[keycloak-user] export of realm json
Thomas Raehalme
thomas.raehalme at aitiofinland.com
Mon Oct 5 14:37:33 EDT 2015
On Oct 5, 2015 21:33, "Stan Silvert" <ssilvert at redhat.com> wrote:
>
> On 10/5/2015 2:26 PM, Thomas Raehalme wrote:
>>
>>
>> On Oct 5, 2015 21:24, "Bill Burke" <bburke at redhat.com> wrote:
>> >
>> > I'm still averse to allowing export from admin console of any
>> > credentials or private keys.
>>
>> Even if they are not directly downloadable but require access to the
server just like now?
>
> I think there should be no secrets ever downloadable from admin console.
Admin console is, by definition, remote.
>
> If you have access to the server then you can use what is there now.
>
> It is possible, however, that when we do our CLI implementation we can
verify that the user is local and allow full access. That way, you could
do full export on a running server. WildFly CLI already has logic to
verify a user is local.
I guess that would be equal in terms of functionality, you just start the
export from the CLI instead of from the admin console.
>
>
>>
>> >
>> > On 10/5/2015 2:02 PM, Stan Silvert wrote:
>> > > I'm actually starting on the design and implementation of this right
>> > > now. It's import/export from the admin console. It will also have
the
>> > > ability to import/export partial pieces of a realm such as just
users.
>> > >
>> > > Thanks for the comments so far on this thread. They have been very
helpful.
>> > >
>> > > We will keep the idea that no secrets should ever be exported from
admin
>> > > console. I'm not sure that having a flag for it in
keycloak-server.json
>> > > helps. To edit keycloak-server.json, you need access to the server,
in
>> > > which case you might as well do the current import/export.
>> > >
>> > > So what do you do after you import a user with no credentials? Some
ideas:
>> > > * The administrator can reset the password manually.
>> > > * The user can do password recovery (if enabled)
>> > >
>> > > An other ideas?
>> > >
>> > > Stan
>> > >
>> > > On 10/5/2015 12:34 PM, Tim Dudgeon wrote:
>> > >> That's a good point. Having to stop/start the server to generate an
>> > >> export is not ideal.
>> > >>
>> > >> Tim
>> > >>
>> > >> On 05/10/2015 11:56, Thomas Raehalme wrote:
>> > >>>
>> > >>>
>> > >>> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke <bburke at redhat.com
>> > >>> <mailto:bburke at redhat.com>> wrote:
>> > >>>
>> > >>> On 10/4/2015 5:37 PM, Thomas Raehalme wrote:
>> > >>>
>> > >>>
>> > >>> On Oct 4, 2015 23:57, "Bill Burke" <bburke at redhat.com
>> > >>> <mailto:bburke at redhat.com <mailto:bburke at redhat.com>>>
wrote:
>> > >>> >
>> > >>> > For security reasons we did not want to have a remote
>> > >>> option to export.
>> > >>>
>> > >>>
>> > >>> How about just storing the export as a local file on the server?
>> > >>> You'd need access to the server in order to get the file (making
the
>> > >>> system compromised anyways). The change to current behaviour is
that
>> > >>> you would be able to trigger the export at will without server
restart.
>> > >>>
>> > >>> Best regards,
>> > >>> Thomas
>> > >>>
>> > >>>
>> > >>> _______________________________________________
>> > >>> keycloak-user mailing list
>> > >>> keycloak-user at lists.jboss.org
>> > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> > >>
>> > >>
>> > >>
>> > >> _______________________________________________
>> > >> keycloak-user mailing list
>> > >> keycloak-user at lists.jboss.org
>> > >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> > >
>> > >
>> > >
>> > > _______________________________________________
>> > > keycloak-user mailing list
>> > > keycloak-user at lists.jboss.org
>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> > >
>> >
>> > --
>> > Bill Burke
>> > JBoss, a division of Red Hat
>> > http://bill.burkecentral.com
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151005/1f281a0d/attachment.html
More information about the keycloak-user
mailing list