<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 11/04/16 18:30, Josh Cain wrote:<br>
</div>
<blockquote
cite="mid:CA+z0A8BWxmpVU_Chau_mTkvRRS+tGM98eLUX4u7GYx3XnFMQrg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Hi Marek,<br>
<br>
</div>
So to be clear - we're using this strictly for a configuration
backup (no user data will be exported). And if I'm
understanding you correctly, is it safe to assume that the
exports will be clean as long as no administrators are actively
making configuration changes during the export process?<br>
</div>
</blockquote>
Hi Josh,<br>
<br>
Yes, then I think it should be safe to assume, despite some corner
cases. (For example, if you have LDAP, the roles or groups from LDAP
might be synced to the realm database during the first login of any
user who is a member of a particular role/group. So if this login
happens during export, the new roles/groups would be added while the
export is in progress too.)<br>
<br>
Marek<br>
<blockquote
cite="mid:CA+z0A8BWxmpVU_Chau_mTkvRRS+tGM98eLUX4u7GYx3XnFMQrg@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br clear="all">
<div>
<div class="gmail_signature">
<div dir="ltr"><span>
<div>
<div>Josh Cain | Software Applications Engineer<br>
</div>
<i>Identity and Access Management</i><br>
</div>
<b>Red Hat</b><br>
+1 843-737-1735<br>
</span></div>
</div>
</div>
<br>
<div class="gmail_quote">On Mon, Apr 11, 2016 at 10:46 AM, Marek
Posolda <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<div>On 11/04/16 15:35, Josh Cain wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Hi All,<br>
<br>
</div>
We're looking to take nightly realm backups of a
clustered Keycloak deployment via the realm export
feature. However, in reading through <a
moz-do-not-send="true"
href="http://keycloak.github.io/docs/userguide/keycloak-server/html/export-import.html"
target="_blank">the docs</a>, I came across this
statement:<br>
<br>
<a moz-do-not-send="true">The fact it's done at
server startup means that no-one can access
Keycloak UI or REST endpoints and edit Keycloak
database on the fly when export or import is in
progress. Otherwise it could lead to inconsistent
results.</a><br>
<div>
<div><br>
</div>
<div>What are the implications for this in a
clustered environment? We were planning to take
a single server down and use it for realm
export. Will this operation be reliable with
other servers running?<br>
</div>
</div>
</div>
</blockquote>
</span> Depends on which level of consistency you want to
achieve. In theory, it might not be so bad. But note that
in your case, node2 will be doing the export while node1
will still be receiving requests from users. This can lead to
possible inconsistencies.<br>
<br>
For example, some user decided that he doesn't trust
Facebook login, so he is going to set a password instead of
the Facebook link. So he will do these actions quickly in
account management:<br>
- Set his password in the account mgmt page<br>
- Remove the link to Facebook<br>
<br>
Assuming the export is in progress, it can happen
that the user will be exported without a password and also
without federationLinks, so after reimport he won't be
able to log in anymore.<br>
<br>
Marek<br>
<blockquote type="cite"><span class="">
<div dir="ltr">
<div>
<div><br clear="all">
<div>
<div>
<div dir="ltr"><span>
<div>
<div>Josh Cain | Software Applications
Engineer<br>
</div>
<i>Identity and Access Management</i><br>
</div>
<b>Red Hat</b><br>
<a moz-do-not-send="true"
href="tel:%2B1%20843-737-1735"
value="+18437371735" target="_blank">+1
843-737-1735</a><br>
</span></div>
</div>
</div>
</div>
</div>
</div>
<br>
<br>
</span>
<pre>_______________________________________________
keycloak-user mailing list
<a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</body>
</html>