[keycloak-dev] Authz for admin console/endpoints (KEYCLOAK-292)

Bill Burke bburke at redhat.com
Thu Feb 20 11:54:28 EST 2014

On 2/20/2014 11:21 AM, Stian Thorgersen wrote:
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Thursday, 20 February, 2014 4:06:37 PM
>> Subject: Re: [keycloak-dev] Authz for admin console/endpoints (KEYCLOAK-292)
>> On 2/20/2014 10:05 AM, Stian Thorgersen wrote:
>>> Currently a user in the 'keycloak-admin' realm with the role 'admin' has
>>> full access to all realms. We need to support a bit more fine-grained
>>> access control for admin console/endpoints. At the bare minimum we need to
>>> be able to have users that can administer only some realms. Further, it
>>> would be nice to build this on-top of roles alone and not require an ACL
>>> table or something similar.
>>> We could start with the following permissions/roles for a realm:
>>> * view-realm-config
>>> * manage-realm-config
>>> * view-users
>>> * manage-users
>>> * view-applications
>>> * manage-applications
>>> * view-clients
>>> * manage-clients
>>> * admin (composite role containing all the above roles)
>>> One approach to this would be to create an application per-realm that
>>> represents that realm (application name could be 'realm-<realm name>').
>>> This would be created automatically when we create a new realm, and it
>>> would have the above roles as application roles. Users can then be granted
>>> access to individual realms by mapping the roles for the associated
>>> application to them.
>>> We could also have a composite realm role 'admin' that maps to the 'admin'
>>> role in all realm applications. Any user that is granted this role would
>>> have full access to all realms.
>>> This made me think about the concept of "resources" in Keycloak. A resource
>>> is similar to an application except it doesn't have scope mappings, nor
>>> does it have credentials. This could be used in the demo for the
>>> 'database-service', which would mean we'd have roles associated with the
>>> 'database-service' rather than using realm roles. It would also provide an
>>> installation file (and wildfly config) where 'bearer-only' is set to
>>> 'true'.
>> We need to think of this in terms of OAuth grants.  i.e.  You have one
>> Keycloak server that wants to export/migrate metadata from its realm(s)
>> to another Keycloak server.  You have a service like Aerogear UPS where
>> you want to grant it temporary permission to define applications within
>> the realm.
> I don't see how what I proposed doesn't work with OAuth grants.
>> This is why I think the best approach would be to create an application
>> per-realm that represents realm management.  The application would just
>> be named "realm-management", just like we already have for "account".
>> This way these admin roles to mix or pollute anything user specific.  We
>> would also create an application within the "keycloak-admin" realm with
>> similar role definitions.
>> With the above setup, we would have "keycloak-admin" users who would
>> have various permissions on *ALL* realms.  And per realm users that have
>> permissions for one *specific* realm.  But, there would not be a concept
>> of a user that has permissions on a subset of realms.  It could be
>> access to 1 realm, or access to all realms.
> This sounds messy to me. It means you end up with having to manage access to a realm in two different realms. Also, for admin console you'd have to have an option of selecting what realm to login to. Anyone that is only given access to one or two realms would have to re-login to swap or something.

I was actually agreeing with your original post, but I don't think I 
fully understood your original post! I might understand now.  Is this 
what you mean?

* Create an application within "keycloak-admin" for each new realm
* Under that application create all the roles mentioned in the OP.
* Create a realm level composite role named "superuser".  When a new 
realm is created, associate all those new application roles to this 
superuser composite.

Then, when you log into the admin console, the server just checks which 
roles you have assigned to you to fill the realm selection box on the 
admin console main page.

Bill Burke
JBoss, a division of Red Hat

More information about the keycloak-dev mailing list