On 11/04/16 18:30, Josh Cain wrote:
Hi Marek,
So to be clear - we're using this strictly for a configuration backup
(no user data will be exported). And if I'm understanding you
correctly, is it safe to assume that the exports will be clean as long
as no administrators are actively making configuration changes during
the export process?
Hi Josh,
Yes, then I think it should be safe to assume. Despite some corner cases
(For example if you have LDAP, the roles or groups from LDAP might be
synced to the realm database during first login of any user, who is
member of particular role/group. So if this login happens during export,
the new role/groups would be added during export progress too).
Marek
Josh Cain | Software Applications Engineer
/Identity and Access Management/
*Red Hat*
+1 843-737-1735
On Mon, Apr 11, 2016 at 10:46 AM, Marek Posolda <mposolda(a)redhat.com> wrote:
On 11/04/16 15:35, Josh Cain wrote:
> Hi All,
>
> We're looking to take nightly realm backups of a clustered
> Keycloak deployment via the realm export feature. However, in
> reading through the docs
>
> <http://keycloak.github.io/docs/userguide/keycloak-server/html/export-impo...>,
> I came across this statement:
>
> The fact it's done at server startup means that no-one can access
> Keycloak UI or REST endpoints and edit Keycloak database on the
> fly when export or import is in progress. Otherwise it could lead
> to inconsistent results.
>
> What are the implications for this in a clustered environment?
> We were planning to take a single server down and use it for
> realm export. Will this operation be reliable with other servers
> running?
Depends on which level of consistency you want to achieve. In
theory, it might not be so bad. But note that in your case, the
node2 will be doing export when node1 will still receive requests
from users. This can lead to possible inconsistencies.
For example, some user decided that he doesn't trust Facebook
login, so he is going to set a password instead of the Facebook link. So
he will do these actions quickly in account management:
- Set his password in account mgmt page
- Remove link to facebook
Assuming the export will be in progress, it can happen that the user
will be exported without password and also without
federationLinks, so after reimport he won't be able to log in anymore.
Marek
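The inconsistency described in the thread (a user exported with neither a password nor an identity-provider link) can be looked for in an export before it is trusted as a backup. The script below is an added example, not part of the original thread and not Keycloak's own code; it assumes a JSON export (one realm object or a list of them) with a `users` array whose entries use the `credentials`, `federatedIdentities`, `federationLink` and `serviceAccountClientId` fields, and the sample data is constructed.

```python
import json
import sys

# Constructed sample shaped like a realm export. Field names are assumptions
# about the export format; they do not come from the thread.
SAMPLE_EXPORT = json.loads("""
{"realm": "demo", "users": [
  {"username": "alice", "credentials": [{"type": "password"}]},
  {"username": "bob", "federatedIdentities": [{"identityProvider": "facebook"}]},
  {"username": "carol", "credentials": [], "federatedIdentities": []},
  {"username": "dave", "federationLink": "ldap-provider-id"},
  {"username": "service-account-app", "serviceAccountClientId": "app"},
  {"username": "erin", "credentials": [{"type": "otp"}]}
]}
""")

def login_methods(user):
    """Return the ways this exported user record could still authenticate."""
    methods = []
    if any(c.get("type") == "password" for c in user.get("credentials") or []):
        methods.append("password")
    for link in user.get("federatedIdentities") or []:
        methods.append("idp:" + link.get("identityProvider", "?"))
    if user.get("federationLink"):           # e.g. LDAP validates the password
        methods.append("federation")
    if user.get("serviceAccountClientId"):   # authenticates via its client
        methods.append("service-account")
    return methods

def users_without_login(export):
    """List usernames that have no password, IdP link or federation link."""
    realms = export if isinstance(export, list) else [export]
    stranded = []
    for realm in realms:
        for user in realm.get("users") or []:   # config-only exports: no users
            if not login_methods(user):
                stranded.append(user.get("username", "<no username>"))
    return stranded

if __name__ == "__main__":
    data = SAMPLE_EXPORT
    if len(sys.argv) > 1:                        # optional: path to an export
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
    bad = users_without_login(data)
    for name in bad:
        print("no usable login method in export:", name)
    sys.exit(1 if bad else 0)
```

A non-zero exit status lets a nightly backup job reject an export taken while users were changing their credentials. An export that contains no `users` array passes trivially.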