On 2014-04-28, Bill Burke wrote:
On 4/28/2014 3:27 AM, Marek Posolda wrote:
> I am planning to start soon on export/import. If I recall correctly, one
> of the requirements is to export the content of whole DB content
> (including IDs and password hashes) to JSON file, which can then be
> later imported into other DB. This will allow to migrate between
> environments and various DB types (For example from Mongo to MySQL and
IMO, a full export (of credentials) should require a secret given by the
admin that will be used to encrypt the export. The export should only
be saved locally to disk and not available over the network.
Maybe we could make use of the KDF function already on Keycloak to
encrypt file? Currently as far as I recall we already use it to validate
passwords, so based on the admin's password we generate the private key
to encrypt/decrypt this file.
> I have some question though
> 1) I assume that DB should be cleared before full import from JSON file?
> Or do we want to update existing data without deleting the previous
> content? I assume that this is used for migration, so it's not about
> updating but completely delete and recreate existing DB, correct?
> 2) How to implement it. I can see two approaches
> a) Use model API to retrieve content of the DB into JSON file during
> export. Similarly during import use model API to sync objects back from
> JSON into model DB.
> b) Add some methods to KeycloakSession interface like:
> ObjectNode export();
> void import(ObjectNode node);
> and implement export/import separately for each model.
> Approach (b) might be better for performance as it allows to directly
> use low-level queries specific to JPA, Mongo or other model
> implementations to export/import stuff more effectively in batch,
> however it will require changes in model implementations and probably
> adding more stuff into dependencies. So I am more convinced to use (a).
"a", IMO. Easier to maintain.
JBoss, a division of Red Hat
keycloak-dev mailing list