[keycloak-user] export of realm json

Marek Posolda mposolda at redhat.com
Mon Oct 5 15:18:00 EDT 2015


Btw. Stan, is your work going to be added into 1.6 or is it for the next 
release? I am just asking because there is one pending PR, which is 
likely going to be merged for 1.6 - 
https://github.com/keycloak/keycloak/pull/1656/files . After merging 
this, we discussed with Stian some additional minor changes (namely 
removing the "zip" export/import provider as nobody seems to be using 
it so far). I should also double-check that import still works after 
those changes.

I am going to look at this likely next week and it's going to be 
included in 1.6. I am asking as I don't want to edit the same code as you 
and break something you're working on ;-)

Marek

On 05/10/15 20:33, Stan Silvert wrote:
> On 10/5/2015 2:26 PM, Thomas Raehalme wrote:
>>
>>
>> On Oct 5, 2015 21:24, "Bill Burke" <bburke at redhat.com> wrote:
>> >
>> > I'm still averse to allowing export from admin console of any
>> > credentials or private keys.
>>
>> Even if they are not directly downloadable but require access to the 
>> server just like now?
>>
> I think there should be no secrets ever downloadable from admin 
> console.  Admin console is, by definition, remote.
>
> If you have access to the server then you can use what is there now.
>
> It is possible, however, that when we do our CLI implementation we can 
> verify that the user is local and allow full access.  That way, you 
> could do full export on a running server.  WildFly CLI already has 
> logic to verify a user is local.
>
>>
>> >
>> > On 10/5/2015 2:02 PM, Stan Silvert wrote:
>> > > I'm actually starting on the design and implementation of this right
>> > > now.  It's import/export from the admin console.  It will also have the
>> > > ability to import/export partial pieces of a realm such as just users.
>> > >
>> > > Thanks for the comments so far on this thread.  They have been very helpful.
>> > >
>> > > We will keep the idea that no secrets should ever be exported from admin
>> > > console.  I'm not sure that having a flag for it in keycloak-server.json
>> > > helps.  To edit keycloak-server.json, you need access to the server, in
>> > > which case you might as well do the current import/export.
>> > >
>> > > So what do you do after you import a user with no credentials? Some ideas:
>> > > * The administrator can reset the password manually.
>> > > * The user can do password recovery (if enabled)
>> > >
>> > > Any other ideas?
>> > >
>> > > Stan
>> > >
>> > > On 10/5/2015 12:34 PM, Tim Dudgeon wrote:
>> > >> That's a good point. Having to stop/start the server to generate an
>> > >> export is not ideal.
>> > >>
>> > >> Tim
>> > >>
>> > >> On 05/10/2015 11:56, Thomas Raehalme wrote:
>> > >>>
>> > >>>
>> > >>> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke <bburke at redhat.com> wrote:
>> > >>>
>> > >>>     On 10/4/2015 5:37 PM, Thomas Raehalme wrote:
>> > >>>
>> > >>>
>> > >>>         On Oct 4, 2015 23:57, "Bill Burke" <bburke at redhat.com> wrote:
>> > >>>          >
>> > >>>          > For security reasons we did not want to have a remote
>> > >>>         option to export.
>> > >>>
>> > >>>
>> > >>> How about just storing the export as a local file on the server?
>> > >>> You'd need access to the server in order to get the file (making the
>> > >>> system compromised anyways). The change to current behaviour is that
>> > >>> you would be able to trigger the export at will without server restart.
>> > >>>
>> > >>> Best regards,
>> > >>> Thomas
>> > >>>
>> > >>>
>> > >>> _______________________________________________
>> > >>> keycloak-user mailing list
>> > >>> keycloak-user at lists.jboss.org
>> > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> > >>
>> > >>
>> > >>
>> > >
>> > >
>> > >
>> > >
>> >
>> > --
>> > Bill Burke
>> > JBoss, a division of Red Hat
>> > http://bill.burkecentral.com
>>
>>
>>
>
>
>
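The rule the thread settles on is that a realm export handed out through the admin console must carry no secrets, while a full export stays a local, on-server operation. As an added example (not Keycloak's own code and not from anyone on this thread), here is a redaction pass that strips secret-bearing keys from a realm export before it leaves the server and reports which paths were removed so the stripping is auditable. The key names (secret, privateKey, credentials, password) and the sample realm are assumptions about the shape of the export JSON, not values taken from this page; check them against the export your Keycloak version actually produces.

```python
"""Redact secret-bearing fields from a Keycloak-style realm export.

Added example, not Keycloak code. The key names below are assumptions about
the realm JSON layout (client secrets, realm private key, user credentials,
SMTP password); adjust them to the export you actually generate.
"""
import json
from typing import Any, Dict, List, Tuple

# Keys whose values must never reach a remote admin (assumed names).
SECRET_KEYS = frozenset({"secret", "privateKey", "credentials", "password"})


def find_secret_paths(node: Any, path: str = "") -> List[str]:
    """Return JSON-pointer-style paths of every secret-bearing key present.

    Useful on its own as a pre-publication check: an export that is meant to
    be safe for download must yield an empty list here.
    """
    found: List[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}/{key}"
            if key in SECRET_KEYS:
                found.append(child)
            else:
                found.extend(find_secret_paths(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            found.extend(find_secret_paths(item, f"{path}/{index}"))
    return found


def redact(node: Any) -> Any:
    """Return a deep copy of node with every secret-bearing key removed."""
    if isinstance(node, dict):
        return {k: redact(v) for k, v in node.items() if k not in SECRET_KEYS}
    if isinstance(node, list):
        return [redact(item) for item in node]
    return node


def export_for_remote_admin(realm: Dict[str, Any]) -> Tuple[str, List[str]]:
    """Serialise a redacted realm and report what was stripped.

    Returns (json_text, removed_paths). Log removed_paths alongside the export
    so an operator can see that users arrive without credentials and clients
    without secrets, and must reset or regenerate them after import.
    """
    removed = find_secret_paths(realm)
    clean = redact(realm)
    # Defensive re-check: refuse to hand out an export that still leaks.
    if find_secret_paths(clean):
        raise RuntimeError("redaction left a secret-bearing key behind")
    return json.dumps(clean, indent=2, sort_keys=True), removed


# Constructed sample shaped like a realm export; every value is a placeholder.
SAMPLE_REALM: Dict[str, Any] = {
    "realm": "demo",
    "privateKey": "PLACEHOLDER-PRIVATE-KEY",
    "publicKey": "PLACEHOLDER-PUBLIC-KEY",
    "clients": [
        {"clientId": "app", "secret": "PLACEHOLDER-CLIENT-SECRET", "publicClient": False},
    ],
    "users": [
        {
            "username": "alice",
            "enabled": True,
            "credentials": [{"type": "password", "value": "PLACEHOLDER-HASH"}],
        }
    ],
    "smtpServer": {"host": "mail.example.com", "password": "PLACEHOLDER-SMTP"},
}

if __name__ == "__main__":
    text, removed = export_for_remote_admin(SAMPLE_REALM)
    print("stripped:", removed)
    print(text)
```

Running the module prints the redacted realm and the four stripped paths; the same find_secret_paths check can be run over any export file before it is attached to a ticket or committed to a repository.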


