<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 06/10/15 13:04, Stan Silvert wrote:<br>
    </div>
    <blockquote cite="mid:5613AACE.7090603@redhat.com" type="cite">
      <div class="moz-cite-prefix">On 10/5/2015 3:18 PM, Marek Posolda
        wrote:<br>
      </div>
      <blockquote cite="mid:5612CCE8.4070801@redhat.com" type="cite">
        <div class="moz-cite-prefix">Btw, Stan, is your work going to be
          added into 1.6 or is it for the next release? I am just asking
          because there is one pending PR, which is likely going to be
          merged for 1.6 - <a moz-do-not-send="true"
            class="moz-txt-link-freetext"
            href="https://github.com/keycloak/keycloak/pull/1656/files">https://github.com/keycloak/keycloak/pull/1656/files</a>.
          After merging this, we discussed with Stian some additional
          minor changes (namely removing the "zip" export/import provider as
          nobody seems to be using it so far). I should also
          double-check that import still works after those changes.<br>
          <br>
          I am going to look at this likely next week and it's going to
          be included in 1.6. I am asking as I don't want to edit the same
          code as you and break something you're working on <span
            class="moz-smiley-s3"><span> ;-) </span></span><br>
        </div>
      </blockquote>
      It definitely won't make it for 1.6.  I'm just getting started,
      figuring out the requirements, and figuring out how it will all
      work.<br>
    </blockquote>
    ah, ok. Thanks. No conflicts expected then <span
      class="moz-smiley-s1"><span> :-) </span></span><br>
    <br>
    Marek<br>
    <blockquote cite="mid:5613AACE.7090603@redhat.com" type="cite"> <br>
      <blockquote cite="mid:5612CCE8.4070801@redhat.com" type="cite">
        <div class="moz-cite-prefix"> <br>
          Marek<br>
          <br>
          On 05/10/15 20:33, Stan Silvert wrote:<br>
        </div>
        <blockquote cite="mid:5612C27F.9080809@redhat.com" type="cite">
          <div class="moz-cite-prefix">On 10/5/2015 2:26 PM, Thomas
            Raehalme wrote:<br>
          </div>
          <blockquote
cite="mid:CAPyAMobeFGVWgVhyWaE+dxtwr-v89T=Nx993w6whjYrTNKpu5g@mail.gmail.com"
            type="cite">
            <p dir="ltr"><br>
              On Oct 5, 2015 21:24, "Bill Burke" &lt;<a
                moz-do-not-send="true" class="moz-txt-link-abbreviated"
                href="mailto:bburke@redhat.com">bburke@redhat.com</a>&gt;
              wrote:<br>
              &gt;<br>
              &gt; I'm still averse to allowing export from admin
              console of any<br>
              &gt; credentials or private keys.</p>
            <p dir="ltr">Even if they are not directly downloadable but
              require access to the server just like now?<br>
            </p>
          </blockquote>
          I think there should be no secrets ever downloadable from
          admin console.  Admin console is, by definition, remote.<br>
          <br>
          If you have access to the server then you can use what is
          there now.<br>
          <br>
          It is possible, however, that when we do our CLI
          implementation we can verify that the user is local and allow
          full access.  That way, you could do full export on a running
          server.  WildFly CLI already has logic to verify a user is
          local.<br>
          <br>
          <blockquote
cite="mid:CAPyAMobeFGVWgVhyWaE+dxtwr-v89T=Nx993w6whjYrTNKpu5g@mail.gmail.com"
            type="cite">
            <p dir="ltr"><br>
            </p>
            <p dir="ltr">&gt;<br>
              &gt; On 10/5/2015 2:02 PM, Stan Silvert wrote:<br>
              &gt; &gt; I'm actually starting on the design and
              implementation of this right<br>
              &gt; &gt; now.  It's import/export from the admin
              console.  It will also have the<br>
              &gt; &gt; ability to import/export partial pieces of a
              realm such as just users.<br>
              &gt; &gt;<br>
              &gt; &gt; Thanks for the comments so far on this thread. 
              They have been very helpful.<br>
              &gt; &gt;<br>
              &gt; &gt; We will keep the idea that no secrets should
              ever be exported from admin<br>
              &gt; &gt; console.  I'm not sure that having a flag for it
              in keycloak-server.json<br>
              &gt; &gt; helps.  To edit keycloak-server.json, you need
              access to the server, in<br>
              &gt; &gt; which case you might as well do the current
              import/export.<br>
              &gt; &gt;<br>
              &gt; &gt; So what do you do after you import a user with
              no credentials? Some ideas:<br>
              &gt; &gt; * The administrator can reset the password
              manually.<br>
              &gt; &gt; * The user can do password recovery (if enabled)<br>
              &gt; &gt;<br>
              &gt; &gt; Any other ideas?<br>
              &gt; &gt;<br>
              &gt; &gt; Stan<br>
              &gt; &gt;<br>
              &gt; &gt; On 10/5/2015 12:34 PM, Tim Dudgeon wrote:<br>
              &gt; &gt;&gt; That's a good point. Having to stop/start
              the server to generate an<br>
              &gt; &gt;&gt; export is not ideal.<br>
              &gt; &gt;&gt;<br>
              &gt; &gt;&gt; Tim<br>
              &gt; &gt;&gt;<br>
              &gt; &gt;&gt; On 05/10/2015 11:56, Thomas Raehalme wrote:<br>
              &gt; &gt;&gt;&gt;<br>
              &gt; &gt;&gt;&gt;<br>
              &gt; &gt;&gt;&gt; On Mon, Oct 5, 2015 at 2:47 AM, Bill
              Burke &lt;<a moz-do-not-send="true"
                href="mailto:bburke@redhat.com">bburke@redhat.com</a><br>
              &gt; &gt;&gt;&gt; &lt;mailto:<a moz-do-not-send="true"
                href="mailto:bburke@redhat.com">bburke@redhat.com</a>&gt;&gt;
              wrote:<br>
              &gt; &gt;&gt;&gt;<br>
              &gt; &gt;&gt;&gt;     On 10/4/2015 5:37 PM, Thomas
              Raehalme wrote:<br>
              &gt; &gt;&gt;&gt;<br>
              &gt; &gt;&gt;&gt;<br>
              &gt; &gt;&gt;&gt;         On Oct 4, 2015 23:57, "Bill
              Burke" &lt;<a moz-do-not-send="true"
                href="mailto:bburke@redhat.com">bburke@redhat.com</a><br>
              &gt; &gt;&gt;&gt;         &lt;mailto:<a
                moz-do-not-send="true" href="mailto:bburke@redhat.com">bburke@redhat.com</a>
              &lt;mailto:<a moz-do-not-send="true"
                href="mailto:bburke@redhat.com">bburke@redhat.com</a>&gt;&gt;&gt;
              wrote:<br>
              &gt; &gt;&gt;&gt;          &gt;<br>
              &gt; &gt;&gt;&gt;          &gt; For security reasons we
              did not want to have a remote<br>
              &gt; &gt;&gt;&gt;         option to export.<br>
              &gt; &gt;&gt;&gt;<br>
              &gt; &gt;&gt;&gt;<br>
              &gt; &gt;&gt;&gt; How about just storing the export as a
              local file on the server?<br>
              &gt; &gt;&gt;&gt; You'd need access to the server in order
              to get the file (making the<br>
              &gt; &gt;&gt;&gt; system compromised anyways). The change
              to current behaviour is that<br>
              &gt; &gt;&gt;&gt; you would be able to trigger the export
              at will without server restart.<br>
              &gt; &gt;&gt;&gt;<br>
              &gt; &gt;&gt;&gt; Best regards,<br>
              &gt; &gt;&gt;&gt; Thomas<br>
              &gt; &gt;&gt;&gt;<br>
              &gt; &gt;&gt;&gt;<br>
              &gt; &gt;&gt;&gt;
              _______________________________________________<br>
              &gt; &gt;&gt;&gt; keycloak-user mailing list<br>
              &gt; &gt;&gt;&gt; <a moz-do-not-send="true"
                href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
              &gt; &gt;&gt;&gt; <a moz-do-not-send="true"
                href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
              &gt; &gt;&gt;<br>
              &gt; &gt;&gt;<br>
              &gt; &gt;&gt;<br>
              &gt; &gt;<br>
              &gt; &gt;<br>
              &gt; &gt;<br>
              &gt; &gt;<br>
              &gt;<br>
              &gt; --<br>
              &gt; Bill Burke<br>
              &gt; JBoss, a division of Red Hat<br>
              &gt; <a moz-do-not-send="true"
                href="http://bill.burkecentral.com">http://bill.burkecentral.com</a><br>
            </p>
          </blockquote>
        </blockquote>
        <br>
      </blockquote>
      <br>
    </blockquote>
    <br>
  </body>
</html>