If I understand correctly this is something we already have. A user in the Keycloak admin
realm can have full control (Keycloak administrator) or can be given one or more
permissions to individual realms.
----- Original Message -----
From: "Stan Silvert" <ssilvert(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Friday, 2 May, 2014 2:01:06 PM
Subject: Re: [keycloak-dev] management problems
You might not want the same administrator for all of your different
realms. In other cases, you do want the same administrator for
different realms.
It seems to me that you would first want a Keycloak admin that can do
anything. A Keycloak admin can create/manage a Realm administrator who
can administer zero or more application realms. An ordinary user can
only belong to one application realm.
So, you have three types of users:
* Keycloak administrator
* Realm administrator
* User within a single realm
Stan
On 5/2/2014 4:23 AM, Stian Thorgersen wrote:
> My thought was that admins would log in to a single "admin realm", which
> would let them manage any Keycloaks, AeroGears, EAPs and any other servers
> they have.
>
> Then you'd have one or more application realms where end-users would log in.
>
> If we don't have AeroGear admins in the same realm as Keycloak admins,
> admins will have to log in multiple times.
>
> So basically I think the AeroGear admin console should be in the Keycloak
> admin realm, then there's one or more realms for AeroGear users.
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Thursday, 1 May, 2014 5:06:42 PM
>> Subject: Re: [keycloak-dev] management problems
>>
>> Yes, as you would have to know to switch between realms. Defeats the
>> idea of Aerogear looking like one product.
>>
>> On 5/1/2014 11:49 AM, Stian Thorgersen wrote:
>>> Is that really an issue?
>>>
>>> Users would just be admin users, there would be a separate realm for
>>> AeroGear users.
>>>
>>> And there'd probably be a single AeroGear console application, with a few
>>> associated roles.
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>> Sent: Thursday, 1 May, 2014 4:47:24 PM
>>>> Subject: Re: [keycloak-dev] management problems
>>>>
>>>>
>>>>
>>>> On 5/1/2014 11:41 AM, Stian Thorgersen wrote:
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>>>> Sent: Thursday, 1 May, 2014 4:37:39 PM
>>>>>> Subject: Re: [keycloak-dev] management problems
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 5/1/2014 11:24 AM, Stian Thorgersen wrote:
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>>>>>> Sent: Thursday, 1 May, 2014 4:19:26 PM
>>>>>>>> Subject: Re: [keycloak-dev] management problems
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 5/1/2014 10:16 AM, Stian Thorgersen wrote:
>>>>>>>>>
>>>>>>>>> ----- Original Message -----
>>>>>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>>>>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>>>>>>>> Sent: Thursday, 1 May, 2014 3:11:48 PM
>>>>>>>>>> Subject: Re: [keycloak-dev] management problems
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 5/1/2014 9:30 AM, Stian Thorgersen wrote:
>>>>>>>>>>> I'm wondering about what issues there are with having a single
>>>>>>>>>>> shared admin realm though. That seems the optional solution to me.
>>>>>>>>>>>
>>>>>>>>>> Isn't the issue multi-tenancy?
>>>>>>>>> We can grant admin users access to manage only specific realms
>>>>>>>>> though?
>>>>>>>>>
>>>>>>>>> Or are you thinking multi-tenancy for AeroGear?
>>>>>>>> What I mean is that you want to manage Aerogear in a realm on a server
>>>>>>>> that is multi-tenant (1 server managing multiple realms). Can't really
>>>>>>>> have a single shared admin realm in that case.
>>>>>>> I'm still not following :/
>>>>>>>
>>>>>>> Can you spoon-feed me an example?
>>>>>>>
>>>>>> Aerogear UPS admin needs to:
>>>>>>
>>>>>> * manage users
>>>>>> * manage role mappings
>>>>>> * manage oauth clients
>>>>>> * Manage aerogear specific things
>>>>>>
>>>>>> You want to have one login to do all those things. This means there
>>>>>> needs to be one realm to do all these things. You could re-use the
>>>>>> "keycloak-admin" realm, but re-using the "keycloak-admin" realm doesn't
>>>>>> work if you're dealing with a Keycloak deployment that is managing
>>>>>> multiple realms. A.K.A. Multi-tenancy.
>>>>> The part I'm not understanding is why it doesn't work with a Keycloak
>>>>> deployment with multiple realms?
>>>>>
>>>> Because you're polluting the "keycloak-admin" realm with Aerogear
>>>> specific things: users, roles, applications, etc.
>>>>
>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev