Merge pull request #426 from patriot1burke/master

docs and master realm rename
This commit is contained in:
Bill Burke 2014-05-28 09:51:56 -04:00
commit 3c605a7740
9 changed files with 116 additions and 19 deletions

View file

@ -12,7 +12,7 @@ public class Config {
}
public static String getAdminRealm() {
return configProvider.scope("admin").get("realm", "keycloak-admin");
return configProvider.scope("admin").get("realm", "master");
}
public static String getProvider(String spi) {

View file

@ -6,6 +6,7 @@
<!ENTITY Installation SYSTEM "modules/server-installation.xml">
<!ENTITY OpenShift SYSTEM "modules/openshift.xml">
<!ENTITY AdminPermissions SYSTEM "modules/admin-permissions.xml">
<!ENTITY PerRealmAdminPermissions SYSTEM "modules/per-realm-admin-permissions.xml">
<!ENTITY AdapterConfig SYSTEM "modules/adapter-config.xml">
<!ENTITY JBossAdapter SYSTEM "modules/jboss-adapter.xml">
<!ENTITY JavascriptAdapter SYSTEM "modules/javascript-adapter.xml">
@ -64,6 +65,7 @@ This one is short
&Installation;
&OpenShift;
&AdminPermissions;
&PerRealmAdminPermissions;
<chapter>
<title>Adapters</title>
<para>

View file

@ -23,6 +23,10 @@
Social Login. Enable Google, GitHub, Facebook, Twitter social login with no code required.
</listitem>
<listitem>
LDAP and Active Directory support.
</listitem>
<listitem>
Optional User Registration
</listitem>
@ -32,7 +36,25 @@
</listitem>
<listitem>
Pluggable theme and style support for user facing screens.
Forgot password support. User can have an email sent to them
</listitem>
<listitem>
Reset password/totp. Admin can force a password reset, or set up a temporary password.
</listitem>
<listitem>
Not-before revocation policies per realm, application, or user.
</listitem>
<listitem>
User session management. Admin can view user sessions and what applications/clients have an access token. Sessions can be invalidated
per realm or per user.
</listitem>
<listitem>
Pluggable theme and style support for user facing screens. Login, grant pages, account mgmt, and admin console all
can be styled, branded, and tailored to your application and organizational needs.
</listitem>
<listitem>
@ -64,11 +86,14 @@
Admin Console for managing users, roles, role mappings, applications, user sessions, allowed CORS web origins, and OAuth clients.
</listitem>
<listitem>
Account Management console that allows users to manage their own account
Account Management console that allows users to manage their own account, view their open sessions, reset passwords, etc.
</listitem>
<listitem>
Deployable as a WAR, appliance, or on Openshift.
</listitem>
<listitem>
Multitenancy support. You can host and manage multiple realms for multiple organizations.
</listitem>
<listitem>
Supports JBoss AS7, EAP 6.x, Wildfly and JavaScript applications. Plans to support Node.js, RAILS, GRAILS, and other non-Java deployments
</listitem>
@ -100,7 +125,7 @@
<section>
<title>How Does Security Work in Keycloak?</title>
<para>
Keycloak uses <emphasis>access tokens</emphasis>. Access tokens contains security metadata specifying the
Keycloak uses <emphasis>access tokens</emphasis> to secure web invocations. Access tokens contains security metadata specifying the
identity of the user as well as the role mappings for that user. The format of these tokens is a Keycloak
extension to the <ulink url="http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-14">JSON Web Token</ulink> specification. Each realm has a private and public key pair
which it uses to digitally sign the access token using the <ulink url="http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-19">JSON Web Signature</ulink> specification.
@ -114,7 +139,7 @@
no need for them to store any security metadata locally other than the public key of the realm.
</para>
<para>
Signed access tokens can also be proprogated by REST client requests within an <literal>Authorization</literal>
Signed access tokens can also be propagated by REST client requests within an <literal>Authorization</literal>
header. This is great for distributed integration as applications can request a login from a client to obtain
an access token, then invoke any aggregated REST invocations to other services using that access token. So,
you have a distributed security model that is centrally managed, yet does not require a Keycloak Server hit

View file

@ -1,13 +1,20 @@
<chapter id="admin-permissions">
<title>Admin Access Control</title>
<title>Master Admin Access Control</title>
<para>
Access to The Admin Console and REST endpoints can be controlled by mapping roles to users in the <literal>keycloak-admin</literal> realm.
You can create and manage multiple realms by logging into the <literal>master</literal> Keycloak admin console
at <literal>/{keycloak-root/admin/index.html</literal>
</para>
<para>
Users in the Keycloak <literal>master</literal> realm can be granted permission to manage zero or more realms that are
deployed on the Keycloak server. When a realm is created, Keycloak automatically creates various roles that grant fine-grain
permissions to access that new realm.
Access to The Admin Console and REST endpoints can be controlled by mapping these roles to users in the <literal>master</literal> realm.
It's possible to create multiple super users as well as users that have only access to certain operations in specific realms.
</para>
<section>
<title>Global Roles</title>
<para>
There are two realm roles in the <literal>keycloak-admin</literal> realm. These are:
There are two realm roles in the <literal>master</literal> realm. These are:
<itemizedlist>
<listitem>
<literal>admin</literal> - This is the super-user role and grants permissions to all operations on all realms
@ -18,7 +25,7 @@
</itemizedlist>
</para>
<para>
To add these roles to a user select the <literal>keycloak-admin</literal> realm, then click on <literal>Users</literal>.
To add these roles to a user select the <literal>master</literal> realm, then click on <literal>Users</literal>.
Find the user you want to grant permissions to, open the user and click on <literal>Role Mappings</literal>. Under
<literal>Realm Roles</literal> assign any of the above roles to the user by selecting it and clicking on the right-arrow.
</para>
@ -27,7 +34,7 @@
<section>
<title>Realm Specific Roles</title>
<para>
Each realm in Keycloak is represented by an application in the <literal>keycloak-admin</literal> realm. The name of the application
Each realm in Keycloak is represented by an application in the <literal>master</literal> realm. The name of the application
is <literal>&lt;realm name&gt;-realm</literal>. This allows assigning access to users for individual realms. The
roles available are:
<itemizedlist>
@ -60,7 +67,7 @@
Manage roles includes permissions to view (for example a user with manage-realm role can also view the realm configuration).
</para>
<para>
To add these roles to a user select the <literal>keycloak-admin</literal> realm, then click on <literal>Users</literal>.
To add these roles to a user select the <literal>master</literal> realm, then click on <literal>Users</literal>.
Find the user you want to grant permissions to, open the user and click on <literal>Role Mappings</literal>. Under
<literal>Application Roles</literal> select the application that represents the realm you're adding permissions to
(<literal>&lt;realm name&gt;-realm</literal>), then assign any of the above roles to the user by selecting it and clicking on the right-arrow.

View file

@ -0,0 +1,59 @@
<chapter id="per-realm-admin-permissions">
<title>Per Realm Admin Access Control</title>
<para>
Administering your realm through the <literal>master</literal> realm as discussed in <xref linkend="admin-permissions" /> may not always be
ideal or feasible. For example, maybe you have more than one admin application that manages various admin aspects of your organization
and you want to unify all these different "admin consoles" under one realm so you can do SSO between them. Keycloak allows you to
grant realm admin privleges to users within that realm. These realm admins can participate in SSO for that realm and
visit a keycloak admin console instance that is dedicated solely for that realm by going to the url:
<literal>/{keycloak-root}/admin/{realm}/console</literal>
</para>
<section>
<title>Realm Roles</title>
<para>
Each realm has a built-in application called <literal>realm-management</literal>. This application defines
roles that define permissions that can be granted to manage the realm.
<itemizedlist>
<listitem>
<literal>realm-admin</literal> - This is a composite role that grants all admin privileges for managing
security for that realm.
</listitem>
</itemizedlist>
These are more fine-grain roles you can assign to the user.
<itemizedlist>
<listitem>
<literal>view-realm</literal> - View the realm configuration
</listitem>
<listitem>
<literal>view-users</literal> - View users (including details for specific user) in the realm
</listitem>
<listitem>
<literal>view-applications</literal> - View applications in the realm
</listitem>
<listitem>
<literal>view-clients</literal> - View clients in the realm
</listitem>
<listitem>
<literal>manage-realm</literal> - Modify the realm configuration (and delete the realm)
</listitem>
<listitem>
<literal>manage-users</literal> - Create, modify and delete users in the realm
</listitem>
<listitem>
<literal>manage-applications</literal> - Create, modify and delete applications in the realm
</listitem>
<listitem>
<literal>manage-clients</literal> - Create, modify and delete clients in the realm
</listitem>
</itemizedlist>
Manage roles includes permissions to view (for example a user with manage-realm role can also view the realm configuration).
</para>
<para>
To add these roles to a user select the realm you want. Then click on <literal>Users</literal>.
Find the user you want to grant permissions to, open the user and click on <literal>Role Mappings</literal>. Under
<literal>Application Roles</literal> select <literal>realm-management</literal>, then assign any of the above roles to the user by selecting it and clicking on the right-arrow.
</para>
</section>
</chapter>

View file

@ -56,8 +56,8 @@ keycloak-appliance-dist-all-1.0-beta-1-SNAPSHOT/
<literal>standalone.bat</literal>
script is used to start the server.
After executing that, log into the admin console at<ulink
url="http://localhost:8080/auth/rest/admin/login">
http://localhost:8080/auth/rest/admin/login</ulink>.
url="http://localhost:8080/auth/admin/index.html">
http://localhost:8080/auth/admin/index.html</ulink>.
Username: <emphasis>admin</emphasis>
Password: <emphasis>admin</emphasis>. Keycloak will then prompt you to
enter in a new password.
@ -107,8 +107,11 @@ keycloak-war-dist-all-1.0-beta-1-SNAPSHOT/
</para>
<para>
After booting up the JBoss or Wildfly distro, you can then make sure it is installed properly
by logging into the admin console at<ulink url="http://localhost:8080/auth/admin">http://localhost:8080/auth/admin</ulink>.
Username: <emphasis>admin</emphasis>, Password: <emphasis>admin</emphasis>. Keycloak will then prompt you to
by logging into the admin console at<ulink
url="http://localhost:8080/auth/admin/index.html">
http://localhost:8080/auth/admin/index.html</ulink>.
Username: <emphasis>admin</emphasis>
Password: <emphasis>admin</emphasis>. Keycloak will then prompt you to
enter in a new password.
</para>
</section>
@ -315,6 +318,7 @@ keycloak-war-dist-all-1.0-beta-1-SNAPSHOT/
<programlisting>
WARN [org.jboss.resteasy.core.ResourceLocator] (http-/127.0.0.1:8080-3)
Field providers of subresource xxx will not be injected according to spec
</programlisting>
<para>

View file

@ -1,6 +1,6 @@
{
"admin": {
"realm": "keycloak-admin"
"realm": "master"
},
"model": {

View file

@ -1,6 +1,6 @@
{
"admin": {
"realm": "keycloak-admin"
"realm": "master"
},
"audit": {

View file

@ -1,6 +1,6 @@
{
"admin": {
"realm": "keycloak-admin"
"realm": "master"
},
"audit": {