9:50 a.m.
I've sent PR https://github.com/keycloak/keycloak/pull/523 for
export/import with same representation as admin realm.
- It's still possible to export into encrypted ZIP file (default
possibility), into directory or all realms into single JSON file.
- With export to directory, data of each realm are exported into
separate file and users are also exported into separate file. It's
configurable how many users will be in single file (By default it's 5000
users per file) and it's using separate transaction per each file (set
of users). So for example if you have realm with 20.000 users the realm
will be exported into 5 separate files (1 file like "demo-realm.json"
for realm data and 4 files like "demo-users-0.json",
"demo-users-1.json"
etc for users).
- Export to encrypted ZIP is quite similar like export to directory
(realms and users in separate files inside ZIP), but all data are
canonicalized. This is default possibility and is intended for
production use
- Export into single JSON file allows to export all realms including
users into single JSON file (array of RealmRepresentations). This is
intended to be used mainly for development
- I've moved some code from "services" module as from there it's not
available to export/import. I've moved class ModelToRepresentation to
model/api and I've also extracted some code from managers (RealmManager,
ApplicationManager, OAuthClientManager, RolesManager) to
RepresentationToModel class.
- I've moved tests to testsuite/integration . Right now there is
ExportImportTest, which tests all 3 providers (zip, dir, singleFile).
- Question: Is it plan to move some manager classes like RealmManager,
ApplicationManager, OAuthClientManager and RolesManager to model/api as
well? These don't have dependencies on other stuff in "services" and it
will be useful for stuff like export/import to have them available. For
example export/import may need the code for setup masterAdmin
application (as if I import realm, I've need to check if particular
master application like "demo-realm" exists in master realm and create
it if doesn't, so I've needed to move some related code from
RealmManager for setup this too).
- Export/import is still checked at server startup with system properties.
Question: How big priority it is to support export from admin console?
TBH it shouldn't be hard to add it but it seems to me that this option
is useful more for development than production as during export from
admin console could be realm data edited in the meantime (For example if
some other user registers himself in the meantime when admin triggered
export). The solution might be JAX-RS or Http Filter, which will refuse
request to realm when export is in progress. Do we want to go that way?
Maybe just possibility to export current realm to single JSON file is
sufficient in admin console?
Let me know if you have some other ideas/proposals
Thanks,
Marek
10:13 a.m.
Great stuff Marek
Some comments inline
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 15 July, 2014 3:50:32 PM
Subject: [keycloak-dev] Export/import into representations
I've sent PR https://github.com/keycloak/keycloak/pull/523 for
export/import with same representation as admin realm.
- It's still possible to export into encrypted ZIP file (default
possibility), into directory or all realms into single JSON file.
- With export to directory, data of each realm are exported into
separate file and users are also exported into separate file. It's
configurable how many users will be in single file (By default it's 5000
users per file) and it's using separate transaction per each file (set
of users). So for example if you have realm with 20.000 users the realm
will be exported into 5 separate files (1 file like "demo-realm.json"
for realm data and 4 files like "demo-users-0.json",
"demo-users-1.json"
etc for users).
- Export to encrypted ZIP is quite similar like export to directory
(realms and users in separate files inside ZIP), but all data are
canonicalized. This is default possibility and is intended for
production use
- Export into single JSON file allows to export all realms including
users into single JSON file (array of RealmRepresentations). This is
intended to be used mainly for development
- I've moved some code from "services" module as from there it's not
available to export/import. I've moved class ModelToRepresentation to
model/api and I've also extracted some code from managers (RealmManager,
ApplicationManager, OAuthClientManager, RolesManager) to
RepresentationToModel class.
- I've moved tests to testsuite/integration . Right now there is
ExportImportTest, which tests all 3 providers (zip, dir, singleFile).
- Question: Is it plan to move some manager classes like RealmManager,
ApplicationManager, OAuthClientManager and RolesManager to model/api as
well? These don't have dependencies on other stuff in "services" and it
will be useful for stuff like export/import to have them available. For
example export/import may need the code for setup masterAdmin
application (as if I import realm, I've need to check if particular
master application like "demo-realm" exists in master realm and create
it if doesn't, so I've needed to move some related code from
RealmManager for setup this too).
+1
- Export/import is still checked at server startup with system properties.
Question: How big priority it is to support export from admin console?
TBH it shouldn't be hard to add it but it seems to me that this option
is useful more for development than production as during export from
admin console could be realm data edited in the meantime (For example if
some other user registers himself in the meantime when admin triggered
export). The solution might be JAX-RS or Http Filter, which will refuse
request to realm when export is in progress. Do we want to go that way?
Maybe just possibility to export current realm to single JSON file is
sufficient in admin console?
It could be nice to be able to export realms through the console. For exporting realm we
could disable any calls to admin console to make sure realms don't change. For users
we could disable account mngmt, required actions, registrations, and other things
that'll do writes, while still allowing users to login etc.
LDAP/Sync is much higher priority IMO though. Probably best to post-pone this to later, or
even wait until/if we get requests for it.
Let me know if you have some other ideas/proposals
Thanks,
Marek
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
10:20 a.m.
On 7/15/2014 11:13 AM, Stian Thorgersen wrote:
> - Question: Is it plan to move some manager classes like
RealmManager,
> ApplicationManager, OAuthClientManager and RolesManager to model/api as
> well? These don't have dependencies on other stuff in "services" and
it
> will be useful for stuff like export/import to have them available. For
> example export/import may need the code for setup masterAdmin
> application (as if I import realm, I've need to check if particular
> master application like "demo-realm" exists in master realm and create
> it if doesn't, so I've needed to move some related code from
> RealmManager for setup this too).
+1
Can we wait on moving managers? Please? :) BTW, I think there is
JAX-RS code in some managers.
LDAP/Sync is much higher priority IMO though. Probably best to
post-pone this to later, or even wait until/if we get requests for it.
I'd really like to implement the ideas I talked about before about
LDAP/Sync. I was going to tackle that after UserProvider split (which
should be today or tomorrow).
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
4:59 a.m.
On 15.7.2014 17:20, Bill Burke wrote:
On 7/15/2014 11:13 AM, Stian Thorgersen wrote:
>> - Question: Is it plan to move some manager classes like RealmManager,
>> ApplicationManager, OAuthClientManager and RolesManager to model/api as
>> well? These don't have dependencies on other stuff in "services"
and it
>> will be useful for stuff like export/import to have them available. For
>> example export/import may need the code for setup masterAdmin
>> application (as if I import realm, I've need to check if particular
>> master application like "demo-realm" exists in master realm and create
>> it if doesn't, so I've needed to move some related code from
>> RealmManager for setup this too).
> +1
>
Can we wait on moving managers? Please? :) BTW, I think there is
JAX-RS code in some managers.
yeah, I meant just RealmManager, ApplicationManager,
OAuthClientManager
and UserManager, which doesn't have dependency on JAX-RS and they deal
mainly with model api.
Marek
> LDAP/Sync is much higher priority IMO though. Probably best to post-pone this to
later, or even wait until/if we get requests for it.
>
I'd really like to implement the ideas I talked about before about
LDAP/Sync. I was going to tackle that after UserProvider split (which
should be today or tomorrow).
3:34 a.m.
I've sent PR https://github.com/keycloak/keycloak/pull/533 which
improves a bit existing export/import to use users pagination as it's
available now in master.
I've also added method UserProvider.getUsersCount() to count total
number of users. I am using that for export/import and I believe it
might be useful for admin console too to see total number of
users/pages? Not sure if we need "count" methods for
UserProvider.searchFor*** ?
Marek
On 16.7.2014 11:59, Marek Posolda wrote:
On 15.7.2014 17:20, Bill Burke wrote:
> On 7/15/2014 11:13 AM, Stian Thorgersen wrote:
>>> - Question: Is it plan to move some manager classes like RealmManager,
>>> ApplicationManager, OAuthClientManager and RolesManager to model/api as
>>> well? These don't have dependencies on other stuff in
"services" and it
>>> will be useful for stuff like export/import to have them available. For
>>> example export/import may need the code for setup masterAdmin
>>> application (as if I import realm, I've need to check if particular
>>> master application like "demo-realm" exists in master realm and
create
>>> it if doesn't, so I've needed to move some related code from
>>> RealmManager for setup this too).
>> +1
>>
> Can we wait on moving managers? Please? :) BTW, I think there is
> JAX-RS code in some managers.
yeah, I meant just RealmManager, ApplicationManager, OAuthClientManager
and UserManager, which doesn't have dependency on JAX-RS and they deal
mainly with model api.
Marek
>> LDAP/Sync is much higher priority IMO though. Probably best to post-pone this to
later, or even wait until/if we get requests for it.
>>
> I'd really like to implement the ideas I talked about before about
> LDAP/Sync. I was going to tackle that after UserProvider split (which
> should be today or tomorrow).
>
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
4:56 a.m.
On 15.7.2014 17:13, Stian Thorgersen wrote:
It could be nice to be able to export realms through the console. For
exporting realm we could disable any calls to admin console to make sure realms don't
change. For users we could disable account mngmt, required actions, registrations, and
other things that'll do writes, while still allowing users to login etc.
I've created JIRA https://issues.jboss.org/browse/KEYCLOAK-561 without
fix version for now.
Marek
3763
days inactive
3765
days old
5 comments
3 participants
participants (3)
-
Bill Burke -
Marek Posolda -
Stian Thorgersen