Running Keycloak in HA mode on Kubernetes

TL;DR: this article gives a description of Keycloak, an open-source access control system, an analysis of its internal architecture, and configuration details.

Introduction and Key Ideas

In this article, we will look at the basic ideas to keep in mind when deploying a Keycloak cluster on top of Kubernetes.

If you want to know more about Keycloak, refer to the links at the end of the article. To dive deeper into practice, you can study our repository with a module that implements the main ideas of this article (the launch guide is there; this article gives an overview of the architecture and settings, translator's note).

Keycloak is a comprehensive system written in Java and built on top of the Wildfly application server. In short, it is an authorization framework that gives application users federation and SSO (single sign-on) capabilities.

We invite you to read the official website or Wikipedia for a detailed understanding.

Launching Keycloak

Keycloak needs two persistent data sources to run:

  • A database used to store persistent data, such as user information
  • A Datagrid cache, used to cache data from the database and to store short-lived, frequently changing metadata such as user sessions. It is implemented with Infinispan, which is usually much faster than the database. In any case, data stored in Infinispan is ephemeral and does not need to be saved anywhere when the cluster is restarted.

Keycloak runs in four different modes:

  • Standalone - one and only one process, configured with the file standalone.xml
  • Standard cluster (the high availability option) - all processes must use the same configuration, which has to be synchronized manually. The settings are stored in the file standalone-ha.xml; in addition, you need to set up shared access to the database and a load balancer.
  • Domain cluster - starting a cluster in standard mode quickly becomes a routine and tedious task as the cluster grows, since every time the configuration changes, the change has to be made on every cluster node. Domain mode solves this problem by setting up a shared storage location and publishing the configuration. These settings are stored in the file domain.xml
  • Replication between data centers - for running Keycloak in a cluster of several data centers, most often in different geographic locations. In this option, each data center has its own cluster of Keycloak servers.

In this article we will look in detail at the second option, the standard cluster, and will also touch briefly on replication between data centers, since it makes sense to run these two options in Kubernetes. Fortunately, in Kubernetes there is no problem with synchronizing the settings of several pods (Keycloak nodes), so a domain cluster would not be very hard to set up.

Also please note that, for the rest of the article, the word cluster applies only to a group of Keycloak nodes working together; it does not refer to the Kubernetes cluster.

Standard Keycloak cluster

To run Keycloak in this mode you need to:

  • configure an external shared database
  • install a load balancer
  • have an internal network with IP multicast support

We will not discuss setting up the external database, since that is not the purpose of this article. Let's assume that there is a working database somewhere and that we have a connection point to it. We will simply add this data to the environment variables.

To better understand how Keycloak works in a failover (HA) cluster, it is important to know how much it depends on Wildfly's clustering capabilities.

Wildfly uses several subsystems, some of them for load balancing and others for fault tolerance. The load balancer keeps the application available when a cluster node is overloaded, and fault tolerance keeps the application available even if some cluster nodes fail. Some of these subsystems are listed below:

  • mod_cluster: works together with Apache as an HTTP load balancer and by default depends on TCP multicast to discover hosts. It can be replaced with an external balancer.

  • infinispan: a distributed cache that uses JGroups channels as the transport layer. In addition, it can use the HotRod protocol to communicate with an external Infinispan cluster to synchronize cache contents.

  • jgroups: provides group communication support for highly available services based on JGroups channels. Named channels allow application instances in a cluster to be connected into groups so that communication has properties such as reliability, ordering, and sensitivity to failures.

Load Balancer

When installing a balancer as an ingress controller in a Kubernetes cluster, it is important to keep the following in mind:

Keycloak assumes that the remote address of the client connecting over HTTP to the authentication server is the real IP address of the client machine. The balancer and ingress settings must set the HTTP headers X-Forwarded-For and X-Forwarded-Proto correctly, and must also preserve the original HOST header. Recent versions of ingress-nginx (>0.22.0) disable this by default.

Enabling the proxy-address-forwarding flag by setting the environment variable PROXY_ADDRESS_FORWARDING to true tells Keycloak that it is running behind a proxy.

You also need to enable sticky sessions in the ingress. Keycloak uses a distributed Infinispan cache to store data associated with the current authentication session and the user session. By default the caches work with a single owner; in other words, a given session is stored on one particular node of the cluster, and the other nodes have to query it remotely if they need access to that session.

Specifically, contrary to the documentation, attaching the session with a cookie named AUTH_SESSION_ID did not work for us. Keycloak gets into a redirect loop, so we recommend choosing a different cookie name for the sticky session.
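
One way to express the balancer requirements above for ingress-nginx, as an added example that is not from the original article. The host name, resource names, namespaces, TLS secret and the cookie name KC_ROUTE are assumptions.

```yaml
# Added example; every name below is an assumption for illustration.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller   # depends on how the controller was installed
  namespace: ingress-nginx
data:
  # Pass on X-Forwarded-* received from the hop in front of ingress-nginx.
  # Turn this on only when a trusted L7 proxy or load balancer sits in front
  # of the controller. If ingress-nginx is the edge, leave it off so that a
  # client-supplied X-Forwarded-For is overwritten instead of trusted;
  # Keycloak uses that address in its events and brute-force tracking.
  use-forwarded-headers: "true"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
  namespace: keycloak
  annotations:
    # Sticky sessions handled by the ingress with its own cookie.
    nginx.ingress.kubernetes.io/affinity: "cookie"
    # Any name except AUTH_SESSION_ID, which led to the redirect loop
    # described above.
    nginx.ingress.kubernetes.io/session-cookie-name: "KC_ROUTE"
spec:
  ingressClassName: nginx
  tls:
    - hosts: ["sso.example.com"]
      secretName: keycloak-tls       # assumed TLS secret
  rules:
    - host: sso.example.com          # forwarded unchanged as the Host header
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: keycloak-http  # assumed ClusterIP Service for the pods
                port:
                  number: 8080
```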

Keycloak also appends the name of the node that responded first to AUTH_SESSION_ID, and since every node in the highly available setup uses the same database, each of them must have a separate and unique node identifier for managing transactions. It is recommended to put the parameters jboss.node.name and jboss.tx.node.id into JAVA_OPTS with a value unique to each node - you can, for example, use the pod name. If you use the pod name, don't forget about the 23-character limit for jboss variables, so it is better to use a StatefulSet rather than a Deployment.

Another pitfall: if a pod is deleted or restarted, its cache is lost. With this in mind, it is worth setting the number of cache owners for all caches to at least two, so that a copy of the cache remains. The solution is to run a Wildfly script when the pod starts, placing it in the directory /opt/jboss/startup-scripts in the container:

Script contents

embed-server --server-config=standalone-ha.xml --std-out=echo
batch

echo * Setting CACHE_OWNERS to "${env.CACHE_OWNERS}" in all cache-containers

/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})

run-batch
stop-embedded-server

then set the value of the environment variable CACHE_OWNERS to the required one.

Private network with IP multicast support

If you use Weavenet as the CNI, multicast will work right away, and your Keycloak nodes will see each other as soon as they are started.

If you don't have IP multicast support in your Kubernetes cluster, you can configure JGroups to work with other protocols for discovering nodes.

The first option is to use KUBE_DNS, which uses a headless service to find the Keycloak nodes; you simply pass JGroups the name of the service that will be used to find the nodes.

Another option is to use the KUBE_PING method, which works with the API to look up the nodes (you need to configure a serviceAccount with the list and get permissions, and then configure the pods to run with this serviceAccount).

How JGroups discovers nodes is configured by setting the environment variables JGROUPS_DISCOVERY_PROTOCOL and JGROUPS_DISCOVERY_PROPERTIES. For KUBE_PING you need to select the pods by specifying namespace and labels.
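
The KUBE_PING permissions and the per-node settings described above (jboss.node.name, jboss.tx.node.id, CACHE_OWNERS, PROXY_ADDRESS_FORWARDING) put together in one manifest, as an added example that is not from the original article. The namespace, resource names, labels, image name and replica count are assumptions; database settings and the headless Service are left out.

```yaml
# Added example; names, namespace, labels and image are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata: {name: keycloak, namespace: keycloak}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                          # namespaced Role, not a ClusterRole
metadata: {name: keycloak-kube-ping, namespace: keycloak}
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]          # the two permissions the text asks for
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: keycloak-kube-ping, namespace: keycloak}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: keycloak-kube-ping}
subjects:
  - {kind: ServiceAccount, name: keycloak, namespace: keycloak}
---
apiVersion: apps/v1
kind: StatefulSet                   # pod names keycloak-0, keycloak-1, ...
metadata: {name: keycloak, namespace: keycloak}
spec:
  serviceName: keycloak-headless    # assumed headless Service, not shown
  replicas: 3
  selector:
    matchLabels: {app: keycloak}
  template:
    metadata:
      labels: {app: keycloak}
    spec:
      serviceAccountName: keycloak
      containers:
        - name: keycloak
          image: jboss/keycloak     # assumed image; pin a version in practice
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef: {fieldPath: metadata.name}
            - name: PROXY_ADDRESS_FORWARDING
              value: "true"
            - name: CACHE_OWNERS    # read by the startup script shown earlier
              value: "2"
            - name: JGROUPS_DISCOVERY_PROTOCOL
              value: kubernetes.KUBE_PING
            - name: JGROUPS_DISCOVERY_PROPERTIES
              # The labels selector goes here too; check the exact syntax
              # accepted by your image version.
              value: "namespace=keycloak"
            - name: JAVA_OPTS
              # Setting JAVA_OPTS replaces Wildfly's defaults, so carry over
              # any default options you rely on. The pod name stays well
              # under the 23-character limit.
              value: >-
                -Djboss.node.name=$(POD_NAME)
                -Djboss.tx.node.id=$(POD_NAME)
```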

⚠️ If you use multicast and run two or more Keycloak clusters in one Kubernetes cluster (say, one in the namespace production and the second in staging), the nodes of one Keycloak cluster may join the other cluster. Be sure to use a unique multicast address for each cluster by setting the variables jboss.default.multicast.address and jboss.modcluster.multicast.address in JAVA_OPTS.

Replication between data centers

Connectivity

Keycloak uses multiple separate clusters of Infinispan caches, one for each data center where a Keycloak cluster made up of Keycloak nodes is located. But there is no difference between Keycloak nodes in different data centers.

Keycloak nodes use an external Java Data Grid (Infinispan servers) for communication between data centers. The communication works over the Infinispan HotRod protocol.

The Infinispan caches must be configured with the remoteStore attribute so that data can be stored in remote (in another data center, translator's note) caches. There are separate Infinispan clusters among the JDG servers, so that data stored on JDG1 at site1 is replicated to JDG2 at site2.

Finally, the receiving JDG server notifies the Keycloak servers of its cluster through client connections, which is a feature of the HotRod protocol. The Keycloak nodes on site2 update their Infinispan caches, and the specific user session becomes available on the Keycloak nodes on site2 as well.

For some caches it is possible not to make backups and to avoid writing data through the Infinispan server entirely. To do this you need to remove the remote-store setting of the specific Infinispan cache (in the file standalone-ha.xml), after which the corresponding replicated-cache is no longer needed on the Infinispan server side either.

Setting up caches

There are two types of caches in Keycloak:

  • Local. It sits next to the database and serves to reduce the load on the database and to lower response latency. This type of cache stores realms, clients, roles, and user metadata. This type of cache is not replicated, even if the cache is part of a Keycloak cluster. If an entry in the cache changes, a message about the change is sent to the remaining servers in the cluster, after which the entry is evicted from the cache. See the description of the work cache below for a more detailed explanation of the procedure.

  • Replicated. It handles user sessions and offline tokens, and also tracks login errors in order to detect password phishing attempts and other attacks. The data stored in these caches is temporary and kept only in RAM, but it can be replicated across the cluster.

Infinispan caches

Authentication sessions - a concept in Keycloak; a separate cache called authenticationSessions is used to store data of specific users. Requests to these caches usually come from the browser and the Keycloak servers, not from applications. This is where the dependency on sticky sessions comes into play, and such caches themselves do not need to be replicated, even in Active-Active mode.

Action tokens. Another concept, usually used for various scenarios in which, for example, the user has to do something asynchronously by mail. For example, during the forget password procedure the actionTokens cache is used to track the metadata of the related tokens - for example, that a token has already been used and cannot be activated again. This type of cache needs to be replicated between data centers.

Caching and invalidation of stored data serves to relieve the load on the database. This type of caching improves performance, but adds an obvious problem. If one Keycloak server updates data, the other servers must be notified so that they can update the data in their caches. Keycloak uses the local caches realms, users and authorization to cache data from the database.

There is also a separate cache, work, which is replicated across all data centers. It does not itself store any data from the database, but serves to send messages about data invalidation to cluster nodes between data centers. In other words, as soon as data is updated, the Keycloak node sends a message to the other nodes in its own data center as well as to the nodes in other data centers. After receiving such a message, each node clears the corresponding data in its local caches.

User sessions. The caches named sessions, clientSessions, offlineSessions and offlineClientSessions are usually replicated between data centers and serve to store data about user sessions that are active while the user is active in the browser. These caches work with the application that handles HTTP requests from end users, so they are tied to sticky sessions and must be replicated between data centers.

Brute force protection. The loginFailures cache is used to track login error data, such as how many times a user has entered an incorrect password. Replication of this cache is the administrator's responsibility. For accurate counting, it is worth enabling replication between data centers. On the other hand, if you do not replicate this data you will improve performance, and if that becomes a concern, replication can be left disabled.

When rolling out an Infinispan cluster, you need to add the cache definitions to the settings file:

<replicated-cache-configuration name="keycloak-sessions" mode="ASYNC" start="EAGER" batching="false">
</replicated-cache-configuration>

<replicated-cache name="work" configuration="keycloak-sessions" />
<replicated-cache name="sessions" configuration="keycloak-sessions" />
<replicated-cache name="offlineSessions" configuration="keycloak-sessions" />
<replicated-cache name="actionTokens" configuration="keycloak-sessions" />
<replicated-cache name="loginFailures" configuration="keycloak-sessions" />
<replicated-cache name="clientSessions" configuration="keycloak-sessions" />
<replicated-cache name="offlineClientSessions" configuration="keycloak-sessions" />

You must configure and start the Infinispan cluster before starting the Keycloak cluster.

Then you need to configure remoteStore for the Keycloak caches. A script is enough for this, made in the same way as the previous one that was used to set the CACHE_OWNERS variable; you need to save it to a file and put it in the directory /opt/jboss/startup-scripts:

Script contents

embed-server --server-config=standalone-ha.xml --std-out=echo
batch

echo *** Update infinispan subsystem ***
/subsystem=infinispan/cache-container=keycloak:write-attribute(name=module, value=org.keycloak.keycloak-model-infinispan)

echo ** Add remote socket binding to infinispan server **
/socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-cache:add(host=${remote.cache.host:localhost}, port=${remote.cache.port:11222})

echo ** Update replicated-cache work element **
/subsystem=infinispan/cache-container=keycloak/replicated-cache=work/store=remote:add( 
    passivation=false, 
    fetch-state=false, 
    purge=false, 
    preload=false, 
    shared=true, 
    remote-servers=["remote-cache"], 
    cache=work, 
    properties={ 
        rawValues=true, 
        marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, 
        protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion} 
    } 
)

/subsystem=infinispan/cache-container=keycloak/replicated-cache=work:write-attribute(name=statistics-enabled,value=true)

echo ** Update distributed-cache sessions element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions/store=remote:add( 
    passivation=false, 
    fetch-state=false, 
    purge=false, 
    preload=false, 
    shared=true, 
    remote-servers=["remote-cache"], 
    cache=sessions, 
    properties={ 
        rawValues=true, 
        marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, 
        protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion} 
    } 
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=statistics-enabled,value=true)

echo ** Update distributed-cache offlineSessions element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions/store=remote:add( 
    passivation=false, 
    fetch-state=false, 
    purge=false, 
    preload=false, 
    shared=true, 
    remote-servers=["remote-cache"], 
    cache=offlineSessions, 
    properties={ 
        rawValues=true, 
        marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, 
        protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion} 
    } 
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:write-attribute(name=statistics-enabled,value=true)

echo ** Update distributed-cache clientSessions element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions/store=remote:add( 
    passivation=false, 
    fetch-state=false, 
    purge=false, 
    preload=false, 
    shared=true, 
    remote-servers=["remote-cache"], 
    cache=clientSessions, 
    properties={ 
        rawValues=true, 
        marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, 
        protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion} 
    } 
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions:write-attribute(name=statistics-enabled,value=true)

echo ** Update distributed-cache offlineClientSessions element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions/store=remote:add( 
    passivation=false, 
    fetch-state=false, 
    purge=false, 
    preload=false, 
    shared=true, 
    remote-servers=["remote-cache"], 
    cache=offlineClientSessions, 
    properties={ 
        rawValues=true, 
        marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, 
        protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion} 
    } 
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions:write-attribute(name=statistics-enabled,value=true)

echo ** Update distributed-cache loginFailures element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures/store=remote:add( 
    passivation=false, 
    fetch-state=false, 
    purge=false, 
    preload=false, 
    shared=true, 
    remote-servers=["remote-cache"], 
    cache=loginFailures, 
    properties={ 
        rawValues=true, 
        marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, 
        protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion} 
    } 
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:write-attribute(name=statistics-enabled,value=true)

echo ** Update distributed-cache actionTokens element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens/store=remote:add( 
    passivation=false, 
    fetch-state=false, 
    purge=false, 
    preload=false, 
    shared=true, 
    cache=actionTokens, 
    remote-servers=["remote-cache"], 
    properties={ 
        rawValues=true, 
        marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, 
        protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion} 
    } 
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens:write-attribute(name=statistics-enabled,value=true)

echo ** Update distributed-cache authenticationSessions element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions:write-attribute(name=statistics-enabled,value=true)

echo *** Update undertow subsystem ***
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)

run-batch
stop-embedded-server

Don't forget to set JAVA_OPTS so that the Keycloak nodes can run HotRod: remote.cache.host, remote.cache.port and the service name jboss.site.name.

Links and additional documentation

The article was translated and prepared for Habr by employees of the Slurm training center - intensive courses, video courses and corporate training from practicing specialists (Kubernetes, DevOps, Docker, Ansible, Ceph, SRE)

Source: www.habr.com