[keycloak-user] Realm Export in Clustered Environment

Josh Cain josh.cain at redhat.com
Mon Apr 11 12:30:37 EDT 2016


Hi Marek,

So to be clear - we're using this strictly for a configuration backup (no
user data will be exported).  And if I'm understanding you correctly, is it
safe to assume that the exports will be clean as long as no administrators
are actively making configuration changes during the export process?

Josh Cain | Software Applications Engineer
*Identity and Access Management*
*Red Hat*
+1 843-737-1735

On Mon, Apr 11, 2016 at 10:46 AM, Marek Posolda <mposolda at redhat.com> wrote:

> On 11/04/16 15:35, Josh Cain wrote:
>
> Hi All,
>
> We're looking to take nightly realm backups of a clustered Keycloak
> deployment via the realm export feature.  However, in reading through the
> docs
> <http://keycloak.github.io/docs/userguide/keycloak-server/html/export-import.html>,
> I came across this statement:
>
> The fact it's done at server startup means that no-one can access Keycloak
> UI or REST endpoints and edit Keycloak database on the fly when export or
> import is in progress. Otherwise it could lead to inconsistent results.
>
> What are the implications for this in a clustered environment?  We were
> planning to take a single server down and use it for realm export.  Will
> this operation be reliable with other servers running?
>
> Depends on which level of consistency you want to achieve. In theory, it
> might not be so bad. But note that in your case, node2 will be doing the
> export while node1 will still be receiving requests from users. This can lead to
> possible inconsistencies.
>
> For example, some user decided that he doesn't trust Facebook login, so he
> is going to set a password instead of the Facebook link. So he will do these
> actions quickly in account management:
> - Set his password in account mgmt page
> - Remove link to Facebook
>
> Assuming the export is in progress, it can happen that the user will be
> exported without a password and also without federationLinks, so after
> reimport he won't be able to log in anymore.
>
> Marek
>
>
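
The inconsistency Marek describes (a user exported with neither a password nor an identity-provider link) can be checked for in an export file before it is trusted as a backup. The script below is an added example, not part of this thread or of Keycloak itself. It assumes an export that includes users under a top-level `users` array, and the field names `credentials`, `federatedIdentities`, `federationLink`, `serviceAccountClientId` and `enabled` are assumptions about the export JSON; the sample data is constructed.

```python
import json

# Constructed sample shaped like a Keycloak realm export that includes users.
# Field names are assumptions about the export JSON, not taken from the thread.
SAMPLE_EXPORT = json.loads("""
{
  "realm": "demo",
  "users": [
    {"username": "alice", "enabled": true,
     "credentials": [{"type": "password"}], "federatedIdentities": []},
    {"username": "bob", "enabled": true,
     "federatedIdentities": [{"identityProvider": "facebook", "userId": "123"}]},
    {"username": "carol", "enabled": true,
     "credentials": [], "federatedIdentities": []},
    {"username": "dave", "enabled": true, "federationLink": "ldap-provider-id"},
    {"username": "service-account-app", "enabled": true,
     "serviceAccountClientId": "app"},
    {"username": "erin", "enabled": false}
  ]
}
""")


def users_without_login_method(export):
    """Return usernames that would have no way to log in after a re-import."""
    flagged = []
    for user in export.get("users") or []:
        if not user.get("enabled", True):
            continue  # disabled accounts cannot log in anyway
        if user.get("serviceAccountClientId"):
            continue  # service accounts authenticate through their client
        if user.get("federationLink"):
            continue  # credentials live in the external user store
        has_credential = bool(user.get("credentials"))
        has_idp_link = bool(user.get("federatedIdentities"))
        if not has_credential and not has_idp_link:
            flagged.append(user.get("username", "<no username>"))
    return flagged


if __name__ == "__main__":
    for name in users_without_login_method(SAMPLE_EXPORT):
        print("no credential and no identity-provider link:", name)
```

A non-empty result on a nightly export is a signal to re-run the export rather than keep that file as the backup.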