I was considering the hot solution regarding the cloud environment
(Openshift) where customer require zero downtime while making a backup for
disaster recovery purpose.
In that case, there will be no data integrity issue and they would be able
to export without stopping their cluster. Actually te only solution we can
to it is to scale down the nodes to 0 which mean stopping all RHSSO pods.
This is way I think that Doswald solution would need the requirement.
Le ven. 7 déc. 2018 à 15:37, Marek Posolda <mposolda(a)redhat.com> a écrit :
On 07/12/2018 14:38, Doswald Alistair wrote:
I’m a bit surprised about a question for Keycloak-export, as I thought
that it was mostly Keycloak-authorization which was of interest.
That being said, I haven’t created a pull request for this feature, no,
though it is available still as an extension on the cloudtrust project
github (the latest release here
works on keycloak 4.6.0.FInal).
When I discussed the matter on the dev mailing list there were concerns
about the following aspects: data integrity, size of transfer and security.
Our position was that security is OK (data transferred over https), but
that size and data integrity could be a concern depending on the use case.
However, from what I understood, there wasn’t really any interest of
bringing the feature to Keycloak.
Yes, the size and data integrity can be a concern and that's the reason
why it's not officially supported to run full export/import in "online"
I know there is a workaround, which defacto allows "hot" export/import in
case that you have cluster environment. When you have 2 Keycloak nodes, you
can stop one of the node and then trigger export/import on that node. But
it's not something to recommend in production due the issues with the
integrity (Data can be changed in the meantime on node1 when export/import
is in progress on node2, which can result in broken data and tricky errors).
If that has changed, I’ll gladly submit a pull request for the code.
*From:* Meissa M'baye Sakho <msakho(a)redhat.com> <msakho(a)redhat.com>
*Sent:* jeudi 6 décembre 2018 16:59
*To:* Doswald Alistair <alistair.doswald(a)elca.ch>
*Cc:* Pedro Igor Silva <psilva(a)redhat.com> <psilva(a)redhat.com>; Marek
Posolda <mposolda(a)redhat.com> <mposolda(a)redhat.com>; keycloak-user
<keycloak-user(a)lists.jboss.org> <keycloak-user(a)lists.jboss.org>; Issa
Gueye - Red Hat <igueye(a)redhat.com> <igueye(a)redhat.com>
*Subject:* Re: [keycloak-user] Keycloak Modules developed for the
Have you created the pull request for the keycloak-export module?
It's a very useful one and I think it could be nice if it becomes fully a
part of keycloak.
Le ven. 17 août 2018 à 14:40, Doswald Alistair <alistair.doswald(a)elca.ch>
a écrit :
I’ve done the PR for the extension page (keycloak-authorization and
keycloak-export), and it’s been accepted. For the client-mapper I’ll see
what’s necessary to be done to have it merged directly into Keycloak.
For the mechanism of keycloak-authorization, I for one would like having
this functionality supported OOTB, whether through our (admittedly not very
sophisticated) system, or another. I received a message from Stian
Thorgersen on the dev mailing (here:
list asking more details about the module, so I’ll at least be discussing
the matter with him.
From: Pedro Igor Silva <psilva(a)redhat.com>
Sent: vendredi 10 août 2018 18:52
To: Marek Posolda <mposolda(a)redhat.com>
Cc: Doswald Alistair <alistair.doswald(a)elca.ch>;
Subject: Re: [keycloak-user] Keycloak Modules developed for the Cloudtrust
Cool stuff ! Thanks for sharing.
I've looked keycloak-authorization very quickly and changes look really
simple, I'm glad to start a discussion about supporting this OOTB. Maybe
this can be part of the review of admin fine-grained permissions we are
On Fri, Aug 10, 2018 at 9:43 AM, Marek Posolda <mposolda(a)redhat.com
Thanks for the heads up!
Keycloak, however we may need automated test and also docs (separate PR
needs to be sent for the docs).
For the keycloak-authorization and keycloak-export (and maybe for
keycloak-client-mappers too if you don't have time for the PR to
upstream), it may be good to send PR to update the extensions page
maybe? It's here: https://www.keycloak.org/extensions.html
. Assuming that those things are generally useful for the other users
from the community (I am not 100% sure about the keycloak-authorization.
Rather leaving to you to decide if it's generally useful or not). The
keycloak-wsfed is already on the extensions page.
On 10/08/18 11:44, Doswald Alistair wrote:
> I just wanted to let this mailing list know that for the Cloudtrust
), we have developed a certain
number modules for Keycloak. These are currently compatible with the
version 3.4.3.Final of Keycloak, but we will make them compatible with
Keycloak 4.X (where X will be the latest sub-version of Keycloak when we
start working on this) as soon as we can. These modules are:
> * keycloak-wsfed (https://github.com/cloudtrust/keycloak-wsfed
implementation of the WS-Federation protocol for keycloak. This allows to
select the WS-Federation protocol for Keycloak clients and for identity
> * keycloak-authorization (
): this module allows
the use of the client authorization system to prevent a user which is
authenticated in a Keycloak realm to access a given client. It works no
matter which protocol is used, and without the client having to support any
extra protocol. Note: this solution is a bit hacky, but necessary for one
of our use-cases.
> * keycloak-client-mappers (
): a module for
adding any mappers that we might need that are not yet part of Keycloak.
script mapper. I've noticed that there's an open issue for this feature (
). If desirable I could
submit this code not as a module but a solution to the issue.
> * keycloak-export (https://github.com/cloudtrust/keycloak-export
module adding an endpoint to fully export a realm while Keycloak is still
running (no need for restarts!).
> PS: I'm mailing this both dev and user mailing lists as I believe it may
interest members of both mailing lists
> keycloak-user mailing list
keycloak-user mailing list
keycloak-user mailing list