[keycloak-user] How to migrate users and roles from in-house storage

Stian Thorgersen sthorger at redhat.com
Thu Jul 21 08:13:42 EDT 2016


We like cowboy style :)

Could you add a JIRA please?

Also you could add tests to
https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java

On 21 July 2016 at 13:13, Paulo Pires <pires at littlebits.cc> wrote:

> I went ahead, cowboy style and opened a PR for it
> https://github.com/keycloak/keycloak/pull/3056
>
> Couldn't find tests so didn't add any.
>
> Pires
>
> On Thu, Jul 21, 2016 at 12:06 PM Paulo Pires <pires at littlebits.cc> wrote:
>
>> Something like this should work though:
>>
>> @GET
>> @Produces({"application/json"})
>> @Path("default-roles")
>> List<RoleRepresentation> getDefaultRoles();
>>
>> @PUT
>> @Path("default-roles/{roleId}")
>> void addDefaultRole(@PathParam("roleId") String roleId);
>>
>> @DELETE
>> @Path("default-roles/{roleId}")
>> void removeDefaultRole(@PathParam("roleId") String roleId);
>>
>> On Thu, Jul 21, 2016 at 12:03 PM Paulo Pires <pires at littlebits.cc> wrote:
>>
>>> It's working like a charm :)
>>>
>>> Some things I learned:
>>> * Need to import resteasy deps for keycloak-admin-cli explicitly
>>> * Methods won't return errors but will throw InvocationTargetException
>>> (must be checked)
>>>
>>> Question: is there a way to set default roles? I can't seem to find it
>>> in the Java code but it is available through REST.
>>>
>>> Thanks,
>>> Pires
>>>
>>> On Thu, Jul 21, 2016 at 8:47 AM Paulo Pires <pires at littlebits.cc> wrote:
>>>
>>>> Thank you Bruno, I haven't been able to verify your code but I assume
>>>> you're sharing it because it works.
>>>>
>>>> It seems pretty trivial, awesome!
>>>>
>>>> Cheers,
>>>> Pires
>>>>
>>>> On Wed, Jul 20, 2016 at 9:30 PM Bruno Oliveira <bruno at abstractj.org>
>>>> wrote:
>>>>
>>>>> Not sure if it helps, but an example about how to do it
>>>>> programmatically is here[1].
>>>>>
>>>>> I just adapted from the admin-client[2].
>>>>>
>>>>>
>>>>> [1] -
>>>>> https://gist.github.com/abstractj/78b127e8c9273cdcea6eb82a1cfc153c
>>>>> [2] -
>>>>> https://github.com/keycloak/keycloak/tree/master/examples/admin-client
>>>>>
>>>>> On 2016-07-20, Paulo Pires wrote:
>>>>> > I did check the admin-cli JAR but it's not clear how to add roles and
>>>>> > users, or if it's even implemented (I did check the REST API and there's
>>>>> > endpoints for that).
>>>>> >
>>>>> > Thank you very much for clarifying,
>>>>> > Pires
>>>>> >
>>>>> > On Wed, Jul 20, 2016 at 2:52 PM Stian Thorgersen <sthorger at redhat.com>
>>>>> > wrote:
>>>>> >
>>>>> > > Yep, take a look at
>>>>> > > https://keycloak.gitbooks.io/server-developer-guide/content/topics/admin-rest-api.html
>>>>> > >
>>>>> > > On 20 July 2016 at 15:33, Paulo Pires <pires at littlebits.cc> wrote:
>>>>> > >
>>>>> > >> More than 150k. Is there a Java library for the REST api?
>>>>> > >>
>>>>> > >> On Jul 20, 2016 13:56, "Stian Thorgersen" <sthorger at redhat.com> wrote:
>>>>> > >>
>>>>> > >>> Depending on the amount of users I'd use either partial import through
>>>>> > >>> the admin console (if you don't have more than a thousand or so users) or
>>>>> > >>> use the admin REST endpoints if you have quite a lot of users.
>>>>> > >>>
>>>>> > >>> On 20 July 2016 at 11:52, Paulo Pires <pires at littlebits.cc> wrote:
>>>>> > >>>
>>>>> > >>>> Hi all,
>>>>> > >>>>
>>>>> > >>>> I'm in the process of migrating from an in-house user-role storage to
>>>>> > >>>> Keycloak and I'm looking for programmatic (Java) ways to migrate all
>>>>> > >>>> current users to the new storage. And I need your help to figure out the
>>>>> > >>>> best approach.
>>>>> > >>>>
>>>>> > >>>> At first, when reading KC documentation, I believed I could easily
>>>>> > >>>> achieve this by implementing a User Federation provider but after diving a
>>>>> > >>>> little more into it, and looking for examples, I can't see a way to migrate
>>>>> > >>>> all users on-demand but simply one user at a time, possibly during log-in.
>>>>> > >>>>
>>>>> > >>>> Next, I tried to look into ways, such as admin-cli, REST, etc. but
>>>>> > >>>> nothing strikes me as the solution to use.
>>>>> > >>>>
>>>>> > >>>> Here's what I was hoping to deliver:
>>>>> > >>>> * Get all roles and users from my soon-to-be deprecated storage, e.g.
>>>>> > >>>> MySQL tables
>>>>> > >>>> * Add roles to KC
>>>>> > >>>> * Iterate users and add user to KC + map roles + update password hashes
>>>>> > >>>> (here I know I need to implement a HashProvider)
>>>>> > >>>>
>>>>> > >>>> Any hints will be appreciated!
>>>>> > >>>>
>>>>> > >>>> Pires
>>>>> > >>>>
>>>>> > >>>> _______________________________________________
>>>>> > >>>> keycloak-user mailing list
>>>>> > >>>> keycloak-user at lists.jboss.org
>>>>> > >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>> > >>>>
>>>>> > >>>
>>>>> > >>>
>>>>> > >
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> abstractj
>>>>> PGP: 0x84DC9914
>>>>>
>>>>
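
The migration steps listed in the original question (add roles, then add users and map their roles), written against the javax-era Java admin client discussed in this thread. This is an added example, not code from the thread, the PR or the linked gist. The server URL, the realm name `demo`, the environment variable names and the sample users are assumptions, and importing password hashes is not covered.

```java
import java.util.*;
import javax.ws.rs.core.Response;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
public class LegacyUserMigration {
    public static void main(String[] args) {
        // Constructed sample data standing in for rows read from the legacy MySQL tables.
        Map<String, List<String>> legacyUsers = new LinkedHashMap<>();
        legacyUsers.put("alice", Arrays.asList("admin", "editor"));
        legacyUsers.put("bob", Collections.singletonList("editor"));
        // Assumed URL and realm; admin credentials come from the environment, not source code.
        Keycloak kc = Keycloak.getInstance("http://localhost:8080/auth", "master",
                System.getenv("KC_ADMIN_USER"), System.getenv("KC_ADMIN_PASSWORD"),
                "admin-cli");
        RealmResource realm = kc.realm("demo");
        // Step 1: create each missing realm role. create() returns void, so a
        // failure surfaces as an exception rather than a status code.
        Set<String> existing = new HashSet<>();
        for (RoleRepresentation r : realm.roles().list()) existing.add(r.getName());
        Set<String> wanted = new TreeSet<>();
        legacyUsers.values().forEach(wanted::addAll);
        for (String name : wanted) {
            if (existing.contains(name)) continue; // keeps the migration re-runnable
            RoleRepresentation role = new RoleRepresentation();
            role.setName(name);
            realm.roles().create(role);
        }
        // Step 2: create each user, then map realm roles onto the new user id.
        for (Map.Entry<String, List<String>> e : legacyUsers.entrySet()) {
            UserRepresentation user = new UserRepresentation();
            user.setUsername(e.getKey());
            user.setEnabled(true);
            Response resp = realm.users().create(user);
            int status = resp.getStatus();
            String location = resp.getHeaderString("Location");
            resp.close();
            if (status != 201 || location == null) { // e.g. 409 when the user already exists
                System.err.println("skipped " + e.getKey() + ": HTTP " + status);
                continue;
            }
            // The new user's id is the last path segment of the Location header.
            String userId = location.substring(location.lastIndexOf('/') + 1);
            List<RoleRepresentation> roles = new ArrayList<>();
            for (String n : e.getValue()) roles.add(realm.roles().get(n).toRepresentation());
            realm.users().get(userId).roles().realmLevel().add(roles);
        }
        kc.close();
    }
}
```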