On 22.5.2015 17:39, Stan Silvert wrote:
On 5/22/2015 11:25 AM, Marek Posolda wrote:
> On 22.5.2015 14:56, Stian Thorgersen wrote:
>>
>> ----- Original Message -----
>>> From: "Stan Silvert" <ssilvert(a)redhat.com>
>>> To: keycloak-dev(a)lists.jboss.org
>>> Sent: Friday, 22 May, 2015 2:46:59 PM
>>> Subject: [keycloak-dev] Reset admin password
>>>
>>> We need a way to reset the admin password in case it is lost or
>>> hijacked. The proposal is to do that through an operation on the
>>> keycloak-server-subsystem that only runs in "offline CLI" mode.
>>>
>>> First, we currently allow you to delete the admin user. Should we
>>> disallow that and make the master admin user permanent?
>> Interesting question - quick answer, not sure!
>>
>> There are all sorts of things that can be deleted that'll currently
>> screw things up royally! For example deleting admin related roles
>> and clients. Created
https://issues.jboss.org/browse/KEYCLOAK-1340
>> for this.
> Similar issue pointed some time ago by Petr Mensik from QA team: if
> you change SSO session max lifespan timeout for example to 1 second,
> you are immediately logged out from admin console and you're not able
> to login again (More accurately you are able to login, but you're
> logged out immediately due to session timeout).
>
> There are likely bunch of similar things and not sure if we can
> handle all of them. Question is if these are not just "theoretic"
> issues? I can't remember any user complain on ML that he accidentally
> broke his keycloak DB by delete/configure something strange in admin
> console.
>
> Marek
I think we need to clean these up. You should never be able to do
anything from the UI that renders your system inoperable. It's only
a matter of time before some big customer has a disaster because we
let him do something really stupid.
Probably yes. However people can possibly fix
it by edit DB directly or
recover their DB (assuming big customer will do DB backup).
But I agree, we can always be a bit resistent against those issues. And
hopefully CLI could help as well to recover from those. I've created
https://issues.jboss.org/browse/KEYCLOAK-1341 for 1-second timeout issue.
Marek
>>
>> For admin user maybe rather than a reset admin password option, we
>> should have a reset admin account option?
>>
>>> Should the new operation only work on the master admin password or can
>>> it be applied to any user in any realm?
>> +1 To just admin
>>
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>