[keycloak-dev] cross-realm administration
Marek Posolda
mposolda at redhat.com
Wed Dec 9 13:35:41 EST 2015
On 08/12/15 13:50, Bill Burke wrote:
> Continuing our hangout from yesterday...
>
> The primary goal, IMO is to 1) clean up the master realm realm clients
> 2) remove the master realm requirement for cross-realm impersonation 3)
> give possibility to remove the master realm
>
> Right now non-master realms trust admins in the master realm. These
> "child" realms allow the master realm to decide which users in the
> master realm are allowed to access it. I'll call this "cross-realm
> administration". We could continue this model, but without role
> namespaces you'd have to create realm-clients in each trusted realm.
>
> Another idea is to do something really simple. Realm A decides to trust
> Realm B and they "share" admin roles. If user in Realm B has
> "view-user" permission, then he also has "view-user" permission. The UI
> is simple and there's no need for Realm A and B to know anything else
> about each other. This is a simpler version of "cross-realm
> administration" which doesn't give you any fine grain per-realm control.
> This requires very little UI work which is the big blocker for me.
>
> Building on that idea, which is what I started to implement, is that
> Realm A "shares" admin roles still, but only allows certain permissions
> for Realm B. Realm A grants admins in Realm B "view user and create client"
How about the case when I want to have:
1) user "a-admin" in realm A, which is supposed to have "view-user"
permission just for realm A
2) user "b-admin" in realm B, which is supposed to have "view-user"
permission just for realm B
3) user "admin" in realm A, which is supposed to have "view-user"
permission for both realms A and B
If I understand correctly, I won't be able to model this because:
For rule (3), I need realm B to trust realm A . However that implies
that user "a-admin" from realm A will be able to have "view-user" for
realm B, which breaks rule (1) and is something I don't want.
But still, maybe most of the people don't need something powerful and
this simple model will be sufficient for them? Maybe we can go with
simple model for now and later (after 1.0) we can introduce something
more powerful and incorporate Pedro's authorization stuff to be able to
specify more fine-grained permissions?
Marek
>
> If you want to go further with the ability to grant a specific user or
> group in another realm admin privileges then it becomes more
> complicated. You have a chicken and egg problem first as you'd need a
> way to view users and groups in another realm so you can grant
> permission to them. I guess it could be you
>
> 1. Granting trust ot a realm allows that realm to view your users and
> groups. Well, at least query for username/email/attributes
> 2. UI screens would have to be created specific for managing
> users/groups in another realm as you would want to filter what
> information gets displayed
>
>
More information about the keycloak-dev
mailing list