[keycloak-user] export of realm json

Marek Posolda mposolda at redhat.com
Tue Oct 6 07:09:43 EDT 2015


On 06/10/15 13:04, Stan Silvert wrote:
> On 10/5/2015 3:18 PM, Marek Posolda wrote:
>> Btw, Stan, is your work going to be added into 1.6 or is it for the next
>> release? I am just asking because there is one pending PR, which is
>> likely going to be merged for 1.6 -
>> https://github.com/keycloak/keycloak/pull/1656/files . After merging
>> this, we discussed with Stian some additional minor changes (namely
>> removing "zip" export/import provider as nobody seems to be
>> using it so far). I should also double-check that import still works
>> after those changes.
>>
>> I am going to look at this likely next week and it's going to be
>> included in 1.6. I am asking as I don't want to edit the same code as
>> you and break something you're working on ;-)
> It definitely won't make it for 1.6.  I'm just getting started, 
> figuring out the requirements, and figuring out how it will all work.
ah, ok. Thanks. No conflicts expected then :-)

Marek
>
>>
>> Marek
>>
>> On 05/10/15 20:33, Stan Silvert wrote:
>>> On 10/5/2015 2:26 PM, Thomas Raehalme wrote:
>>>>
>>>>
>>>> On Oct 5, 2015 21:24, "Bill Burke" <bburke at redhat.com> wrote:
>>>> >
>>>> > I'm still averse to allowing export from admin console of any
>>>> > credentials or private keys.
>>>>
>>>> Even if they are not directly downloadable but require access to 
>>>> the server just like now?
>>>>
>>> I think there should be no secrets ever downloadable from admin 
>>> console.  Admin console is, by definition, remote.
>>>
>>> If you have access to the server then you can use what is there now.
>>>
>>> It is possible, however, that when we do our CLI implementation we 
>>> can verify that the user is local and allow full access.  That way, 
>>> you could do full export on a running server.  WildFly CLI already 
>>> has logic to verify a user is local.
>>>
>>>>
>>>> >
>>>> > On 10/5/2015 2:02 PM, Stan Silvert wrote:
>>>> > > I'm actually starting on the design and implementation of this right
>>>> > > now.  It's import/export from the admin console.  It will also have the
>>>> > > ability to import/export partial pieces of a realm such as just users.
>>>> > >
>>>> > > Thanks for the comments so far on this thread. They have been very helpful.
>>>> > >
>>>> > > We will keep the idea that no secrets should ever be exported from admin
>>>> > > console.  I'm not sure that having a flag for it in keycloak-server.json
>>>> > > helps.  To edit keycloak-server.json, you need access to the server, in
>>>> > > which case you might as well do the current import/export.
>>>> > >
>>>> > > So what do you do after you import a user with no credentials? Some ideas:
>>>> > > * The administrator can reset the password manually.
>>>> > > * The user can do password recovery (if enabled)
>>>> > >
>>>> > > Any other ideas?
>>>> > >
>>>> > > Stan
>>>> > >
>>>> > > On 10/5/2015 12:34 PM, Tim Dudgeon wrote:
>>>> > >> That's a good point. Having to stop/start the server to generate an
>>>> > >> export is not ideal.
>>>> > >>
>>>> > >> Tim
>>>> > >>
>>>> > >> On 05/10/2015 11:56, Thomas Raehalme wrote:
>>>> > >>>
>>>> > >>>
>>>> > >>> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke <bburke at redhat.com> wrote:
>>>> > >>>
>>>> > >>>     On 10/4/2015 5:37 PM, Thomas Raehalme wrote:
>>>> > >>>
>>>> > >>>
>>>> > >>>         On Oct 4, 2015 23:57, "Bill Burke" <bburke at redhat.com> wrote:
>>>> > >>>          >
>>>> > >>>          > For security reasons we did not want to have a remote
>>>> > >>>          > option to export.
>>>> > >>>
>>>> > >>>
>>>> > >>> How about just storing the export as a local file on the server?
>>>> > >>> You'd need access to the server in order to get the file (making the
>>>> > >>> system compromised anyways). The change to current behaviour is that
>>>> > >>> you would be able to trigger the export at will without server restart.
>>>> > >>>
>>>> > >>> Best regards,
>>>> > >>> Thomas
>>>> > >>>
>>>> > >>>
>>>> > >>> _______________________________________________
>>>> > >>> keycloak-user mailing list
>>>> > >>> keycloak-user at lists.jboss.org
>>>> > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>> >
>>>> > --
>>>> > Bill Burke
>>>> > JBoss, a division of Red Hat
>>>> > http://bill.burkecentral.com
>>
>
