TL;DR: A description of Keycloak, an open-source access control system, an analysis of its internals, and configuration details.
Introduction and key ideas
In this article we cover the basic ideas to keep in mind when deploying a Keycloak cluster on Kubernetes.
If you want to learn more about Keycloak, see the links at the end of the article. For deeper hands-on practice, you can study those as well.
Keycloak is a comprehensive system written in Java and built on top of an application server.
Be sure to read the official documentation.
Starting Keycloak
Running Keycloak requires two persistent data sources:
- A database, used to store persistent data such as user information.
- A Datagrid cache, used not only to cache data from the database but also to store short-lived, frequently changing metadata such as user sessions. It is implemented on Infinispan, which is usually much faster than the database. In any case, the data kept in Infinispan is ephemeral and does not need to be persisted anywhere across a cluster restart.
Keycloak can operate in four different modes:
- Normal: a single process, configured through the file standalone.xml.
- Regular cluster (the high-availability option): all processes must use the same configuration, which has to be synchronized manually. The configuration is stored in the file standalone-ha.xml. In addition, shared access to the database and a load balancer must be set up.
- Domain cluster: running a cluster in regular mode becomes more and more routine and tedious as the cluster grows, because every configuration change has to be applied on each cluster node. Domain mode solves this by setting up a shared storage location and publishing the configuration there. These settings are stored in the file domain.xml.
- Cross-datacenter replication: for running Keycloak in clusters spanning several datacenters (most often in different geographic locations). In this option each datacenter has its own cluster of Keycloak servers.
In this article we look in detail at the second option, the regular cluster, and also touch briefly on cross-datacenter replication, since these are the two options that make sense to run on Kubernetes. Fortunately, synchronizing the configuration of several pods (Keycloak nodes) is no problem on Kubernetes, so a domain cluster is not that hard to set up either.
Also note the word cluster: in the rest of this article it refers only to a group of Keycloak nodes working together, not to the Kubernetes cluster.
A regular Keycloak cluster
To run Keycloak in this mode you need:
- an external shared database
- a load balancer
- an internal network that supports IP multicast
Setting up the external database is out of scope for this article, so we won't cover it. Let's assume there is a running database somewhere and we have a connection endpoint for it; all that remains is to put that information into environment variables.
To better understand how Keycloak behaves in a failover (HA) cluster, it's important to know how much of it depends on Wildfly's clustering capabilities.
Wildfly uses several subsystems, some of which act as a load balancer and some of which provide fault tolerance. The load balancer keeps the application available when a cluster node is overloaded; fault tolerance keeps it available when some cluster nodes fail. Some of these subsystems are:
- mod_cluster: works together with Apache as an HTTP load balancer and by default relies on TCP multicast to find hosts. It can be replaced by an external balancer.
- infinispan: a distributed cache that uses JGroups channels as its transport layer. It can also use the HotRod protocol to talk to an external Infinispan cluster and synchronize cache contents with it.
- jgroups: provides group communication for highly available services, based on JGroups channels. Named channels connect application instances in a cluster into a group, which gives the communication properties such as reliability, ordering and sensitivity to failures.
Load balancer
When installing the balancer as an ingress controller in the Kubernetes cluster, keep the following in mind.
Keycloak assumes that the remote address of a client connecting to the authentication server over HTTP is the real IP address of the client machine. The balancer and ingress configuration must therefore set the HTTP headers X-Forwarded-For and X-Forwarded-Proto correctly and preserve the original HOST header. Recent versions of ingress-nginx (> 0.22.0) take care of this. Activating the proxy-address-forwarding flag, by setting the environment variable PROXY_ADDRESS_FORWARDING to true, lets Keycloak understand that it is running behind a proxy.
Sticky sessions must be enabled on the ingress. Keycloak uses distributed Infinispan caches to store the data tied to the current authentication session and the user sessions. By default a cache runs with a single owner, meaning a given session is stored on one particular node in the cluster, and other nodes have to query it remotely whenever they need that session.
Specifically, contrary to the documentation, attaching sessions to the cookie named AUTH_SESSION_ID did not work: Keycloak ends up in a redirect loop, so we recommend choosing a different cookie name for sticky sessions.
Keycloak appends the name of the node that responded first to AUTH_SESSION_ID.
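An ingress-nginx Ingress that enables sticky sessions on a dedicated cookie instead of AUTH_SESSION_ID, added here as an example (it is not from the original article). The host, the backing Service name and port, the TLS secret name and the cookie name KC_ROUTE are assumptions.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
  annotations:
    # Pin each browser to one Keycloak pod, so the authentication session
    # (owned by a single node by default) is always served by its owner.
    nginx.ingress.kubernetes.io/affinity: "cookie"
    # Use a dedicated cookie; binding affinity to AUTH_SESSION_ID produced
    # redirect loops, as described above. KC_ROUTE is an assumed name.
    nginx.ingress.kubernetes.io/session-cookie-name: "KC_ROUTE"
    nginx.ingress.kubernetes.io/session-cookie-path: "/"
    # Lifetime of the affinity cookie in seconds (assumed: 10 hours).
    nginx.ingress.kubernetes.io/session-cookie-expires: "36000"
    nginx.ingress.kubernetes.io/session-cookie-max-age: "36000"
spec:
  ingressClassName: nginx
  tls:
    # TLS is terminated here, so X-Forwarded-Proto reaches Keycloak as "https".
    - hosts: [keycloak.example.com]
      secretName: keycloak-tls        # assumed secret holding the certificate
  rules:
    - host: keycloak.example.com      # assumed public hostname
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: keycloak        # assumed ClusterIP Service for the pods
                port:
                  number: 8080
```

The pods still need PROXY_ADDRESS_FORWARDING=true for Keycloak to honour the forwarded headers the ingress sets.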
Since every node in the high-availability setup uses the same database, it is critical that the JAVA_OPTS parameters jboss.node.name and jboss.tx.node.id are unique for each node. For example, you can use the pod name. If you go that way, don't forget the 23-character limit on jboss variables; for that reason we recommend using a StatefulSet instead of a Deployment.
Another pitfall: when a pod is deleted or restarted, its cache is lost. With that in mind it is worth setting the number of cache owners for all caches to at least 2 so that a copy of the cache survives. The solution is to run a script from /opt/jboss/startup-scripts inside the container:
Script contents:
embed-server --server-config=standalone-ha.xml --std-out=echo
batch
echo * Setting CACHE_OWNERS to "${env.CACHE_OWNERS}" in all cache-containers
/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
run-batch
stop-embedded-server
Then set the environment variable CACHE_OWNERS to the value you need.
A private network that supports IP multicast
If you use Weavenet as the CNI, multicast works out of the box and Keycloak nodes see each other as soon as they start.
If the Kubernetes cluster has no IP multicast support, you can configure JGroups to discover nodes using other protocols.
The first option is to use KUBE_DNS, which uses a headless service to find Keycloak nodes: you simply pass JGroups the name of the service used for node discovery.
Another option is the KUBE_PING method, which discovers nodes through the Kubernetes API (you need to create a serviceAccount with list and get permissions and configure the pods to use that serviceAccount).
How JGroups discovers nodes is configured through the environment variables JGROUPS_DISCOVERY_PROTOCOL and JGROUPS_DISCOVERY_PROPERTIES. For KUBE_PING you need to select the pods to query by namespace and labels.
If you run two or more Keycloak clusters in one Kubernetes cluster using multicast (say one per namespace: production and a second one, staging), the nodes of one Keycloak cluster can join the other cluster. Be sure to use a unique multicast address for each cluster by setting the variables jboss.default.multicast.address and jboss.modcluster.multicast.address in JAVA_OPTS.
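A headless Service and StatefulSet that put the settings from this and the previous sections together, added here as an example rather than taken from the article: stable pod names for jboss.node.name and jboss.tx.node.id, PROXY_ADDRESS_FORWARDING, the CACHE_OWNERS variable consumed by the startup script above, and DNS-based JGroups discovery (the option the article calls KUBE_DNS; dns.DNS_PING and dns_query are the names the jboss/keycloak image documents). The namespace, service names, replica count and the image tag placeholder are assumptions.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: keycloak-headless
  namespace: keycloak            # assumed namespace
spec:
  clusterIP: None                # headless: DNS returns one A record per pod
  selector:
    app: keycloak
  ports:
    - name: jgroups
      port: 7600                 # default jgroups-tcp port of the Wildfly stack
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: keycloak
  namespace: keycloak
spec:
  serviceName: keycloak-headless
  replicas: 3
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
        - name: keycloak
          image: jboss/keycloak:VERSION_PLACEHOLDER   # pin the version you run
          env:
            # StatefulSet pod names are stable and short (keycloak-0, keycloak-1, ...),
            # so they stay within the 23-character limit on jboss variables.
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            # Trust X-Forwarded-For / X-Forwarded-Proto set by the ingress.
            - name: PROXY_ADDRESS_FORWARDING
              value: "true"
            # Read by the CACHE_OWNERS startup script so every cache has two owners.
            - name: CACHE_OWNERS
              value: "2"
            # Discover peers through the headless service instead of multicast;
            # a staging cluster with its own service is never discovered by mistake.
            - name: JGROUPS_DISCOVERY_PROTOCOL
              value: dns.DNS_PING
            - name: JGROUPS_DISCOVERY_PROPERTIES
              value: dns_query=keycloak-headless.keycloak.svc.cluster.local
            # Replaces the image's default JAVA_OPTS entirely; restate any defaults you rely on.
            - name: JAVA_OPTS
              value: "-Djboss.node.name=$(POD_NAME) -Djboss.tx.node.id=$(POD_NAME)"
```

The DB_* connection variables from the article's database section and the ClusterIP Service the ingress targets are left out for brevity and must be added alongside these.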
Cross-datacenter replication
Figure: communication
Keycloak uses several separate Infinispan cache clusters, one per datacenter hosting a Keycloak cluster made up of Keycloak nodes. There is, however, no difference between Keycloak nodes in different datacenters.
Keycloak nodes use an external Java Data Grid (Infinispan servers) for communication between datacenters. The communication runs over the HotRod protocol.
The Infinispan caches must be configured with the remoteStore attribute so that data is written to a remote cache (in the other datacenter, translator's note). Since the JDG servers form a separate Infinispan cluster, data stored in JDG1 at site1 is replicated to JDG2 at site2.
Finally, the receiving JDG server notifies the Keycloak servers of its cluster through the client connections; this is a feature of the HotRod protocol. The Keycloak nodes at site2 update their Infinispan caches, and the user session in question becomes available on the Keycloak nodes at site2 as well.
For some caches you can skip the backup and avoid writing data through the Infinispan servers entirely. To do that, remove the remote-store setting for the particular Infinispan cache (in the file standalone-ha.xml); after that the corresponding replicated-cache is no longer needed on the Infinispan server side either.
Cache setup
Keycloak has two kinds of caches:
- Local. It sits next to the database and helps reduce database load and response latency. This kind of cache holds realm, client, role and user metadata. It is not replicated, even when the cache belongs to a Keycloak cluster. When an entry in the cache changes, a message about the change is sent to the rest of the servers in the cluster, after which the entry is evicted from the cache. See the work cache below for the details of this procedure.
- Replicated. It handles user sessions and offline tokens, and tracks login failures to detect password phishing attempts and other attacks. The data in these caches is ephemeral and lives only in RAM, but can be replicated across the whole cluster.
Infinispan caches
Sessions. A separate cache, called authenticationSessions in Keycloak's terminology, is used to store data for a particular user. Requests to these caches normally come from the browser and the Keycloak server rather than from applications. This is where the dependency on sticky sessions comes in: even in active/active mode such caches themselves do not need to be replicated.
Action tokens. Another concept, normally used in various scenarios where the user has to do something asynchronously, for instance by email. For example, during the forget password procedure the actionTokens cache tracks metadata about the related tokens, such as whether a token has already been used and cannot be activated again. This kind of cache usually has to be replicated between datacenters.
Caching and aging of persisted data. This serves to reduce the load on the database. Such caches improve performance but add an obvious problem: when one Keycloak server updates data, it has to notify the other servers so they can refresh the data in their caches. Keycloak uses the local caches realms, users and authorization to cache data from the database.
There is also a separate cache, work, which is replicated across all datacenters. It does not store database data itself; its job is to send messages about data aging to the cluster nodes across datacenters. That is, as soon as data is updated, a Keycloak node sends a message not only to the other nodes in its own datacenter but also to the nodes in the other datacenters. After receiving such a message, every node clears the corresponding data from its local cache.
User sessions. The caches named sessions, clientSessions, offlineSessions and offlineClientSessions are normally replicated between datacenters and hold data about active user sessions while the user is active in the browser. These caches work with the applications that handle HTTP requests from end users, so they are tied to sticky sessions and must be replicated between datacenters.
Brute-force protection. The loginFailures cache tracks login failure data, such as how many times a user has entered a wrong password. Replicating this cache is up to the administrator. For an accurate count, though, it is worth enabling cross-datacenter replication. On the other hand, performance is better when this data is not replicated, so if that is the concern, replication can be left off.
When rolling out the Infinispan cluster, add the cache definitions to its configuration file:
<replicated-cache-configuration name="keycloak-sessions" mode="ASYNC" start="EAGER" batching="false">
</replicated-cache-configuration>
<replicated-cache name="work" configuration="keycloak-sessions" />
<replicated-cache name="sessions" configuration="keycloak-sessions" />
<replicated-cache name="offlineSessions" configuration="keycloak-sessions" />
<replicated-cache name="actionTokens" configuration="keycloak-sessions" />
<replicated-cache name="loginFailures" configuration="keycloak-sessions" />
<replicated-cache name="clientSessions" configuration="keycloak-sessions" />
<replicated-cache name="offlineClientSessions" configuration="keycloak-sessions" />
The Infinispan cluster must be configured and started before the Keycloak cluster is started.
Next, configure the remoteStore for the Keycloak caches. A script run the same way as the earlier one used with the CACHE_OWNERS variable is enough for this; save it to a file and place it in the /opt/jboss/startup-scripts directory:
Script contents:
embed-server --server-config=standalone-ha.xml --std-out=echo
batch
echo *** Update infinispan subsystem ***
/subsystem=infinispan/cache-container=keycloak:write-attribute(name=module, value=org.keycloak.keycloak-model-infinispan)
echo ** Add remote socket binding to infinispan server **
/socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-cache:add(host=${remote.cache.host:localhost}, port=${remote.cache.port:11222})
echo ** Update replicated-cache work element **
/subsystem=infinispan/cache-container=keycloak/replicated-cache=work/store=remote:add(
passivation=false,
fetch-state=false,
purge=false,
preload=false,
shared=true,
remote-servers=["remote-cache"],
cache=work,
properties={
rawValues=true,
marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory,
protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion}
}
)
/subsystem=infinispan/cache-container=keycloak/replicated-cache=work:write-attribute(name=statistics-enabled,value=true)
echo ** Update distributed-cache sessions element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions/store=remote:add(
passivation=false,
fetch-state=false,
purge=false,
preload=false,
shared=true,
remote-servers=["remote-cache"],
cache=sessions,
properties={
rawValues=true,
marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory,
protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion}
}
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=statistics-enabled,value=true)
echo ** Update distributed-cache offlineSessions element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions/store=remote:add(
passivation=false,
fetch-state=false,
purge=false,
preload=false,
shared=true,
remote-servers=["remote-cache"],
cache=offlineSessions,
properties={
rawValues=true,
marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory,
protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion}
}
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:write-attribute(name=statistics-enabled,value=true)
echo ** Update distributed-cache clientSessions element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions/store=remote:add(
passivation=false,
fetch-state=false,
purge=false,
preload=false,
shared=true,
remote-servers=["remote-cache"],
cache=clientSessions,
properties={
rawValues=true,
marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory,
protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion}
}
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions:write-attribute(name=statistics-enabled,value=true)
echo ** Update distributed-cache offlineClientSessions element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions/store=remote:add(
passivation=false,
fetch-state=false,
purge=false,
preload=false,
shared=true,
remote-servers=["remote-cache"],
cache=offlineClientSessions,
properties={
rawValues=true,
marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory,
protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion}
}
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions:write-attribute(name=statistics-enabled,value=true)
echo ** Update distributed-cache loginFailures element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures/store=remote:add(
passivation=false,
fetch-state=false,
purge=false,
preload=false,
shared=true,
remote-servers=["remote-cache"],
cache=loginFailures,
properties={
rawValues=true,
marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory,
protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion}
}
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:write-attribute(name=statistics-enabled,value=true)
echo ** Update distributed-cache actionTokens element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens/store=remote:add(
passivation=false,
fetch-state=false,
purge=false,
preload=false,
shared=true,
cache=actionTokens,
remote-servers=["remote-cache"],
properties={
rawValues=true,
marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory,
protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion}
}
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens:write-attribute(name=statistics-enabled,value=true)
echo ** Update distributed-cache authenticationSessions element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions:write-attribute(name=statistics-enabled,value=true)
echo *** Update undertow subsystem ***
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)
run-batch
stop-embedded-server
Don't forget to set in JAVA_OPTS, so that HotRod works on the Keycloak nodes: remote.cache.host, remote.cache.port and the site name, jboss.site.name.
Links and additional documentation
https://www.keycloak.org/docs/latest/server_installation/index.html
https://docs.wildfly.org/17/High_Availability_Guide.html#cluster-configuration
https://infinispan.org/docs/9.4.x/user_guide/user_guide.html
https://hub.docker.com/r/jboss/keycloak
https://hub.docker.com/r/jboss/infinispan
This article was translated by our staff and prepared for Habr.
Source: habr.com