[aerogear-dev] Keycloak user/roles management

Bruno Oliveira bruno at abstractj.org
Mon May 26 10:20:37 EDT 2014


On 2014-05-26, Matthias Wessendorf wrote:
> On Mon, May 26, 2014 at 2:10 PM, Bruno Oliveira <bruno at abstractj.org> wrote:
>
> >
> > Good morning peeps, after the latest change[1] correct me if I'm wrong. But
> > I think KC and UPS will do pretty much what we need.
> >
> > We have a push admin and the super user on KC side enabled. Let me know
> > if that is what you need and I will take a look at viewer role.
> >
>
> One thing that I noticed: when I login as 'admin', I don't see the
> applications created by 'user'
> I think with that change, the 'admin' is the overall Keycloak-Admin.

With the recent changes we have 2 admins:

- KC admin
- UPS admin

I think the UPS admin should have the visibility of all applications
created, right? I will look at this.

>
>
> I had a chat w/ Stian in the past, for the above mentioned
> "super-user" (which is leveraging the Keycloak realm) Stian and I were
> thinking of a "Super User", that simply has not all permissions. For
> instance, it would have:
> * AdminRoles.VIEW_USERS
> * AdminRoles.MANAGE_USERS
>
> But it would not have the "AdminRoles.ADMIN" role. As we don't need to have
> that guy/super-user being able to create realms or other applications, just
> the "user access" items.
>
> I guess that's why we did see the 'remove()' before

I understand the permission scope restriction for KC admin
(aka super-user). But if we remove the admin, how could you login to manage
users/roles?

>
> -Matthias
>
>
>
>
> >
> >
> > [1] -
> >
> > https://github.com/aerogear/aerogear-unifiedpush-server/commit/3e118b1c758493942ef2a00e1541302a03e5519c
> >
> >
> > On 2014-05-21, Matthias Wessendorf wrote:
> > > Just a thought... regarding those two roles 'PushAdmin' and 'Super-User',
> > > IMO the Super-user should be able to see all apps (and their variants,
> > > including registered devices).
> > >
> > >
> > >
> > >
> > > On Wed, May 21, 2014 at 2:55 PM, Bruno Oliveira <bruno at abstractj.org>
> > wrote:
> > >
> > > > Thank you Matthias, I will look at it and return back with more
> > > > questions if necessary.
> > > >
> > > > On 2014-05-21, Matthias Wessendorf wrote:
> > > > > Hello,
> > > > >
> > > > > yes - the handling is done by Keycloak itself; Last time we looked at
> > > > user
> > > > > management, we had the following in terms of roles:
> > > > >
> > > > > https://gist.github.com/sebastienblanc/6547605
> > > > >
> > > > > Not sure the names of these roles are great.... let's see
> > > > >
> > > > > Basically I think the role definition in the gist still addresses
> > most of
> > > > > what we want to archive:
> > > > > * super-user: in charge of managing the UPS realm (including users);
> > can
> > > > > see _ALL_ push applications  (that's the admin in Sebi's gist)
> > > > > * PushAdmin: Someone that can manage applications and variants, but
> > is
> > > > not
> > > > > able to add new users; he also sees only his applications/variants
> > etc
> > > > > (that's the developer in sebis gist)
> > > > >
> > > > > The gist also contains a 'Viewer' role - At this point I am not sure
> > we
> > > > do
> > > > > really need this. My impression is that if we have PushAdmins for our
> > > > 1.0.0
> > > > > community release that will be enough.
> > > > >
> > > > > -Matthias
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > On Tue, May 20, 2014 at 10:02 PM, Bruno Oliveira <
> > bruno at abstractj.org
> > > > >wrote:
> > > > >
> > > > > > Good morning peeps,
> > > > > >
> > > > > > Before I jump in https://issues.jboss.org/browse/AGPUSH-639. I
> > would
> > > > > > like to understand what do you guys want say with this issue.
> > > > > >
> > > > > > Currently Keycloak already has its own user/roles managements.
> > What do
> > > > > > you guys are looking for? Any specific requirements?
> > > > > >
> > > > > > --
> > > > > >
> > > > > > abstractj
> > > > > > _______________________________________________
> > > > > > aerogear-dev mailing list
> > > > > > aerogear-dev at lists.jboss.org
> > > > > > https://lists.jboss.org/mailman/listinfo/aerogear-dev
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Matthias Wessendorf
> > > > >
> > > > > blog: http://matthiaswessendorf.wordpress.com/
> > > > > sessions: http://www.slideshare.net/mwessendorf
> > > > > twitter: http://twitter.com/mwessendorf
> > > >
> > > > > _______________________________________________
> > > > > aerogear-dev mailing list
> > > > > aerogear-dev at lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/aerogear-dev
> > > >
> > > >
> > > > --
> > > >
> > > > abstractj
> > > > _______________________________________________
> > > > aerogear-dev mailing list
> > > > aerogear-dev at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/aerogear-dev
> > > >
> > >
> > >
> > >
> > > --
> > > Matthias Wessendorf
> > >
> > > blog: http://matthiaswessendorf.wordpress.com/
> > > sessions: http://www.slideshare.net/mwessendorf
> > > twitter: http://twitter.com/mwessendorf
> >
> > > _______________________________________________
> > > aerogear-dev mailing list
> > > aerogear-dev at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/aerogear-dev
> >
> >
> > --
> >
> > abstractj
> > _______________________________________________
> > aerogear-dev mailing list
> > aerogear-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
> >
>
>
>
> --
> Matthias Wessendorf
>
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf

> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev


--

abstractj


More information about the aerogear-dev mailing list