It definitely won't make it for 1.6. I'm just getting started, figuring out the requirements, and figuring out how it will all work.Btv. Stan, is your work going to be added into 1.6 or is it for next release? I am just asking because there is one pending PR, which is likely going to be merged for 1.6 - https://github.com/keycloak/keycloak/pull/1656/files . After merging this, we discussed with Stian some additional minor changes (namely removing "zip" export/import provider as nobody doesn't seem to be using it so far). I should also doublecheck that import still works after those changes.
I am going to look at this likely next week and it's going to be included in 1.6. I am asking as I don't want to edit same code like you and break something you're working on ;-)
Marek
On 05/10/15 20:33, Stan Silvert wrote:
On 10/5/2015 2:26 PM, Thomas Raehalme wrote:
I think there should be no secrets ever downloadable from admin console. Admin console is, by definition, remote.
On Oct 5, 2015 21:24, "Bill Burke" <bburke@redhat.com> wrote:
>
> I'm still averse to allowing export from admin console of any
> credentials or private keys.Even if they are not directly downloadable but require access to the server just like now?
If you have access to the server then you can use what is there now.
It is possible, however, that when we do our CLI implementation we can verify that the user is local and allow full access. That way, you could do full export on a running server. WildFly CLI already has logic to verify a user is local.
>
> On 10/5/2015 2:02 PM, Stan Silvert wrote:
> > I'm actually starting on the design and implementation of this right
> > now. It's import/export from the admin console. It will also have the
> > ability to import/export partial pieces of a realm such as just users.
> >
> > Thanks for the comments so far on this thread. They have been very helpful.
> >
> > We will keep the idea that no secrets should ever be exported from admin
> > console. I'm not sure that having a flag for it in keycloak-server.json
> > helps. To edit keycloak-server.json, you need access to the server, in
> > which case you might as well do the current import/export.
> >
> > So what do you do after you import a user with no credentials? Some ideas:
> > * The administrator can reset the password manually.
> > * The user can do password recovery (if enabled)
> >
> > An other ideas?
> >
> > Stan
> >
> > On 10/5/2015 12:34 PM, Tim Dudgeon wrote:
> >> That's a good point. Having to stop/start the server to generate an
> >> export is not ideal.
> >>
> >> Tim
> >>
> >> On 05/10/2015 11:56, Thomas Raehalme wrote:
> >>>
> >>>
> >>> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke <bburke@redhat.com
> >>> <mailto:bburke@redhat.com>> wrote:
> >>>
> >>> On 10/4/2015 5:37 PM, Thomas Raehalme wrote:
> >>>
> >>>
> >>> On Oct 4, 2015 23:57, "Bill Burke" <bburke@redhat.com
> >>> <mailto:bburke@redhat.com <mailto:bburke@redhat.com>>> wrote:
> >>> >
> >>> > For security reasons we did not want to have a remote
> >>> option to export.
> >>>
> >>>
> >>> How about just storing the export as a local file on the server?
> >>> You'd need access to the server in order to get the file (making the
> >>> system compromised anyways). The change to current behaviour is that
> >>> you would be able to trigger the export at will without server restart.
> >>>
> >>> Best regards,
> >>> Thomas
> >>>
> >>>
> >>> _______________________________________________
> >>> keycloak-user mailing list
> >>> keycloak-user@lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >>
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user@lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user@lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user