The problem is that just the admin realm (or "master realm" or whatever it
will be called) is able to retrieve the list of users, applications etc.
with the KC admin endpoints.
Maybe it's possible to expose endpoints for some users of the realm itself
(so, for example, users with the role "admin" of realm "myRealm" will be able
to retrieve the list of users of this realm). But this won't solve the
problem with SSO login though. If I want my administrator to have SSO
between the Keycloak admin console, Liveoak admin console and Aerogear admin
console, then all these admin consoles must use the same realm actually...
So it seems that the best is if all admin users will still use the
"master realm" but there will be fine-grained authorization, which will
allow proper isolation of the various admin users.
Example:
- I want my "master realm" to manage the Keycloak, Liveoak and Aerogear
admin consoles.
- So the "admin" user, who can do anything, will create the roles
"aerogear-admin" and "liveoak-admin" and will assign the role
"aerogear-admin" to user "joe".
- Now "joe" is an Aerogear administrator and he wants to grant admin rights
to more users, so he is not alone for all administration tasks. So he
must be able to create new users in the "master realm" and grant them the role
"aerogear-admin" and also see all other "aerogear-admin" users, but he
shouldn't be able to see any other users from the "master realm". He
shouldn't even be able to see that the "master realm" itself is also used
for Liveoak administration...
Marek
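The isolation Marek sketches above, as an added toy model (not Keycloak's own code or API): every actor in the shared "master realm" can only see, create and grant what its own product role covers, so "joe" never learns that the realm also serves Liveoak. The class and attribute names (MasterRealm, product_roles) and the sample users are assumptions for this example.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


@dataclass
class MasterRealm:
    """Toy model of a shared admin realm with per-product isolation."""
    users: dict = field(default_factory=dict)
    # Product-specific admin roles; holding one must not reveal the others.
    product_roles: set = field(default_factory=set)

    def add_user(self, name, *roles):
        self.users[name] = User(name, set(roles))

    def _managed_roles(self, actor):
        """Roles an actor may see and assign: the global "admin" role
        manages everything, a product admin manages only its own role."""
        a = self.users[actor]
        if "admin" in a.roles:
            return set(self.product_roles) | {"admin"}
        return a.roles & self.product_roles

    def visible_users(self, actor):
        """Users sharing a role the actor manages; all other users of the
        realm (and the products they administer) stay invisible."""
        scope = self._managed_roles(actor)
        return sorted(u.name for u in self.users.values() if u.roles & scope)

    def visible_roles(self, actor):
        return sorted(self._managed_roles(actor))

    def create_user(self, actor, name, role):
        """Create a user in the master realm with one role, allowed only
        when the actor manages that role. Returns True on success."""
        if role not in self._managed_roles(actor):
            return False
        self.add_user(name, role)
        return True


def demo():
    # Constructed sample data following the scenario in the mail.
    realm = MasterRealm(product_roles={"aerogear-admin", "liveoak-admin"})
    realm.add_user("admin", "admin")
    realm.add_user("joe", "aerogear-admin")
    realm.add_user("alice", "liveoak-admin")
    ok = realm.create_user("joe", "bob", "aerogear-admin")      # joe's product
    denied = realm.create_user("joe", "mallory", "liveoak-admin")  # not his
    return ok, denied, realm.visible_users("joe"), realm.visible_roles("joe")
```

Running `demo()` shows joe creating "bob" as a fellow aerogear-admin, being refused a liveoak-admin grant, and seeing neither "admin", "alice" nor the "liveoak-admin" role.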
On 2.5.2014 21:01, Bill Burke wrote:
Can we have a hangout on this on Monday? I need some closure on this as
I want to get Aerogear requirements out of the way.
Comments inline:
On 5/2/2014 4:23 AM, Stian Thorgersen wrote:
> My thought was that admins would log in to a single "admin realm", which
> would let them manage any Keycloaks, AeroGears, EAPs and any other servers they have.
>
This is what I have been saying. Keycloak admin console, keycloak REST
API, and Aerogear UPS all need to be managed by one realm.
BTW, I don't know how we would get the EAP console managed under
Keycloak. It's all pretty much hard coded to JAAS/security domains.
The domain controller doesn't run under a servlet container.
> Then you'd have one or more application realms where end-users would login.
>
> If we don't have AeroGear admins in the same realm as Keycloak admins, admins
> will have to login multiple times.
>
Exactly.
> So basically I think the AeroGear admin console should be in the Keycloak admin
> realm, then there's one or more realms for AeroGear users.
>
We can't always use the master Keycloak admin realm as the keycloak
server might be multi-tenant. In other words, the keycloak server may
be managing multiple realms for completely isolated applications and
thus, you would not want Aerogear UPS metadata in the "master" realm.
So, go back to Stian's summary. You need:
* Keycloak administrator. We have support for this already.
* Realm administrator.
* User within a single realm
We already have inquiries on how an application can interact with the
admin REST interface. Seems that with our current setup, the
"master-realm" would be polluted with users, roles, and applications
beyond what it was intended to be used for.
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Thursday, 1 May, 2014 5:06:42 PM
>> Subject: Re: [keycloak-dev] management problems
>>
>> Yes, as you would have to know to switch between realms. Defeats the
>> idea of Aerogear looking like one product.
>>
>> On 5/1/2014 11:49 AM, Stian Thorgersen wrote:
>>> Is that really an issue?
>>>
>>> Users would just be admin users, there would be a separate realm for
>>> AeroGear users.
>>>
>>> And there'd probably be a single AeroGear console application, with a few
>>> associated roles.
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>> Sent: Thursday, 1 May, 2014 4:47:24 PM
>>>> Subject: Re: [keycloak-dev] management problems
>>>>
>>>>
>>>>
>>>> On 5/1/2014 11:41 AM, Stian Thorgersen wrote:
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>>>> Sent: Thursday, 1 May, 2014 4:37:39 PM
>>>>>> Subject: Re: [keycloak-dev] management problems
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 5/1/2014 11:24 AM, Stian Thorgersen wrote:
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>>>>>> Sent: Thursday, 1 May, 2014 4:19:26 PM
>>>>>>>> Subject: Re: [keycloak-dev] management problems
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 5/1/2014 10:16 AM, Stian Thorgersen wrote:
>>>>>>>>>
>>>>>>>>> ----- Original Message -----
>>>>>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>>>>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>>>>>>>> Sent: Thursday, 1 May, 2014 3:11:48 PM
>>>>>>>>>> Subject: Re: [keycloak-dev] management problems
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 5/1/2014 9:30 AM, Stian Thorgersen wrote:
>>>>>>>>>>> I'm wondering about what issues there are with having a single
>>>>>>>>>>> shared admin realm though. That seems the optimal solution to me.
>>>>>>>>>>>
>>>>>>>>>> Isn't the issue multi-tenancy?
>>>>>>>>> We can grant admin users access to manage only specific realms
>>>>>>>>> though?
>>>>>>>>>
>>>>>>>>> Or are you thinking multi-tenancy for AeroGear?
>>>>>>>> What I mean is that you want to manage Aerogear in a realm on a server
>>>>>>>> that is multi-tenant (1 server managing multiple realms). Can't really
>>>>>>>> have a single shared admin realm in that case.
>>>>>>> I'm still not following :/
>>>>>>>
>>>>>>> Can you spoon-feed me an example?
>>>>>>>
>>>>>> Aerogear UPS admin needs to:
>>>>>>
>>>>>> * manage users
>>>>>> * manage role mappings
>>>>>> * manage oauth clients
>>>>>> * Manage aerogear specific things
>>>>>>
>>>>>> You want to have one login to do all those things. This means there
>>>>>> needs to be one realm to do all these things. You could re-use the
>>>>>> "keycloak-admin" realm, but re-using the "keycloak-admin" realm doesn't
>>>>>> work if you're dealing with a Keycloak deployment that is managing
>>>>>> multiple realms. A.K.A. Multi-tenancy.
>>>>> The part I'm not understanding is why it doesn't work with a Keycloak
>>>>> deployment with multiple realms?
>>>>>
>>>> Because you're polluting the "keycloak-admin" realm with Aerogear
>>>> specific things: users, roles, applications, etc.
>>>>
>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>