How to assign new client default roles to existing users?
by Vlastimil Elias
Hi,
we just found one admin use case which is not covered by existing
Keycloak and its Admin GUI.
When you create new Client later and define some default role/s for it,
then there is not any way how to assign these roles to existing users.
Problem is that default roles are assigned to users in DB when they are
created. Then admin GUI allows to assign roles for one user only, not
too useful when you have hundreds or thousands of users ;-)
Only workaround for now is to write script which uses REST API to assign
new default roles to all existing users.
I see these possible solutions:
* do not assign default roles in DB when user is created, but assign
them dynamically when user roles are asked - possible cons of this
solution is that it does not allow to remove default role from
concrete/selected users
* keep default roles assignment into DB on user create, but
automatically assign new default role to all existing users once it
is defined for client
* keep default roles assignment into DB on user create, but add some
manual bulk role assignment action into Admin GUI, which allows
admin to assign role to existing users.
WDYT, which solution should be better?
Cheers
Vlastimil
--
Vlastimil Elias
Principal Software Engineer
jboss.org Development Team
10 years, 10 months
question about RDBMS
by Horia Mocioi
Hello,
I have configured KC to use MySQL schema and when starting KC it created 48
tables.
But in one mail sent on this list (the one about Couchbase DB) I found out
that there a 2 dbs. Can you tell where i can find the second one? I mean in
the tables created in MySQL I can see both realm and users tables.
Is there any other db? Where is it?
Thank you,
Horia
--
<http://bookreader.ro>
10 years, 10 months
Couchbase DB support ?
by George Leon
Hi Keycloak Team ,
We need to add security to our Wildfly 8.2 and we found keycloak. First
big question is it production ready ?
Second I need to explore options to add Users DB in Couchbase as we use
Couchbase for our back-end storage I see Mongo DB is supported .
My question is what would it involve to create a Couchbase DB
integration we would be happy to and contribute back once we got it
working .
Any pointers would be nice .
Keep up the great work with Keycloak. I see all the videos and
documentation very good and helpful.
Regards
G.Leon,
Betiator
Athens Greece
10 years, 10 months
DefaultCacheUserProvider problem
by Vlastimil Elias
Hi,
I just created https://issues.jboss.org/browse/KEYCLOAK-1411 to cover
problem with DefaultCacheUserProvider.addUser methods which return
UserModel instance which is not cached/managed by the cache.
These problems forced us to disable UserCache in our KC instances for
now, which is not very good.
I believe this problem is a bit serious as it may cause distinct random
operational problems when using KC. Can anybody from core KC team look
at it, or should I try to patch the problem myself and provide PR?
Cheers
Vl.
--
Vlastimil Elias
Principal Software Engineer
jboss.org Development Team
10 years, 10 months
Admin recovery update
by Stian Thorgersen
The hope was to use the new offline CLI mode to add reset admin password and import/export operations. However, it turns out to be a bit of a pain in the ass to do so.
For now we'll just have a system property that is used to reset admin pass, similar to how import/export works.
Hopefully soon we can improve on this and use the offline CLI mode, or alternatively create a custom script that does this. The main issue with these is datasources are not available.
10 years, 10 months
Question: Loading list of role members via hibernate
by Andrew Zenk
I am working on providing a read only ldap interface to the keycloak
database via a custom partition for apache directory server . In order to
properly populate part of the tree, I will need to be able to pull a list
of role members from the database.
At present I'm using the keycloak/hibernate libraries to access our mysql
database directly. This seems to work well for most things. Though, I
can't seem to find a way to get from a role id to a list of the roles
members. Based on poking around in the code, it seems like there's an easy
way to get the roles that a given user is a member of, but not the
reverse. Is there a path that I'm missing? If not, I'd be happy to take a
stab at implementing it myself. I'm relatively new to hibernate though so
it would likely take me a while to get it right.
I'd also be open to accessing the keycloak database using a different
interface. This just seemed like the best choice for my use case.
--
Andrew Zenk, EIT
Polar Geospatial Center
University of Minnesota
Office: (612) 625-0872
Cell: (612) 414-9617
10 years, 10 months
Admin REST API create new user
by Horia Mocioi
Hello,
I would like to create a user via Admin REST API using HttpPost.
Unfortunately, I was not able to find any example on how to create a user
or role.
I successfully managed to list roles and user using the example from
admin-access-api, but now I would like to create a new user.
Can anyone provide an example using HttpPost on how to create a new user?
Thank you,
Horia
--
<http://bookreader.ro>
10 years, 10 months
"Windows Security" pop up problem
by Matthew Casperson
We authenticate against a Windows domain using LDAP (and not using
Kerberos).
In KeyCloak 1.2.0, this prompt now appears when users are asked to log in.
The problem is that this prompt automatically appends the domain to the
username, and I can't see any LDAP property that accepts the domain name.
We use the sAMAccountName property, which does not include the domain, and
looking at
https://msdn.microsoft.com/en-us/library/windows/desktop/ms677605(v=vs.85...
I don't see any other property that will work with this prompt.
We might be able to use userPrincipalName, but none of our users have any
experience logging in with an email address, and I'd like to avoid the
training overhead of this if possible.
So my questions are:
1. Can I disable this prompt and use the standard keycloak form based login?
2. Is there an LDAP field that I can define in the keycloak LDAP federation
config that will accept a domain as part of the username?
--
*Matthew Casperson*
*Senior Front End Developer*
Technology, Space & Distribution
Auto & General Holdings Pty Ltd
P: 07) 3377 8751 (Direct: 3377 8751)
F: 07) 3377 8833
--
This email is sent by Auto & General Insurance Company Ltd, Auto & General Services Pty Ltd, Auto & General Holdings Pty Ltd or a related body corporate (Auto & General) and is for the intended addressee.
The views expressed in this email and attachments (email) reflect the views of the stated author but may not reflect views of Auto & General. This email is confidential and subject to copyright.
It may be privileged. If you are not the intended addressee, confidentiality and privilege have not been waived and any use, interference with, or disclosure of this email is unauthorised.
If you are not the intended addressee please immediately notify the sender and then delete the email. Auto & General does not warrant that this email is error or virus free.
10 years, 10 months
Re: [keycloak-dev] sticky sessions, clustering, and authentication
by mike cirioli
So sticky sessions would be needed only during the authentication phase, and once complete an underlying clustered session would be created?
On Jun 3, 2015 7:00 PM, Bill Burke <bburke(a)redhat.com> wrote:
>
> I was thinking a bit about performance in a cluster. Right now a client
> session is created whenever login is initiated. This ends up requiring
> the client session to be propagated to the cluster, either through a
> database insert/update or an infinispan replication. Then, with each
> authentication/required action step, another insert/update/replication.
>
> I was thinking we should have an AuthenticationSession that was in
> memory only. Then, once all authentication and required actions are
> finished, then create the usersession and client session. This would
> require sticky sessions though with a load balancer.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
10 years, 10 months
really need logging
by Bill Burke
I can't stand that we only use events for error declaration. I'm trying
to debug a problem and all I get is an event message. I have no idea
where the problem happening and I have to guess. Its going to be a real
issue for us to debug user problems.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 10 months
