[keycloak-user] out of box experiences and automation

Stian Thorgersen sthorger at redhat.com
Fri Dec 18 03:33:57 EST 2015


On 18 December 2015 at 09:27, Pavel Maslov <pavel.masloff at gmail.com> wrote:

> Hi, Stian
>
> Didn't know that, sorry. What I meant is people have different use-cases,
> you guys provide a base image. Keycloak users are free to extend the base
> image. For example, I was forced to create my own docker image, because the
> base image doesn't provide external database support, nor SSL.
>

We do have images for MySQL and PostgreSQL, but you're right they are still
base images and I'd expect people to extend it for real use.

SSL support would be nice to add though. As suggested it could be done with
env variables and container volumes.


>
> Regards,
> Pavel Maslov, MS
>
> On Fri, Dec 18, 2015 at 8:34 AM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>> Why do you say Keycloak and Keycloak Docker image are two different
>> projects? Keycloak Docker image is provided and maintained by the Keycloak
>> team and is as such part of the Keycloak project itself.
>>
>> On 17 December 2015 at 18:01, Pavel Maslov <pavel.masloff at gmail.com>
>> wrote:
>>
>>> Dong, note that Keycloak and Keycloak Docker image are two different
>>> projects. You can, however, customize the official docker image depending
>>> on your requirements.
>>>
>>> Regards,
>>> Pavel Maslov, MS
>>>
>>> On Thu, Dec 17, 2015 at 5:48 PM, Dong Xie <xied75 at gmail.com> wrote:
>>>
>>>> That is great news, when is 1.8 release time?
>>>>
>>>> Also is it possible to take ENV var to enable SSL and take the
>>>> configuration of certs files via a container volume? Hope those have been in
>>>> the plan, if not I’m happy to raise the issue in JIRA and see if I can
>>>> contribute towards it.
>>>>
>>>> Best regards,
>>>>
>>>> Dong
>>>>
>>>> Sent from Mail <http://go.microsoft.com/fwlink/?LinkId=550986> for
>>>> Windows 10
>>>>
>>>> *From: *Stian Thorgersen
>>>> *Sent: *17 December 2015 16:43
>>>> *To: *Dong Xie
>>>> *Cc: *keycloak-user at lists.jboss.org
>>>> *Subject: *Re: [keycloak-user] out of box experiences and automation
>>>>
>>>> We will soon remove the built-in admin/admin user account. For the
>>>> Docker image you will either have to:
>>>>
>>>> 1. Pass the admin username and password with environment variables
>>>> 2. Access via localhost (port forwarding) to create an initial user
>>>> account
>>>>
>>>> That'll be added in 1.8.
>>>>
>>>> On 17 December 2015 at 17:05, Dong Xie <xied75 at gmail.com> wrote:
>>>>
>>>> Keycloak is deployed as docker container into cloud, once the container
>>>> starts, the keycloak server starts, I can’t stop it being called or call
>>>> the script before the container starts, unless I bother to make a
>>>> customised docker image, which is not ideal. Since there is no human action
>>>> involved, no one will reset the admin password via browser, unless you mean
>>>> I can call REST API to fully set up admin user. Also when I add new user if
>>>> I add it into master realm it will be as powerful as admin, at least that’s
>>>> what I observed? Therefore leaving the admin there is only going to be a
>>>> security hole, and the best practice is to get rid of it as fast as I can.
>>>>
>>>> Best,
>>>>
>>>> Dong
>>>>
>>>> *From: *Stian Thorgersen
>>>> *Sent: *17 December 2015 15:57
>>>> *To: *Dong Xie
>>>> *Cc: *keycloak-user at lists.jboss.org
>>>> *Subject: *Re: [keycloak-user] out of box experiences and automation
>>>>
>>>> You don't need to restart the server, you can call the script before
>>>> starting the server in the first place.
>>>>
>>>> Why do you need to remove the admin? Do you not need to have at least
>>>> one admin account on the server?
>>>>
>>>> What do you mean about init access token?
>>>>
>>>> On 17 December 2015 at 16:49, Dong Xie <xied75 at gmail.com> wrote:
>>>>
>>>> That’s exactly what I used, so before I can expose the keycloak to the
>>>> world, I need to get into the node, call the script, restart server, login
>>>> with the new admin, calling REST API to remove the admin, sounds like a lot
>>>> of work?
>>>>
>>>> Can we not config an init access token or something similar to smooth
>>>> the thing, for our poor DevOps life?
>>>>
>>>> Any help would be great!
>>>>
>>>> Best,
>>>>
>>>> Dong
>>>>
>>>> *From: *Stian Thorgersen
>>>> *Sent: *17 December 2015 15:41
>>>> *To: *Dong Xie
>>>> *Cc: *keycloak-user at lists.jboss.org
>>>> *Subject: *Re: [keycloak-user] out of box experiences and automation
>>>>
>>>> From 1.7 you can add an admin user using the add-user script. See
>>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e136
>>>>
>>>> On 17 December 2015 at 16:38, Dong Xie <xied75 at gmail.com> wrote:
>>>>
>>>> Dear all,
>>>>
>>>> I wonder how I can work around needing to browse the web page and log in
>>>> with admin + admin to change the password? We are deploying keycloak in an
>>>> automated flow thus no human interaction is expected.
>>>>
>>>> Thanks very much for your help!
>>>>
>>>> Best,
>>>>
>>>> Dong
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
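
The two ideas discussed in this thread (initial admin credentials passed as environment variables, and SSL enabled by an environment variable with certificate files on a container volume) both call for a start-up check in the container entrypoint, shown here as an added example that is not part of the thread or of the Keycloak Docker image. The variable names KC_ADMIN_USER, KC_ADMIN_PASSWORD, KC_TLS_ENABLED and KC_TLS_DIR and the file names tls.crt and tls.key are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-start checks for a container entrypoint wrapper.
# All variable and file names here are hypothetical, not Keycloak's own:
#   KC_ADMIN_USER / KC_ADMIN_PASSWORD  initial admin credentials
#   KC_TLS_ENABLED                     "true" to require TLS material
#   KC_TLS_DIR                         mounted volume with tls.crt and tls.key

preflight_check() {
    errors=0

    # Credentials must be supplied; never fall back to a built-in default.
    if [ -z "${KC_ADMIN_USER:-}" ] || [ -z "${KC_ADMIN_PASSWORD:-}" ]; then
        echo "preflight: admin username and password must both be set" >&2
        errors=$((errors + 1))
    elif [ "$KC_ADMIN_PASSWORD" = "admin" ] ||
         [ "$KC_ADMIN_PASSWORD" = "$KC_ADMIN_USER" ]; then
        echo "preflight: refusing default or username-equal password" >&2
        errors=$((errors + 1))
    fi

    if [ "${KC_TLS_ENABLED:-false}" = "true" ]; then
        cert="${KC_TLS_DIR:-}/tls.crt"
        key="${KC_TLS_DIR:-}/tls.key"
        if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
            echo "preflight: TLS enabled but $cert or $key is not readable" >&2
            errors=$((errors + 1))
        else
            # Characters 5-10 of the ls mode string are the group/other bits.
            mode=$(ls -ld "$key" | cut -c5-10)
            if [ "$mode" != "------" ]; then
                echo "preflight: $key is accessible to group or others" >&2
                errors=$((errors + 1))
            fi
        fi
    fi

    # Succeed only when every check passed.
    [ "$errors" -eq 0 ]
}
```

Call preflight_check from the entrypoint before the server start command and exit non-zero when it fails, so the container never comes up with the default admin password or with TLS requested but no usable key.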