[keycloak-dev] Multi tenancy support - a proposal to discuss

Marek Posolda mposolda at redhat.com
Thu Oct 23 04:28:12 EDT 2014


On 22.10.2014 19:29, Juraci Paixão Kröhling wrote:
>
> On 10/21/2014 11:26 PM, Bill Burke wrote:
>> Would be cool if you added a unit test and documentation for this
>> feature.  If you need some help with that, let me know.
> I've pushed some updates to a branch in my fork[1], which includes a
> sample application (multi-tenants), documentation and some javadoc.
> I'm planning on working on an integration test tomorrow.
>
> This branch is also already integrated with Marek's clustering
> feature, which caused some conflicts during the first rebase.
>
> A question I've got when improving the sample application is regarding
> some permissions.
>
> On the sample application, the "registration" part contacts the server
> as "registration" user, which has the "create-realm" permission. It
> creates a new realm, say, "acme". Inside this new realm, there's an
> application named "metrics", of which I want to retrieve the
> keycloak.json and add to the response to the registration.
>
> Unfortunately, I couldn't figure out which permission this user has to
> have in order to retrieve this application's keycloak.json
> installation file. Note that this is a user on the "master" realm,
> trying to access a JSON from an application in another realm.
When you create a new realm "foo", Keycloak automatically creates an 
application in the master realm called "foo-realm" and creates a set of 
'admin' roles for this application.

From what I can see, to retrieve keycloak.json from the admin console, you 
should be in either the "view-applications" or "manage-applications" role of 
this "foo-realm" application. Actually the realm creator is 
automatically granted all roles of the "foo-realm" application (see 
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/RealmsAdminResource.java#L134 
), so he should be able to do everything in the realm he just created. 
So it's a bit strange to me that you're seeing issues.

Actually, isn't the problem in scopes? The client application which you are 
using to access KC should have those "view-applications" or 
"manage-applications" roles in its scope. The admin console is using the 
application "Security-admin-console", which has scope to the realm role "admin", 
so it de facto has scope to everything. Maybe you can also use this scope or 
use the "Full scope allowed" switch for your app.

Marek
>
> I've tried "view-realm" and "view-applications" from the
> "master-realm" application, but I'm trying to access the application
> from the new realm (not from master). As a result, I get a "forbidden"
> error. I've tried several combinations, but I could only bypass it by
> using the "admin" role, which is certainly *not* something I would
> want to have on the registration application :-)
>
> One more thing to note is that there seems to be a new "application" in
> the roles combo, named "acme-realm". A possible solution would be to
> add the original user to the "view-realm" on this new application, but
> I guess only an admin can do that (chicken-egg problem).
>
> So, would it make sense to clone the master-realm permissions from one
> user when this user creates a new realm? I think it would make sense
> to give "read" permissions to a user on the realm that it itself
> created, no?
>
> This is certainly not a blocker, but I'm afraid that users would just
> copy/paste things and this might lead to a bigger problem in the future.
>
> [1] http://git.io/GkVyyQ
>
> - - Juca.
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

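The scope behaviour Marek describes above, modelled as an added example in Python. This is not Keycloak's code: the realm, client and role names follow the thread (master realm, "acme-realm" application, view-applications, manage-applications, realm role admin, the "Full scope allowed" switch), while the MasterRealm/Client classes, the "registration-app" client id and the simplified token-building rule are assumptions made here to illustrate why a user who holds every role on "acme-realm" can still get a "forbidden" from the installation endpoint.

```python
"""Toy model of the admin-permission check discussed in the thread.

Added example, not Keycloak's own code. Names (master realm, "acme-realm",
view-applications, manage-applications, realm role "admin", "Full scope
allowed") come from the thread; the classes, the "registration-app" client
id and the token-building rule are simplifications assumed here.
"""
from dataclasses import dataclass, field

# Admin roles created on the "<realm>-realm" application (subset, assumed here)
ADMIN_ROLES = ["view-realm", "manage-realm", "view-applications",
               "manage-applications", "view-users", "manage-users"]


@dataclass
class Client:
    client_id: str
    full_scope_allowed: bool = False
    # roles this client may carry in tokens: {application_id: {role, ...}}
    scope: dict = field(default_factory=dict)


@dataclass
class MasterRealm:
    clients: dict = field(default_factory=dict)
    # user -> {application_id: {role, ...}} (client-role mappings)
    user_client_roles: dict = field(default_factory=dict)
    realm_roles: dict = field(default_factory=dict)  # user -> {realm role}

    def create_realm(self, creator, name):
        """As Marek describes: creating realm "acme" adds application
        "acme-realm" to master and grants the creator all of its admin roles."""
        app_id = f"{name}-realm"
        self.clients[app_id] = Client(app_id)
        self.user_client_roles.setdefault(creator, {})[app_id] = set(ADMIN_ROLES)
        return app_id

    def issue_token(self, user, client_id):
        """Roles in the token = the user's mappings restricted to the
        requesting client's scope (or all of them if full scope is allowed)."""
        client = self.clients[client_id]
        mappings = self.user_client_roles.get(user, {})
        if client.full_scope_allowed:
            resource_access = {app: set(roles) for app, roles in mappings.items()}
        else:
            resource_access = {}
            for app, roles in mappings.items():
                allowed = roles & client.scope.get(app, set())
                if allowed:
                    resource_access[app] = allowed
        return {"realm_access": set(self.realm_roles.get(user, set())),
                "resource_access": resource_access}


def can_get_installation(token, realm):
    """Check for GET .../admin/realms/<realm>/applications/<app>/installation:
    needs view-applications or manage-applications on "<realm>-realm",
    or the master realm role "admin" (which covers everything)."""
    if "admin" in token["realm_access"]:
        return True
    roles = token["resource_access"].get(f"{realm}-realm", set())
    return bool(roles & {"view-applications", "manage-applications"})


def demo():
    master = MasterRealm()
    master.clients["registration-app"] = Client("registration-app")
    master.realm_roles["registration"] = {"create-realm"}
    master.create_realm("registration", "acme")

    # 1. Default client scope: the acme-realm roles never reach the token -> forbidden,
    #    even though the creator holds every role on "acme-realm".
    t1 = master.issue_token("registration", "registration-app")
    before = can_get_installation(t1, "acme")

    # 2. Explicit scope on the needed role of "acme-realm".
    master.clients["registration-app"].scope["acme-realm"] = {"view-applications"}
    t2 = master.issue_token("registration", "registration-app")
    scoped = can_get_installation(t2, "acme")

    # 3. The "Full scope allowed" switch.
    master.clients["registration-app"].scope.clear()
    master.clients["registration-app"].full_scope_allowed = True
    t3 = master.issue_token("registration", "registration-app")
    full = can_get_installation(t3, "acme")
    return before, scoped, full


if __name__ == "__main__":
    print(demo())  # (False, True, True)
```

The three cases follow Marek's diagnosis: the user's role mappings are fine, but a token only carries the roles the requesting client is scoped for, so case 1 is rejected while either the explicit scope (case 2) or "Full scope allowed" (case 3) lets the same user through.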