5:55 a.m.
keycloak provides a way to import the definition of a realm as json, but
I can't see any way in the UI to export the definition in the first place.
Am I missing something obvious?
Tim
7:39 a.m.
Hi Tim,
Please have a look a keycloak docs
<http://keycloak.github.io/docs/userguide/html/export-import.html>[1]. I am
not sure if it can be achieved via admin console too but I don't think so.
To export into single JSON file you can use:
bin/standalone.sh -Dkeycloak.migration.action=export
-Dkeycloak.migration.provider=singleFile
-Dkeycloak.migration.file=<FILE TO EXPORT TO>
Here's an example of importing:
bin/standalone.sh -Dkeycloak.migration.action=import
-Dkeycloak.migration.provider=singleFile
-Dkeycloak.migration.file=<FILE TO IMPORT>
-Dkeycloak.migration.strategy=OVERWRITE_EXISTING
[1]http://keycloak.github.io/docs/userguide/html/export-import.html
On Sat, Oct 3, 2015 at 4:25 PM, Tim Dudgeon <tdudgeon.ml(a)gmail.com> wrote:
keycloak provides a way to import the definition of a realm as json,
but
I can't see any way in the UI to export the definition in the first place.
Am I missing something obvious?
Tim
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Giriraj Sharma
about.me/girirajsharma
<http://about.me/girirajsharma?promo=email_sig>
Giriraj Sharma,
Department of Computer Science
National Institute of Technology Hamirpur
Himachal Pradesh, India 177005
4:27 a.m.
Thanks. That looks like what I need.
Tim
On 03/10/2015 13:39, Giriraj Sharma wrote:
Hi Tim,
Please have a look a keycloak docs
<http://keycloak.github.io/docs/userguide/html/export-import.html>[1].
I am not sure if it can be achieved via admin console too but I don't
think so.
To export into single JSON file you can use:
bin/standalone.sh -Dkeycloak.migration.action=export
-Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=<FILE TO EXPORT
TO>
Here's an example of importing:
bin/standalone.sh -Dkeycloak.migration.action=import
-Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=<FILE TO
IMPORT>
-Dkeycloak.migration.strategy=OVERWRITE_EXISTING
[1]http://keycloak.github.io/docs/userguide/html/export-import.html
On Sat, Oct 3, 2015 at 4:25 PM, Tim Dudgeon <tdudgeon.ml(a)gmail.com
<mailto:tdudgeon.ml@gmail.com>> wrote:
keycloak provides a way to import the definition of a realm as
json, but
I can't see any way in the UI to export the definition in the
first place.
Am I missing something obvious?
Tim
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Giriraj Sharma
about.me/girirajsharma
<http://about.me/girirajsharma?promo=email_sig>
Giriraj Sharma,
Department of Computer Science
National Institute of Technology Hamirpur
Himachal Pradesh, India 177005
3:57 p.m.
For security reasons we did not want to have a remote option to export.
On 10/4/2015 5:27 AM, Tim Dudgeon wrote:
Thanks. That looks like what I need.
Tim
On 03/10/2015 13:39, Giriraj Sharma wrote:
> Hi Tim,
>
>
> Please have a look a keycloak docs
> <http://keycloak.github.io/docs/userguide/html/export-import.html>[1].
> I am not sure if it can be achieved via admin console too but I don't
> think so.
>
> To export into single JSON file you can use:
>
>
> bin/standalone.sh -Dkeycloak.migration.action=export
> -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=<FILE TO EXPORT
TO>
>
> Here's an example of importing:
>
> bin/standalone.sh -Dkeycloak.migration.action=import
> -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=<FILE TO
IMPORT>
> -Dkeycloak.migration.strategy=OVERWRITE_EXISTING
> [1]http://keycloak.github.io/docs/userguide/html/export-import.html
>
> On Sat, Oct 3, 2015 at 4:25 PM, Tim Dudgeon <tdudgeon.ml(a)gmail.com
> <mailto:tdudgeon.ml@gmail.com>> wrote:
>
> keycloak provides a way to import the definition of a realm as
> json, but
> I can't see any way in the UI to export the definition in the
> first place.
> Am I missing something obvious?
> Tim
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
> --
> Giriraj Sharma
> about.me/girirajsharma
>
> <http://about.me/girirajsharma?promo=email_sig>
>
> Giriraj Sharma,
> Department of Computer Science
> National Institute of Technology Hamirpur
> Himachal Pradesh, India 177005
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
4:37 p.m.
On Oct 4, 2015 23:57, "Bill Burke" <bburke(a)redhat.com> wrote:
For security reasons we did not want to have a remote option to export.
You can still access all the same information via the admin application,
no? So I wonder if it really improves security...
From admin point of view it would be much easier if it was possible to
export realms.
Best regards,
Thomas
On 10/4/2015 5:27 AM, Tim Dudgeon wrote:
> Thanks. That looks like what I need.
> Tim
>
> On 03/10/2015 13:39, Giriraj Sharma wrote:
>> Hi Tim,
>>
>>
>> Please have a look a keycloak docs
>> <http://keycloak.github.io/docs/userguide/html/export-import.html>[1].
>> I am not sure if it can be achieved via admin console too but I don't
>> think so.
>>
>> To export into single JSON file you can use:
>>
>>
>> bin/standalone.sh -Dkeycloak.migration.action=export
>> -Dkeycloak.migration.provider=singleFile
-Dkeycloak.migration.file=<FILE TO EXPORT TO>
>>
>> Here's an example of importing:
>>
>> bin/standalone.sh -Dkeycloak.migration.action=import
>> -Dkeycloak.migration.provider=singleFile
-Dkeycloak.migration.file=<FILE TO IMPORT>
>> -Dkeycloak.migration.strategy=OVERWRITE_EXISTING
>> [1]http://keycloak.github.io/docs/userguide/html/export-import.html
>>
>> On Sat, Oct 3, 2015 at 4:25 PM, Tim Dudgeon <tdudgeon.ml(a)gmail.com
>> <mailto:tdudgeon.ml@gmail.com>> wrote:
>>
>> keycloak provides a way to import the definition of a realm as
>> json, but
>> I can't see any way in the UI to export the definition in the
>> first place.
>> Am I missing something obvious?
>> Tim
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>>
>> --
>> Giriraj Sharma
>> about.me/girirajsharma
>>
>> <http://about.me/girirajsharma?promo=email_sig>
>>
>> Giriraj Sharma,
>> Department of Computer Science
>> National Institute of Technology Hamirpur
>> Himachal Pradesh, India 177005
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
6:47 p.m.
On 10/4/2015 5:37 PM, Thomas Raehalme wrote:
On Oct 4, 2015 23:57, "Bill Burke" <bburke(a)redhat.com
<mailto:bburke@redhat.com>> wrote:
>
> For security reasons we did not want to have a remote option to export.
You can still access all the same information via the admin application,
no? So I wonder if it really improves security...
You can't view user credentials from admin console. Nor can you view
realm's private keys or secrets.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
11:30 p.m.
On Oct 5, 2015 2:47 AM, "Bill Burke" <bburke(a)redhat.com> wrote:
On 10/4/2015 5:37 PM, Thomas Raehalme wrote:
>
>
> On Oct 4, 2015 23:57, "Bill Burke" <bburke(a)redhat.com
> <mailto:bburke@redhat.com>> wrote:
> >
> > For security reasons we did not want to have a remote option to
export.
>
> You can still access all the same information via the admin application,
> no? So I wonder if it really improves security...
>
You can't view user credentials from admin console. Nor can you view
realm's private keys or secrets.
Ah, that's true, it's only the public key for the realm. You're right,
I'm
sorry for the confusion.
Best regards,
Thomas
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
5:56 a.m.
On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke <bburke(a)redhat.com> wrote:
On 10/4/2015 5:37 PM, Thomas Raehalme wrote:
>
> On Oct 4, 2015 23:57, "Bill Burke" <bburke(a)redhat.com
> <mailto:bburke@redhat.com>> wrote:
> >
> > For security reasons we did not want to have a remote option to export.
>
>
How about just storing the export as a local file on the server? You'd
need
access to the server in order to get the file (making the system
compromised anyways). The change to current behaviour is that you would be
able to trigger the export at will without server restart.
Best regards,
Thomas
10:36 a.m.
It would be helpful to be able to export the realm from the admin console, but I
understand the security risk and I wouldn’t want this enabled in production.
I’d say if you do end up adding a remote export option, it should be enabled in
keycloak-server.json with the value set to disabled by default.
Scott Rossillo
Smartling | Senior Software Engineer
srossillo(a)smartling.com
<https://app.sigstr.com/uc/55e5d41c6533390d03580000>
<http://www.sigstr.com/>
On Oct 5, 2015, at 6:56 AM, Thomas Raehalme
<thomas.raehalme(a)aitiofinland.com> wrote:
On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke <bburke(a)redhat.com
<mailto:bburke@redhat.com>> wrote:
On 10/4/2015 5:37 PM, Thomas Raehalme wrote:
On Oct 4, 2015 23:57, "Bill Burke" <bburke(a)redhat.com
<mailto:bburke@redhat.com>
<mailto:bburke@redhat.com <mailto:bburke@redhat.com>>> wrote:
>
> For security reasons we did not want to have a remote option to export.
How about just storing the export as a local file on the server? You'd need access to
the server in order to get the file (making the system compromised anyways). The change to
current behaviour is that you would be able to trigger the export at will without server
restart.
Best regards,
Thomas
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
11:34 a.m.
That's a good point. Having to stop/start the server to generate an
export is not ideal.
Tim
On 05/10/2015 11:56, Thomas Raehalme wrote:
On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke <bburke(a)redhat.com
<mailto:bburke@redhat.com>> wrote:
On 10/4/2015 5:37 PM, Thomas Raehalme wrote:
On Oct 4, 2015 23:57, "Bill Burke" <bburke(a)redhat.com
<mailto:bburke@redhat.com>
<mailto:bburke@redhat.com <mailto:bburke@redhat.com>>> wrote:
>
> For security reasons we did not want to have a remote
option to export.
How about just storing the export as a local file on the server? You'd
need access to the server in order to get the file (making the system
compromised anyways). The change to current behaviour is that you
would be able to trigger the export at will without server restart.
Best regards,
Thomas
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
1:02 p.m.
I'm actually starting on the design and implementation of this right
now. It's import/export from the admin console. It will also have the
ability to import/export partial pieces of a realm such as just users.
Thanks for the comments so far on this thread. They have been very helpful.
We will keep the idea that no secrets should ever be exported from admin
console. I'm not sure that having a flag for it in keycloak-server.json
helps. To edit keycloak-server.json, you need access to the server, in
which case you might as well do the current import/export.
So what do you do after you import a user with no credentials? Some ideas:
* The administrator can reset the password manually.
* The user can do password recovery (if enabled)
An other ideas?
Stan
On 10/5/2015 12:34 PM, Tim Dudgeon wrote:
That's a good point. Having to stop/start the server to generate
an
export is not ideal.
Tim
On 05/10/2015 11:56, Thomas Raehalme wrote:
>
>
> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke <bburke(a)redhat.com
> <mailto:bburke@redhat.com>> wrote:
>
> On 10/4/2015 5:37 PM, Thomas Raehalme wrote:
>
>
> On Oct 4, 2015 23:57, "Bill Burke" <bburke(a)redhat.com
> <mailto:bburke@redhat.com <mailto:bburke@redhat.com>>> wrote:
> >
> > For security reasons we did not want to have a remote
> option to export.
>
>
> How about just storing the export as a local file on the server?
> You'd need access to the server in order to get the file (making the
> system compromised anyways). The change to current behaviour is that
> you would be able to trigger the export at will without server restart.
>
> Best regards,
> Thomas
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
1:09 p.m.
On Oct 5, 2015 21:03, "Stan Silvert" <ssilvert(a)redhat.com> wrote:
I'm actually starting on the design and implementation of this right
now.
It's import/export from the admin console. It will also have the
ability to import/export partial pieces of a realm such as just users.
Thanks for the comments so far on this thread. They have been very
helpful.
We will keep the idea that no secrets should ever be exported from admin
console.
I'm not sure that having a flag for it in keycloak-server.json
helps. To edit keycloak-server.json, you need access to the server, in
which case you might as well do the current import/export.
So what do you do after you import a user with no credentials? Some
ideas:
* The administrator can reset the password manually.
* The user can do password recovery (if enabled)
An other ideas?
It'd be helpful if one could use exported realms as a template allowing you
to overwrite some properties such as the realm name when importing. I know
you can do it manually by editing the file which is why I haven't suggested
it earlier. Also allowing you to control with toggles whether to keep or
regenerate keys and secrets would be useful.
Best regards,
Thomas
Stan
On 10/5/2015 12:34 PM, Tim Dudgeon wrote:
>
> That's a good point. Having to stop/start the server to generate an
export
is not ideal.
>
> Tim
>
> On 05/10/2015 11:56, Thomas Raehalme wrote:
>>
>>
>>
>> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke <bburke(a)redhat.com> wrote:
>>>
>>> On 10/4/2015 5:37 PM, Thomas Raehalme wrote:
>>>>
>>>>
>>>> On Oct 4, 2015 23:57, "Bill Burke" <bburke(a)redhat.com
>>>> <mailto:bburke@redhat.com>> wrote:
>>>> >
>>>> > For security reasons we did not want to have a remote option to
export.
>>>>
>>
>> How about just storing the export as a local file on the server? You'd
need access to the server in order to get the file (making the system
compromised anyways). The change to current behaviour is that you would be
able to trigger the export at will without server restart.
>>
>> Best regards,
>> Thomas
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
1:24 p.m.
I'm still averse to allowing export from admin console of any
credentials or private keys.
On 10/5/2015 2:02 PM, Stan Silvert wrote:
I'm actually starting on the design and implementation of this
right
now. It's import/export from the admin console. It will also have the
ability to import/export partial pieces of a realm such as just users.
Thanks for the comments so far on this thread. They have been very helpful.
We will keep the idea that no secrets should ever be exported from admin
console. I'm not sure that having a flag for it in keycloak-server.json
helps. To edit keycloak-server.json, you need access to the server, in
which case you might as well do the current import/export.
So what do you do after you import a user with no credentials? Some ideas:
* The administrator can reset the password manually.
* The user can do password recovery (if enabled)
An other ideas?
Stan
On 10/5/2015 12:34 PM, Tim Dudgeon wrote:
> That's a good point. Having to stop/start the server to generate an
> export is not ideal.
>
> Tim
>
> On 05/10/2015 11:56, Thomas Raehalme wrote:
>>
>>
>> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke <bburke(a)redhat.com
>> <mailto:bburke@redhat.com>> wrote:
>>
>> On 10/4/2015 5:37 PM, Thomas Raehalme wrote:
>>
>>
>> On Oct 4, 2015 23:57, "Bill Burke" <bburke(a)redhat.com
>> <mailto:bburke@redhat.com <mailto:bburke@redhat.com>>>
wrote:
>> >
>> > For security reasons we did not want to have a remote
>> option to export.
>>
>>
>> How about just storing the export as a local file on the server?
>> You'd need access to the server in order to get the file (making the
>> system compromised anyways). The change to current behaviour is that
>> you would be able to trigger the export at will without server restart.
>>
>> Best regards,
>> Thomas
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
1:26 p.m.
On Oct 5, 2015 21:24, "Bill Burke" <bburke(a)redhat.com> wrote:
I'm still averse to allowing export from admin console of any
credentials or private keys.
Even if they are not directly downloadable but require access to the server
just like now?
On 10/5/2015 2:02 PM, Stan Silvert wrote:
> I'm actually starting on the design and implementation of this right
> now. It's import/export from the admin console. It will also have the
> ability to import/export partial pieces of a realm such as just users.
>
> Thanks for the comments so far on this thread. They have been very
helpful.
>
> We will keep the idea that no secrets should ever be exported from admin
> console. I'm not sure that having a flag for it in keycloak-server.json
> helps. To edit keycloak-server.json, you need access to the server, in
> which case you might as well do the current import/export.
>
> So what do you do after you import a user with no credentials? Some
ideas:
> * The administrator can reset the password manually.
> * The user can do password recovery (if enabled)
>
> An other ideas?
>
> Stan
>
> On 10/5/2015 12:34 PM, Tim Dudgeon wrote:
>> That's a good point. Having to stop/start the server to generate an
>> export is not ideal.
>>
>> Tim
>>
>> On 05/10/2015 11:56, Thomas Raehalme wrote:
>>>
>>>
>>> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke <bburke(a)redhat.com
>>> <mailto:bburke@redhat.com>> wrote:
>>>
>>> On 10/4/2015 5:37 PM, Thomas Raehalme wrote:
>>>
>>>
>>> On Oct 4, 2015 23:57, "Bill Burke" <bburke(a)redhat.com
>>> <mailto:bburke@redhat.com
<mailto:bburke@redhat.com>>> wrote:
>>> >
>>> > For security reasons we did not want to have a remote
>>> option to export.
>>>
>>>
>>> How about just storing the export as a local file on the server?
>>> You'd need access to the server in order to get the file (making the
>>> system compromised anyways). The change to current behaviour is that
>>> you would be able to trigger the export at will without server
restart.
>>>
>>> Best regards,
>>> Thomas
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
1:33 p.m.
On 10/5/2015 2:26 PM, Thomas Raehalme wrote:
On Oct 5, 2015 21:24, "Bill Burke" <bburke(a)redhat.com
<mailto:bburke@redhat.com>> wrote:
>
> I'm still averse to allowing export from admin console of any
> credentials or private keys.
Even if they are not directly downloadable but require access to the
server just like now?
I think there should be no secrets ever downloadable from admin
console. Admin console is, by definition, remote.
If you have access to the server then you can use what is there now.
It is possible, however, that when we do our CLI implementation we can
verify that the user is local and allow full access. That way, you
could do full export on a running server. WildFly CLI already has logic
to verify a user is local.
>
> On 10/5/2015 2:02 PM, Stan Silvert wrote:
> > I'm actually starting on the design and implementation of this right
> > now. It's import/export from the admin console. It will also
have the
> > ability to import/export partial pieces of a realm such as just users.
> >
> > Thanks for the comments so far on this thread. They have been
very helpful.
> >
> > We will keep the idea that no secrets should ever be exported from
admin
> > console. I'm not sure that having a flag for it in
keycloak-server.json
> > helps. To edit keycloak-server.json, you need access to the
server, in
> > which case you might as well do the current import/export.
> >
> > So what do you do after you import a user with no credentials?
Some ideas:
> > * The administrator can reset the password manually.
> > * The user can do password recovery (if enabled)
> >
> > An other ideas?
> >
> > Stan
> >
> > On 10/5/2015 12:34 PM, Tim Dudgeon wrote:
> >> That's a good point. Having to stop/start the server to generate an
> >> export is not ideal.
> >>
> >> Tim
> >>
> >> On 05/10/2015 11:56, Thomas Raehalme wrote:
> >>>
> >>>
> >>> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke <bburke(a)redhat.com
<mailto:bburke@redhat.com>
> >>> <mailto:bburke@redhat.com <mailto:bburke@redhat.com>>>
wrote:
> >>>
> >>> On 10/4/2015 5:37 PM, Thomas Raehalme wrote:
> >>>
> >>>
> >>> On Oct 4, 2015 23:57, "Bill Burke"
<bburke(a)redhat.com
<mailto:bburke@redhat.com>
> >>> <mailto:bburke@redhat.com <mailto:bburke@redhat.com>
<mailto:bburke@redhat.com <mailto:bburke@redhat.com>>>> wrote:
> >>> >
> >>> > For security reasons we did not want to have a remote
> >>> option to export.
> >>>
> >>>
> >>> How about just storing the export as a local file on the server?
> >>> You'd need access to the server in order to get the file (making
the
> >>> system compromised anyways). The change to current behaviour is that
> >>> you would be able to trigger the export at will without server
restart.
> >>>
> >>> Best regards,
> >>> Thomas
> >>>
> >>>
> >>> _______________________________________________
> >>> keycloak-user mailing list
> >>> keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >>
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
1:37 p.m.
On Oct 5, 2015 21:33, "Stan Silvert" <ssilvert(a)redhat.com> wrote:
On 10/5/2015 2:26 PM, Thomas Raehalme wrote:
>
>
> On Oct 5, 2015 21:24, "Bill Burke" <bburke(a)redhat.com> wrote:
> >
> > I'm still averse to allowing export from admin console of any
> > credentials or private keys.
>
> Even if they are not directly downloadable but require access to the
server
just like now?
I think there should be no secrets ever downloadable from admin console.
Admin
console is, by definition, remote.
If you have access to the server then you can use what is there now.
It is possible, however, that when we do our CLI implementation we can
verify that
the user is local and allow full access. That way, you could
do full export on a running server. WildFly CLI already has logic to
verify a user is local.
I guess that would be equal in terms of functionality, you just start the
export from the CLI instead of from the admin console.
>
> >
> > On 10/5/2015 2:02 PM, Stan Silvert wrote:
> > > I'm actually starting on the design and implementation of this right
> > > now. It's import/export from the admin console. It will also have
the
> > > ability to import/export partial pieces of a realm such
as just
users.
> > >
> > > Thanks for the comments so far on this thread. They have been very
helpful.
> > >
> > > We will keep the idea that no secrets should ever be exported from
admin
> > > console. I'm not sure that having a flag for it in
keycloak-server.json
> > > helps. To edit keycloak-server.json, you need access
to the server,
in
> > > which case you might as well do the current
import/export.
> > >
> > > So what do you do after you import a user with no credentials? Some
ideas:
> > > * The administrator can reset the password manually.
> > > * The user can do password recovery (if enabled)
> > >
> > > An other ideas?
> > >
> > > Stan
> > >
> > > On 10/5/2015 12:34 PM, Tim Dudgeon wrote:
> > >> That's a good point. Having to stop/start the server to generate
an
> > >> export is not ideal.
> > >>
> > >> Tim
> > >>
> > >> On 05/10/2015 11:56, Thomas Raehalme wrote:
> > >>>
> > >>>
> > >>> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke <bburke(a)redhat.com
> > >>> <mailto:bburke@redhat.com>> wrote:
> > >>>
> > >>> On 10/4/2015 5:37 PM, Thomas Raehalme wrote:
> > >>>
> > >>>
> > >>> On Oct 4, 2015 23:57, "Bill Burke"
<bburke(a)redhat.com
> > >>> <mailto:bburke@redhat.com
<mailto:bburke@redhat.com>>>
wrote:
> > >>> >
> > >>> > For security reasons we did not want to have a
remote
> > >>> option to export.
> > >>>
> > >>>
> > >>> How about just storing the export as a local file on the server?
> > >>> You'd need access to the server in order to get the file
(making
the
> > >>> system compromised anyways). The change to
current behaviour is
that
> > >>> you would be able to trigger the export at will
without server
restart.
> > >>>
> > >>> Best regards,
> > >>> Thomas
> > >>>
> > >>>
> > >>> _______________________________________________
> > >>> keycloak-user mailing list
> > >>> keycloak-user(a)lists.jboss.org
> > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >>
> > >>
> > >>
> > >> _______________________________________________
> > >> keycloak-user mailing list
> > >> keycloak-user(a)lists.jboss.org
> > >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> > >
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user(a)lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2:10 p.m.
+1 on not allow remote export from admin console with possibility to
download file . However I am not seeing a problem with allowing export
from admin console as long as the exported file is downloaded to the
server filesystem - either to specified file or directory. As mentioned
by Thomas, the advantage of this is, that you can do export at runtime
without need to restart server.
However there is one tricky with export at runtime, that some user may
do modifications when export is in progress (For example some user
registers himself or changes his stuff in account management). This may
results in broken data/inconsistencies. And that's the main reason why
the export is currently allowed just at the startup when server is not
yet opened for any requests from users. This can be likely handled
somehow - for example with the locking servlet filter, which will block
any requests to server when export is in progress etc.
Another good thing to add might be the "progress" table. This can be
useful when admin has some very large database with million of users and
export can take 10 hours or so. So admin will be able to go to the table
and check the progress of export task (500.000 users already exported,
500.000 users still remaining, expected time to end: 3 hours 30 minutes)
etc. This stuff might be good for other long running tasks in Keycloak
as well (like syncing users from federation provider when you have
million users in LDAP etc)
Marek
On 05/10/15 20:33, Stan Silvert wrote:
On 10/5/2015 2:26 PM, Thomas Raehalme wrote:
>
>
> On Oct 5, 2015 21:24, "Bill Burke" <bburke(a)redhat.com
> <mailto:bburke@redhat.com>> wrote:
> >
> > I'm still averse to allowing export from admin console of any
> > credentials or private keys.
>
> Even if they are not directly downloadable but require access to the
> server just like now?
>
I think there should be no secrets ever downloadable from admin
console. Admin console is, by definition, remote.
If you have access to the server then you can use what is there now.
It is possible, however, that when we do our CLI implementation we can
verify that the user is local and allow full access. That way, you
could do full export on a running server. WildFly CLI already has
logic to verify a user is local.
>
> >
> > On 10/5/2015 2:02 PM, Stan Silvert wrote:
> > > I'm actually starting on the design and implementation of this right
> > > now. It's import/export from the admin console. It will also
> have the
> > > ability to import/export partial pieces of a realm such as just
> users.
> > >
> > > Thanks for the comments so far on this thread. They have been
> very helpful.
> > >
> > > We will keep the idea that no secrets should ever be exported
> from admin
> > > console. I'm not sure that having a flag for it in
> keycloak-server.json
> > > helps. To edit keycloak-server.json, you need access to the
> server, in
> > > which case you might as well do the current import/export.
> > >
> > > So what do you do after you import a user with no credentials?
> Some ideas:
> > > * The administrator can reset the password manually.
> > > * The user can do password recovery (if enabled)
> > >
> > > An other ideas?
> > >
> > > Stan
> > >
> > > On 10/5/2015 12:34 PM, Tim Dudgeon wrote:
> > >> That's a good point. Having to stop/start the server to generate
an
> > >> export is not ideal.
> > >>
> > >> Tim
> > >>
> > >> On 05/10/2015 11:56, Thomas Raehalme wrote:
> > >>>
> > >>>
> > >>> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke <bburke(a)redhat.com
> <mailto:bburke@redhat.com>
> > >>> <mailto:bburke@redhat.com
<mailto:bburke@redhat.com>>> wrote:
> > >>>
> > >>> On 10/4/2015 5:37 PM, Thomas Raehalme wrote:
> > >>>
> > >>>
> > >>> On Oct 4, 2015 23:57, "Bill Burke"
<bburke(a)redhat.com
> <mailto:bburke@redhat.com>
> > >>> <mailto:bburke@redhat.com
<mailto:bburke@redhat.com>
> <mailto:bburke@redhat.com <mailto:bburke@redhat.com>>>> wrote:
> > >>> >
> > >>> > For security reasons we did not want to have a
remote
> > >>> option to export.
> > >>>
> > >>>
> > >>> How about just storing the export as a local file on the server?
> > >>> You'd need access to the server in order to get the file
> (making the
> > >>> system compromised anyways). The change to current behaviour is
> that
> > >>> you would be able to trigger the export at will without server
> restart.
> > >>>
> > >>> Best regards,
> > >>> Thomas
> > >>>
> > >>>
> > >>> _______________________________________________
> > >>> keycloak-user mailing list
> > >>> keycloak-user(a)lists.jboss.org
> <mailto:keycloak-user@lists.jboss.org>
> > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >>
> > >>
> > >>
> > >> _______________________________________________
> > >> keycloak-user mailing list
> > >> keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
> > >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> > >
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2:18 p.m.
Btv. Stan, is your work going to be added into 1.6 or is it for next
release? I am just asking because there is one pending PR, which is
likely going to be merged for 1.6 -
https://github.com/keycloak/keycloak/pull/1656/files . After merging
this, we discussed with Stian some additional minor changes (namely
removing "zip" export/import provider as nobody doesn't seem to be using
it so far). I should also doublecheck that import still works after
those changes.
I am going to look at this likely next week and it's going to be
included in 1.6. I am asking as I don't want to edit same code like you
and break something you're working on ;-)
Marek
On 05/10/15 20:33, Stan Silvert wrote:
On 10/5/2015 2:26 PM, Thomas Raehalme wrote:
>
>
> On Oct 5, 2015 21:24, "Bill Burke" <bburke(a)redhat.com
> <mailto:bburke@redhat.com>> wrote:
> >
> > I'm still averse to allowing export from admin console of any
> > credentials or private keys.
>
> Even if they are not directly downloadable but require access to the
> server just like now?
>
I think there should be no secrets ever downloadable from admin
console. Admin console is, by definition, remote.
If you have access to the server then you can use what is there now.
It is possible, however, that when we do our CLI implementation we can
verify that the user is local and allow full access. That way, you
could do full export on a running server. WildFly CLI already has
logic to verify a user is local.
>
> >
> > On 10/5/2015 2:02 PM, Stan Silvert wrote:
> > > I'm actually starting on the design and implementation of this right
> > > now. It's import/export from the admin console. It will also
> have the
> > > ability to import/export partial pieces of a realm such as just
> users.
> > >
> > > Thanks for the comments so far on this thread. They have been
> very helpful.
> > >
> > > We will keep the idea that no secrets should ever be exported
> from admin
> > > console. I'm not sure that having a flag for it in
> keycloak-server.json
> > > helps. To edit keycloak-server.json, you need access to the
> server, in
> > > which case you might as well do the current import/export.
> > >
> > > So what do you do after you import a user with no credentials?
> Some ideas:
> > > * The administrator can reset the password manually.
> > > * The user can do password recovery (if enabled)
> > >
> > > An other ideas?
> > >
> > > Stan
> > >
> > > On 10/5/2015 12:34 PM, Tim Dudgeon wrote:
> > >> That's a good point. Having to stop/start the server to generate
an
> > >> export is not ideal.
> > >>
> > >> Tim
> > >>
> > >> On 05/10/2015 11:56, Thomas Raehalme wrote:
> > >>>
> > >>>
> > >>> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke <bburke(a)redhat.com
> <mailto:bburke@redhat.com>
> > >>> <mailto:bburke@redhat.com
<mailto:bburke@redhat.com>>> wrote:
> > >>>
> > >>> On 10/4/2015 5:37 PM, Thomas Raehalme wrote:
> > >>>
> > >>>
> > >>> On Oct 4, 2015 23:57, "Bill Burke"
<bburke(a)redhat.com
> <mailto:bburke@redhat.com>
> > >>> <mailto:bburke@redhat.com
<mailto:bburke@redhat.com>
> <mailto:bburke@redhat.com <mailto:bburke@redhat.com>>>> wrote:
> > >>> >
> > >>> > For security reasons we did not want to have a
remote
> > >>> option to export.
> > >>>
> > >>>
> > >>> How about just storing the export as a local file on the server?
> > >>> You'd need access to the server in order to get the file
> (making the
> > >>> system compromised anyways). The change to current behaviour is
> that
> > >>> you would be able to trigger the export at will without server
> restart.
> > >>>
> > >>> Best regards,
> > >>> Thomas
> > >>>
> > >>>
> > >>> _______________________________________________
> > >>> keycloak-user mailing list
> > >>> keycloak-user(a)lists.jboss.org
> <mailto:keycloak-user@lists.jboss.org>
> > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >>
> > >>
> > >>
> > >> _______________________________________________
> > >> keycloak-user mailing list
> > >> keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
> > >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> > >
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
6:04 a.m.
On 10/5/2015 3:18 PM, Marek Posolda wrote:
Btv. Stan, is your work going to be added into 1.6 or is it for next
release? I am just asking because there is one pending PR, which is
likely going to be merged for 1.6 -
https://github.com/keycloak/keycloak/pull/1656/files . After merging
this, we discussed with Stian some additional minor changes (namely
removing "zip" export/import provider as nobody doesn't seem to be
using it so far). I should also doublecheck that import still works
after those changes.
I am going to look at this likely next week and it's going to be
included in 1.6. I am asking as I don't want to edit same code like
you and break something you're working on ;-)
It definitely won't make it
for 1.6. I'm just getting started, figuring
out the requirements, and figuring out how it will all work.
Marek
On 05/10/15 20:33, Stan Silvert wrote:
> On 10/5/2015 2:26 PM, Thomas Raehalme wrote:
>>
>>
>> On Oct 5, 2015 21:24, "Bill Burke" <bburke(a)redhat.com> wrote:
>> >
>> > I'm still averse to allowing export from admin console of any
>> > credentials or private keys.
>>
>> Even if they are not directly downloadable but require access to the
>> server just like now?
>>
> I think there should be no secrets ever downloadable from admin
> console. Admin console is, by definition, remote.
>
> If you have access to the server then you can use what is there now.
>
> It is possible, however, that when we do our CLI implementation we
> can verify that the user is local and allow full access. That way,
> you could do full export on a running server. WildFly CLI already
> has logic to verify a user is local.
>
>>
>> >
>> > On 10/5/2015 2:02 PM, Stan Silvert wrote:
>> > > I'm actually starting on the design and implementation of this
right
>> > > now. It's import/export from the admin console. It will also
>> have the
>> > > ability to import/export partial pieces of a realm such as just
>> users.
>> > >
>> > > Thanks for the comments so far on this thread. They have been
>> very helpful.
>> > >
>> > > We will keep the idea that no secrets should ever be exported
>> from admin
>> > > console. I'm not sure that having a flag for it in
>> keycloak-server.json
>> > > helps. To edit keycloak-server.json, you need access to the
>> server, in
>> > > which case you might as well do the current import/export.
>> > >
>> > > So what do you do after you import a user with no credentials?
>> Some ideas:
>> > > * The administrator can reset the password manually.
>> > > * The user can do password recovery (if enabled)
>> > >
>> > > An other ideas?
>> > >
>> > > Stan
>> > >
>> > > On 10/5/2015 12:34 PM, Tim Dudgeon wrote:
>> > >> That's a good point. Having to stop/start the server to
generate an
>> > >> export is not ideal.
>> > >>
>> > >> Tim
>> > >>
>> > >> On 05/10/2015 11:56, Thomas Raehalme wrote:
>> > >>>
>> > >>>
>> > >>> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke
<bburke(a)redhat.com
>> <mailto:bburke@redhat.com>
>> > >>> <mailto:bburke@redhat.com
<mailto:bburke@redhat.com>>> wrote:
>> > >>>
>> > >>> On 10/4/2015 5:37 PM, Thomas Raehalme wrote:
>> > >>>
>> > >>>
>> > >>> On Oct 4, 2015 23:57, "Bill Burke"
<bburke(a)redhat.com
>> <mailto:bburke@redhat.com>
>> > >>> <mailto:bburke@redhat.com
<mailto:bburke@redhat.com>
>> <mailto:bburke@redhat.com <mailto:bburke@redhat.com>>>> wrote:
>> > >>> >
>> > >>> > For security reasons we did not want to have a
remote
>> > >>> option to export.
>> > >>>
>> > >>>
>> > >>> How about just storing the export as a local file on the
server?
>> > >>> You'd need access to the server in order to get the file
>> (making the
>> > >>> system compromised anyways). The change to current behaviour
>> is that
>> > >>> you would be able to trigger the export at will without server
>> restart.
>> > >>>
>> > >>> Best regards,
>> > >>> Thomas
>> > >>>
>> > >>>
>> > >>> _______________________________________________
>> > >>> keycloak-user mailing list
>> > >>> keycloak-user(a)lists.jboss.org
>> <mailto:keycloak-user@lists.jboss.org>
>> > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> > >>
>> > >>
>> > >>
>> > >> _______________________________________________
>> > >> keycloak-user mailing list
>> > >> keycloak-user(a)lists.jboss.org
>> <mailto:keycloak-user@lists.jboss.org>
>> > >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> > >
>> > >
>> > >
>> > > _______________________________________________
>> > > keycloak-user mailing list
>> > > keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> > >
>> >
>> > --
>> > Bill Burke
>> > JBoss, a division of Red Hat
>> > http://bill.burkecentral.com
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
6:09 a.m.
On 06/10/15 13:04, Stan Silvert wrote:
On 10/5/2015 3:18 PM, Marek Posolda wrote:
> Btv. Stan, is your work going to be added into 1.6 or is it for next
> release? I am just asking because there is one pending PR, which is
> likely going to be merged for 1.6 -
> https://github.com/keycloak/keycloak/pull/1656/files . After merging
> this, we discussed with Stian some additional minor changes (namely
> removing "zip" export/import provider as nobody doesn't seem to be
> using it so far). I should also doublecheck that import still works
> after those changes.
>
> I am going to look at this likely next week and it's going to be
> included in 1.6. I am asking as I don't want to edit same code like
> you and break something you're working on ;-)
It definitely won't make it for 1.6. I'm just getting started,
figuring out the requirements, and figuring out how it will all work.
ah, ok.
Thanks. No conflicts expected then :-)
Marek
>
> Marek
>
> On 05/10/15 20:33, Stan Silvert wrote:
>> On 10/5/2015 2:26 PM, Thomas Raehalme wrote:
>>>
>>>
>>> On Oct 5, 2015 21:24, "Bill Burke" <bburke(a)redhat.com>
wrote:
>>> >
>>> > I'm still averse to allowing export from admin console of any
>>> > credentials or private keys.
>>>
>>> Even if they are not directly downloadable but require access to
>>> the server just like now?
>>>
>> I think there should be no secrets ever downloadable from admin
>> console. Admin console is, by definition, remote.
>>
>> If you have access to the server then you can use what is there now.
>>
>> It is possible, however, that when we do our CLI implementation we
>> can verify that the user is local and allow full access. That way,
>> you could do full export on a running server. WildFly CLI already
>> has logic to verify a user is local.
>>
>>>
>>> >
>>> > On 10/5/2015 2:02 PM, Stan Silvert wrote:
>>> > > I'm actually starting on the design and implementation of this
>>> right
>>> > > now. It's import/export from the admin console. It will also
>>> have the
>>> > > ability to import/export partial pieces of a realm such as just
>>> users.
>>> > >
>>> > > Thanks for the comments so far on this thread. They have been
>>> very helpful.
>>> > >
>>> > > We will keep the idea that no secrets should ever be exported
>>> from admin
>>> > > console. I'm not sure that having a flag for it in
>>> keycloak-server.json
>>> > > helps. To edit keycloak-server.json, you need access to the
>>> server, in
>>> > > which case you might as well do the current import/export.
>>> > >
>>> > > So what do you do after you import a user with no credentials?
>>> Some ideas:
>>> > > * The administrator can reset the password manually.
>>> > > * The user can do password recovery (if enabled)
>>> > >
>>> > > An other ideas?
>>> > >
>>> > > Stan
>>> > >
>>> > > On 10/5/2015 12:34 PM, Tim Dudgeon wrote:
>>> > >> That's a good point. Having to stop/start the server to
>>> generate an
>>> > >> export is not ideal.
>>> > >>
>>> > >> Tim
>>> > >>
>>> > >> On 05/10/2015 11:56, Thomas Raehalme wrote:
>>> > >>>
>>> > >>>
>>> > >>> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke
<bburke(a)redhat.com
>>> <mailto:bburke@redhat.com>
>>> > >>> <mailto:bburke@redhat.com
<mailto:bburke@redhat.com>>> wrote:
>>> > >>>
>>> > >>> On 10/4/2015 5:37 PM, Thomas Raehalme wrote:
>>> > >>>
>>> > >>>
>>> > >>> On Oct 4, 2015 23:57, "Bill Burke"
<bburke(a)redhat.com
>>> <mailto:bburke@redhat.com>
>>> > >>> <mailto:bburke@redhat.com
<mailto:bburke@redhat.com>
>>> <mailto:bburke@redhat.com <mailto:bburke@redhat.com>>>>
wrote:
>>> > >>> >
>>> > >>> > For security reasons we did not want to have
a remote
>>> > >>> option to export.
>>> > >>>
>>> > >>>
>>> > >>> How about just storing the export as a local file on the
server?
>>> > >>> You'd need access to the server in order to get the
file
>>> (making the
>>> > >>> system compromised anyways). The change to current
behaviour
>>> is that
>>> > >>> you would be able to trigger the export at will without
>>> server restart.
>>> > >>>
>>> > >>> Best regards,
>>> > >>> Thomas
>>> > >>>
>>> > >>>
>>> > >>> _______________________________________________
>>> > >>> keycloak-user mailing list
>>> > >>> keycloak-user(a)lists.jboss.org
>>> <mailto:keycloak-user@lists.jboss.org>
>>> > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> > >>
>>> > >>
>>> > >>
>>> > >> _______________________________________________
>>> > >> keycloak-user mailing list
>>> > >> keycloak-user(a)lists.jboss.org
>>> <mailto:keycloak-user@lists.jboss.org>
>>> > >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> > >
>>> > >
>>> > >
>>> > > _______________________________________________
>>> > > keycloak-user mailing list
>>> > > keycloak-user(a)lists.jboss.org
>>> <mailto:keycloak-user@lists.jboss.org>
>>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> > >
>>> >
>>> > --
>>> > Bill Burke
>>> > JBoss, a division of Red Hat
>>> > http://bill.burkecentral.com
>>> > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
1:27 p.m.
agreed
On 10/5/2015 2:24 PM, Bill Burke wrote:
I'm still averse to allowing export from admin console of any
credentials or private keys.
On 10/5/2015 2:02 PM, Stan Silvert wrote:
> I'm actually starting on the design and implementation of this right
> now. It's import/export from the admin console. It will also have the
> ability to import/export partial pieces of a realm such as just users.
>
> Thanks for the comments so far on this thread. They have been very helpful.
>
> We will keep the idea that no secrets should ever be exported from admin
> console. I'm not sure that having a flag for it in keycloak-server.json
> helps. To edit keycloak-server.json, you need access to the server, in
> which case you might as well do the current import/export.
>
> So what do you do after you import a user with no credentials? Some ideas:
> * The administrator can reset the password manually.
> * The user can do password recovery (if enabled)
>
> An other ideas?
>
> Stan
>
> On 10/5/2015 12:34 PM, Tim Dudgeon wrote:
>> That's a good point. Having to stop/start the server to generate an
>> export is not ideal.
>>
>> Tim
>>
>> On 05/10/2015 11:56, Thomas Raehalme wrote:
>>>
>>> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke <bburke(a)redhat.com
>>> <mailto:bburke@redhat.com>> wrote:
>>>
>>> On 10/4/2015 5:37 PM, Thomas Raehalme wrote:
>>>
>>>
>>> On Oct 4, 2015 23:57, "Bill Burke" <bburke(a)redhat.com
>>> <mailto:bburke@redhat.com
<mailto:bburke@redhat.com>>> wrote:
>>> >
>>> > For security reasons we did not want to have a remote
>>> option to export.
>>>
>>>
>>> How about just storing the export as a local file on the server?
>>> You'd need access to the server in order to get the file (making the
>>> system compromised anyways). The change to current behaviour is that
>>> you would be able to trigger the export at will without server restart.
>>>
>>> Best regards,
>>> Thomas
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
3369
days inactive
3372
days old
20 comments
8 participants
participants (8)
-
Bill Burke -
Giriraj Sharma -
Marek Posolda -
Scott Rossillo -
Stan Silvert -
Thomas Raehalme -
Thomas Raehalme -
Tim Dudgeon