2:19 a.m.
I propose we add an attribute 'kc_internal' to internal clients
(security-admin-console, master-realm, account, broker) and hide these from the clients
table.
We should also do this to internal roles 'admin' and 'create-realm' so
these roles are not displayed in realm roles list. They would only be hidden from this
page, but still be visible in user role mapping, scope mappings and default roles.
6:39 a.m.
Please keep at least 'account' client visible. I can imagine usecases
when KC admin wants to disable it.
Also it will be hard to find correct URL of the account management app
if it will be hidden.
Cheers
Vl.
On 10.6.2015 09:19, Stian Thorgersen wrote:
I propose we add an attribute 'kc_internal' to internal
clients (security-admin-console, master-realm, account, broker) and hide these from the
clients table.
We should also do this to internal roles 'admin' and 'create-realm' so
these roles are not displayed in realm roles list. They would only be hidden from this
page, but still be visible in user role mapping, scope mappings and default roles.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Vlastimil Elias
Principal Software Engineer
jboss.org Development Team
8:46 a.m.
I am like 50/50 . I can imagine this has some advantages as people won't
be easily able to delete system clients/roles and break their keycloak
server.
On the other hand, when I am admin, I might be confused why some roles
are not in the roles list, but are in default roles list etc? Also if
someone really knows what he is doing, this might be unwanted
restriction - for example people may want to add more composite roles
into "admin" role or they want to disable account client as Vlasta
pointed etc.
Marek
On 10.6.2015 09:19, Stian Thorgersen wrote:
I propose we add an attribute 'kc_internal' to internal
clients (security-admin-console, master-realm, account, broker) and hide these from the
clients table.
We should also do this to internal roles 'admin' and 'create-realm' so
these roles are not displayed in realm roles list. They would only be hidden from this
page, but still be visible in user role mapping, scope mappings and default roles.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
8:48 a.m.
Maybe by default we hide them, but have an option to view?
Disabling account client is probably better done with a realm option than removing the
client though.
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>, "keycloak dev"
<keycloak-dev(a)lists.jboss.org>
Sent: Wednesday, 10 June, 2015 3:46:23 PM
Subject: Re: [keycloak-dev] Hide internal clients and roles
I am like 50/50 . I can imagine this has some advantages as people won't
be easily able to delete system clients/roles and break their keycloak
server.
On the other hand, when I am admin, I might be confused why some roles
are not in the roles list, but are in default roles list etc? Also if
someone really knows what he is doing, this might be unwanted
restriction - for example people may want to add more composite roles
into "admin" role or they want to disable account client as Vlasta
pointed etc.
Marek
On 10.6.2015 09:19, Stian Thorgersen wrote:
> I propose we add an attribute 'kc_internal' to internal clients
> (security-admin-console, master-realm, account, broker) and hide these
> from the clients table.
>
> We should also do this to internal roles 'admin' and 'create-realm'
so
> these roles are not displayed in realm roles list. They would only be
> hidden from this page, but still be visible in user role mapping, scope
> mappings and default roles.
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
8:56 a.m.
On 10.6.2015 15:48, Stian Thorgersen wrote:
Maybe by default we hide them, but have an option to view?
yeah. Or display them in the list, but with some different color/flag
and when someone click on it, it will display some confirmation dialog
with "You are trying to access internal client. Are you sure you know
what are doing?" or something like that. But I am not sure about the
usability of this though...
Marek
Disabling account client is probably better done with a realm option than removing the
client though.
----- Original Message -----
> From: "Marek Posolda" <mposolda(a)redhat.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>, "keycloak dev"
<keycloak-dev(a)lists.jboss.org>
> Sent: Wednesday, 10 June, 2015 3:46:23 PM
> Subject: Re: [keycloak-dev] Hide internal clients and roles
>
> I am like 50/50 . I can imagine this has some advantages as people won't
> be easily able to delete system clients/roles and break their keycloak
> server.
>
> On the other hand, when I am admin, I might be confused why some roles
> are not in the roles list, but are in default roles list etc? Also if
> someone really knows what he is doing, this might be unwanted
> restriction - for example people may want to add more composite roles
> into "admin" role or they want to disable account client as Vlasta
> pointed etc.
>
> Marek
>
> On 10.6.2015 09:19, Stian Thorgersen wrote:
>> I propose we add an attribute 'kc_internal' to internal clients
>> (security-admin-console, master-realm, account, broker) and hide these
>> from the clients table.
>>
>> We should also do this to internal roles 'admin' and
'create-realm' so
>> these roles are not displayed in realm roles list. They would only be
>> hidden from this page, but still be visible in user role mapping, scope
>> mappings and default roles.
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
9:02 a.m.
I think we should make the console easier to use for regular users so I reckon we should
not display them by default, then have an option to view them for advanced users.
This would also allow us to have a "Blank Slate" page when a user installs a new
server or creates a new realm. In this case instead of showing an empty table we can show
a piece of text that describes what clients are, etc. This was one of the recommendations
we got from UXC guys (see https://www.patternfly.org/patterns/blank-slate/)
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
Sent: Wednesday, 10 June, 2015 3:56:36 PM
Subject: Re: [keycloak-dev] Hide internal clients and roles
On 10.6.2015 15:48, Stian Thorgersen wrote:
> Maybe by default we hide them, but have an option to view?
yeah. Or display them in the list, but with some different color/flag
and when someone click on it, it will display some confirmation dialog
with "You are trying to access internal client. Are you sure you know
what are doing?" or something like that. But I am not sure about the
usability of this though...
Marek
>
> Disabling account client is probably better done with a realm option than
> removing the client though.
>
> ----- Original Message -----
>> From: "Marek Posolda" <mposolda(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>, "keycloak
dev"
>> <keycloak-dev(a)lists.jboss.org>
>> Sent: Wednesday, 10 June, 2015 3:46:23 PM
>> Subject: Re: [keycloak-dev] Hide internal clients and roles
>>
>> I am like 50/50 . I can imagine this has some advantages as people won't
>> be easily able to delete system clients/roles and break their keycloak
>> server.
>>
>> On the other hand, when I am admin, I might be confused why some roles
>> are not in the roles list, but are in default roles list etc? Also if
>> someone really knows what he is doing, this might be unwanted
>> restriction - for example people may want to add more composite roles
>> into "admin" role or they want to disable account client as Vlasta
>> pointed etc.
>>
>> Marek
>>
>> On 10.6.2015 09:19, Stian Thorgersen wrote:
>>> I propose we add an attribute 'kc_internal' to internal clients
>>> (security-admin-console, master-realm, account, broker) and hide these
>>> from the clients table.
>>>
>>> We should also do this to internal roles 'admin' and
'create-realm' so
>>> these roles are not displayed in realm roles list. They would only be
>>> hidden from this page, but still be visible in user role mapping, scope
>>> mappings and default roles.
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
9:07 a.m.
+1
On 10.6.2015 16:02, Stian Thorgersen wrote:
I think we should make the console easier to use for regular users so
I reckon we should not display them by default, then have an option to view them for
advanced users.
This would also allow us to have a "Blank Slate" page when a user installs a
new server or creates a new realm. In this case instead of showing an empty table we can
show a piece of text that describes what clients are, etc. This was one of the
recommendations we got from UXC guys (see
https://www.patternfly.org/patterns/blank-slate/)
----- Original Message -----
> From: "Marek Posolda" <mposolda(a)redhat.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
> Sent: Wednesday, 10 June, 2015 3:56:36 PM
> Subject: Re: [keycloak-dev] Hide internal clients and roles
>
> On 10.6.2015 15:48, Stian Thorgersen wrote:
>> Maybe by default we hide them, but have an option to view?
> yeah. Or display them in the list, but with some different color/flag
> and when someone click on it, it will display some confirmation dialog
> with "You are trying to access internal client. Are you sure you know
> what are doing?" or something like that. But I am not sure about the
> usability of this though...
>
> Marek
>> Disabling account client is probably better done with a realm option than
>> removing the client though.
>>
>> ----- Original Message -----
>>> From: "Marek Posolda" <mposolda(a)redhat.com>
>>> To: "Stian Thorgersen" <stian(a)redhat.com>, "keycloak
dev"
>>> <keycloak-dev(a)lists.jboss.org>
>>> Sent: Wednesday, 10 June, 2015 3:46:23 PM
>>> Subject: Re: [keycloak-dev] Hide internal clients and roles
>>>
>>> I am like 50/50 . I can imagine this has some advantages as people won't
>>> be easily able to delete system clients/roles and break their keycloak
>>> server.
>>>
>>> On the other hand, when I am admin, I might be confused why some roles
>>> are not in the roles list, but are in default roles list etc? Also if
>>> someone really knows what he is doing, this might be unwanted
>>> restriction - for example people may want to add more composite roles
>>> into "admin" role or they want to disable account client as Vlasta
>>> pointed etc.
>>>
>>> Marek
>>>
>>> On 10.6.2015 09:19, Stian Thorgersen wrote:
>>>> I propose we add an attribute 'kc_internal' to internal clients
>>>> (security-admin-console, master-realm, account, broker) and hide these
>>>> from the clients table.
>>>>
>>>> We should also do this to internal roles 'admin' and
'create-realm' so
>>>> these roles are not displayed in realm roles list. They would only be
>>>> hidden from this page, but still be visible in user role mapping, scope
>>>> mappings and default roles.
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
9:08 a.m.
I think security-admin-console and realm-management should be merged in
non-Master realms. In master realm, rename everything to
<realm>-security-admin-console. Finally, an internal role or client
would not be able to be deleted.
I don't think you should hide any roles ever. I don't see why you would
want to. I do think you should make internal clients and roles unremovable.
On 6/10/2015 9:46 AM, Marek Posolda wrote:
I am like 50/50 . I can imagine this has some advantages as people
won't
be easily able to delete system clients/roles and break their keycloak
server.
On the other hand, when I am admin, I might be confused why some roles
are not in the roles list, but are in default roles list etc? Also if
someone really knows what he is doing, this might be unwanted
restriction - for example people may want to add more composite roles
into "admin" role or they want to disable account client as Vlasta
pointed etc.
Marek
On 10.6.2015 09:19, Stian Thorgersen wrote:
> I propose we add an attribute 'kc_internal' to internal clients
(security-admin-console, master-realm, account, broker) and hide these from the clients
table.
>
> We should also do this to internal roles 'admin' and 'create-realm'
so these roles are not displayed in realm roles list. They would only be hidden from this
page, but still be visible in user role mapping, scope mappings and default roles.
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9:15 a.m.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Wednesday, 10 June, 2015 4:08:16 PM
Subject: Re: [keycloak-dev] Hide internal clients and roles
I think security-admin-console and realm-management should be merged in
non-Master realms. In master realm, rename everything to
<realm>-security-admin-console. Finally, an internal role or client
would not be able to be deleted.
I don't think you should hide any roles ever. I don't see why you would
want to. I do think you should make internal clients and roles unremovable.
Hiding the internal realm roles would enable a "blank slate" page on the realm
roles list. Alternatively, and I actually think this is a better idea, is to make the
admin and create-realm roles roles of the master-security-admin-console realm rather than
realm roles. In that case all we need is "internal" clients and an option to
view/hide them on the clients list.
Which one is it btw "an internal role or client would not be able to be deleted"
or "I do think you should make internal clients and roles unremovable"?
On 6/10/2015 9:46 AM, Marek Posolda wrote:
> I am like 50/50 . I can imagine this has some advantages as people won't
> be easily able to delete system clients/roles and break their keycloak
> server.
>
> On the other hand, when I am admin, I might be confused why some roles
> are not in the roles list, but are in default roles list etc? Also if
> someone really knows what he is doing, this might be unwanted
> restriction - for example people may want to add more composite roles
> into "admin" role or they want to disable account client as Vlasta
> pointed etc.
>
> Marek
>
> On 10.6.2015 09:19, Stian Thorgersen wrote:
>> I propose we add an attribute 'kc_internal' to internal clients
>> (security-admin-console, master-realm, account, broker) and hide these
>> from the clients table.
>>
>> We should also do this to internal roles 'admin' and
'create-realm' so
>> these roles are not displayed in realm roles list. They would only be
>> hidden from this page, but still be visible in user role mapping, scope
>> mappings and default roles.
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
9:34 a.m.
On 6/10/2015 10:15 AM, Stian Thorgersen wrote:
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Wednesday, 10 June, 2015 4:08:16 PM
> Subject: Re: [keycloak-dev] Hide internal clients and roles
>
> I think security-admin-console and realm-management should be merged in
> non-Master realms. In master realm, rename everything to
> <realm>-security-admin-console. Finally, an internal role or client
> would not be able to be deleted.
>
> I don't think you should hide any roles ever. I don't see why you would
> want to. I do think you should make internal clients and roles unremovable.
Hiding the internal realm roles would enable a "blank slate" page on the realm
roles list. Alternatively, and I actually think this is a better idea, is to make the
admin and create-realm roles roles of the master-security-admin-console realm rather than
realm roles. In that case all we need is "internal" clients and an option to
view/hide them on the clients list.
Which one is it btw "an internal role or client would not be able to be
deleted" or "I do think you should make internal clients and roles
unremovable"?
I'm not sure I understand what you are saying here. I think
I agree
with Bill on this one.
First principle is that you should never be able to do something from
the UI that cripples the operation of the system. But what applies to
the UI also applies to the API. Operations like deleting the admin user
or deleting the admin role should be forbidden at both the UI and the
API level.
I don't understand how hiding things helps the user. Instead, keep them
visible and thus encourage the user to learn about them.
>
>
> On 6/10/2015 9:46 AM, Marek Posolda wrote:
>> I am like 50/50 . I can imagine this has some advantages as people won't
>> be easily able to delete system clients/roles and break their keycloak
>> server.
>>
>> On the other hand, when I am admin, I might be confused why some roles
>> are not in the roles list, but are in default roles list etc? Also if
>> someone really knows what he is doing, this might be unwanted
>> restriction - for example people may want to add more composite roles
>> into "admin" role or they want to disable account client as Vlasta
>> pointed etc.
>>
>> Marek
>>
>> On 10.6.2015 09:19, Stian Thorgersen wrote:
>>> I propose we add an attribute 'kc_internal' to internal clients
>>> (security-admin-console, master-realm, account, broker) and hide these
>>> from the clients table.
>>>
>>> We should also do this to internal roles 'admin' and
'create-realm' so
>>> these roles are not displayed in realm roles list. They would only be
>>> hidden from this page, but still be visible in user role mapping, scope
>>> mappings and default roles.
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
9:39 a.m.
On 6/10/2015 10:15 AM, Stian Thorgersen wrote:
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Wednesday, 10 June, 2015 4:08:16 PM
> Subject: Re: [keycloak-dev] Hide internal clients and roles
>
> I think security-admin-console and realm-management should be merged in
> non-Master realms. In master realm, rename everything to
> <realm>-security-admin-console. Finally, an internal role or client
> would not be able to be deleted.
>
> I don't think you should hide any roles ever. I don't see why you would
> want to. I do think you should make internal clients and roles unremovable.
Hiding the internal realm roles would enable a "blank slate" page on the realm
roles list. Alternatively, and I actually think this is a better idea, is to make the
admin and create-realm roles roles of the master-security-admin-console realm rather than
realm roles. In that case all we need is "internal" clients and an option to
view/hide them on the clients list.
Do you like the idea of merging security-admin-console and realm-management?
+1 to moving "admin" and "create-realm" to
master-security-admin-console.
The "blank slate" page could be displayed if there is no *non*
internal-clients/roles. There could be a button or link on the Blank
Slate page "View built-in clients" along with "create client". I
don't
know if it is better to have a "hide built-in clients" checkbox on the
client list page, or to just show them by default.
Which one is it btw "an internal role or client would not be
able to be deleted" or "I do think you should make internal clients and roles
unremovable"?
Sorry, I repeated myself without realizing. internal things should not
be deletable or removable, right?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
12:25 p.m.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Wednesday, 10 June, 2015 4:39:11 PM
Subject: Re: [keycloak-dev] Hide internal clients and roles
On 6/10/2015 10:15 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Wednesday, 10 June, 2015 4:08:16 PM
>> Subject: Re: [keycloak-dev] Hide internal clients and roles
>>
>> I think security-admin-console and realm-management should be merged in
>> non-Master realms. In master realm, rename everything to
>> <realm>-security-admin-console. Finally, an internal role or client
>> would not be able to be deleted.
>>
>> I don't think you should hide any roles ever. I don't see why you
would
>> want to. I do think you should make internal clients and roles
>> unremovable.
>
> Hiding the internal realm roles would enable a "blank slate" page on the
> realm roles list. Alternatively, and I actually think this is a better
> idea, is to make the admin and create-realm roles roles of the
> master-security-admin-console realm rather than realm roles. In that case
> all we need is "internal" clients and an option to view/hide them on the
> clients list.
>
Do you like the idea of merging security-admin-console and realm-management?
+1 to moving "admin" and "create-realm" to
master-security-admin-console.
Yep, I think that's cleaner. Maybe just call it 'realm-admin-master'?
The "blank slate" page could be displayed if there is no *non*
internal-clients/roles. There could be a button or link on the Blank
Slate page "View built-in clients" along with "create client". I
don't
know if it is better to have a "hide built-in clients" checkbox on the
client list page, or to just show them by default.
> Which one is it btw "an internal role or client would not be able to be
> deleted" or "I do think you should make internal clients and roles
> unremovable"?
Sorry, I repeated myself without realizing. internal things should not
be deletable or removable, right?
Hehe, I read one wrongly so I thought you where saying they should not be able to delete
and at the same time they should be removable.
I agree - it should not be possible to delete internal stuff.
What about we add an attribute to internal clients so we can show that they are internal
in the client list. Also, we know when to display the clean slate if there's only
internal clients. We can also use the internal attribute to limit options that can be
changed for such clients.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3488
days inactive
3488
days old
11 comments
5 participants
participants (5)
-
Bill Burke -
Marek Posolda -
Stan Silvert -
Stian Thorgersen -
Vlastimil Elias