On 2/5/2014 8:35 AM, Karel Piwko wrote:
On Tue, 04 Feb 2014 13:51:37 -0500
Bill Burke <bburke(a)redhat.com> wrote:
>
>
> On 2/4/2014 12:13 PM, Karel Piwko wrote:
>> Hey,
>>
>> I've combined Aerogear UPS and Keycloak cartridges together. You can check
>> the results at:
>>
>>
>> https://agpushkeycloak-mobileqa.rhcloud.com/ (admin/password)
>>
>> https://keycloak-mobileqa.rhcloud.com/ (admin/password)
>>
>> For keycloak, I have used the original cart [1]:
>>
>> $ rhc app create -g small --no-git keycloak
>>
>> https://raw.github.com/stianst/openshift-keycloak-cartridge/master/metada...
>>
>> For UPS, I have modified matzew's one stored in my repo [2] and modified UPS
>> [3]:
Given your comments, I'll modify the setup to have (primarily) a single cart option.
Should I keep the two-carts setup? It at least seems like a good QE test case ;-)
Note, I will either have to wait for WF8 Final (due to a Hibernate bug in CR1) or
base the cart on AS7.
>>
>> $ rhc app create -g small --no-git agpushkeycloak mysql-5.1
>>
>> 'http://cartreflect-claytondev.cloud.com/reflect?github=kpiwko/openshift-origin-cartridge-aerogear-push&commit=a45f93afaa275de082f9da749bce13fb33acdb75'
>>
>> There are some gotchas though:
>>
>> * keycloak.json - I'm not sure how this will be addressed by the WF subsystem.
>> We still need a way to pass keycloak.json to the UPS cartridge, which is AS7,
>> and we can't ask the user to modify standalone.xml anyway. However, we could
>> make a hook on OpenShift - the user will add keycloak.json to the git repo and it
>> will automagically be put at the right location. Could we have a hook in Keycloak
>> to load keycloak.json from an external location? Or should we rather do some
>> war exploding magic?
>
> I need to go through Stan's work. I want to be able to configure the
> subsystem from the keycloak admin console without having to create a
> keycloak.json file. I just don't know yet if the subsystem will work on
> AS7.
This will work for the app and Keycloak being deployed on a single server. It does
not solve the SaaS scenario - the keycloak admin console can configure the subsystem of
the current WF(AS) only. Keycloak would need to manage the subsystem of a remote WF - I
doubt this would ever be possible with AS7 on OpenShift, and I think security
concerns about such a setup would not even allow this on WF8.
You can make authenticated HTTP requests to the WF/AS7 admin interface.
Maybe Openshift is disallowing this, but it's certainly not the case
with WF. My understanding is that the new WF admin console will be a
pure HTML 5 application making CORS requests to the admin REST interface
of WF.
What I'm saying is, this will work in the SaaS scenario if Openshift has
not turned off the AS7/WF admin interface.
>
>
>> * AS7-3227 I worked around this by doing parameter injection for
>> SecurityContext in UPS. Nasty. Can we make a newer RESTEasy part of the
>> Keycloak package for AS7? Any better option?
>
> This is a UPS issue, right? The Keycloak WAR bundles its own Resteasy and
> excludes the built-in one.
Well, it is either a keycloak packaging issue or a documentation issue (or the problem
is here in Brno between chair and keyboard). I've added
keycloak-as7-adapter-dist to AS7. The Keycloak WAR was added to a different
cartridge. So, AS7 (UPS) is still using the old RESTEasy 2.x. This will be fixed
if a newer RESTEasy is packaged inside keycloak-as7-adapter-dist instead of the
Keycloak WAR. IIRC this was set up pre alpha-1.
There are two things:
* The keycloak auth-server.war, which is the authentication server
* The adapter zip, which installs "client" modules and is used only for
WF/AS7 instances that want to interact with a Keycloak auth server.
The adapter does not have a dependency on Resteasy, only on Apache HTTP
Client 4.1.x (or higher). The auth-server does have a dependency on
Resteasy.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
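An added example, not code from this thread or from either project, of the OpenShift hook Karel sketches: a build-time script that takes keycloak.json from the git repo and places it in WEB-INF of the exploded UPS WAR, rejecting a config that lacks the adapter's basic keys and keeping the file private since it can carry credentials. The hook location, the `OPENSHIFT_REPO_DIR` variable, the `.openshift/config` path and the WAR name are assumptions about an OpenShift v2 JBoss cartridge.

```shell
#!/bin/sh
# Hypothetical .openshift/action_hooks/build script (example, not the cartridge's own).

# Returns 0 if $1 looks like a usable Keycloak adapter config, 1 otherwise.
# Checks only that the file is non-empty and names the keys the adapter needs.
validate_keycloak_json() {
  f="$1"
  [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
  for key in realm resource auth-server-url; do
    grep -q "\"$key\"" "$f" || { echo "keycloak.json lacks \"$key\"" >&2; return 1; }
  done
  return 0
}

# Copies $1 into WEB-INF of the exploded WAR directory $2.
# Mode 0600: the file may hold the client secret, so only the gear user reads it.
install_keycloak_json() {
  src="$1"; war_dir="$2"
  validate_keycloak_json "$src" || return 1
  [ -d "$war_dir/WEB-INF" ] || { echo "not an exploded WAR: $war_dir" >&2; return 1; }
  install -m 0600 "$src" "$war_dir/WEB-INF/keycloak.json"
}

# When run as a hook on the gear (variable assumed to be set by OpenShift v2):
if [ -n "$OPENSHIFT_REPO_DIR" ]; then
  install_keycloak_json "$OPENSHIFT_REPO_DIR/.openshift/config/keycloak.json" \
    "$OPENSHIFT_REPO_DIR/deployments/ag-push.war"
fi
```

The functions are usable outside the hook too, e.g. to check a keycloak.json before committing it.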