[keycloak-user] Realm Export in Clustered Environment

Marek Posolda mposolda at redhat.com
Mon Apr 11 17:38:37 EDT 2016


On 11/04/16 18:30, Josh Cain wrote:
> Hi Marek,
>
> So to be clear - we're using this strictly for a configuration backup 
> (no user data will be exported).  And if I'm understanding you 
> correctly, is it safe to assume that the exports will be clean as long 
> as no administrators are actively making configuration changes during 
> the export process?
Hi Josh,

Yes, then I think it should be safe to assume. Despite some corner cases 
(For example if you have LDAP, the roles or groups from LDAP might be 
synced to the realm database during first login of any user, who is 
member of particular role/group. So if this login happen during export, 
the new role/groups would be added during export progress too).

Marek
>
> Josh Cain | Software Applications Engineer
> /Identity and Access Management/
> *Red Hat*
> +1 843-737-1735
>
> On Mon, Apr 11, 2016 at 10:46 AM, Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>> wrote:
>
>     On 11/04/16 15:35, Josh Cain wrote:
>>     Hi All,
>>
>>     We're looking to take nightly realm backups of a clustered
>>     Keycloak deployment via the realm export feature.  However, in
>>     reading through the docs
>>     <http://keycloak.github.io/docs/userguide/keycloak-server/html/export-import.html>,
>>     I came across this statement:
>>
>>     The fact it's done at server startup means that no-one can access
>>     Keycloak UI or REST endpoints and edit Keycloak database on the
>>     fly when export or import is in progress. Otherwise it could lead
>>     to inconsistent results.
>>
>>     What are the implications for this in a clustered environment? 
>>     We were planning to take a single server down and use it for
>>     realm export.  Will this operation be reliable with other servers
>>     running?
>     Depends on which level of consistency you want to achieve. In
>     theory, it might not be so bad. But note that in your case, the
>     node2 will be doing export when node1 will still receive requests
>     from users. This can lead to possible inconsistencies.
>
>     For example,  some user decided that he don't trust facebook
>     login, so he is going to set password instead of facebook link. So
>     he will do these actions quickly in account management:
>     - Set his password in account mgmt page
>     - Remove link to facebook
>
>     Assuming the export will be in progress, it can happen that user
>     will be exported without password and also without
>     federationLinks, so after reimport he won't be able to login anymore.
>
>     Marek
>>
>>     Josh Cain | Software Applications Engineer
>>     /Identity and Access Management/
>>     *Red Hat*
>>     +1 843-737-1735 <tel:%2B1%20843-737-1735>
>>
>>
>>     _______________________________________________
>>     keycloak-user mailing list
>>     keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160411/066959f7/attachment.html 


More information about the keycloak-user mailing list