya Rum.<br>
>>><br>
>>> On Sat, Apr 23, 2016 at
08:48:15AM -0400, Bill Burke wrote:<br>
>>>> Do you care about
usability at all? Not everything can
fit into nice little<br>
>>>> boxes all the time.
This is going to be extremely confusing
for users. I<br>
>>>> ran into it myself as I
thought the jboss add-user.sh script was
overwritten<br>
>>>> by our distribution
script by mistake. *OF COURSE* we
should have a<br>
>>>> separate add-user.sh
script. Even when, hopefully, JBoss can
delegate to<br>
>>>> Keycloak in maybe 7.1.
If we are going to leverage the JBoss
platform, and<br>
>>>> this means the JBoss
documentation too, every management
function that<br>
>>>> exists in JBoss should
be available in Keycloak and *WORK THE
SAME WAY*. If<br>
>>>> we don't change this,
we're going to get a ton of support
questions that<br>
>>>> say: "Why doesn't
add-user.sh work?"<br>
>>>><br>
>>>><br>
>>>><br>
>>>> On 4/23/2016 1:29 AM,
Stian Thorgersen wrote:<br>
>>>>> In the future we
need to secure the underlying WildFly
with rhsso. In<br>
>>>>> which case our
add-user will add users for both
Keycloak and WildFly/EAP.<br>
>>>>><br>
>>>>> IMO there's going
to be confusion until the above is
solved no matter what<br>
>>>>> we do. We'll need
to document this whichever way we do it.
Options are<br>
>>>>> stay with what we
have or rename our script. My vote goes
to keep as is<br>
>>>>> and document it.
Then hopefully by 7.1 we can secure the
WildFly bits so<br>
>>>>> the problem goes
away. With the other option (rename
ours) there will be a<br>
>>>>> problem once
WildFly bits are secured by Keycloak as
now the wf add-user<br>
>>>>> script should no
longer be used and completely removed at
which point we<br>
>>>>> should then rename
it back. So in the long run sticking
with how it is<br>
>>>>> today is ideal.
It's also way to late making changes
now. BTW this has<br>
>>>>> been around for
months.<br>
>>>>><br>
>>>>> On 22 Apr 2016
22:14, "Bill Burke" <<a href="mailto:bburke@redhat.com" target="_blank"></a><a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a><br>
>>>>> <mailto:<a href="mailto:bburke@redhat.com" target="_blank"></a><a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>>>
wrote:<br>
>>>>><br>
>>>>><br>
>>>>><br>
>>>>> On 4/22/2016
3:57 PM, Marek Posolda wrote:<br>
>>>>> > That's
the question...<br>
>>>>> ><br>
>>>>> > For
server distribution, we also have our
stuff ( keycloak<br>
>>>>> subsystem,<br>
>>>>> >
datasource, infinispan etc) directly
declared in<br>
>>>>>
"standalone.xml". On<br>
>>>>> > the
other hand, for overlay distribution, we
don't want to directly<br>
>>>>> > update
default "standalone.xml", so we are
adding our own<br>
>>>>> >
"standalone-keycloak.xml". Isn't it
quite similar thing?<br>
>>>>> ><br>
>>>>><br>
>>>>> Product will
not have the overlay distribution.<br>
>>>>><br>
>>>>> > We can
do the same for overlay and server
distribution, so never<br>
>>>>> edit<br>
>>>>> > default
wildfly files ( standalone.xml ,
add-user.sh), but<br>
>>>>> always use<br>
>>>>> > our own
versions with "-keycloak" suffix.
Advantage is more<br>
>>>>> >
consistent. However people will need to
always start keycloak server<br>
>>>>> > with
"./standalone.sh -c
standalone-keycloak.xml" then. Doesn't
it<br>
>>>>> > sucks
from the usability perspective?<br>
>>>>> ><br>
>>>>><br>
>>>>> The overlay
exists because we can't distribute EAP
within community.<br>
>>>>> Keycloak
should be run as a separate server, so,
IMO, -keycloak.xml<br>
>>>>> files should
go away and overwrite standalone.xml,<br>
>>>>>
standalone-ha.xml and<br>
>>>>> domain.xml<br>
>>>>><br>
>>>>> > I
honestly don't know what's the best way
regarding usability. AFAIK<br>
>>>>> > this was
decided on mailing lists couple of
months ago, but don't<br>
>>>>> > remember
the exact threads...:/<br>
>>>>> ><br>
>>>>><br>
>>>>> I'm pretty
adamant about this. There will be a
huge amount of<br>
>>>>> confusion<br>
>>>>> if we don't
make this separation. Wildfly/JBoss and
Keycloak are hard<br>
>>>>> enough to
configure as it is.<br>
>>>>><br>
>>>>><br>
>>>>> --<br>
>>>>> Bill Burke<br>
>>>>> JBoss, a
division of Red Hat<br>
>>>>> <a href="http://bill.burkecentral.com" rel="noreferrer" target="_blank"></a><a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
>>>>><br>
>>>>>
_______________________________________________<br>
>>>>> keycloak-dev
mailing list<br>
>>>>> <a href="mailto:keycloak-dev@lists.jboss.org" target="_blank"></a><a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<mailto:<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>><br>
>>>>> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank"></a><a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
>>>>><br>
>>>> --<br>
>>>> Bill Burke<br>
>>>> JBoss, a division of
Red Hat<br>
>>>> <a href="http://bill.burkecentral.com" rel="noreferrer" target="_blank"></a><a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
>>>><br>
>>>>
_______________________________________________<br>
>>>> keycloak-dev mailing
list<br>
>>>> <a href="mailto:keycloak-dev@lists.jboss.org" target="_blank"></a><a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
>>>> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank"></a><a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
>>>
_______________________________________________<br>
>>> keycloak-dev mailing list<br>
>>> <a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
>>> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
>>
_______________________________________________<br>
>> keycloak-dev mailing list<br>
>> <a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
>> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
<br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
keycloak-dev mailing list
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>