[keycloak-user] Keycloak data stores - Config, User, Realm, Session ...
Stian Thorgersen
sthorger at redhat.com
Wed Jan 11 05:23:16 EST 2017
On 10 January 2017 at 07:31, Santosh Haranath <santosh.haranath at gmail.com>
wrote:
> We are evaluating Keycloak for use in a multi-tenant access management
> solution deployed across 2 regions. Red Hat OpenShift Container Platform
> version 3.3 is the deployment platform.
>
> We have some data model constraints which require us to use an LDAP store.
>
> - What is Keycloak's configuration store? How is configuration
> synchronized? Where are SAML metadata, OAuth client credentials etc.
> stored?
>
Relational DB or Mongo
>
> - I have read concerns about the MongoDB data store due to transaction
> requirements and possible removal of support from V3. Which SPI requires
> transactions? When is Version 3 due?
>
Anything that updates more than one document could result in
inconsistencies in Mongo, and our current Mongo implementation is broken
into quite a few documents/collections.
3 is a couple of months away.
>
> - Can we split data store responsibilities as below?
>
> SPI -> Data Store Provider
> /subsystem=keycloak-server/spi=realm -> Mongo
> /subsystem=keycloak-server/spi=user -> LDAP
> /subsystem=keycloak-server/spi=userSessionPersister -> Infinispan
> /subsystem=keycloak-server/spi=authorizationPersister -> Infinispan
> /subsystem=keycloak-server/spi=userFederatedStorage -> LDAP
> /subsystem=keycloak-server/spi=eventsStore -> Mongo
>
Not quite yet, as we still require users synced to the KC database, but
https://issues.jboss.org/browse/KEYCLOAK-3964 will allow having users
purely in LDAP.
>
>
> Thanks.