On 7/31/2014 7:33 AM, Marek Posolda wrote:
> Hi,
> at this moment I have Sync with LDAP working (one way sync for importing
> LDAP users into Keycloak). I tested with ActiveDirectory and OpenDS. On
> both I have paginated and also full/partial periodic sync working. Also
> UserFederationProvider seems to be working with Active Directory now!
What is the difference between a partial and full sync? Wouldn't there
just be one background periodic sync job?
> Pedro mentioned that he will do timestamped picketlink release once we
> need it. So far all the LDAP related issues should be fixed, so I've
> asked him for doing one. Let me know if you are aware of more issues.
> The question is how to properly incorporate sync with current federation
> stuff? It looks that both should work together (for example if customer
> is going to write his FederationProvider to retrieve data from his DB,
> he will also likely want to sync users from same DB). Also sync process
> would likely need access to the federation configuration in
> UserFederationProviderModel, but some configuration of Sync will be
> common for all FederationProviders (For example pagination, periodic for
> full/partial sync etc). So I wonder if we can add properties like this
> directly into UserFederationProviderModel:
>
> boolean enablePagination;
> int pageSize;
Why would these ever need to be configured? Either the provider
supports pagination or it doesn't.
> long fullSyncPeriod; // -1 if periodic fullSync should be disabled
> long partialSyncPeriod; // -1 if periodic partialSync should be disabled
Another option is to let the UserFederationProviderFactory handle
synchronization and be configured through keycloak-server.json. Then
there is no UI to do and no changes to the SPIs.
Keycloak would have a generic Job scheduler (does it already?) and in
the UserFederationProviderFactory.init() method it would just schedule
the appropriate jobs.
> And for Admin console UI, we can have some common template, which can be
> added into page of particular Federation Provider. For example on
> federated-ldap.html or federated-generic.html there can be checkbox on
> the bottom of the page like "enable synchronization of users" and when
> people check it, it will display other settings (pagination, period for
> full/partial sync, button for trigger sync directly from admin console etc).
> Also not sure how to properly incorporate it into UserFederationProvider
> API... Actually UserFederationProvider is supposed to be per-session
> component whenever Sync process may actually use more
> session/transaction lifecycles. So adding methods for sync directly into
> UserFederationProvider may not work though... I wonder if we can have
> method on UserFederationProviderFactory:
>
> UserSyncProvider getInstance(KeycloakSessionFactory sessionFactory,
>                              UserFederationProviderModel model);
>
> And UserSyncProvider being something like this:
>
> public interface UserSyncProvider {
>     void syncAllUsers(KeycloakSessionFactory sessionFactory,
>                       UserFederationProviderFactory fedFactory, String realmId,
>                       UserFederationProviderModel fedModel);
>     void syncChangedUsers(KeycloakSessionFactory sessionFactory,
>                           UserFederationProviderFactory fedFactory, String realmId,
>                           UserFederationProviderModel fedModel, Date lastSync);
> }
What is the difference between syncAllUsers() and syncChangedUsers()?
Is syncAllUsers() an import/sync from LDAP to Keycloak of all users in
LDAP store? Is syncChangedUsers() only a synchronization from LDAP to
Keycloak of only users that are currently imported into Keycloak?
Depending on the answers to above questions, maybe
UserFederationProviderFactory would have the appropriate sync methods
instead? Then there would be one less interface that needs to be
implemented.
UserFederationProviderFactory {
    void sync(KeycloakSessionFactory sessionFactory, String realmId,
              UserFederationProviderModel model);
}
Depending on the above answer to questions, the UI should have a manual
sync button(s) so that the admin can trigger the sync if desired.
Periodic synchronization should be OFF by default.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
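A sketch of the factory-driven variant discussed in this reply, added here as an illustration; it is not code from the thread or from Keycloak. The factory reads fullSyncPeriod and partialSyncPeriod from a keycloak-server.json-style config map, leaves both at -1 (periodic sync OFF) unless the deployer opts in, schedules the jobs on a plain scheduler in init(), and keeps the last successful sync timestamp so syncChangedUsers() only asks the directory for entries modified since then. KeycloakSessionFactory, UserFederationProviderModel, DirectoryClient, the config keys and the in-memory user store are all stand-ins named after the thread, not the real SPI.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;

// Hypothetical stand-ins for the Keycloak types named in the thread (not the real SPI).
interface KeycloakSessionFactory {}

class UserFederationProviderModel {
    final String realmId;
    UserFederationProviderModel(String realmId) { this.realmId = realmId; }
}

// The two directory queries a sync job needs; a real provider would page through results.
interface DirectoryClient {
    List<String> allUsernames();
    List<String> usernamesChangedSince(Date since);
}

// Sync hangs off the factory, as proposed above, so the job owns its session/transaction
// lifecycle instead of borrowing a per-session UserFederationProvider.
class LdapFederationProviderFactory {
    private final ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor();
    private final AtomicReference<Date> lastSync = new AtomicReference<>(); // null until the first sync
    private final Map<String, Date> localUsers = new LinkedHashMap<>();    // stands in for the Keycloak user store
    private final DirectoryClient directory;

    LdapFederationProviderFactory(DirectoryClient directory) { this.directory = directory; }

    // init(): read the periods (seconds) from the config scope and schedule jobs.
    // Both default to -1, so nothing runs periodically unless explicitly configured.
    void init(Map<String, String> config, KeycloakSessionFactory sf, UserFederationProviderModel model) {
        long fullSyncPeriod = Long.parseLong(config.getOrDefault("fullSyncPeriod", "-1"));
        long partialSyncPeriod = Long.parseLong(config.getOrDefault("partialSyncPeriod", "-1"));
        if (fullSyncPeriod > 0) {
            scheduler.scheduleAtFixedRate(() -> syncAllUsers(sf, model.realmId, model),
                    fullSyncPeriod, fullSyncPeriod, TimeUnit.SECONDS);
        }
        if (partialSyncPeriod > 0) {
            scheduler.scheduleAtFixedRate(() -> syncChangedUsers(sf, model.realmId, model, lastSync.get()),
                    partialSyncPeriod, partialSyncPeriod, TimeUnit.SECONDS);
        }
    }

    // Full sync: import every directory user. Returns the number of users touched.
    synchronized int syncAllUsers(KeycloakSessionFactory sf, String realmId, UserFederationProviderModel model) {
        Date started = new Date();   // taken before the query so a concurrent change is not skipped next time
        int count = 0;
        for (String username : directory.allUsernames()) { importUser(realmId, username, started); count++; }
        lastSync.set(started);
        return count;
    }

    // Partial sync: only entries the directory reports as changed since the last sync.
    // With no previous sync (first run, or the admin's manual button) it degrades to a full sync.
    synchronized int syncChangedUsers(KeycloakSessionFactory sf, String realmId,
                                      UserFederationProviderModel model, Date since) {
        if (since == null) return syncAllUsers(sf, realmId, model);
        Date started = new Date();
        int count = 0;
        for (String username : directory.usernamesChangedSince(since)) { importUser(realmId, username, started); count++; }
        lastSync.set(started);
        return count;
    }

    private void importUser(String realmId, String username, Date when) {
        // A real implementation opens its own KeycloakSession/transaction per batch here.
        localUsers.put(realmId + "/" + username, when);
    }

    Date lastSyncDate() { return lastSync.get(); }
    int importedUserCount() { return localUsers.size(); }
    void close() { scheduler.shutdownNow(); }

    public static void main(String[] args) {
        // Constructed in-memory directory: three users, one of which changes after the first sync.
        Map<String, Date> modified = new HashMap<>();
        DirectoryClient directory = new DirectoryClient() {
            public List<String> allUsernames() { return new ArrayList<>(modified.keySet()); }
            public List<String> usernamesChangedSince(Date since) {
                List<String> out = new ArrayList<>();
                for (Map.Entry<String, Date> e : modified.entrySet()) if (e.getValue().after(since)) out.add(e.getKey());
                return out;
            }
        };
        long t0 = System.currentTimeMillis();
        for (String u : new String[] {"alice", "bob", "carol"}) modified.put(u, new Date(t0 - 10_000));

        LdapFederationProviderFactory factory = new LdapFederationProviderFactory(directory);
        UserFederationProviderModel model = new UserFederationProviderModel("master");
        KeycloakSessionFactory sf = new KeycloakSessionFactory() {};
        factory.init(Collections.emptyMap(), sf, model);   // no periods configured: nothing is scheduled

        int full = factory.syncAllUsers(sf, model.realmId, model);
        modified.put("bob", new Date(System.currentTimeMillis() + 1_000)); // constructed: bob modified after the full sync
        int partial = factory.syncChangedUsers(sf, model.realmId, model, factory.lastSyncDate());
        System.out.println("full=" + full + " partial=" + partial + " local=" + factory.importedUserCount());
        factory.close();
    }
}
```

Run the main() to see the full sync import all three constructed users and the partial sync pick up only the one modified afterwards. The timestamp is recorded from before the directory query, not after, so an entry modified while the sync is running is retried on the next partial pass rather than silently missed; and because the periods default to -1, a deployment only gets background synchronization when it is explicitly turned on, matching the "OFF by default" point above.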