<div dir="ltr"><div>Hi Marek,<br><br></div>So to be clear - we're using this strictly for a configuration backup (no user data will be exported). And if I'm understanding you correctly, is it safe to assume that the exports will be clean as long as no administrators are actively making configuration changes during the export process?<br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><span><div><div>Josh Cain | Software Applications Engineer<br></div><i>Identity and Access Management</i><br></div><b>Red Hat</b><br>+1 843-737-1735<br></span></div></div></div>
<br><div class="gmail_quote">On Mon, Apr 11, 2016 at 10:46 AM, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<div>On 11/04/16 15:35, Josh Cain wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Hi All,<br>
<br>
</div>
We're looking to take nightly realm backups of a clustered
Keycloak deployment via the realm export feature. However, in
reading through <a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/export-import.html" target="_blank">the
docs</a>, I came across this statement:<br>
<br>
<a>The fact it's done at
server startup means that no-one can access Keycloak UI or
REST endpoints and edit Keycloak database on the fly when
export or import is in progress. Otherwise it could lead to
inconsistent results.</a><br>
<div>
<div><br>
</div>
<div>What are the implications for this in a clustered
environment? We were planning to take a single server down
and use it for realm export. Will this operation be
reliable with other servers running?<br>
</div>
</div>
</div>
</blockquote></span>
Depends on which level of consistency you want to achieve. In
theory, it might not be so bad. But note that in your case, the
node2 will be doing export when node1 will still receive requests
from users. This can lead to possible inconsistencies.<br>
<br>
For example, some user decided that he don't trust facebook login,
so he is going to set password instead of facebook link. So he will
do these actions quickly in account management:<br>
- Set his password in account mgmt page<br>
- Remove link to facebook<br>
<br>
Assuming the export will be in progress, it can happen that user
will be exported without password and also without federationLinks,
so after reimport he won't be able to login anymore.<br>
<br>
Marek<br>
<blockquote type="cite"><span class="">
<div dir="ltr">
<div>
<div><br clear="all">
<div>
<div>
<div dir="ltr"><span>
<div>
<div>Josh Cain | Software Applications Engineer<br>
</div>
<i>Identity and Access Management</i><br>
</div>
<b>Red Hat</b><br>
<a href="tel:%2B1%20843-737-1735" value="+18437371735" target="_blank">+1 843-737-1735</a><br>
</span></div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</span><pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</blockquote></div><br></div>