[keycloak-dev] cross-realm administration
Bill Burke
bburke at redhat.com
Wed Dec 9 14:22:46 EST 2015
On 12/9/2015 1:35 PM, Marek Posolda wrote:
> On 08/12/15 13:50, Bill Burke wrote:
>> Continuing our hangout from yesterday...
>>
>> The primary goal, IMO is to 1) clean up the master realm realm clients
>> 2) remove the master realm requirement for cross-realm impersonation 3)
>> give possibility to remove the master realm
>>
>> Right now non-master realms trust admins in the master realm. These
>> "child" realms allow the master realm to decide which users in the
>> master realm are allowed to access it. I'll call this "cross-realm
>> administration". We could continue this model, but without role
>> namespaces you'd have to create realm-clients in each trusted realm.
>>
>> Another idea is to do something really simple. Realm A decides to trust
>> Realm B and they "share" admin roles. If user in Realm B has
>> "view-user" permission, then he also has "view-user" permission. The UI
>> is simple and there's no need for Realm A and B to know anything else
>> about each other. This is a simpler version of "cross-realm
>> administration" which doesn't give you any fine grain per-realm control.
>> This requires very little UI work which is the big blocker for me.
>>
>> Building on that idea, which is what I started to implement, is that
>> Realm A "shares" admin roles still, but only allows certain permissions
>> for Realm B. Realm A grants admins in Realm B "view user and create
>> client"
> How about the case when I want to have:
> 1) user "a-admin" in realm A, which is supposed to have "view-user"
> permission just for realm A
> 2) user "b-admin" in realm B, which is supposed to have "view-user"
> permission just for realm B
> 3) user "admin" in realm A, which is supposed to have "view-user"
> permission for both realms A and B
>
> If I understand correctly, I won't be able to model this because:
> For rule (3), I need realm B to trust realm A . However that implies
> that user "a-admin" from realm A will be able to have "view-user" for
> realm B, which breaks rule (1) and is something I don't want.
>
> But still, maybe most of the people don't need something powerful and
> this simple model will be sufficient for them? Maybe we can go with
> simple model for now and later (after 1.0) we can introduce something
> more powerful and incorporate Pedro's authorization stuff to be able to
> specify more fine-grained permissions?
>
Eh, the simple model breaks backward compatibility. Maybe the focus
should be on just continuing what we have:
* Cleaning up master realm per realm clients. We would need to keep
this metadata somewhere else though.
* Ability to turn any one realm into a "master" realm for a set of
"child" realms.
So, everything works the same way as we have now except assigning per
realm permissions in the master realm has a new UI, and we can turn any
other realm into a master realm with the same UI.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-dev
mailing list