[keycloak-user] Realm Export in Clustered Environment

[Marek Posolda]

On 11/04/16 15:35, Josh Cain wrote:
> Hi All,
>
> We're looking to take nightly realm backups of a clustered Keycloak 
> deployment via the realm export feature.  However, in reading through 
> the docs 
> <http://keycloak.github.io/docs/userguide/keycloak-server/html/export-import.html>, 
> I came across this statement:
>
> The fact it's done at server startup means that no-one can access 
> Keycloak UI or REST endpoints and edit Keycloak database on the fly 
> when export or import is in progress. Otherwise it could lead to 
> inconsistent results.
>
> What are the implications for this in a clustered environment?  We 
> were planning to take a single server down and use it for realm 
> export.  Will this operation be reliable with other servers running?
Depends on which level of consistency you want to achieve. In theory, it 
might not be so bad. But note that in your case, the node2 will be doing 
export when node1 will still receive requests from users. This can lead 
to possible inconsistencies.

For example,  some user decided that he don't trust facebook login, so 
he is going to set password instead of facebook link. So he will do 
these actions quickly in account management:
- Set his password in account mgmt page
- Remove link to facebook

Assuming the export will be in progress, it can happen that user will be 
exported without password and also without federationLinks, so after 
reimport he won't be able to login anymore.

Marek
>
> Josh Cain | Software Applications Engineer
> /Identity and Access Management/
> *Red Hat*
> +1 843-737-1735
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160411/f4711589/attachment-0001.html