[keycloak-dev] management problems

Stian Thorgersen stian at redhat.com
Fri May 2 04:23:30 EDT 2014


My thought was that admins would log in to a single "admin realm", which would let them manage any Keycloaks, AeroGears, EAPs and any other servers they have.

Then you'd have one or more application realms where end-users would log in.

If we don't have AeroGear admins in the same realm as Keycloak admins, admins will have to log in multiple times.

So basically I think the AeroGear admin console should be in the Keycloak admin realm, then there's one or more realms for AeroGear users.

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Thursday, 1 May, 2014 5:06:42 PM
> Subject: Re: [keycloak-dev] management problems
> 
> Yes, as you would have to know to switch between realms.  Defeats the
> idea of Aerogear looking like one product.
> 
> On 5/1/2014 11:49 AM, Stian Thorgersen wrote:
> > Is that really an issue?
> >
> > Users would just be admin users, there would be a separate realm for
> > AeroGear users.
> >
> > And there'd probably be a single AeroGear console application, with a few
> > associated roles.
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Thursday, 1 May, 2014 4:47:24 PM
> >> Subject: Re: [keycloak-dev] management problems
> >>
> >>
> >>
> >> On 5/1/2014 11:41 AM, Stian Thorgersen wrote:
> >>>
> >>>
> >>> ----- Original Message -----
> >>>> From: "Bill Burke" <bburke at redhat.com>
> >>>> To: "Stian Thorgersen" <stian at redhat.com>
> >>>> Cc: keycloak-dev at lists.jboss.org
> >>>> Sent: Thursday, 1 May, 2014 4:37:39 PM
> >>>> Subject: Re: [keycloak-dev] management problems
> >>>>
> >>>>
> >>>>
> >>>> On 5/1/2014 11:24 AM, Stian Thorgersen wrote:
> >>>>>
> >>>>>
> >>>>> ----- Original Message -----
> >>>>>> From: "Bill Burke" <bburke at redhat.com>
> >>>>>> To: "Stian Thorgersen" <stian at redhat.com>
> >>>>>> Cc: keycloak-dev at lists.jboss.org
> >>>>>> Sent: Thursday, 1 May, 2014 4:19:26 PM
> >>>>>> Subject: Re: [keycloak-dev] management problems
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> On 5/1/2014 10:16 AM, Stian Thorgersen wrote:
> >>>>>>>
> >>>>>>>
> >>>>>>> ----- Original Message -----
> >>>>>>>> From: "Bill Burke" <bburke at redhat.com>
> >>>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
> >>>>>>>> Cc: keycloak-dev at lists.jboss.org
> >>>>>>>> Sent: Thursday, 1 May, 2014 3:11:48 PM
> >>>>>>>> Subject: Re: [keycloak-dev] management problems
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On 5/1/2014 9:30 AM, Stian Thorgersen wrote:
> >>>>>>>>> I'm wondering about what issues there are with having a single shared
> >>>>>>>>> admin realm though. That seems the optional solution to me.
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>> Isn't the issue multi-tenancy?
> >>>>>>>
> >>>>>>> We can grant admin users access to manage only specific realms though?
> >>>>>>>
> >>>>>>> Or are you thinking multi-tenancy for AeroGear?
> >>>>>>
> >>>>>> What I mean is that you want to manage Aerogear in a realm on a server
> >>>>>> that is multi-tenant (1 server managing multiple realms).  Can't really
> >>>>>> have a single shared admin realm in that case.
> >>>>>
> >>>>> I'm still not following :/
> >>>>>
> >>>>> Can you spoon-feed me an example?
> >>>>>
> >>>>
> >>>> Aerogear UPS admin needs to:
> >>>>
> >>>> * manage users
> >>>> * manage role mappings
> >>>> * manage oauth clients
> >>>> * Manage aerogear specific things
> >>>>
> >>>> You want to have one login to do all those things.  This means there
> >>>> needs to be one realm to do all these things.  You could re-use the
> >>>> "keycloak-admin" realm, but re-using the "keycloak-admin" realm doesn't
> >>>> work if you're dealing with a Keycloak deployment that is managing
> >>>> multiple realms.  A.K.A.  Multi-tenancy.
> >>>
> >>> The part I'm not understanding is why it doesn't work with a Keycloak
> >>> deployment with multiple realms?
> >>>
> >>
> >> Because you're polluting the "keycloak-admin" realm with Aerogear
> >> specific things: users, roles, applications, etc.
> >>
> >>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >>
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 

