[keycloak-user] export of realm json
Stan Silvert
ssilvert at redhat.com
Tue Oct 6 07:04:46 EDT 2015
On 10/5/2015 3:18 PM, Marek Posolda wrote:
> Btw. Stan, is your work going to be added to 1.6 or is it for the next
> release? I am just asking because there is one pending PR, which is
> likely going to be merged for 1.6 -
> https://github.com/keycloak/keycloak/pull/1656/files . After merging
> this, we discussed with Stian some additional minor changes (namely
> removing the "zip" export/import provider as nobody seems to be
> using it so far). I should also double-check that import still works
> after those changes.
>
> I am going to look at this likely next week and it's going to be
> included in 1.6. I am asking as I don't want to edit the same code as
> you and break something you're working on ;-)
It definitely won't make it for 1.6. I'm just getting started, figuring
out the requirements, and figuring out how it will all work.
>
> Marek
>
> On 05/10/15 20:33, Stan Silvert wrote:
>> On 10/5/2015 2:26 PM, Thomas Raehalme wrote:
>>>
>>>
>>> On Oct 5, 2015 21:24, "Bill Burke" <bburke at redhat.com> wrote:
>>> >
>>> > I'm still averse to allowing export from admin console of any
>>> > credentials or private keys.
>>>
>>> Even if they are not directly downloadable but require access to the
>>> server just like now?
>>>
>> I think there should be no secrets ever downloadable from admin
>> console. Admin console is, by definition, remote.
>>
>> If you have access to the server then you can use what is there now.
>>
>> It is possible, however, that when we do our CLI implementation we
>> can verify that the user is local and allow full access. That way,
>> you could do full export on a running server. WildFly CLI already
>> has logic to verify a user is local.
>>
>>>
>>> >
>>> > On 10/5/2015 2:02 PM, Stan Silvert wrote:
>>> > > I'm actually starting on the design and implementation of this right
>>> > > now. It's import/export from the admin console. It will also have the
>>> > > ability to import/export partial pieces of a realm such as just users.
>>> > >
>>> > > Thanks for the comments so far on this thread. They have been very helpful.
>>> > >
>>> > > We will keep the idea that no secrets should ever be exported from admin
>>> > > console. I'm not sure that having a flag for it in keycloak-server.json
>>> > > helps. To edit keycloak-server.json, you need access to the server, in
>>> > > which case you might as well do the current import/export.
>>> > >
>>> > > So what do you do after you import a user with no credentials? Some ideas:
>>> > > * The administrator can reset the password manually.
>>> > > * The user can do password recovery (if enabled)
>>> > >
>>> > > Any other ideas?
>>> > >
>>> > > Stan
>>> > >
>>> > > On 10/5/2015 12:34 PM, Tim Dudgeon wrote:
>>> > >> That's a good point. Having to stop/start the server to generate an
>>> > >> export is not ideal.
>>> > >>
>>> > >> Tim
>>> > >>
>>> > >> On 05/10/2015 11:56, Thomas Raehalme wrote:
>>> > >>>
>>> > >>>
>>> > >>> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke <bburke at redhat.com> wrote:
>>> > >>>
>>> > >>> On 10/4/2015 5:37 PM, Thomas Raehalme wrote:
>>> > >>>
>>> > >>>
>>> > >>> On Oct 4, 2015 23:57, "Bill Burke" <bburke at redhat.com> wrote:
>>> > >>> >
>>> > >>> > For security reasons we did not want to have a remote option to export.
>>> > >>>
>>> > >>>
>>> > >>> How about just storing the export as a local file on the server?
>>> > >>> You'd need access to the server in order to get the file (making the
>>> > >>> system compromised anyways). The change to current behaviour is that
>>> > >>> you would be able to trigger the export at will without server restart.
>>> > >>>
>>> > >>> Best regards,
>>> > >>> Thomas
>>> > >>>
>>> > >>>
>>> > >>> _______________________________________________
>>> > >>> keycloak-user mailing list
>>> > >>> keycloak-user at lists.jboss.org
>>> > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >
>>> > --
>>> > Bill Burke
>>> > JBoss, a division of Red Hat
>>> > http://bill.burkecentral.com
>
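A concrete illustration of the rule the thread converges on (no credentials or private keys should ever leave the server through the admin console), written as an added example; it is not Keycloak code and was not posted by anyone on this thread. It post-processes a realm export JSON before it is handed to a remote administrator, dropping credential-bearing fields while keeping non-secret settings whose names merely contain "password" (such as the password policy). The key names it looks for (privateKey, codeSecret, a client's secret, smtpServer password, an identity provider's clientSecret, a user's credentials) are assumptions about the realm representation and should be checked against the export your own Keycloak version produces; the sample export is constructed.

```python
"""Strip credentials and private keys from a Keycloak realm export JSON.

Added example; not Keycloak code and not posted by anyone on this thread.
The key names below are assumptions about the realm representation and
should be checked against the export your own Keycloak version produces.
"""
import json
import re

# Keys that always carry a secret in a realm export (assumed names).
SECRET_KEYS = {
    "privateKey",    # realm signing key
    "codeSecret",    # realm code-signing secret
    "secret",        # confidential client secret
    "clientSecret",  # identity provider config
    "password",      # smtpServer, LDAP bind, etc.
    "credentials",   # per-user password hashes / OTP secrets
}
# Heuristic for other secret-bearing names ("smtpPassword", "bindSecret").
# Suffix-only on purpose: "passwordPolicy" and "resetPasswordAllowed"
# are configuration, not secrets, and must survive.
SECRET_SUFFIX = re.compile(r"(secret|password|privatekey)$", re.IGNORECASE)


def is_secret_key(key, value):
    """True if `key` should be dropped. The heuristic only fires on
    string values, so a boolean like resetPasswordAllowed is never stripped."""
    if key in SECRET_KEYS:
        return True
    return isinstance(value, str) and SECRET_SUFFIX.search(key) is not None


def strip_secrets(node, path="$", removed=None):
    """Return a copy of `node` with secret-bearing keys removed.

    `removed` collects the JSONPath-like location of every dropped key so
    the operator can see which users and clients need new credentials.
    """
    if removed is None:
        removed = []
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            if is_secret_key(key, value):
                removed.append(f"{path}.{key}")
            else:
                out[key] = strip_secrets(value, f"{path}.{key}", removed)
        return out
    if isinstance(node, list):
        return [strip_secrets(v, f"{path}[{i}]", removed)
                for i, v in enumerate(node)]
    return node


def sanitize_realm(realm_json):
    """Parse a realm export string; return (clean_dict, removed_paths)."""
    removed = []
    clean = strip_secrets(json.loads(realm_json), removed=removed)
    return clean, removed


# Constructed sample, not a real export; only the fields relevant here.
SAMPLE_EXPORT = json.dumps({
    "realm": "demo",
    "enabled": True,
    "resetPasswordAllowed": True,
    "passwordPolicy": "length(8)",
    "privateKey": "MIIEv...",
    "publicKey": "MIIBI...",
    "codeSecret": "0f1e2d...",
    "smtpServer": {"host": "smtp.example.org", "user": "mailer",
                   "password": "hunter2"},
    "clients": [{"clientId": "app", "secret": "e3b0c442-..."}],
    "identityProviders": [{"alias": "google",
                           "config": {"clientId": "x", "clientSecret": "y"}}],
    "users": [{"username": "alice",
               "credentials": [{"type": "password",
                                "hashedSaltedValue": "..."}]}],
})

if __name__ == "__main__":
    clean, removed = sanitize_realm(SAMPLE_EXPORT)
    print(json.dumps(clean, indent=2))
    print("removed:", removed)
```

The list of removed paths is the part an administrator actually needs after a secret-free export is imported elsewhere: every entry under users[...] is someone who will have to get a manual password reset or go through password recovery, and every entry under clients[...] is a client whose secret has to be regenerated, which is exactly the follow-up question Stan raises above.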