Open pt247 opened 1 month ago
Nebari uses Keycloak to manage users and groups.
Keycloak also manages clients for services like Jupyterhub, argo-server-sso, conda_store, etc. Nebari creates these clients automatically, so we don't have to expose them. Nebari also pre-created roles, so we can skip exposing them.
The Nebari API will consolidate responses from the internal Keycloak API and return a consolidated JSON response. This JSON representation should contain enough information to restore the same user in another instance of Keycloak. Assumptions:
With this context, to accurately re-create the Nebari Keycloak, we need the following endpoints:
GET /users (Get all users)
GET /users/{id} (Get user details)
POST /users/ (Create a new user.)
DELETE /users/{id} (Get user details)
That's a nice description of all the concepts, thanks @pt247. Have you started working on this yet? I am considering scheduling a meeting for this as well.
Thanks @viniciusdc
Have you started working on this yet? I am considering scheduling a meeting for this as well
No, I have not started. A meeting focusing only on Keycloak backup and restore would help.
@tylergraff I assume you have some experience in backup and restore. I was wondering how you migrate credentials? Also, can you share any scripts you use to automate/semi-automate Keycloak migration?
@kalpanachinnappan We are starting work on backup and restore. Keycloak is the first component we are considering. We would like your input on this as well.
As this solution may rely on the Keycloak API, @viniciusdc suggested we might want to compare the current Keycloak API with the latest version of Keycloak.
Yes, mainly due to more flexibility of the exporting/importing features that the newer Keycloak versions allow (it might help us handle the credentials issue).
Feature description
Backup and Restore RFD
Value and/or benefit
Nebari Admin can access Keycloak API and query user data.
We need to create a backup controller to expose the existing Keycloak API to authenticated users. This can be a REST API using FastAPI.
/api/v1/keycloak: Expose existing Keycloak Admin REST API - docs
So for example: GET /api/v1/keycloak/admin/realms/nebari/users should get us a list of all the non-admin users.
Anything else?
Related META issue - #2518
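
An added example, not part of the issue or of Nebari's code base, of the consolidated user export described above: it merges the Keycloak Admin REST API responses for a user, their groups and their realm role mappings into one record that does not depend on instance-specific ids. The `fetch` callable, the field selection and the sample responses are assumptions made for illustration, and credentials are not handled, since the thread leaves that question open.

```python
import json

REALM = "nebari"  # realm name taken from the example path in the issue
# Fields copied from Keycloak's UserRepresentation; "id" is left out because
# the target instance assigns its own.
PORTABLE_FIELDS = ("username", "email", "firstName", "lastName",
                   "enabled", "emailVerified", "attributes", "requiredActions")


def export_user(fetch, user_id):
    """Merge three Admin REST API responses into one restorable record.

    `fetch` is a hypothetical callable: path -> decoded JSON.
    """
    base = f"/admin/realms/{REALM}/users/{user_id}"
    user = fetch(base)
    groups = fetch(f"{base}/groups")
    roles = fetch(f"{base}/role-mappings/realm")
    record = {k: user[k] for k in PORTABLE_FIELDS if k in user}
    # Groups are referenced by path and roles by name, which survive a move
    # to another instance; their ids do not.
    record["groups"] = sorted(g["path"] for g in groups)
    record["realmRoles"] = sorted(r["name"] for r in roles)
    return record


def export_all(fetch):
    """Return the consolidated JSON-serialisable export for every user."""
    users = fetch(f"/admin/realms/{REALM}/users")
    return {"realm": REALM, "users": [export_user(fetch, u["id"]) for u in users]}


# Constructed sample responses standing in for a live Keycloak.
SAMPLE = {
    "/admin/realms/nebari/users": [{"id": "u-1", "username": "alice"}],
    "/admin/realms/nebari/users/u-1": {
        "id": "u-1", "username": "alice", "email": "alice@example.com",
        "enabled": True, "createdTimestamp": 1700000000000,
    },
    "/admin/realms/nebari/users/u-1/groups": [
        {"id": "g-9", "name": "developer", "path": "/developer"}],
    "/admin/realms/nebari/users/u-1/role-mappings/realm": [
        {"id": "r-3", "name": "default-roles-nebari"}],
}

if __name__ == "__main__":
    print(json.dumps(export_all(SAMPLE.__getitem__), indent=2))
```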