11:54 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
As I mentioned on the previous email, one of the questions during the
demo was if it would be possible to have the Keycloak integration as
an optional part.
In the backend part, it's not hard to disable Keycloak as the
authentication mechanism, as it's just JAAS. That would require,
though, a second JAAS implementation to replace it.
In the frontend part, however, it's a bit more complicated. The setup
right now is that the web console is treated as an HTML5 single-page
app. This means that the web console is one application and the
backend is a different one, and they propagate the authentication by
using the tokens: the web console gets a token from the Keycloak
JavaScript adapter once the user logs in and sends it along with each
request to the backend. The backend (Keycloak Wildfly Adapter) reads
this token and retrieves the user data from the Keycloak server,
allowing the request to execute or not.
This means that either:
1) web console and REST API (and possibly other wars) become one, so
that the HTML5 single-page app can be served only after the user logs
in (classic Java EE application)
2) the backend JAAS adapter would need to support also some sort of
token exchange, with the frontend abstracting the Keycloak adapter to
work with one auth mechanism or another, possibly auto identifying
what is the backend's auth mechanism.
3) ??
I don't think that the first option is a real one. Having small wars,
each taking care of one concern, is a goal on the project.
So, would an effort in making Keycloak an optional part be worth it?
Should I pursue it?
- - Juca.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJUworiAAoJECKM1e+fkPrX8oMH/jC6DSOzx5gJuQNVHsojO6jB
xHjAbhiF89mnlC9iHBKTmZnJ6O4sOs870tibxhhmNvJs+N5wvQVCWhv+5JdqONfe
ETP4O7iKYLHu317DuNW8gl3FRP9Mgj/FkpgGhanikOLZ7S1B9/86zv8qdQ1/C6Hm
EM1MOIlSqqwPk+QPj/51Uo6rMG42ObG6P+mJOu7IhuJK4LS0uZI3yCIyk42+ngit
+T05kOfYOL24nOcL4iCjb0+Qg9SjNPASklq79Kz1h9tMZkq3CAXwyPJ0ty0kKSwR
mejY48LahgwmGQF53zovQJbb7Lpek+Uu9+G/vbcaJGLgqs5qwQq+3qa3e81Q9I0=
=5KoB
-----END PGP SIGNATURE-----
12:25 p.m.
On Jan 23, 2015, at 12:54 PM, Juraci Paixão Kröhling
<jpkroehling(a)redhat.com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
As I mentioned on the previous email, one of the questions during the
demo was if it would be possible to have the Keycloak integration as
an optional part.
In the backend part, it's not hard to disable Keycloak as the
authentication mechanism, as it's just JAAS. That would require,
though, a second JAAS implementation to replace it.
In the frontend part, however, it's a bit more complicated. The setup
right now is that the web console is treated as an HTML5 single-page
app. This means that the web console is one application and the
backend is a different one, and they propagate the authentication by
using the tokens: the web console gets a token from the Keycloak
JavaScript adapter once the user logs in and sends it along with each
request to the backend. The backend (Keycloak Wildfly Adapter) reads
this token and retrieves the user data from the Keycloak server,
allowing the request to execute or not.
This means that either:
1) web console and REST API (and possibly other wars) become one, so
that the HTML5 single-page app can be served only after the user logs
in (classic Java EE application)
2) the backend JAAS adapter would need to support also some sort of
token exchange, with the frontend abstracting the Keycloak adapter to
work with one auth mechanism or another, possibly auto identifying
what is the backend's auth mechanism.
3) ??
I don't think that the first option is a real one. Having small wars,
each taking care of one concern, is a goal on the project.
So, would an effort in making Keycloak an optional part be worth it?
Should I pursue it?
I am not sure about for production use, but for development I like the idea of being able
to flip a switch to turn it on/off. I also agree that option 1 is undesirable.
2:59 a.m.
In terms of priority, we should focus on Hawkular (not just metrics)
with Keycloak support and having it optional is not the priority.
Thomas
On 01/23/2015 06:54 PM, Juraci Paixão Kröhling wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
As I mentioned on the previous email, one of the questions during the
demo was if it would be possible to have the Keycloak integration as
an optional part.
In the backend part, it's not hard to disable Keycloak as the
authentication mechanism, as it's just JAAS. That would require,
though, a second JAAS implementation to replace it.
In the frontend part, however, it's a bit more complicated. The setup
right now is that the web console is treated as an HTML5 single-page
app. This means that the web console is one application and the
backend is a different one, and they propagate the authentication by
using the tokens: the web console gets a token from the Keycloak
JavaScript adapter once the user logs in and sends it along with each
request to the backend. The backend (Keycloak Wildfly Adapter) reads
this token and retrieves the user data from the Keycloak server,
allowing the request to execute or not.
This means that either:
1) web console and REST API (and possibly other wars) become one, so
that the HTML5 single-page app can be served only after the user logs
in (classic Java EE application)
2) the backend JAAS adapter would need to support also some sort of
token exchange, with the frontend abstracting the Keycloak adapter to
work with one auth mechanism or another, possibly auto identifying
what is the backend's auth mechanism.
3) ??
I don't think that the first option is a real one. Having small wars,
each taking care of one concern, is a goal on the project.
So, would an effort in making Keycloak an optional part be worth it?
Should I pursue it?
- - Juca.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJUworiAAoJECKM1e+fkPrX8oMH/jC6DSOzx5gJuQNVHsojO6jB
xHjAbhiF89mnlC9iHBKTmZnJ6O4sOs870tibxhhmNvJs+N5wvQVCWhv+5JdqONfe
ETP4O7iKYLHu317DuNW8gl3FRP9Mgj/FkpgGhanikOLZ7S1B9/86zv8qdQ1/C6Hm
EM1MOIlSqqwPk+QPj/51Uo6rMG42ObG6P+mJOu7IhuJK4LS0uZI3yCIyk42+ngit
+T05kOfYOL24nOcL4iCjb0+Qg9SjNPASklq79Kz1h9tMZkq3CAXwyPJ0ty0kKSwR
mejY48LahgwmGQF53zovQJbb7Lpek+Uu9+G/vbcaJGLgqs5qwQq+3qa3e81Q9I0=
=5KoB
-----END PGP SIGNATURE-----
_______________________________________________
hawkular-dev mailing list
hawkular-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/hawkular-dev
3:34 a.m.
Le 26/01/2015 09:59, Thomas Heute a écrit :
In terms of priority, we should focus on Hawkular (not just metrics)
Agreed
with Keycloak support and having it optional is not the priority.
Some more context maybe. I asked the question during the hangout and
here's why. The PR as-is makes it impossible:
* to start a development container without KC
* to run tests/integration tests without KC
* to install a metrics server without KC
From my perspective, that's important enough to consider making it or
optional or holding the merge to let us think more about the problem.
8:21 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/27/2015 10:34 AM, Thomas Segismont wrote:
Le 26/01/2015 09:59, Thomas Heute a écrit :
> In terms of priority, we should focus on Hawkular (not just
> metrics)
Agreed
> with Keycloak support and having it optional is not the
> priority.
Some more context maybe. I asked the question during the hangout
and here's why. The PR as-is makes it impossible: * to start a
development container without KC * to run tests/integration tests
without KC * to install a metrics server without KC
While I agree that an optional KC would make the above points easier,
I'm failing to see the concrete advantages that it would bring,
specially considering that the main code will depend on features that
KC is today bringing (multi tenancy security, for one).
For instance, to start a development environment, one can run the
start.sh script that currently takes care of installing Wildfly and
Cassandra. With the PR, KC is added to this mix.
About the integration tests, I'd argue that the correct way to run the
integration tests is with the security framework enabled, whatever
this framework is. The reason being that this framework (plus the
container itself) would provide tenant information to the target code.
What we have on the PR is exactly this: the tests know nothing about
KC, the target code knows nothing about KC, but KC is installed on the
container and provides user information to the target code (or blocks
the request, if the wrong credentials are provided). For tests where
no tenant-specific logic is performed, a common credential can be used
for all tests, which would make more sense than disabling the security
framework for those tests.
I'm not sure what you mean in your last point, though.
From my perspective, that's important enough to consider making
it
or optional or holding the merge to let us think more about the
problem.
Indeed! I think discussing this at this phase is critical, so that we
can get into a consensus about the expectations :-)
- - Juca.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJUx57PAAoJECKM1e+fkPrXAo4H+we+iMpdNIiYhUAEzkssFNGh
jE2BdLmyUaKbciswTrxY8nC5xruqz3h77n5bNZhF/oyeygePxgB+MmIt14Bnrxej
ht35GzAZBLRiLz7Ybt9dubkiOc8D5fUUM7CmZjpQ7ZNwdOg2r0XRyh8DGfWV+nlV
BoaEV5HvxBu9FLIPhrY9Bc6woTv8H4vJdf1/VPU7c6+D55LHX8IL7tbxrQsmLYq1
QWq8h892fpLCOrbri6kw/o3xUV9X80As5ovIQUOzlGrvsuyT/PwwbmVwCjZ8hwfC
QnaiqKHfzadz8Wl3cuDSFU7/P5cC3SAWiOvZPXFXJ0CHu4Dk7UMQAevrwguHEFE=
=Hh/n
-----END PGP SIGNATURE-----
5:20 a.m.
Hi Juca,
Le 27/01/2015 15:21, Juraci Paixão Kröhling a écrit :
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/27/2015 10:34 AM, Thomas Segismont wrote:
> Le 26/01/2015 09:59, Thomas Heute a écrit :
>> In terms of priority, we should focus on Hawkular (not just
>> metrics)
>
> Agreed
>
>> with Keycloak support and having it optional is not the
>> priority.
>
> Some more context maybe. I asked the question during the hangout
> and here's why. The PR as-is makes it impossible: * to start a
> development container without KC * to run tests/integration tests
> without KC * to install a metrics server without KC
While I agree that an optional KC would make the above points easier,
I'm failing to see the concrete advantages that it would bring,
Here is a concrete advantage: not being dependent on KC to run a metrics
server. More below.
specially considering that the main code will depend on features
that
KC is today bringing (multi tenancy security, for one).
After your demo, my understanding was as follows.
1. In terms of APIs, the main code would depend on JAAS rather than KC
(/@RolesAllowed/ and inspection of a /Subject/ for custom interceptors).
So the good news is that we don't have to implement a pluggable
identity/authorization tool, it's already there, it's JAAS. And KC is a
possible backend.
2. With the exception of the console, the impact of making KC optional
is limited to:
* making the build process create two artifacts for the rest-servlet
module, one WAR with KC configured in the web.xml, another WAR with
"classic" security definitions
* creating a JAAS login module to lookup for tenants, users, roles, in a
simple properties file (or a couple of them).
* finding a way for running the REST integration tests with and without
KC enabled
As for the console project, I understood that it is considered a
facility for users of the sole metrics project, not a base for the
future Hawkular suite. I'd be fine if, for now, it only supported
basic/digest auth.
For instance, to start a development environment, one can run the
start.sh script that currently takes care of installing Wildfly and
Cassandra. With the PR, KC is added to this mix.
About the integration tests, I'd argue that the correct way to run the
integration tests is with the security framework enabled, whatever
this framework is. The reason being that this framework (plus the
container itself) would provide tenant information to the target code.
What we have on the PR is exactly this: the tests know nothing about
KC, the target code knows nothing about KC, but KC is installed on the
container and provides user information to the target code (or blocks
the request, if the wrong credentials are provided). For tests where
no tenant-specific logic is performed, a common credential can be used
for all tests, which would make more sense than disabling the security
framework for those tests.
See my answer above about integration tests impact.
I'm not sure what you mean in your last point, though.
My last point was "The PR makes it impossible to install a metrics
server without KC". I meant that if one needs to configure and run a KC
server in order to run a metrics server, then many potential users will
not even give it a try. Potential users here are admins and
production-focused developers who are working with combos like
Grafana/Graphite/collectd
Even if "metrics server alone" on its own is not the team's top
priority, I think it should remain *a* priority, for the reason I've
just given.
> From my perspective, that's important enough to consider making it
> or optional or holding the merge to let us think more about the
> problem.
>
Indeed! I think discussing this at this phase is critical, so that we
can get into a consensus about the expectations :-)
True, and thanks for having patiently awaited my reply ;)
- - Juca.
Thomas
10:08 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/29/2015 12:20 PM, Thomas Segismont wrote:
My last point was "The PR makes it impossible to install a
metrics
server without KC". I meant that if one needs to configure and run
a KC server in order to run a metrics server, then many potential
users will not even give it a try. Potential users here are admins
and production-focused developers who are working with combos like
Grafana/Graphite/collectd
Sorry for cutting the whole message to just this point, but before
talking about the other points, I just want to clarify one thing: the
admin does *not* need to deal with KC at all when trying things out.
To run a metrics server, one just runs the start.sh and Keycloak just
happens to be there as an implementation detail.
Once the admin is ready to bring things to production, then Keycloak
becomes a "concern", like any other backend would be (LDAP, SAML, ...).
Since the demo, I've been looking at how other projects are
integrating with Keycloak. The common scenario seems to be that their
Maven profiles build a "distribution" that is Wildfly + Keycloak +
WARs. So, the user just uncompresses this distribution package and has
everything ready (this is similar to what we had in GateIn).
Would this be a solution? I remember seeing somewhere that the goal is
not to be dependent on Wildfly[1], but not sure if this design goal is
still accurate.
[1] https://developer.jboss.org/wiki/HighLevelRequirements
- - Juca.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJUylr9AAoJECKM1e+fkPrXi+IH/1yx0shsoKHMDTuCXK5daemJ
riAofGmvrYelzfW7udiIuZXKMo4EtDge/Vocw296Uq1HibNb30x99WifwegCcLmv
10j8DdDc9ljupaS2Ej1D8RAGEOg6KdCrFj9V1tlhDbeAR9fXAeWqADZqH+5kjYbU
in7ayb0XvYJGYio8eLGdcMXt1vjy2fxArt1Y2u6AOdA8O2wyVMDkJ/Xs5tEPdkP0
BfRn8NOZdrlSDKd4qeG8qVtRQI006f/b+2hT6UnOM7gnc6QetYbBvVTHn0ODBwUA
mSj+HXrQJ6RR6MCUxkIr0Woii3SdA3ZsIDdZugAY0sGo8bgRgLVJ+zrpsgn23a8=
=Rcql
-----END PGP SIGNATURE-----
3:58 a.m.
Le 29/01/2015 17:08, Juraci Paixão Kröhling a écrit :
On 01/29/2015 12:20 PM, Thomas Segismont wrote:
> >My last point was "The PR makes it impossible to install a metrics
> > server without KC". I meant that if one needs to configure and run
> >a KC server in order to run a metrics server, then many potential
> >users will not even give it a try. Potential users here are admins
> >and production-focused developers who are working with combos like
> > Grafana/Graphite/collectd
Sorry for cutting the whole message to just this point, but before
talking about the other points, I just want to clarify one thing: the
That's ok, as long as we do talk about the other points ;)
admin does*not* need to deal with KC at all when trying things
out.
To run a metrics server, one just runs the start.sh and Keycloak just
happens to be there as an implementation detail.
I know that start.sh does everything so that you get a metrics + KC
instance up and running. But that is not my point. My point is that many
admins will not even try the start.sh way if they realize they will
*have to* install an identity management server to use metrics in the
long run.
Once the admin is ready to bring things to production, then Keycloak
becomes a "concern", like any other backend would be (LDAP, SAML, ...).
When you install InfluxDB, carbon/whisper, opentsdb, you don't need to
install an identity management server, period.
And LDAP, RDBMS, properties file are identity management backends, KC is
identity management itself.
Since the demo, I've been looking at how other projects are
integrating with Keycloak. The common scenario seems to be that their
Maven profiles build a "distribution" that is Wildfly + Keycloak +
WARs. So, the user just uncompresses this distribution package and has
everything ready (this is similar to what we had in GateIn).
Would this be a solution? I remember seeing somewhere that the goal is
not to be dependent on Wildfly[1], but not sure if this design goal is
still accurate.
[1]https://developer.jboss.org/wiki/HighLevelRequirements
That would be nice for users who *want* KC.
I can understand that we make KC a runtime requirement for the full
Hawkular monty, but I can't for metrics alone.
Regards,
Thomas
5:22 a.m.
On 01/30/2015 10:58 AM, Thomas Segismont wrote:
Le 29/01/2015 17:08, Juraci Paixão Kröhling a écrit :
> On 01/29/2015 12:20 PM, Thomas Segismont wrote:
>>> My last point was "The PR makes it impossible to install a metrics
>>> server without KC". I meant that if one needs to configure and run
>>> a KC server in order to run a metrics server, then many potential
>>> users will not even give it a try. Potential users here are admins
>>> and production-focused developers who are working with combos like
>>> Grafana/Graphite/collectd
> Sorry for cutting the whole message to just this point, but before
> talking about the other points, I just want to clarify one thing: the
That's ok, as long as we do talk about the other points ;)
> admin does*not* need to deal with KC at all when trying things out.
> To run a metrics server, one just runs the start.sh and Keycloak just
> happens to be there as an implementation detail.
>
I know that start.sh does everything so that you get a metrics + KC
instance up and running. But that is not my point. My point is that many
admins will not even try the start.sh way if they realize they will
*have to* install an identity management server to use metrics in the
long run.
> Once the admin is ready to bring things to production, then Keycloak
> becomes a "concern", like any other backend would be (LDAP, SAML, ...).
>
When you install InfluxDB, carbon/whisper, opentsdb, you don't need to
install an identity management server, period.
They are also not multi-tenant solutions AFAIK. I don't see Metrics
competing with the solution mentioned, actually we looked into those to
use as underlying solution.
That said I am fine not providing security within Metrics and have it
part of Hawkular only if we can. I am much more hesitant providing
multiple stacks for multiple purposes as it makes testing much more
complicated.
Thomas
And LDAP, RDBMS, properties file are identity management backends, KC is
identity management itself.
> Since the demo, I've been looking at how other projects are
> integrating with Keycloak. The common scenario seems to be that their
> Maven profiles build a "distribution" that is Wildfly + Keycloak +
> WARs. So, the user just uncompresses this distribution package and has
> everything ready (this is similar to what we had in GateIn).
>
> Would this be a solution? I remember seeing somewhere that the goal is
> not to be dependent on Wildfly[1], but not sure if this design goal is
> still accurate.
>
> [1]https://developer.jboss.org/wiki/HighLevelRequirements
That would be nice for users who *want* KC.
I can understand that we make KC a runtime requirement for the full
Hawkular monty, but I can't for metrics alone.
Regards,
Thomas
_______________________________________________
hawkular-dev mailing list
hawkular-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/hawkular-dev
4:11 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/30/2015 12:22 PM, Thomas Heute wrote:
That said I am fine not providing security within Metrics and have
it part of Hawkular only if we can. I am much more hesitant
providing multiple stacks for multiple purposes as it makes testing
much more complicated.
Not sure how it would work by not having security within metrics (or
any other component). Each component would have a security layer
around it, and the security is propagated from the outermost layer to
the inner layers. Example:
- - user
-- UI console
-- backend A
-- backend B
-- backend C
On this situation, UI console is protected via keycloak.js, which
sends a token to "backend A" representing the "user". If "backend
A"
needs to talk to "backend B" on behalf of the user, it sends the token
with the request. But each of those components (UI console, backend A,
B, C) are protected.
Of course, we could also have unprotected backends and only the UI
console being protected, but I think it's not really an option.
Note that each component is secured by a Keycloak *adapter*. The
server needs to be "somewhere", not necessarily on the same
application server instance that a specific component resides (if
that's what you meant above by not having it "within Metrics").
- - Juca.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJUz01kAAoJECKM1e+fkPrXlz4H/2BHmd3FwVlOyJu/CBU5rrvW
PnhvI8ELWqKNzD7FRAbHaTKw5ULAOB2qYa6iKtAyqijQXqC1/ijGWVSfkavuH06V
SeA6eYUwmGGZo5O6DSs9rGFbDZJ+wXvQ3RdX4uOt9RLZQj/EMAwLefT39Rg+i+je
/FVSY/9Kd9LGNuuIcn0sh4oBzXmFKXMtXtC/39Wylb0eF0bM/phEXq/0E40S6V6S
to2MUXeYjdoAOedgE0kxpEgI+Lv86rFedpsyJ8cdo5Az8vZtErWcg8h8dti0RCkP
SFf+A+zwyVfX5/2aLPBC1k+rUSATCJtlVFAjcwZSsrlBIcIZtOu2FI68uqT5JXg=
=BDpA
-----END PGP SIGNATURE-----
7:10 a.m.
Le 30/01/2015 12:22, Thomas Heute a écrit :
> When you install InfluxDB, carbon/whisper, opentsdb, you
don't need to
> install an identity management server, period.
They are also not multi-tenant solutions AFAIK. I don't see Metrics
competing with the solution mentioned, actually we looked into those to
use as underlying solution.
To me, it doesn't matter if the team doesn't put all its efforts in
maintaining a standalone metrics distribution. But it does matter to
enable and help re-use outside of our principal use case (the hawkular
suite), because we'd miss important feedback/bug reports/contributions
from the community.
8:18 a.m.
On 02/04/2015 08:10 AM, Thomas Segismont wrote:
Le 30/01/2015 12:22, Thomas Heute a écrit :
>> When you install InfluxDB, carbon/whisper, opentsdb, you don't need to
>> install an identity management server, period.
>
> They are also not multi-tenant solutions AFAIK. I don't see Metrics
> competing with the solution mentioned, actually we looked into those to
> use as underlying solution.
>
To me, it doesn't matter if the team doesn't put all its efforts in
maintaining a standalone metrics distribution. But it does matter to
enable and help re-use outside of our principal use case (the hawkular
suite), because we'd miss important feedback/bug reports/contributions
from the community.
That doesn't mean we compete head to head with the solutions above :)
Having a multitenant solution is a differentiator and having too many
options is confusing (as you can take the full hawkular, or hawkular
metrics with and without secure multitenancy), we need to make choices
and we need to deliver ;)
8:23 a.m.
Several questions:
Does keycloak support other auth mechanisms that don't build on http?
Does keycloak limit the reuse of hawkular components?
Does keycloak have a desirable out-of-the-box experience? (Read addtional setup costs)
Am 04.02.2015 um 14:10 schrieb Thomas Segismont
<tsegismo(a)redhat.com>:
Le 30/01/2015 12:22, Thomas Heute a écrit :
>> When you install InfluxDB, carbon/whisper, opentsdb, you don't need to
>> install an identity management server, period.
>
> They are also not multi-tenant solutions AFAIK. I don't see Metrics
> competing with the solution mentioned, actually we looked into those to
> use as underlying solution.
>
To me, it doesn't matter if the team doesn't put all its efforts in
maintaining a standalone metrics distribution. But it does matter to
enable and help re-use outside of our principal use case (the hawkular
suite), because we'd miss important feedback/bug reports/contributions
from the community.
_______________________________________________
hawkular-dev mailing list
hawkular-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/hawkular-dev
8:28 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/04/2015 03:23 PM, Heiko Braun wrote:
Does keycloak support other auth mechanisms that don't build on
http?
No. Keycloak is a "super OAuth" solution, and that's on top of HTTP.
What kind of other authentication mechanisms are you thinking about?
Does keycloak limit the reuse of hawkular components?
Not that I'm aware of. All it does is to put a layer between the
incoming request and the business method on the backend, like JAAS.
Does keycloak have a desirable out-of-the-box experience? (Read
addtional setup costs)
Depends on the definition of "desirable". Right now, the common
practice for projects consuming Keycloak seems to build an "appliance"
distribution, which builds on top of Wildfly and delivers Keycloak
pre-installed/configured + the target application (hawkular, in our
case).
- - Juca.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJU0iyOAAoJECKM1e+fkPrXj+AH/2hF7EBlQ2n7VVSbkjGLODgo
C33cMgBpsonGUFZcd8LXAOdl2ZpklpRzjdcOpVB6OJUasV5Ek/pONyTn8LMStJzV
nJrHTBKtR71+V9+A2g/cSbv4x7vynhNqSAHEq3a+OwEhzZ8DT+sQnxFRr+QdMMWh
e+QiVUBCgx/4IBL1gsw40OBy/I1d7NULwS7fzMvunnacHYEibZc4ACgQwy/LPCih
xbAmYn8SP5IgLT+TqLSnNUMJps44phkdYsSkku3wotH9YkOI55PNlYU9iTbYa9kr
SCe1aIeIeA5hooCVJ92FMeRF5Pyf9OOgn1flKdurC0nvdWBe3mIlza32KOWLY9U=
=ZYJJ
-----END PGP SIGNATURE-----
3:55 a.m.
I think major question is what do you need - and then please let us know
on keycloak-dev ;) We'll either try to convince you that you are wrong
or put your usecase on our roadmap.
If question is between somehow "embedding" keycloak or just have it
locally installed there is also second part of the story. As it is Auth
server (Identity Provider) with SSO capabilities for true production
deployment you would rather want to have this separately deployed.
You'll likely need to be able to switch to using external instance anyway.
W dniu 2015-02-04 o 15:28, Juraci Paixão Kröhling pisze:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/04/2015 03:23 PM, Heiko Braun wrote:
> Does keycloak support other auth mechanisms that don't build on
> http?
No. Keycloak is a "super OAuth" solution, and that's on top of HTTP.
What kind of other authentication mechanisms are you thinking about?
> Does keycloak limit the reuse of hawkular components?
Not that I'm aware of. All it does is to put a layer between the
incoming request and the business method on the backend, like JAAS.
> Does keycloak have a desirable out-of-the-box experience? (Read
> addtional setup costs)
Depends on the definition of "desirable". Right now, the common
practice for projects consuming Keycloak seems to build an "appliance"
distribution, which builds on top of Wildfly and delivers Keycloak
pre-installed/configured + the target application (hawkular, in our
case).
- - Juca.
--
Bolesław Dawidowicz
Supervisor, Software Engineering | Red Hat Middleware Security
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJU0iyOAAoJECKM1e+fkPrXj+AH/2hF7EBlQ2n7VVSbkjGLODgo
C33cMgBpsonGUFZcd8LXAOdl2ZpklpRzjdcOpVB6OJUasV5Ek/pONyTn8LMStJzV
nJrHTBKtR71+V9+A2g/cSbv4x7vynhNqSAHEq3a+OwEhzZ8DT+sQnxFRr+QdMMWh
e+QiVUBCgx/4IBL1gsw40OBy/I1d7NULwS7fzMvunnacHYEibZc4ACgQwy/LPCih
xbAmYn8SP5IgLT+TqLSnNUMJps44phkdYsSkku3wotH9YkOI55PNlYU9iTbYa9kr
SCe1aIeIeA5hooCVJ92FMeRF5Pyf9OOgn1flKdurC0nvdWBe3mIlza32KOWLY9U=
=ZYJJ
-----END PGP SIGNATURE-----
_______________________________________________
hawkular-dev mailing list
hawkular-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/hawkular-dev
1:17 a.m.
I did assume that the communication between hawkular components is not limited to HTTP.
How would you secure the communication when another protocol is used?
Maybe this question helps to look at security requirements within hawkular on an abstract
level.
What security requirements exist? What communication channels need to be secured?
Maybe you'll find that keycloak only addresses part of the requirements. This will
impact the question wether or not to make it a technological constraint.
/HeikoB
Am 04.02.2015 um 15:28 schrieb Juraci Paixão Kröhling
<jpkroehling(a)redhat.com>:
No. Keycloak is a "super OAuth" solution, and that's on top of HTTP.
What kind of other authentication mechanisms are you thinking about?
2:06 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/08/2015 08:17 AM, Heiko Braun wrote:
Maybe you'll find that keycloak only addresses part of the
requirements. This will impact the question wether or not to make
it a technological constraint.
Right, hence the question about the concrete use case you have in mind
:-) What kind of non-HTTP communication do you anticipate?
Note that even if Keycloak itself doesn't provides an adapter for
non-HTTP authentication, we could build one ourselves that takes the
authentication data from the "request" (or client) and does the HTTP
request to Keycloak server on its behalf.
- - Juca.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJU2GqaAAoJECKM1e+fkPrXLmgH/jQwlnF1J2CZHOsFuE1FvjZS
NhWFNldNLa91pgbMuvncEKgKmRpKynRlfMsWQBD1RqrrSAivl3XUrNBR9m/W6EIL
SRnKSevISKXscJg90VVJnzD/tJsMVXDBS22HSOP7u6ENqZfdOCgUv3C6j5fgsLVS
cRfxG/yj6dZ66ueYmtBZ/wcrIzhSjKPXW/FW/1woR+i8pp2Q4yOX6TFcQ27/uO5q
IelQrjJqYaSnZtKEgVSF7QtUlrz+Cu4m4GnYr41OxuY2LQlX59PutJvS5UGipHJN
BY1G8EuAoZNWm1wirOhwl9N43+F8xW/gUqVluinwh7Ax0WMYAgiX5shcn/YO2Pc=
=5fau
-----END PGP SIGNATURE-----
3608
days inactive
3625
days old
16 comments
6 participants
participants (6)
-
Boleslaw Dawidowicz -
Heiko Braun -
John Sanda -
Juraci Paixão Kröhling -
Thomas Heute -
Thomas Segismont