<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 10/5/2015 3:18 PM, Marek Posolda
wrote:<br>
</div>
<blockquote cite="mid:5612CCE8.4070801@redhat.com" type="cite">
<div class="moz-cite-prefix">Btw. Stan, is your work going to be
added into 1.6 or is it for the next release? I am just asking
because there is one pending PR, which is likely going to be
merged for 1.6 - <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://github.com/keycloak/keycloak/pull/1656/files">https://github.com/keycloak/keycloak/pull/1656/files</a>
. After merging this, we discussed with Stian some additional
minor changes (namely removing the "zip" export/import provider as
nobody seems to be using it so far). I should also
double-check that import still works after those changes.<br>
<br>
I am going to look at this likely next week and it's going to be
included in 1.6. I am asking as I don't want to edit the same code
as you and break something you're working on <span
class="moz-smiley-s3"><span> ;-) </span></span><br>
</div>
</blockquote>
It definitely won't make it for 1.6. I'm just getting started,
figuring out the requirements, and figuring out how it will all
work.<br>
<br>
<blockquote cite="mid:5612CCE8.4070801@redhat.com" type="cite">
<div class="moz-cite-prefix"> <br>
Marek<br>
<br>
On 05/10/15 20:33, Stan Silvert wrote:<br>
</div>
<blockquote cite="mid:5612C27F.9080809@redhat.com" type="cite">
<div class="moz-cite-prefix">On 10/5/2015 2:26 PM, Thomas
Raehalme wrote:<br>
</div>
<blockquote
cite="mid:CAPyAMobeFGVWgVhyWaE+dxtwr-v89T=Nx993w6whjYrTNKpu5g@mail.gmail.com"
type="cite">
<p dir="ltr"><br>
On Oct 5, 2015 21:24, "Bill Burke" <<a
moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:bburke@redhat.com">bburke@redhat.com</a>>
wrote:<br>
><br>
> I'm still averse to allowing export from admin console
of any<br>
> credentials or private keys.</p>
<p dir="ltr">Even if they are not directly downloadable but
require access to the server just like now?<br>
</p>
</blockquote>
I think there should be no secrets ever downloadable from admin
console. Admin console is, by definition, remote.<br>
<br>
If you have access to the server then you can use what is there
now.<br>
<br>
It is possible, however, that when we do our CLI implementation
we can verify that the user is local and allow full access.
That way, you could do full export on a running server. WildFly
CLI already has logic to verify a user is local.<br>
<br>
<blockquote
cite="mid:CAPyAMobeFGVWgVhyWaE+dxtwr-v89T=Nx993w6whjYrTNKpu5g@mail.gmail.com"
type="cite">
<p dir="ltr"><br>
</p>
<p dir="ltr">><br>
> On 10/5/2015 2:02 PM, Stan Silvert wrote:<br>
> > I'm actually starting on the design and
implementation of this right<br>
> > now. It's import/export from the admin console.
It will also have the<br>
> > ability to import/export partial pieces of a realm
such as just users.<br>
> ><br>
> > Thanks for the comments so far on this thread.
They have been very helpful.<br>
> ><br>
> > We will keep the idea that no secrets should ever
be exported from admin<br>
> > console. I'm not sure that having a flag for it
in keycloak-server.json<br>
> > helps. To edit keycloak-server.json, you need
access to the server, in<br>
> > which case you might as well do the current
import/export.<br>
> ><br>
> > So what do you do after you import a user with no
credentials? Some ideas:<br>
> > * The administrator can reset the password
manually.<br>
> > * The user can do password recovery (if enabled)<br>
> ><br>
> > Any other ideas?<br>
> ><br>
> > Stan<br>
> ><br>
> > On 10/5/2015 12:34 PM, Tim Dudgeon wrote:<br>
> >> That's a good point. Having to stop/start the
server to generate an<br>
> >> export is not ideal.<br>
> >><br>
> >> Tim<br>
> >><br>
> >> On 05/10/2015 11:56, Thomas Raehalme wrote:<br>
> >>><br>
> >>><br>
> >>> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke
<<a moz-do-not-send="true"
href="mailto:bburke@redhat.com">bburke@redhat.com</a><br>
> >>> <mailto:<a moz-do-not-send="true"
href="mailto:bburke@redhat.com">bburke@redhat.com</a>>>
wrote:<br>
> >>><br>
> >>> On 10/4/2015 5:37 PM, Thomas Raehalme
wrote:<br>
> >>><br>
> >>><br>
> >>> On Oct 4, 2015 23:57, "Bill Burke"
<<a moz-do-not-send="true"
href="mailto:bburke@redhat.com">bburke@redhat.com</a><br>
> >>> <mailto:<a
moz-do-not-send="true" href="mailto:bburke@redhat.com">bburke@redhat.com</a>
<mailto:<a moz-do-not-send="true"
href="mailto:bburke@redhat.com">bburke@redhat.com</a>>>>
wrote:<br>
> >>> ><br>
> >>> > For security reasons we did
not want to have a remote<br>
> >>> option to export.<br>
> >>><br>
> >>><br>
> >>> How about just storing the export as a
local file on the server?<br>
> >>> You'd need access to the server in order
to get the file (making the<br>
> >>> system compromised anyways). The change to
current behaviour is that<br>
> >>> you would be able to trigger the export at
will without server restart.<br>
> >>><br>
> >>> Best regards,<br>
> >>> Thomas<br>
> >>><br>
> >>><br>
> >>>
_______________________________________________<br>
> >>> keycloak-user mailing list<br>
> >>> <a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> >>> <a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
> >><br>
> >><br>
> >><br>
> ><br>
> ><br>
> ><br>
> ><br>
><br>
> --<br>
> Bill Burke<br>
> JBoss, a division of Red Hat<br>
> <a moz-do-not-send="true"
href="http://bill.burkecentral.com">http://bill.burkecentral.com</a><br>
</p>
</blockquote>
</blockquote>
<br>
</blockquote>
<br>
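<p>As an added illustration, not part of the thread above and not Keycloak's own code: the rule the thread converges on, that a remote admin-console export must never carry credentials or private keys, can be enforced as a filter over the realm document plus a final gate that refuses to return anything still containing secret material. The realm document, the set of secret key names and the function names below are all constructed for this example; the field layout only mirrors the general shape of a realm JSON.</p>

```python
"""Added example (not code from the keycloak-user thread or from Keycloak itself):
a secret-stripping filter for a realm export served from a remote admin console,
illustrating the "no secrets ever downloadable from admin console" rule and the
partial (users-only) export mentioned in the thread. The realm document below
is constructed for the example; field names mirror the shape of a Keycloak
realm JSON but every value is made up."""
import copy
import json

# Keys whose values must never leave the server through a remote export (assumed set).
SECRET_KEYS = {"secret", "privateKey", "credentials", "password", "secretData"}

# Constructed sample realm (not a real export).
SAMPLE_REALM = {
    "realm": "demo",
    "privateKey": "MIIEv...constructed...",
    "publicKey": "MIIBIj...constructed...",
    "clients": [
        {"clientId": "web-app", "secret": "constructed-client-secret", "publicClient": False},
        {"clientId": "spa", "publicClient": True},
    ],
    "users": [
        {"username": "alice", "email": "alice@example.test",
         "credentials": [{"type": "password", "hashedSaltedValue": "constructed"}]},
        {"username": "bob", "email": "bob@example.test", "credentials": []},
    ],
}


def strip_secrets(node):
    """Return a deep copy of `node` with every SECRET_KEYS entry removed, at any depth."""
    if isinstance(node, dict):
        return {k: strip_secrets(v) for k, v in node.items() if k not in SECRET_KEYS}
    if isinstance(node, list):
        return [strip_secrets(item) for item in node]
    return node


def contains_secret(node):
    """True if any SECRET_KEYS key survives anywhere in the document (final gate)."""
    if isinstance(node, dict):
        return any(k in SECRET_KEYS or contains_secret(v) for k, v in node.items())
    if isinstance(node, list):
        return any(contains_secret(item) for item in node)
    return False


def remote_export(realm, sections=None):
    """Build the document a remote admin-console export may return.

    `sections` selects top-level pieces (e.g. ["users"]) for a partial export;
    None exports the whole realm. Secrets are removed, and the result is
    re-checked so that a newly added secret-bearing field cannot slip through
    silently: the export fails closed instead of leaking.
    """
    doc = copy.deepcopy(realm)
    if sections is not None:
        doc = {k: v for k, v in doc.items() if k == "realm" or k in sections}
    doc = strip_secrets(doc)
    if contains_secret(doc):
        raise RuntimeError("refusing to export: secret material still present")
    return doc


if __name__ == "__main__":
    # Users-only export: usernames and e-mails survive, credentials do not.
    print(json.dumps(remote_export(SAMPLE_REALM, sections=["users"]), indent=2))
```

<p>The split between <code>strip_secrets</code> and <code>contains_secret</code> is deliberate: the second pass is the check that would catch a future field added to the secret list without a matching change in the filter. Users imported from such an export arrive without credentials, which is exactly the situation the thread describes, with password reset by an administrator or self-service recovery as the follow-up.</p>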
</body>
</html>