migration fro User Federation SPI
This commit is contained in:
parent
9ef5a143c5
commit
1174ca1ef9
3 changed files with 105 additions and 0 deletions
|
@ -23,3 +23,4 @@
|
|||
.. link:topics/user-storage/cache.adoc[User Caches]
|
||||
.. link:topics/user-storage/javaee.adoc[Leveraging Java EE]
|
||||
.. link:topics/user-storage/rest.adoc[REST Management API]
|
||||
.. link:topics/user-storage/migration.adoc[Migratring from Old User Federation SPI]
|
||||
|
|
|
@ -76,3 +76,12 @@ public class EjbExampleUserStorageProviderFactory
|
|||
}
|
||||
----
|
||||
|
||||
This example also assumes that you've defined a JPA deployment in the same jar as the provider. This means a `persistence.xml`
|
||||
file as well as any JPA `@Entity` classes.
|
||||
|
||||
WARNING: When doing JPA any additional datasource you use must be an XA datasource. The {{book.project.name}} datasource
|
||||
is non-xa. If you interact with two or more non-xa datasource in the same transaction, the server will barf with
|
||||
an error message. You can only have one non-xa resource in a single transaction.
|
||||
|
||||
See the JBoss/Wildfly manual for more details on deploying an XA datasource.
|
||||
|
||||
|
|
95
topics/user-storage/migration.adoc
Normal file
95
topics/user-storage/migration.adoc
Normal file
|
@ -0,0 +1,95 @@
|
|||
|
||||
=== Migratring from Old User Federation SPI
|
||||
|
||||
NOTE: You do not need to read this chapter if you have not implemented a provider using the old (and removed)
|
||||
User Federation SPI
|
||||
|
||||
Keycloak had an older User Federation SPI in Keycloak 2.4.0 and earlier. RH-SSO 7.0, although unsupported, also had
|
||||
this older SPI available as well. This older User Federation SPI has been removed in Keycloak 2.5.0 and RH-SSO 7.1.
|
||||
If you have written a provider with this older SPI, this chapter discusses some strategies you can use to port it.
|
||||
|
||||
|
||||
==== Import vs. Non-Import
|
||||
|
||||
The old User Federation SPI required you to create a local copy of a user in the {{book.project.name}}'s database
|
||||
and import information from your exteral store to the local copy. This is no longer a requirement. You can still
|
||||
port your old provider as-is, but you should consider whether a non-import strategy might be a better approach.
|
||||
|
||||
Advantages of Import Strategy:
|
||||
|
||||
* {{book.project.name}} basically becomes a persistence user cache for your external store. Once the user is imported
|
||||
you'll no longer hit the external store thus taking load off of it.
|
||||
* If you are moving to {{book.project.name}} as your official user store and deprecating the old external store, you
|
||||
can slowly migrate applications to use {{book.project.name}}. When all applications have been migrated, unlink the
|
||||
imported user, and retire the old legacy external store.
|
||||
|
||||
There are some obvious disadvantages though to using an import strategy:
|
||||
|
||||
* Looking up a user for the first time will require multiple updates to {{book.project.name}} database. This can
|
||||
be a big performance loss under load and put a lot of strain on the {{book.project.name}} database. The user federated
|
||||
storage approach will only store extra data as needed and may never be used depending on the capabilities of your external store.
|
||||
* With the import approach, you have to keep local keycloak storage and external storage in sync. The User Storage SPI
|
||||
has capability interfaces that you can implement to support synchronization, but this can quickly become painful and messy.
|
||||
|
||||
==== UserFederationProvider vs. UserStorageProvider
|
||||
|
||||
The first thing to notice is that `UserFederationProvider` was a complete interface. You just implemented every method
|
||||
in this interface. `UserStorageProvider` instead has broken up this interface into multiple capability interfaces that
|
||||
you implement as needed.
|
||||
|
||||
`UserFederationProvider.getUserByUsername()` and `getUserByEmail()` have exact equivalents in the new SPI. The difference
|
||||
between the two is how you import. If you are going to continue with an import strategy, you no longer call
|
||||
`KeycloakSession.userStorage().addUser()' to create the user locally. Instead you call `KeycloakSession.userLocalStorage().addUser()`.
|
||||
The `userStorage()` method no longer exists.
|
||||
|
||||
The `UserFederationProvider.validateAndProxy()` method has been moved to an optional capability interface, `ImportedUserValidation`.
|
||||
You'll want to implement this interface if you are porting your old provider as-is.
|
||||
Also note that in the old SPI, this method was called every time the user was accessed, even if the local user is in the cache.
|
||||
In the new SPI, this method is only called when the local user is loaded from local storage. If the local user is cached,
|
||||
then the `ImportedUserValidation.validate()` method is not called at all.
|
||||
|
||||
The `UserFederationProvider.isValid()` method no longer exists in the new model.
|
||||
|
||||
The `UserFederationProvider` methods `synchronizeRegistrations()`, `registerUser()`, and `removeUser()` methods have been
|
||||
moved to the `UserRegistrationProvider` capability interface. This new interface is optional to implement so if your
|
||||
provider does not support creating and removing users, you don't have to implement it. If your old provider had switch
|
||||
to toggle support for registering new users, this would be supported in the new SPI be returning `null` from
|
||||
`UserRegistrationProvider.addUser()` if the provider doesn't support adding users.
|
||||
|
||||
The older `UserFederationProvider` methods centered around credentials are now encapsulated in the `CredentialInputValidator`
|
||||
and `CredentialInputUpdater` interfaces, which are also optional to implement depending on if you support validating or
|
||||
updating credentials. Credential management used to exist in `UserModel` methods. These also have been moved to the
|
||||
`CredentialInputValidator` and `CredentialInputUpdater` interfaces.
|
||||
One thing to note that if you do not implement the `CredentialInputUpdater` interface, then
|
||||
any credentials provided by your provider may be overridden locally in {{book.project.name}} storage. So if you want
|
||||
your credentials to be read-only, you should implement the `CredentialInputUpdater.updateCredential()` method and
|
||||
return a `ReadOnlyException`.
|
||||
|
||||
The `UserFederationProvider` query methods like `searchByAttributes()` and `getGroupMembers()` are now encapsulated
|
||||
in an optional interface `UserQueryProvider`. If you do not implement this interface, then users will not be viewable
|
||||
in the admin console. You'll still be able to login though.
|
||||
|
||||
==== UserFederationProviderFactory vs. UserStorageProviderFactory
|
||||
|
||||
The synchronization methods in the old SPI are now encapsulated within an optional `ImportSynchronization` interface.
|
||||
If you have implemented synchronization logic, then have your new `UserStorageProviderFactory` implement the
|
||||
`ImportSynchronization` interface.
|
||||
|
||||
==== Upgrading to new Model
|
||||
|
||||
The User Storage SPI instances are stored in a completely different set of relational tables or Mongo schema. {{book.project.name}}
|
||||
automatically runs a migration script. If any older User Federation providers are deployed for a realm, they will be converted
|
||||
to the new storage model as is, including the `id` of the data. This migration will only happen if there exists a User Storage provider
|
||||
with the same provider id (i.e. "ldap", "kerberos") as the old User Federation provider.
|
||||
|
||||
So, knowing this there are different approaches you can take.
|
||||
|
||||
. You can remove the old provider in your old {{book.project.name}} deployment. This will remove all local linked copies
|
||||
of imported users. Then, when you upgrade {{book.project.name}}, just deploy and configure your new provider for your realm.
|
||||
. The second option is to write your new provider making sure it has the same provider id: `UserStorageProviderFactory.getId()`.
|
||||
Make sure this provider is in the `deploy/` directory of the new {{book.project.name}} installation. Boot the server, and have
|
||||
the built-in migration script convert from the old data model to the new data model. In this case all your old linked imported
|
||||
users will work and be the same.
|
||||
|
||||
If you have decided to get rid of the import strategy and rewrite your User Storage provider, we suggest that you remove the old provider
|
||||
before upgrading {{book.project.name}}. This will remove linked local imported copies of any user you imported.
|
Loading…
Reference in a new issue