menu refactor, removed breadcrumbs
by Bill Burke
Stian mentioned months and months ago that he thought breadcrumbs were
redundant. So...I removed them.
Also, I added a top-level menu item "roles". This made the settings
submenu a bit smaller.
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 5 months
tooltips started
by Bill Burke
I did it for "Settings, Users, Roles" and their submenus. Let me know
if you like them. Going to finish them up tomorrow.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 6 months
Sync committed
by Marek Posolda
Hi,
I've pushed support for bulk sync of users from external store (like
LDAP) to local store. Some summary of changes:
- Added 2 new methods to UserFederationProviderFactory. Method
syncAllUsers (For sync all users from external store to local store) and
syncChangedUsers (sync just users, which were changed. Needs that
external store has support for changelogs)
- Implementation for LDAP which allows both "full" and "changed" sync.
It's possible to track users, which were created or updated on LDAP
server since some specified time. Unfortunately not easily possible to
track removed LDAP users
- Support for periodic sync. You can specify period for each
FederationProvider how often it should do syncAllUsers and how often
syncChangedUsers. It's possible to specify different period for each
UserFederationProviderModel so for example realm1 can sync from Active
Directory once per day where realm2 can sync from OpenDS LDAP just once
per week etc. Also if you update or delete UserFederationProviderModel,
sync task will be updated/cancelled as well (I've added to BasicTimer
support for cancelling of previously scheduled tasks)
Remaining work:
* Support in admin console. I plan to add buttons, which will allow
admin to trigger either syncAllUsers or syncChangedUsers from admin
console. Also new options to specify periods for fullSync and
"changedSync" . For LDAP, I will need to add option for batch size
(Number of LDAP users to be downloaded per each batch (page). Each batch
is processed in separate transaction) .
* For now, I've added just sync from external store to Keycloak. Do we
need 2 ways sync? For example if people have WRITABLE mode for their
Federation Provider, then changes to particular user done by Keycloak
are immediately written to 3rd party store anyway?
* As I mentioned the syncChangedUsers for LDAP is able to track created
and updated LDAP users but not removed. I wonder if it's good idea that
during full sync, Keycloak will check if all local users with LDAP links
are still valid and delete those, which are not? Or is it ok to just
rely on FederationProvider to handle this?
* Sync/Federation of roles? Right now both FederationProvider and Sync
is doing just syncing of users, but not roles or role mappings. I wonder
that maybe people probably also want to sync their LDAP roles into
Keycloak and also role mappings too. This might be quite tricky though
as Federation just deals with UserProvider, but syncing roles from LDAP
will require some updates to RealmProvider too. Probably not doable for
1.0.Final though...
Marek
10 years, 6 months
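The sync design Marek describes above (a full sync that pages through the external store with one transaction per batch, and a changelog-based "changed users" sync that can see creates and updates but not deletes) is illustrated below with an added, stand-alone example. This is not Keycloak's code or API: the stores, the `ExtUser`/`ExternalStore`/`LocalStore` classes, the `sync_all_users`/`sync_changed_users` function names and the `remove_missing` option (which answers his question about pruning stale LDAP-linked local users during a full sync) are all assumptions constructed for illustration, and the sample users are made up.

```python
"""Added example, not Keycloak's code: full vs. changed-user sync from an
external (LDAP-like) store into a local store. All names are assumptions."""
from contextlib import contextmanager
from dataclasses import dataclass


@dataclass
class ExtUser:
    username: str
    modified: int  # stand-in for an LDAP modifyTimestamp / changelog time


class ExternalStore:
    """In-memory stand-in for LDAP; supports paging and 'changed since'."""
    def __init__(self, users):
        self.users = {u.username: u for u in users}

    def page(self, batch_size):
        names = sorted(self.users)
        for i in range(0, len(names), batch_size):
            yield [self.users[n] for n in names[i:i + batch_size]]

    def changed_since(self, ts):
        # A changelog only lists entries that still exist; a deleted entry
        # simply never shows up here, which is why deletes are invisible.
        return [u for u in self.users.values() if u.modified >= ts]


class LocalStore:
    """Local user store: username -> (federation_link, modified)."""
    def __init__(self):
        self.users = {}
        self.commits = 0

    @contextmanager
    def transaction(self):
        # One transaction per batch: a failing batch rolls back only itself.
        snapshot = dict(self.users)
        try:
            yield
            self.commits += 1
        except Exception:
            self.users = snapshot
            raise


def _counts():
    return {"added": 0, "updated": 0, "unchanged": 0, "skipped": 0,
            "removed": 0, "batches": 0}


def upsert(local, user, link):
    existing = local.users.get(user.username)
    if existing is None:
        local.users[user.username] = (link, user.modified)
        return "added"
    if existing[0] != link:
        return "skipped"  # owned by another provider (or local-only): leave alone
    if existing[1] != user.modified:
        local.users[user.username] = (link, user.modified)
        return "updated"
    return "unchanged"


def sync_all_users(ext, local, link, batch_size=2, remove_missing=False):
    """Full sync: page through the whole external store, one tx per batch."""
    counts = _counts()
    seen = set()
    for batch in ext.page(batch_size):
        with local.transaction():
            for u in batch:
                counts[upsert(local, u, link)] += 1
                seen.add(u.username)
        counts["batches"] += 1
    if remove_missing:
        # Only a full sync can detect deletions: a local user linked to this
        # provider that the external store no longer returned is an orphan.
        with local.transaction():
            for name, (owner, _) in list(local.users.items()):
                if owner == link and name not in seen:
                    del local.users[name]
                    counts["removed"] += 1
    return counts


def sync_changed_users(ext, local, link, since):
    """Changed sync: cheap, but cannot see users removed on the LDAP side."""
    counts = _counts()
    with local.transaction():
        for u in ext.changed_since(since):
            counts[upsert(local, u, link)] += 1
    counts["batches"] = 1
    return counts
```

Usage: run `sync_all_users(ext, local, "ldap1", batch_size=2, remove_missing=True)` once, then `sync_changed_users(ext, local, "ldap1", since=<last run>)` on the short period; a user deleted from the external store stays in `local` until the next full sync prunes it, which is the trade-off the post raises.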
security headers/realm attributes
by Bill Burke
I'm going to add realm attributes to JPA model and move some stuff there
(brute force settings for example)
Also, I'm going to add a new menu item "Attack Prevention" (if you can
think of a better name, let me know). Under this I'll move "Brute Force
Protection". Eventually we'll probably put IP Filtering there. Also,
will add a "Security Headers". Under this will allow you to manually
set these headers:
https://www.owasp.org/index.php/List_of_useful_HTTP_headers
By default, iframe will use a same origin policy.
Some of these headers are quite complex (Content-Security-Policy), so it
might be easiest to just allow the user to set the header manually.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 6 months
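Bill's proposal above (a same-origin default for framing, plus letting an admin type header values such as Content-Security-Policy in by hand) is illustrated with an added example that is not Keycloak's code. It merges admin-supplied overrides over a default set and applies the two checks a practitioner would want before an admin-entered string is written into a response: the header must be one of the known security headers, and the value must not contain CR/LF (otherwise a free-form value becomes a response-splitting vector). The default set, the allow-list, the function names and the "empty string suppresses the header" convention are all assumptions.

```python
"""Added example, not Keycloak's code: merging manually configured security
headers over same-origin defaults, with input validation. Names assumed."""

# Assumed defaults: framing restricted to the same origin, as the post says.
DEFAULT_SECURITY_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}

# Assumed allow-list drawn from the OWASP "useful HTTP headers" page.
ALLOWED_SECURITY_HEADERS = {
    "X-Frame-Options",
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "X-XSS-Protection",
}

_XFO_VALUES = {"DENY", "SAMEORIGIN"}


def _canonical(name):
    """Case-insensitive lookup of a header name in the allow-list."""
    for allowed in ALLOWED_SECURITY_HEADERS:
        if allowed.lower() == name.strip().lower():
            return allowed
    raise ValueError("not a recognised security header: %r" % name)


def validate_header_value(name, value):
    """Reject values that would corrupt the response or are malformed."""
    if "\r" in value or "\n" in value or "\0" in value:
        raise ValueError("%s: control characters are not allowed" % name)
    if name == "X-Frame-Options" and value:
        upper = value.strip().upper()
        if upper not in _XFO_VALUES and not upper.startswith("ALLOW-FROM "):
            raise ValueError("X-Frame-Options must be DENY, SAMEORIGIN or ALLOW-FROM")
    return value.strip()


def build_security_headers(overrides):
    """Return the headers to emit: defaults, with admin overrides applied.

    An empty override value means 'do not send this header at all', so an
    admin can drop a default (e.g. to rely on a CSP frame-ancestors rule).
    """
    headers = dict(DEFAULT_SECURITY_HEADERS)
    for raw_name, raw_value in overrides.items():
        name = _canonical(raw_name)
        value = validate_header_value(name, raw_value)
        if value == "":
            headers.pop(name, None)
        else:
            headers[name] = value
    return headers
```

Note that Content-Security-Policy is deliberately passed through with only the control-character check, in line with the post's point that the header is too complex to build from form fields; the value is still validated for response splitting before it is emitted.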
full scope allowed
by Bill Burke
Applications, by default, have a full scope of all realm and all
applications' roles. This is a flag stored in "fullScopeAllowed" in the
Client model.
It is a switch called "Full Scope Allowed". I don't know if there is a
better name for it or not.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 6 months
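To make the effect of the switch above concrete, here is an added example (not Keycloak's code) of how a token's role claims differ depending on whether the client's "Full Scope Allowed" flag is on: with it on, every role mapped to the user lands in the token; with it off, only the roles in the client's explicit scope do. The claim layout (`realm_access` / `resource_access`), the `(owner, role)` representation and the `audit_full_scope_clients` check are assumptions, and the sample roles are constructed.

```python
"""Added example, not Keycloak's code: what a client's fullScopeAllowed flag
means for the roles in an issued token. Claim layout and names assumed."""


def token_role_claims(user_roles, full_scope_allowed, client_scope):
    """Build role claims for one client.

    user_roles:   set of (owner, role); owner is "realm" or an application id.
    client_scope: set of (owner, role) the client is explicitly allowed to
                  see (its scope mappings). Ignored when full scope is on.
    """
    if full_scope_allowed:
        granted = set(user_roles)            # everything the user has
    else:
        granted = set(user_roles) & set(client_scope)

    claims = {"realm_access": {"roles": []}, "resource_access": {}}
    for owner, role in sorted(granted):
        if owner == "realm":
            claims["realm_access"]["roles"].append(role)
        else:
            app = claims["resource_access"].setdefault(owner, {"roles": []})
            app["roles"].append(role)
    return claims


def audit_full_scope_clients(clients):
    """Practitioner's check: list clients whose tokens carry every role the
    user holds, including roles of unrelated applications."""
    return sorted(name for name, cfg in clients.items()
                  if cfg.get("fullScopeAllowed", True))


if __name__ == "__main__":
    # Constructed sample: a user with a realm role and roles in two apps.
    roles = {("realm", "admin"), ("billing", "view"), ("hr", "manage")}
    print(token_role_claims(roles, True, set()))
    print(token_role_claims(roles, False, {("billing", "view")}))
    print(audit_full_scope_clients({"billing": {"fullScopeAllowed": False},
                                    "legacy": {"fullScopeAllowed": True}}))
```

The default described in the post (full scope on) is the permissive setting; the audit helper is the kind of check to run over a realm's clients before deciding which ones actually need every role in their tokens.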
Transaction active
by Marek Posolda
I believe that when tx.commit() or tx.rollback() is called, then
transaction shouldn't be in the active state anymore, right? Actually
JPA works this way, but our other transaction implementations
(TransactionManager, cache, mongo) are not. Should we change that?
Marek
10 years, 6 months
Keycloak Admin Console UI - a little guide
by Matthias Wessendorf
Hello,
as part of the UPS release we are improving our own 'user guide' for the
UPS. Current status is visible here:
http://staging.aerogear.org/docs/unifiedpush/ups_userguide/
In this guide, there is a section that is called "Administration of the
UnifiedPush Server", which should be explaining the Keycloak's Admin
Console UI features (see [1]). The doc would contain a bunch of screenshots
and little sentences to explain the reason of these different screens,
similar to:
http://staging.aerogear.org/docs/unifiedpush/ups_userguide/admin-ui/
However, before starting too early on this document, I was wondering about
a few things :-)
* there is no such 'Console UI guide' from the Keycloak team, atm - right ?
If so, that's totally fine and I am happy to create one for UPS. Hopefully
some of its content can be reused by the KC team. Would be cool if we can
work on improving that document together
* are you guys planning significant changes to the Admin Console UI, after
the beta4 has been released? I've seen some PRs around "UI federation" (I
am not familiar w/ the details around that), but that seems to be done once
we have the beta4 release available.
Thanks,
Matthias
[1] https://issues.jboss.org/browse/AGPUSH-877
--
Matthias Wessendorf
blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
10 years, 6 months