8:47 p.m.
Perhaps it's a little early to start implementing a Keycloak FP, but I'm
starting to look at it and identify potential issues. So I thought I
should list the issues here and find out which ones are already
addressed and which need some time to work out.
*Task:* Implement a feature pack that adds the Keycloak Auth Server to
either/both of the _WildFly Web build_ and the _WildFly Full build_.
Note that this is completely separate from the effort to use Keycloak to
secure the web console. That only involves Keycloak adapter integration
destined to ride on top of Elytron.
Here, we are talking about using a feature pack to add and configure the
Keycloak Auth Server.
*Issue #1: Module duplication.* Keycloak needs to install the
bouncycastle module. This module already exists in the full build but
not the web build. So you have the same module specified for the
Keycloak FP and the Full WildFly FP.
I assume this is already handled? Will the FP mechanism have a problem
with duplication of modules when I try to add a module to full that
already exists?
*Issue #2: Adding a subsystem:* It looks like the current mechanism for
creating configuration files is inappropriate for the Keycloak FP. The
way this is done right now is that a config file is generated via the
combination of a template file and a list of subsystem snippets. So you
would have, for example:
template-keycloak.xml + subsystems-keycloak.xml = standalone-keycloak.xml
But that's not what we really want. We don't want a separate
standalone-keycloak.xml. We really just want to add the keycloak
subssytem to every generated config file, whatever they may be.
*Issue #3: Adding a deployment:* The Keycloak auth server is deployed
as a WAR. We can use the copy-artifacts mechanism to simply copy the
WAR into the deployments directory. But that doesn't work for a domain
where you want to have the WAR pre-loaded into the content repository.
Furthermore, it's probably not the best way to integrate this for
standalone either.
What would be a better option?
11:24 p.m.
On 9/10/14, 1:47 PM, Stan Silvert wrote:
*Issue #3: Adding a deployment:* The Keycloak auth server is deployed
as a WAR. We can use the copy-artifacts mechanism to simply copy the
WAR into the deployments directory. But that doesn't work for a domain
where you want to have the WAR pre-loaded into the content repository.
Furthermore, it's probably not the best way to integrate this for
standalone either.
What would be a better option?
See the "A Mixed Approach" section at
https://developer.jboss.org/docs/DOC-25627
The two comments at the bottom of that page are also relevant to that
part of the wiki.
Cheers,
--
Brian Stansberry
Senior Principal Software Engineer
JBoss by Red Hat
7:20 p.m.
On 9/10/2014 5:24 PM, Brian Stansberry wrote:
On 9/10/14, 1:47 PM, Stan Silvert wrote:
> *Issue #3: Adding a deployment:* The Keycloak auth server is deployed
> as a WAR. We can use the copy-artifacts mechanism to simply copy the
> WAR into the deployments directory. But that doesn't work for a domain
> where you want to have the WAR pre-loaded into the content repository.
> Furthermore, it's probably not the best way to integrate this for
> standalone either.
>
> What would be a better option?
>
See the "A Mixed Approach" section at
https://developer.jboss.org/docs/DOC-25627
The two comments at the bottom of that page are also relevant to that
part of the wiki.
Cheers,
Awesome. That actually solves several potential problems. Thanks Brian.
8:31 p.m.
New subject: System deployments? WAS: Creating a Keycloak Feature Pack
On 9/11/14, 12:20 PM, Stan Silvert wrote:
On 9/10/2014 5:24 PM, Brian Stansberry wrote:
> On 9/10/14, 1:47 PM, Stan Silvert wrote:
>
>> *Issue #3: Adding a deployment:* The Keycloak auth server is deployed
>> as a WAR. We can use the copy-artifacts mechanism to simply copy the
>> WAR into the deployments directory. But that doesn't work for a domain
>> where you want to have the WAR pre-loaded into the content repository.
>> Furthermore, it's probably not the best way to integrate this for
>> standalone either.
>>
>> What would be a better option?
>>
> See the "A Mixed Approach" section at
> https://developer.jboss.org/docs/DOC-25627
>
> The two comments at the bottom of that page are also relevant to that
> part of the wiki.
>
> Cheers,
>
Awesome. That actually solves several potential problems. Thanks Brian.
You're welcome.
The drawback I mentioned there is these deployments appear in the
resource tree alongside the regular user deployments. That's not ideal,
because things can happen like the user undeploying or removing the
deployment, plus it just mixes things that are somewhat separate.
We've briefly discussed in the past the idea of having a
"system-deployment" tree that looks just like the "deployment" tree
except the registration of the handlers for the "add", "remove"
"deploy"
"undeploy" ops would have a flag added that marks them as private, so
they don't show up in the public API. They can still be invoked
internally by subsystem though.
The change to that "fibo" example in the wiki would be minimal.
This would impact the console's "Runtime" tab, as it's another tree of
runtime data to present. Also, these deployments wouldn't appear in the
Content Repository tab, which in general is good, although there may be
some subtle UX effects.
It would also change the location in the tree at which these things
appear from EAP 6.x to EAP 7.x, but I don't think that's a big deal.
What do folks think about pursuing this? Mazz, your opinion would be useful.
Cheers,
--
Brian Stansberry
Senior Principal Software Engineer
JBoss by Red Hat
8:53 p.m.
New subject: System deployments? WAS: Creating a Keycloak Feature Pack
On 9/11/2014 2:31 PM, Brian Stansberry wrote:
On 9/11/14, 12:20 PM, Stan Silvert wrote:
> On 9/10/2014 5:24 PM, Brian Stansberry wrote:
>> On 9/10/14, 1:47 PM, Stan Silvert wrote:
>>
>>> *Issue #3: Adding a deployment:* The Keycloak auth server is deployed
>>> as a WAR. We can use the copy-artifacts mechanism to simply copy the
>>> WAR into the deployments directory. But that doesn't work for a domain
>>> where you want to have the WAR pre-loaded into the content repository.
>>> Furthermore, it's probably not the best way to integrate this for
>>> standalone either.
>>>
>>> What would be a better option?
>>>
>> See the "A Mixed Approach" section at
>> https://developer.jboss.org/docs/DOC-25627
>>
>> The two comments at the bottom of that page are also relevant to that
>> part of the wiki.
>>
>> Cheers,
>>
> Awesome. That actually solves several potential problems. Thanks Brian.
>
You're welcome.
The drawback I mentioned there is these deployments appear in the
resource tree alongside the regular user deployments. That's not ideal,
because things can happen like the user undeploying or removing the
deployment, plus it just mixes things that are somewhat separate.
That's OK for
now. Still a big improvement over copying to the
/deployments directory.
We've briefly discussed in the past the idea of having a
"system-deployment" tree that looks just like the "deployment" tree
except the registration of the handlers for the "add", "remove"
"deploy"
"undeploy" ops would have a flag added that marks them as private, so
they don't show up in the public API. They can still be invoked
internally by subsystem though.
+1 This might be especially important for
Keycloak. You would want to
limit the damage an attacker could do if he gained access to DMR but not
to Keycloak itself. You don't want the attacker to be able to deploy
his own auth server in place of the real one. Same goes for the
Keycloak datasource and the Keycloak subsystem.
The change to that "fibo" example in the wiki would be minimal.
This would impact the console's "Runtime" tab, as it's another tree of
runtime data to present. Also, these deployments wouldn't appear in the
Content Repository tab, which in general is good, although there may be
some subtle UX effects.
It would also change the location in the tree at which these things
appear from EAP 6.x to EAP 7.x, but I don't think that's a big deal.
What do folks think about pursuing this? Mazz, your opinion would be useful.
Cheers,
8:43 p.m.
On 9/10/2014 5:24 PM, Brian Stansberry wrote:
On 9/10/14, 1:47 PM, Stan Silvert wrote:
> *Issue #3: Adding a deployment:* The Keycloak auth server is deployed
> as a WAR. We can use the copy-artifacts mechanism to simply copy the
> WAR into the deployments directory. But that doesn't work for a domain
> where you want to have the WAR pre-loaded into the content repository.
> Furthermore, it's probably not the best way to integrate this for
> standalone either.
>
> What would be a better option?
>
See the "A Mixed Approach" section at
https://developer.jboss.org/docs/DOC-25627
When I do this in a domain, the
deployment does not live in the content
repository and can not be assigned directly to server groups. Instead,
it is just deployed to any server that has the Keycloak subsystem.
That might be a good thing. The deployment is still "assigned" to the
server group via the profile containing the keycloak subsystem.
Do any of you guys see a problem with this?
The two comments at the bottom of that page are also relevant to that
part of the wiki.
Cheers,
9:07 p.m.
On 9/16/14, 1:43 PM, Stan Silvert wrote:
On 9/10/2014 5:24 PM, Brian Stansberry wrote:
> On 9/10/14, 1:47 PM, Stan Silvert wrote:
>
>> *Issue #3: Adding a deployment:* The Keycloak auth server is deployed
>> as a WAR. We can use the copy-artifacts mechanism to simply copy the
>> WAR into the deployments directory. But that doesn't work for a domain
>> where you want to have the WAR pre-loaded into the content repository.
>> Furthermore, it's probably not the best way to integrate this for
>> standalone either.
>>
>> What would be a better option?
>>
> See the "A Mixed Approach" section at
> https://developer.jboss.org/docs/DOC-25627
When I do this in a domain, the deployment does not live in the content
repository and can not be assigned directly to server groups. Instead,
it is just deployed to any server that has the Keycloak subsystem.
That might be a good thing. The deployment is still "assigned" to the
server group via the profile containing the keycloak subsystem.
Do any of you guys see a problem with this?
That's the goal. The "deployment" is not like end user deployments; it's
an aspect of the subsystem. And subsystems are mapped to server groups
via profiles.
>
> The two comments at the bottom of that page are also relevant to that
> part of the wiki.
>
> Cheers,
>
--
Brian Stansberry
Senior Principal Software Engineer
JBoss by Red Hat
11:30 p.m.
Stan Silvert wrote:
Perhaps it's a little early to start implementing a Keycloak FP,
but I'm
starting to look at it and identify potential issues. So I thought I
should list the issues here and find out which ones are already
addressed and which need some time to work out.
*Task:* Implement a feature pack that adds the Keycloak Auth Server to
either/both of the _WildFly Web build_ and the _WildFly Full build_.
Note that this is completely separate from the effort to use Keycloak to
secure the web console. That only involves Keycloak adapter integration
destined to ride on top of Elytron.
Here, we are talking about using a feature pack to add and configure the
Keycloak Auth Server.
*Issue #1: Module duplication.* Keycloak needs to install the
bouncycastle module. This module already exists in the full build but
not the web build. So you have the same module specified for the
Keycloak FP and the Full WildFly FP.
I assume this is already handled? Will the FP mechanism have a problem
with duplication of modules when I try to add a module to full that
already exists?
This should work fine. Eventually we may have a solution where you can
specify a dependency on just some modules in the full build, although
that is not implemented yet.
*Issue #2: Adding a subsystem:* It looks like the current mechanism for
creating configuration files is inappropriate for the Keycloak FP. The
way this is done right now is that a config file is generated via the
combination of a template file and a list of subsystem snippets. So you
would have, for example:
template-keycloak.xml + subsystems-keycloak.xml = standalone-keycloak.xml
But that's not what we really want. We don't want a separate
standalone-keycloak.xml. We really just want to add the keycloak
subssytem to every generated config file, whatever they may be.
We should be able to add a feature to enable this.
Stuart
*Issue #3: Adding a deployment:* The Keycloak auth server is deployed as
a WAR. We can use the copy-artifacts mechanism to simply copy the WAR
into the deployments directory. But that doesn't work for a domain where
you want to have the WAR pre-loaded into the content repository.
Furthermore, it's probably not the best way to integrate this for
standalone either.
What would be a better option?
_______________________________________________
wildfly-dev mailing list
wildfly-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/wildfly-dev
7:27 p.m.
On 9/10/2014 5:30 PM, Stuart Douglas wrote:
Stan Silvert wrote:
>
> *Issue #2: Adding a subsystem:* It looks like the current mechanism for
> creating configuration files is inappropriate for the Keycloak FP. The
> way this is done right now is that a config file is generated via the
> combination of a template file and a list of subsystem snippets. So you
> would have, for example:
>
> template-keycloak.xml + subsystems-keycloak.xml =
> standalone-keycloak.xml
>
> But that's not what we really want. We don't want a separate
> standalone-keycloak.xml. We really just want to add the keycloak
> subssytem to every generated config file, whatever they may be.
We should be able to add a feature to enable this.
Stuart
Thanks Stuart. Is this covered in your "Wildfly Provisioning"
plans?
Should I open a Jira?
3503
days inactive
3509
days old
9 comments
4 participants
participants (4)
-
Brian Stansberry -
Heiko Braun -
Stan Silvert -
Stuart Douglas