[keycloak-dev] WildFly integration (READ ME!)
Stian Thorgersen
stian at redhat.com
Wed Feb 25 08:08:21 EST 2015
----- Original Message -----
> From: "Summers Pittman" <supittma at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: "Stan Silvert" <ssilvert at redhat.com>, keycloak-dev at lists.jboss.org
> Sent: Wednesday, February 25, 2015 1:52:50 PM
> Subject: Re: [keycloak-dev] WildFly integration (READ ME!)
>
> On 02/25/2015 12:38 AM, Stian Thorgersen wrote:
> >
> > ----- Original Message -----
> >> From: "Summers Pittman" <supittma at redhat.com>
> >> To: "Stan Silvert" <ssilvert at redhat.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Tuesday, February 24, 2015 4:45:17 PM
> >> Subject: Re: [keycloak-dev] WildFly integration (READ ME!)
> >>
> >> On 02/23/2015 12:26 PM, Stan Silvert wrote:
> >>
> >>
> >>
> >> On 2/23/2015 12:23 PM, Stan Silvert wrote:
> >>
> >>
> >>
> >> On 2/23/2015 12:06 PM, Summers Pittman wrote:
> >>
> >>
> >>
> >> On 02/23/2015 11:09 AM, Stan Silvert wrote:
> >>
> >>
> >>
> >> On 2/23/2015 10:42 AM, Summers Pittman wrote:
> >>
> >>
> >>
> >> On 02/23/2015 09:50 AM, Stian Thorgersen wrote:
> >>
> >>
> >>
> >> Just to clarify we're only talking about the server, not adapters.
> >>
> >> For the best and most friction free experience it would be best to have a
> >> dedicated Keycloak server, not to co-locate it with your JEE apps by
> >> deploying a WAR. With that regards we are considering dropping support for
> >> deploying Keycloak as a WAR.
> >> If I'm reading you correctly instead of
> >>
> >>
> >>
> >> ~/WILDFLY_HOME/bin/startup.sh
> >> code
> >>
> >> it will be
> >>
> >>
> >>
> >>
> >>
> >> $WILDFLY_HOME/bin/startup.sh
> >> code
> >> #^@%! what broke in my auth
> >> waste 10 minutes
> >> $KEYCLOAK_HOME/bin/startup.sh
> >> I don't understand. What would break?
> >> I start developing after a reboot and KeyCloak's server isn't running. The
> >> auth is broken because the server isn't running because I forgot to start
> >> it.
> >> Sorry. Missed this response. My question to you is would having the
> >> ability
> >> to deploy your app on the Keycloak distribution be sufficient?
> >> No. I already have a Wildfly server which is part of my development
> >> process
> >> that I know how to deploy things to. I don't want to set up a second one.
> >>
> >> If getting a deployable package is not an option and the only solution
> >> that
> >> is being entertained is a stand alone app server I will just containerize
> >> the thing, give it a host name alias and forget about it.
> > # docker run jboss/keycloak
> >
> > That being said we may provide the option to install Keycloak into an
> > existing WildFly (we'll probably only support the last version available
> > at the time we release).
> I understand you are trying to be glib, but there ARE issues with this.
> First off getting a realm.json file OUT of a docker container is nigh
> impossible, secondly the default configuration will lose all of your
> data when it is restarted, and third on non Linux systems docker support
> is pretty terrible. Data volumes do not work on Mac OS X out of the box
> for example.
I forgot irony doesn't translate well on email, sorry!
The real answer was that we're probably going to provide an option to easily install Keycloak into an existing WildFly ;)
> >
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> By keeping it a separate war 1) I can download the thing faster and 2) I
> >> don't have to decide who to kick off of port 8080.
> >> I don't think we would do anything to ban you from deploying your apps in
> >> the
> >> same WildFly instance as Keycloak. Can you explain your concerns in more
> >> detail?
> >> My reading of the original email was that the standalone server would be
> >> the
> >> only distribution. IE there would be no more warfile distribution.
> >> Right. But it would be a distribution that has two modes. The modes would
> >> be
> >> standalone mode and a mode that would allow it to join a WildFly domain.
> >>
> >> You could still deploy your applications to the Keycloak distribution. But
> >> for production, that's probably not what you want.
> >>
> >> What I don't understand is what problems it would cause. Can you elaborate
> >> on
> >> that?
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> Again, IF I'm reading your message correctly
> >>
> >>
> >>
> >>
> >> That being said we still need to support embedding Keycloak in other
> >> projects. We plan to continue to support this through the mechanism UPS
> >> does, basically build-your-own auth-server.war.
> >>
> >> ----- Original Message -----
> >>
> >>
> >>
> >> From: "Summers Pittman" <supittma at redhat.com> To:
> >> keycloak-dev at lists.jboss.org Sent: Friday, February 20, 2015 7:10:12 PM
> >> Subject: Re: [keycloak-dev] WildFly integration (READ ME!)
> >>
> >> On 02/20/2015 12:52 PM, Stan Silvert wrote:
> >>
> >>
> >>
> >> On 2/20/2015 10:05 AM, Summers Pittman wrote:
> >>
> >>
> >>
> >> On 02/19/2015 03:32 AM, Stian Thorgersen wrote:
> >>
> >>
> >>
> >> No comments?!
> >> Peanut gallery chiming in; you asked for it ;)
> >>
> >> I am not a WildFly developer or administrator. So read this email as
> >> the opinions of a talented developer who loves the hell out of using
> >> KeyCloak and WildFly and sings its praises from the roof tops but has no
> >> idea what you are talking about.
> >> Thanks Summers. Very valuable feedback.
> >> Thanks for taking the time to explain some things I know more than I did
> >> this morning.
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> ----- Original Message -----
> >>
> >>
> >>
> >> From: "Stian Thorgersen" <stian at redhat.com> To: "keycloak dev"
> >> <keycloak-dev at lists.jboss.org> Sent: Tuesday, February 3, 2015 10:08:50 AM
> >> Subject: [keycloak-dev] WildFly integration (READ ME!)
> >>
> >> All,
> >>
> >> We have a few decisions to make in the not so far future. I'm away from
> >> Thursday, so let's have a hangout when I get back on the 17th February
> >> if
> >> that works for everyone.
> >>
> >> The list of things to discuss includes:
> >>
> >> * Drop keycloak-server.json - Should we drop our own configuration file
> >> and
> >> use DMR (standalone.xml)
> >> If on day one enabling KeyCloak in my project was any more complicated
> >> than dropping a pregenerated file into my WEB-INF directory I would have
> >> closed the project and never looked back. -1
> >> We're talking about the auth server's config rather than the config for
> >> your project. For projects, we want to make it even easier to the
> >> point where you don't even need the json file to get a default
> >> configuration.
> >> Ah, that makes more sense.
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> * Keycloak CLI - Should we create our own or use WildFly CLI
> >> On the one hand the wildfly CLI is black magic. On the other hand it is
> >> really well done black magic. It is very hard to do CLIs well so I
> >> would like to see the wildfly CLI be used.
> >> That's the general feedback we often get from the WildFly community. I
> >> agree.
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> * Admin operations exposed over DMR - Should we expose none, some or all
> >> admin operations over DMR? If we expose all should we deprecate the
> >> current
> >> REST endpoints?
> >> Is DMR the thing that puts stuff in the WildFly admin UI (I tried to
> >> read the google result for "wildfly DMR" but it quickly turned into
> >> turtles all the way down)?
> >> At its core, DMR is really just a tiny single-package library where the
> >> API is just 3 or 4 classes. Those classes are the "language" spoken to
> >> make changes to the WildFly management model
> >> (standalone.xml/domain.xml). So the question is whether we should hook
> >> into the management model infrastructure to make Keycloak changes.
> >>
> >>
> >>
> >> In my experience I don't LIKE using the WildFly admin UI, I would rather
> >> use the CLI, scripts, etc.
> >> Also a typical response. Again, I agree. Thankfully, the Keycloak
> >> admin UI doesn't suffer from the same deficiencies as the WildFly admin
> >> UI.
> >>
> >> But with Keycloak, we don't yet have a CLI, so there are lots of
> >> questions around whether we piggyback on WildFly CLI, which means
> >> adopting DMR in some way.
> >>
> >>
> >>
> >> I haven't used the KeyCloak REST endpoints
> >> and keeping them just increases the attack surface.
> >> Do you mean that keeping the REST endpoints would be a good thing or a
> >> bad thing? Can we hear more from you on this topic?
> >> I think that if there were a WildFly way to do all of the admin tasks
> >> that the RESTful endpoints do now it would be good to remove the RESTful
> >> API to decrease the API surface to just WildFly. IE fewer things to
> >> worry about getting hacked and to watch for for vulnerabilities.
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> * Packaging/distribution - How do we distribute Keycloak? Options:
> >> - Full WildFly
> >> - Core/web WildFly
> >> - Overlay/installer/feature-pack to install to existing WF and EAP
> >> - WAR bundle
> >> How about a shell script that examines a WF install directory and does
> >> all the magic for me or aDocker container?
> >>
> >> In general I have not liked the experience of having wildfly bundled
> >> with a product. It tends to mess with other servers I have installed
> >> and be a general PITA to maintain for anything more than the most
> >> trivial of demos.
> >> Good feedback.
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> * How should we deal with providers, themes and keycloak-server.json in
> >> domain-mode
> >>
> >> * MSC all the way - We can deploy directly through the Undertow
> >> sub-system
> >> instead of deploying a WAR from the sub-system
> >> What is MSC?
> >> Modular Service Container. It's the thing that lets you declare and
> >> register services in WildFly. But I'm not completely sure what Stian is
> >> proposing here.
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> * Split sub-systems - Should we split the sub-system in two? One for the
> >> auth-server and another for the adapter
> >> What are the trade offs? What will using KeyCloak look like from my POV
> >> if we split?
> >> Instead of
> >>
> >> subsystem=keycloak/auth-server=main-auth-server
> >> subsystem=keycloak/secure-deployment=foo
> >>
> >> you would have
> >>
> >> subsystem=keycloak-server/auth-server=main-auth-server
> >> subsystem=keycloak-deployments/secure-deployment=foo
> >>
> >> Another option would be to just leave it as it is today and just hide
> >> the "auth-server" resource for installations where you don't expect the
> >> auth server to run.
> >>
> >> The answer will probably be more a function of how we want to organize
> >> the code rather than how it will look to the end user.
> >> As a end user it sounds like both work for me.
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> * Deployable to other containers - Should it be possible to deploy
> >> Keycloak
> >> to Tomcat, Jetty, Fuse, etc..? One option could be to have reduced
> >> features
> >> in other containers (for example no client-cert)
> >> The awesomeness of WildFly has forever made web containers look
> >> insignificant to me. If Glassfish still had a community edition worth a
> >> damn I would say target it as well. I don't know how TomEE is but that
> >> may be good to support just for a "first one's free" to get people into
> >> WildFly land.
> >>
> >> I don't think Websphere or WebLogic support has ever gotten anyone
> >> excited about a project. Honestly they are the technology equivalent of
> >> taking a cold shower with grandma.
> >> I could have done without that image. :-|
> >>
> >> But thanks again!
> >> YW.
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> Please add any other relevant topics.
> >>
> >> Next big discussion I want to have is about distribution of adapters,
> >> but
> >> let's do one at a time ;)
> >> _______________________________________________
> >> keycloak-dev mailing list keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >> _______________________________________________
> >> keycloak-dev mailing list keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >> _______________________________________________
> >> keycloak-dev mailing list keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >> --
> >> Summers Pittman
> >>
> >>
> >>
> >>
> >>
> >> Phone:404 941 4698
> >> Java is my crack.
> >> _______________________________________________
> >> keycloak-dev mailing list keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
> >>
> >>
> >>
> >>
> >> --
> >> Summers Pittman
> >>>> Phone:404 941 4698
> >>>> Java is my crack.
> >>
> >> _______________________________________________
> >> keycloak-dev mailing list keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
> >>
> >>
> >> _______________________________________________
> >> keycloak-dev mailing list keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
> >>
> >> --
> >> Summers Pittman
> >>>> Phone:404 941 4698
> >>>> Java is my crack.
> >>
> >>
> >> _______________________________________________
> >> keycloak-dev mailing list keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
> >>
> >>
> >> _______________________________________________
> >> keycloak-dev mailing list keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
> >>
> >> --
> >> Summers Pittman
> >>>> Phone:404 941 4698
> >>>> Java is my crack.
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
> --
> Summers Pittman
> >>Phone:404 941 4698
> >>Java is my crack.
>
>
More information about the keycloak-dev
mailing list