-
Notifications
You must be signed in to change notification settings - Fork 70
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
216 create endpoints for import/export orgs (#222)
* 216 create endpoints for import/export orgs * 216 resolve comments
- Loading branch information
Showing
48 changed files
with
2,197 additions
and
1,299 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -10,29 +10,142 @@ | |
* [Import](#import) | ||
* [Organization import/export schema](#organization-importexport-schema) | ||
* [Organization roles import/export schema](#organization-roles-importexport-schema) | ||
* [IDP link import/export schema](#idp-link-importexport-schema) | ||
* [IDP link import/export schema](#identity-provider-link-importexport-schema) | ||
* [Members import/export schema](#members-importexport-schema) | ||
* [Invitations import/export schema](#invitations-importexport-schema) | ||
* [Export](#export) | ||
* [Compatibility](#compatibility) | ||
|
||
## Overview | ||
|
||
This documents describes the functionality for importing and exporting a realm containing organizations. | ||
|
||
The current approach works with the import/export functionality from the Keycloak UI console (not CLI commands) | ||
This documents describes the functionality for importing and exporting organizations from a realm. | ||
|
||
## Import | ||
|
||
Organizations can be imported, by adding `organizations` in the realm representation json. | ||
Organizations can be imported, by performing a `POST` http call to `orgs/import` endpoint. <br> | ||
The endpoint support two query parameters `skipMissingMember` and `skipMissingIdp`. <br> | ||
|
||
|
||
The import functionality is transactional meaning that all elements in the `organizations` array must be imported in order to complete successfully. | ||
|
||
|
||
If both `skipMissingMember` and `skipMissingIdp`are set to `false` the import will be strict, meaning that the realm should contain the all users and idps which are referred in the import json file. <br> | ||
|
||
E.q.: | ||
``` | ||
{ | ||
"realm": "org-realm", | ||
"enabled": true, | ||
..... | ||
"organizations": [...] | ||
} | ||
curl --location 'https://{$fqdn}/auth/realms/{{$realm}}/orgs/import?skipMissingMember=false&skipMissingIdp=false' \ | ||
--header 'Content-Type: application/json' \ | ||
--header 'Authorization: Bearer {{$access_token}}' \ | ||
--data-raw '{ | ||
"organizations": [ | ||
{ | ||
"organization": { | ||
"name": "test", | ||
"displayName": "test", | ||
"url": "test", | ||
"domains": [ | ||
"test.com", | ||
"test2.com" | ||
], | ||
"attributes": { | ||
"attr1": [ | ||
"attr1" | ||
] | ||
} | ||
}, | ||
"roles": [ | ||
{ | ||
"name": "role1", | ||
"description": "" | ||
}, | ||
{ | ||
"name": "role2", | ||
"description": "role2" | ||
} | ||
], | ||
"idpLink": "keycloak-oidc", | ||
"members": [ | ||
{ | ||
"username": "testUser", | ||
"roles": [ | ||
"role1", | ||
"manage-members" | ||
] | ||
} | ||
], | ||
"invitations": [ | ||
{ | ||
"email": "[email protected]", | ||
"inviterUsername": "testUser", | ||
"roles": ["role2"], | ||
"redirectUri": "", | ||
"attributes": {} | ||
} | ||
] | ||
}, | ||
{ | ||
"organization": { | ||
"name": "test2", | ||
"displayName": "test", | ||
"url": "", | ||
"domains": [], | ||
"attributes": {} | ||
}, | ||
"roles": [ | ||
{ | ||
"name": "view-organization" | ||
}, | ||
{ | ||
"name": "manage-organization" | ||
}, | ||
{ | ||
"name": "view-members" | ||
}, | ||
{ | ||
"name": "manage-members" | ||
}, | ||
{ | ||
"name": "view-roles" | ||
}, | ||
{ | ||
"name": "manage-roles" | ||
}, | ||
{ | ||
"name": "view-invitations" | ||
}, | ||
{ | ||
"name": "manage-invitations" | ||
}, | ||
{ | ||
"name": "view-identity-providers" | ||
}, | ||
{ | ||
"name": "manage-identity-providers" | ||
}, | ||
{ | ||
"name": "role2_test", | ||
"description": "gdssdg" | ||
} | ||
], | ||
"members": [ | ||
{ | ||
"username": "testUser2", | ||
"roles": [ | ||
"view-identity-providers", | ||
"role2_test" | ||
] | ||
}, | ||
{ | ||
"username": "testUser3", | ||
"roles": [ | ||
"view-organization", | ||
"role2_test" | ||
] | ||
} | ||
], | ||
"invitations": [] | ||
} | ||
] | ||
}' | ||
``` | ||
|
||
### Organization import/export schema | ||
|
@@ -41,9 +154,6 @@ To import an organization use the following schema. | |
|
||
``` | ||
{ | ||
"realm": "org-realm", | ||
"enabled": true, | ||
..... | ||
"organizations": [ | ||
{ | ||
"organization": { | ||
|
@@ -76,9 +186,6 @@ To import an organization roles use the following schema. | |
|
||
``` | ||
{ | ||
"realm": "org-realm", | ||
"enabled": true, | ||
....... | ||
"organizations": [ | ||
{ | ||
"organization": { | ||
|
@@ -108,20 +215,14 @@ The default organization roles are created even if not defined in the `roles`. | |
|
||
### Identity provider link import/export schema | ||
|
||
To add an identity provider to a organization use the following schema. <br> | ||
The identity provider with the `alias` mentioned in the property `idpLink` must be defined in the realm `identityProviders`. | ||
To add an identity provider to a organization use the following schema. | ||
|
||
If the `skipMissingIdp` is set to `false`, the identity provider with the `alias` mentioned in the property `idpLink` must be present the realm `identityProviders`. | ||
|
||
If the `skipMissingIdp` is set to `true`, if the identity provider with the `alias` mentioned in the property `idpLink` is not present the realm `identityProviders` the import will ignore it. | ||
|
||
``` | ||
{ | ||
"realm": "org-realm", | ||
"enabled": true, | ||
"identityProviders": [ | ||
{ | ||
"alias": "keycloak-oidc", | ||
...... | ||
} | ||
] | ||
..... | ||
"organizations": [ | ||
{ | ||
"organization": { | ||
|
@@ -136,9 +237,16 @@ The identity provider with the `alias` mentioned in the property `idpLink` must | |
|
||
### Members import/export schema | ||
|
||
To add a member to an organization use the following schema.<br> | ||
The users from the `members` must be defined in realm `users`.<br> | ||
The roles associated to a `member` must be defined in organization `roles`. | ||
To add a member to an organization use the following schema. | ||
|
||
|
||
If the `skipMissingMember` is set to `false`: | ||
- The users from the `members` must be defined in realm `users`. | ||
- The roles associated to a `member` must be defined in organization `roles`. | ||
|
||
|
||
If the `skipMissingMember` is set to `true`: | ||
- The users from the `members` which are not found in the realm `users` will be ignored. | ||
|
||
``` | ||
{ | ||
|
@@ -194,20 +302,17 @@ The roles associated to a `member` must be defined in organization `roles`. | |
|
||
### Invitations import/export schema | ||
|
||
To add an invitations to an organization use the following schema. <br> | ||
The invitation `email` should not belong to a member of the organization.<br> | ||
The `inviter` must be defined in `users` import schema. | ||
To add an invitations to an organization use the following schema. | ||
The invitation `email` should not belong to a existing member of the organization. | ||
|
||
If the `skipMissingMember` is set to `false`: | ||
- The `inviter` must be defined in `users` import schema. | ||
|
||
|
||
If the `skipMissingMember` is set to `true`: | ||
- If the `inviter` is not found in the realm `users` the invitation import will be skipped. | ||
|
||
``` | ||
"realm": "org-realm", | ||
"enabled": true, | ||
...... | ||
"users": [ | ||
{ | ||
"username": "test", | ||
"enabled": true | ||
} | ||
], | ||
"organizations": [ | ||
{ | ||
"organization": { | ||
|
@@ -242,15 +347,11 @@ The `inviter` must be defined in `users` import schema. | |
|
||
## Export | ||
|
||
Using Keycloak `/partial-export` the realm representation should include the `organizations`. Organization will not | ||
contain `members` and `invitations`.<br> | ||
Using Keycloak a `GET` http call to `orgs/export` the realm representation should include the `organizations`. Organization will not | ||
contain `members` and `invitations` if the flag `exportMembersAndInvitations` is set to `false`.<br> | ||
|
||
## Compatibility | ||
|
||
### Standard Keycloak -> Keycloak + keycloak-orgs extension | ||
|
||
A realm can be created using a valid realm representation json for the current Keycloak version. | ||
|
||
### Keycloak + keycloak-orgs extension -> Standard Keycloak | ||
|
||
To port back from PhaseTwo to standard Keycloak the `organizations` must be removed from the realm representation json. | ||
E.q.: | ||
``` | ||
curl --location 'https://{$fqdn}/auth/realms/{{$realm}}/orgs/export?exportMembersAndInvitations=true' \ | ||
--header 'Authorization: Bearer {{$access_token}}' | ||
``` |
20 changes: 0 additions & 20 deletions
20
src/main/java/io/phasetwo/service/datastore/KeycloakOrgsDatastoreProvider.java
This file was deleted.
Oops, something went wrong.
16 changes: 0 additions & 16 deletions
16
src/main/java/io/phasetwo/service/datastore/KeycloakOrgsDatastoreProviderFactory.java
This file was deleted.
Oops, something went wrong.
Oops, something went wrong.