Merge pull request #426 from patriot1burke/master
docs and master realm rename
This commit is contained in:
commit
3c605a7740
9 changed files with 116 additions and 19 deletions
|
@ -12,7 +12,7 @@ public class Config {
|
|||
}
|
||||
|
||||
public static String getAdminRealm() {
|
||||
return configProvider.scope("admin").get("realm", "keycloak-admin");
|
||||
return configProvider.scope("admin").get("realm", "master");
|
||||
}
|
||||
|
||||
public static String getProvider(String spi) {
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
<!ENTITY Installation SYSTEM "modules/server-installation.xml">
|
||||
<!ENTITY OpenShift SYSTEM "modules/openshift.xml">
|
||||
<!ENTITY AdminPermissions SYSTEM "modules/admin-permissions.xml">
|
||||
<!ENTITY PerRealmAdminPermissions SYSTEM "modules/per-realm-admin-permissions.xml">
|
||||
<!ENTITY AdapterConfig SYSTEM "modules/adapter-config.xml">
|
||||
<!ENTITY JBossAdapter SYSTEM "modules/jboss-adapter.xml">
|
||||
<!ENTITY JavascriptAdapter SYSTEM "modules/javascript-adapter.xml">
|
||||
|
@ -64,6 +65,7 @@ This one is short
|
|||
&Installation;
|
||||
&OpenShift;
|
||||
&AdminPermissions;
|
||||
&PerRealmAdminPermissions;
|
||||
<chapter>
|
||||
<title>Adapters</title>
|
||||
<para>
|
||||
|
|
|
@ -23,6 +23,10 @@
|
|||
Social Login. Enable Google, GitHub, Facebook, Twitter social login with no code required.
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
LDAP and Active Directory support.
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
Optional User Registration
|
||||
</listitem>
|
||||
|
@ -32,7 +36,25 @@
|
|||
</listitem>
|
||||
|
||||
<listitem>
|
||||
Pluggable theme and style support for user facing screens.
|
||||
Forgot password support. User can have an email sent to them
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
Reset password/totp. Admin can force a password reset, or set up a temporary password.
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
Not-before revocation policies per realm, application, or user.
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
User session management. Admin can view user sessions and what applications/clients have an access token. Sessions can be invalidated
|
||||
per realm or per user.
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
Pluggable theme and style support for user facing screens. Login, grant pages, account mgmt, and admin console all
|
||||
can be styled, branded, and tailored to your application and organizational needs.
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
@ -64,11 +86,14 @@
|
|||
Admin Console for managing users, roles, role mappings, applications, user sessions, allowed CORS web origins, and OAuth clients.
|
||||
</listitem>
|
||||
<listitem>
|
||||
Account Management console that allows users to manage their own account
|
||||
Account Management console that allows users to manage their own account, view their open sessions, reset passwords, etc.
|
||||
</listitem>
|
||||
<listitem>
|
||||
Deployable as a WAR, appliance, or on Openshift.
|
||||
</listitem>
|
||||
<listitem>
|
||||
Multitenancy support. You can host and manage multiple realms for multiple organizations.
|
||||
</listitem>
|
||||
<listitem>
|
||||
Supports JBoss AS7, EAP 6.x, Wildfly and JavaScript applications. Plans to support Node.js, RAILS, GRAILS, and other non-Java deployments
|
||||
</listitem>
|
||||
|
@ -100,7 +125,7 @@
|
|||
<section>
|
||||
<title>How Does Security Work in Keycloak?</title>
|
||||
<para>
|
||||
Keycloak uses <emphasis>access tokens</emphasis>. Access tokens contains security metadata specifying the
|
||||
Keycloak uses <emphasis>access tokens</emphasis> to secure web invocations. Access tokens contains security metadata specifying the
|
||||
identity of the user as well as the role mappings for that user. The format of these tokens is a Keycloak
|
||||
extension to the <ulink url="http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-14">JSON Web Token</ulink> specification. Each realm has a private and public key pair
|
||||
which it uses to digitally sign the access token using the <ulink url="http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-19">JSON Web Signature</ulink> specification.
|
||||
|
@ -114,7 +139,7 @@
|
|||
no need for them to store any security metadata locally other than the public key of the realm.
|
||||
</para>
|
||||
<para>
|
||||
Signed access tokens can also be proprogated by REST client requests within an <literal>Authorization</literal>
|
||||
Signed access tokens can also be propagated by REST client requests within an <literal>Authorization</literal>
|
||||
header. This is great for distributed integration as applications can request a login from a client to obtain
|
||||
an access token, then invoke any aggregated REST invocations to other services using that access token. So,
|
||||
you have a distributed security model that is centrally managed, yet does not require a Keycloak Server hit
|
||||
|
|
|
@ -1,13 +1,20 @@
|
|||
<chapter id="admin-permissions">
|
||||
<title>Admin Access Control</title>
|
||||
<title>Master Admin Access Control</title>
|
||||
<para>
|
||||
Access to The Admin Console and REST endpoints can be controlled by mapping roles to users in the <literal>keycloak-admin</literal> realm.
|
||||
You can create and manage multiple realms by logging into the <literal>master</literal> Keycloak admin console
|
||||
at <literal>/{keycloak-root/admin/index.html</literal>
|
||||
</para>
|
||||
<para>
|
||||
Users in the Keycloak <literal>master</literal> realm can be granted permission to manage zero or more realms that are
|
||||
deployed on the Keycloak server. When a realm is created, Keycloak automatically creates various roles that grant fine-grain
|
||||
permissions to access that new realm.
|
||||
Access to The Admin Console and REST endpoints can be controlled by mapping these roles to users in the <literal>master</literal> realm.
|
||||
It's possible to create multiple super users as well as users that have only access to certain operations in specific realms.
|
||||
</para>
|
||||
<section>
|
||||
<title>Global Roles</title>
|
||||
<para>
|
||||
There are two realm roles in the <literal>keycloak-admin</literal> realm. These are:
|
||||
There are two realm roles in the <literal>master</literal> realm. These are:
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<literal>admin</literal> - This is the super-user role and grants permissions to all operations on all realms
|
||||
|
@ -18,7 +25,7 @@
|
|||
</itemizedlist>
|
||||
</para>
|
||||
<para>
|
||||
To add these roles to a user select the <literal>keycloak-admin</literal> realm, then click on <literal>Users</literal>.
|
||||
To add these roles to a user select the <literal>master</literal> realm, then click on <literal>Users</literal>.
|
||||
Find the user you want to grant permissions to, open the user and click on <literal>Role Mappings</literal>. Under
|
||||
<literal>Realm Roles</literal> assign any of the above roles to the user by selecting it and clicking on the right-arrow.
|
||||
</para>
|
||||
|
@ -27,7 +34,7 @@
|
|||
<section>
|
||||
<title>Realm Specific Roles</title>
|
||||
<para>
|
||||
Each realm in Keycloak is represented by an application in the <literal>keycloak-admin</literal> realm. The name of the application
|
||||
Each realm in Keycloak is represented by an application in the <literal>master</literal> realm. The name of the application
|
||||
is <literal><realm name>-realm</literal>. This allows assigning access to users for individual realms. The
|
||||
roles available are:
|
||||
<itemizedlist>
|
||||
|
@ -60,7 +67,7 @@
|
|||
Manage roles includes permissions to view (for example a user with manage-realm role can also view the realm configuration).
|
||||
</para>
|
||||
<para>
|
||||
To add these roles to a user select the <literal>keycloak-admin</literal> realm, then click on <literal>Users</literal>.
|
||||
To add these roles to a user select the <literal>master</literal> realm, then click on <literal>Users</literal>.
|
||||
Find the user you want to grant permissions to, open the user and click on <literal>Role Mappings</literal>. Under
|
||||
<literal>Application Roles</literal> select the application that represents the realm you're adding permissions to
|
||||
(<literal><realm name>-realm</literal>), then assign any of the above roles to the user by selecting it and clicking on the right-arrow.
|
||||
|
|
59
docbook/reference/en/en-US/modules/per-realm-admin-permissions.xml
Executable file
59
docbook/reference/en/en-US/modules/per-realm-admin-permissions.xml
Executable file
|
@ -0,0 +1,59 @@
|
|||
<chapter id="per-realm-admin-permissions">
|
||||
<title>Per Realm Admin Access Control</title>
|
||||
<para>
|
||||
Administering your realm through the <literal>master</literal> realm as discussed in <xref linkend="admin-permissions" /> may not always be
|
||||
ideal or feasible. For example, maybe you have more than one admin application that manages various admin aspects of your organization
|
||||
and you want to unify all these different "admin consoles" under one realm so you can do SSO between them. Keycloak allows you to
|
||||
grant realm admin privleges to users within that realm. These realm admins can participate in SSO for that realm and
|
||||
visit a keycloak admin console instance that is dedicated solely for that realm by going to the url:
|
||||
<literal>/{keycloak-root}/admin/{realm}/console</literal>
|
||||
</para>
|
||||
<section>
|
||||
<title>Realm Roles</title>
|
||||
<para>
|
||||
Each realm has a built-in application called <literal>realm-management</literal>. This application defines
|
||||
roles that define permissions that can be granted to manage the realm.
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<literal>realm-admin</literal> - This is a composite role that grants all admin privileges for managing
|
||||
security for that realm.
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
These are more fine-grain roles you can assign to the user.
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<literal>view-realm</literal> - View the realm configuration
|
||||
</listitem>
|
||||
<listitem>
|
||||
<literal>view-users</literal> - View users (including details for specific user) in the realm
|
||||
</listitem>
|
||||
<listitem>
|
||||
<literal>view-applications</literal> - View applications in the realm
|
||||
</listitem>
|
||||
<listitem>
|
||||
<literal>view-clients</literal> - View clients in the realm
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<literal>manage-realm</literal> - Modify the realm configuration (and delete the realm)
|
||||
</listitem>
|
||||
<listitem>
|
||||
<literal>manage-users</literal> - Create, modify and delete users in the realm
|
||||
</listitem>
|
||||
<listitem>
|
||||
<literal>manage-applications</literal> - Create, modify and delete applications in the realm
|
||||
</listitem>
|
||||
<listitem>
|
||||
<literal>manage-clients</literal> - Create, modify and delete clients in the realm
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
Manage roles includes permissions to view (for example a user with manage-realm role can also view the realm configuration).
|
||||
</para>
|
||||
<para>
|
||||
To add these roles to a user select the realm you want. Then click on <literal>Users</literal>.
|
||||
Find the user you want to grant permissions to, open the user and click on <literal>Role Mappings</literal>. Under
|
||||
<literal>Application Roles</literal> select <literal>realm-management</literal>, then assign any of the above roles to the user by selecting it and clicking on the right-arrow.
|
||||
</para>
|
||||
</section>
|
||||
</chapter>
|
|
@ -56,8 +56,8 @@ keycloak-appliance-dist-all-1.0-beta-1-SNAPSHOT/
|
|||
<literal>standalone.bat</literal>
|
||||
script is used to start the server.
|
||||
After executing that, log into the admin console at<ulink
|
||||
url="http://localhost:8080/auth/rest/admin/login">
|
||||
http://localhost:8080/auth/rest/admin/login</ulink>.
|
||||
url="http://localhost:8080/auth/admin/index.html">
|
||||
http://localhost:8080/auth/admin/index.html</ulink>.
|
||||
Username: <emphasis>admin</emphasis>
|
||||
Password: <emphasis>admin</emphasis>. Keycloak will then prompt you to
|
||||
enter in a new password.
|
||||
|
@ -107,8 +107,11 @@ keycloak-war-dist-all-1.0-beta-1-SNAPSHOT/
|
|||
</para>
|
||||
<para>
|
||||
After booting up the JBoss or Wildfly distro, you can then make sure it is installed properly
|
||||
by logging into the admin console at<ulink url="http://localhost:8080/auth/admin">http://localhost:8080/auth/admin</ulink>.
|
||||
Username: <emphasis>admin</emphasis>, Password: <emphasis>admin</emphasis>. Keycloak will then prompt you to
|
||||
by logging into the admin console at<ulink
|
||||
url="http://localhost:8080/auth/admin/index.html">
|
||||
http://localhost:8080/auth/admin/index.html</ulink>.
|
||||
Username: <emphasis>admin</emphasis>
|
||||
Password: <emphasis>admin</emphasis>. Keycloak will then prompt you to
|
||||
enter in a new password.
|
||||
</para>
|
||||
</section>
|
||||
|
@ -315,6 +318,7 @@ keycloak-war-dist-all-1.0-beta-1-SNAPSHOT/
|
|||
<programlisting>
|
||||
WARN [org.jboss.resteasy.core.ResourceLocator] (http-/127.0.0.1:8080-3)
|
||||
Field providers of subresource xxx will not be injected according to spec
|
||||
|
||||
</programlisting>
|
||||
|
||||
<para>
|
||||
|
|
2
project-integrations/aerogear-ups/auth-server/src/main/webapp/WEB-INF/keycloak-server.json
Normal file → Executable file
2
project-integrations/aerogear-ups/auth-server/src/main/webapp/WEB-INF/keycloak-server.json
Normal file → Executable file
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
"admin": {
|
||||
"realm": "keycloak-admin"
|
||||
"realm": "master"
|
||||
},
|
||||
|
||||
"model": {
|
||||
|
|
2
server/src/main/resources/META-INF/keycloak-server.json
Normal file → Executable file
2
server/src/main/resources/META-INF/keycloak-server.json
Normal file → Executable file
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
"admin": {
|
||||
"realm": "keycloak-admin"
|
||||
"realm": "master"
|
||||
},
|
||||
|
||||
"audit": {
|
||||
|
|
2
testsuite/integration/src/main/resources/META-INF/keycloak-server.json
Normal file → Executable file
2
testsuite/integration/src/main/resources/META-INF/keycloak-server.json
Normal file → Executable file
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
"admin": {
|
||||
"realm": "keycloak-admin"
|
||||
"realm": "master"
|
||||
},
|
||||
|
||||
"audit": {
|
||||
|
|
Loading…
Reference in a new issue