Re: [keycloak-user] Realm Export in Clustered Environment
On 11/04/16 15:35, Josh Cain wrote:
Hi All,
We're looking to take nightly realm backups of a clustered Keycloak
deployment via the realm export feature. However, in reading through
the docs
<http://keycloak.github.io/docs/userguide/keycloak-server/html/export-impo...;,
I came across this statement:
The fact it's done at server startup means that no-one can access
Keycloak UI or REST endpoints and edit Keycloak database on the fly
when export or import is in progress. Otherwise it could lead to
inconsistent results.
What are the implications for this in a clustered environment? We
were planning to take a single server down and use it for realm
export. Will this operation be reliable with other servers running?
Depends on
which level of consistency you want to achieve. In theory, it
might not be so bad. But note that in your case, the node2 will be doing
export when node1 will still receive requests from users. This can lead
to possible inconsistencies.
For example, some user decided that he don't trust facebook login, so
he is going to set password instead of facebook link. So he will do
these actions quickly in account management:
- Set his password in account mgmt page
- Remove link to facebook
Assuming the export will be in progress, it can happen that user will be
exported without password and also without federationLinks, so after
reimport he won't be able to login anymore.
Marek
Josh Cain | Software Applications Engineer
/Identity and Access Management/
*Red Hat*
+1 843-737-1735
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
Attachments:
- attachment.html (text/html — 3.4 KB)