Running Keycloak in HA mode on Kubernetes

TL;DR: this article describes Keycloak, an open-source access management system, analyzes its internal structure, and covers configuration details.

Introduction and key concepts

In this article we will look at the basic ideas to keep in mind when deploying a Keycloak cluster on top of Kubernetes.

If you want to know more about Keycloak, refer to the links at the end of the article. To get more immersed in practice, you can study our repository with a module that implements the main ideas of this article (the launch guide is there; this article gives an overview of the mechanism and the settings, translator's note).

Keycloak is a comprehensive system written in Java and built on top of the Wildfly application server. In short, it is an authorization framework that gives application users federation and SSO (single sign-on) capabilities.

We invite you to read the official website or Wikipedia for a detailed understanding.

Launching Keycloak

Keycloak needs two persistent data sources to run:

  • A database used to store established data, such as user information
  • A datagrid cache, which is used to cache data from the database and also to store some short-lived and frequently changing metadata, such as user sessions. It is implemented with Infinispan, which is usually significantly faster than the database. In any case, the data stored in Infinispan is ephemeral, and it does not need to be saved anywhere when the cluster restarts.

Keycloak runs in four different modes:

  • Standalone - one and only one process, configured through the file standalone.xml
  • Standalone cluster (high-availability option) - all processes must use the same configuration, which must be synchronized manually. The settings are stored in the file standalone-ha.xml; in addition you need shared access to the database and a load balancer.
  • Domain cluster - starting a cluster in standalone mode quickly becomes a routine and boring task as the cluster grows, because whenever the configuration changes, every change must be made on each cluster node. Domain mode solves this problem by setting up a shared storage location and publishing the configuration. These settings are stored in the file domain.xml
  • Replication between data centers - if you want to run Keycloak in a cluster of several data centers, most often in different geographic locations. In this option, each data center has its own cluster of Keycloak servers.

In this article we will look in detail at the second option, the standalone cluster, and will also touch briefly on replication between data centers, since it makes sense to run these two options in Kubernetes. Fortunately, in Kubernetes there is no problem with synchronizing the settings of several pods (Keycloak nodes), so a domain cluster would not be very hard to do.

Also note that, for the rest of the article, the word cluster applies only to a group of Keycloak nodes working together; there is no need to refer to the Kubernetes cluster.

Standalone Keycloak cluster

To run Keycloak in this mode you need to:

  • configure an external shared database
  • install a load balancer
  • have an internal network with IP multicast support

We will not discuss setting up the external database, since that is not the purpose of this article. Let's assume that a working database exists somewhere and that we have a connection point to it. We will simply add this data to our environment variables.

To better understand how Keycloak works in a failover (HA) cluster, it is important to know how much it all depends on Wildfly's clustering capabilities.

Wildfly uses several subsystems; some of them are used as a load balancer, some for fault tolerance. The load balancer ensures application availability when a cluster node is overloaded, and fault tolerance ensures application availability even if some cluster nodes fail. Some of these subsystems:

  • mod_cluster: works together with Apache as an HTTP load balancer and relies on TCP multicast to discover hosts by default. It can be replaced with an external balancer.

  • infinispan: a distributed cache that uses JGroups channels as the transport layer. In addition, it can use the HotRod protocol to communicate with an external Infinispan cluster to synchronize cache contents.

  • jgroups: provides group communication support for highly available services based on JGroups channels. Named channels allow application instances in a cluster to connect into groups so that the communication has properties such as reliability, ordering, and sensitivity to failures.

Load balancer

When installing a balancer as an ingress controller in a Kubernetes cluster, it is important to keep the following in mind:

Keycloak assumes that the remote address of a client connecting over HTTP to the authentication server is the real IP address of the client computer. The balancer and ingress settings should set the HTTP headers X-Forwarded-For and X-Forwarded-Proto correctly, and also preserve the original HOST header. The latest version of ingress-nginx (> 0.22.0) disables this by default.

Enabling the proxy-address-forwarding flag by setting the environment variable PROXY_ADDRESS_FORWARDING to true tells Keycloak that it is running behind a proxy.

You also need to enable sticky sessions in the ingress. Keycloak uses a distributed Infinispan cache to store the data associated with the current authentication session and user session. By default the caches work with a single owner; in other words, a particular session is stored on one node of the cluster, and the other nodes must request it remotely if they need access to that session.

Specifically, contrary to the documentation, binding a session to the cookie named AUTH_SESSION_ID did not work for us. Keycloak went into a redirect loop, so we recommend choosing a different cookie name for the sticky session.

Keycloak also appends the name of the node that responded first to AUTH_SESSION_ID, and since every node in the highly available version uses the same database, each of them should have a separate and unique node identifier for managing transactions. It is recommended to put in JAVA_OPTS the options jboss.node.name and jboss.tx.node.id, unique for each node - you can, for example, use the pod name. If you use the pod name, do not forget about the 23-character limit for jboss variables, so it is better to use a StatefulSet rather than a Deployment.

Another pitfall - if a pod is deleted or restarted, its cache is lost. Given this, it is worth setting the number of cache owners for all caches to at least two, so that a copy of the cache remains. The solution is to run a script for Wildfly when the pod starts, placing it in the directory /opt/jboss/startup-scripts in the container:

Script contents

embed-server --server-config=standalone-ha.xml --std-out=echo
batch

echo * Setting CACHE_OWNERS to "${env.CACHE_OWNERS}" in all cache-containers

/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})

run-batch
stop-embedded-server

then set the value of the environment variable CACHE_OWNERS to the required one.
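The 23-character limit on the node variables and the CACHE_OWNERS setting described above can both be checked before the server starts. The following is an added example, not code from the original article: the function names are hypothetical, the pod names are constructed, and the truncate-plus-checksum scheme for long names is one possible choice.

```shell
#!/bin/sh
# Added example: preflight checks for a Keycloak pod entrypoint.
# Function names are hypothetical; the sample pod names are constructed.

MAX_NODE_ID_LEN=23   # length limit for the jboss node variables (from the article)

# Print a node identifier for a pod name that fits the limit.
# Short names (StatefulSet style, e.g. keycloak-0) pass through unchanged.
# Long names (Deployment style) are cut and suffixed with a CRC of the full
# name, so pods sharing a long prefix differ unless their checksums collide.
jboss_node_id() {
    pod_name=$1
    if [ -z "$pod_name" ]; then
        echo "pod name is empty" >&2
        return 1
    fi
    if [ "${#pod_name}" -le "$MAX_NODE_ID_LEN" ]; then
        printf '%s\n' "$pod_name"
        return 0
    fi
    crc=$(printf '%s' "$pod_name" | cksum | cut -d' ' -f1)
    keep=$((MAX_NODE_ID_LEN - 9))          # room for "-" plus 8 hex digits
    prefix=$(printf '%s' "$pod_name" | cut -c1-"$keep")
    printf '%s-%08x\n' "$prefix" "$crc"
}

# JAVA_OPTS fragment carrying the same unique id in both node variables.
node_java_opts() {
    node_id=$(jboss_node_id "$1") || return 1
    printf '%s\n' "-Djboss.node.name=$node_id -Djboss.tx.node.id=$node_id"
}

# Validate CACHE_OWNERS against the replica count. The startup script above
# falls back to 1 owner when the variable is unset, so an unset or low value
# leaves every session on a single pod.
check_cache_owners() {
    owners=$1
    replicas=$2
    case $owners in
        ''|*[!0-9]*) echo "CACHE_OWNERS is unset or not a number" >&2; return 2 ;;
    esac
    case $replicas in
        ''|*[!0-9]*) echo "replica count is not a number" >&2; return 2 ;;
    esac
    if [ "$owners" -lt 2 ]; then
        echo "CACHE_OWNERS=$owners: a pod restart loses its sessions" >&2
        return 1
    fi
    if [ "$owners" -gt "$replicas" ]; then
        echo "CACHE_OWNERS=$owners but only $replicas replicas exist" >&2
        return 1
    fi
    return 0
}

# Demo with constructed pod names; in a pod the name would come from $HOSTNAME.
for pod in keycloak-0 keycloak-7d9f8b6c5d-x2x4z; do
    node_java_opts "$pod"
done
check_cache_owners "${CACHE_OWNERS:-}" 3 || echo "fix CACHE_OWNERS before starting"
```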

Private network with IP multicast support

If you use Weavenet as the CNI, multicast will work immediately, and your Keycloak nodes will see each other as soon as they are started.

If you do not have IP multicast support in your Kubernetes cluster, you can configure JGroups to use other protocols to discover nodes.

The first option is to use KUBE_DNS, which uses a headless service to find the Keycloak nodes; you simply pass JGroups the name of the service that will be used to find the nodes.

Another option is to use the KUBE_PING method, which works with the API to find nodes (you need to configure a serviceAccount with list and get rights, and then configure the pods to run with this serviceAccount).

The way JGroups finds nodes is configured by setting the environment variables JGROUPS_DISCOVERY_PROTOCOL and JGROUPS_DISCOVERY_PROPERTIES. For KUBE_PING you need to select the pods by specifying namespace and labels.

If you use multicast and run two or more Keycloak clusters in one Kubernetes cluster (say, one in the production namespace and a second in staging), the nodes of one Keycloak cluster can join the other cluster. Be sure to use a unique multicast address for each cluster by setting the variables jboss.default.multicast.address and jboss.modcluster.multicast.address in JAVA_OPTS.

Replication between data centers

Keycloak uses multiple separate Infinispan cache clusters, one for each data center where the Keycloak clusters made up of Keycloak nodes are located. But there is no difference between the Keycloak nodes in different data centers.

Keycloak nodes use an external Java Data Grid (Infinispan servers) for communication between data centers. Communication works over the Infinispan HotRod protocol.

Infinispan caches must be configured with the remoteStore attribute, so that data can be stored in remote (in another data center, translator's note) caches. There are separate Infinispan clusters among the JDG servers, so that data stored on JDG1 at site1 will be replicated to JDG2 at site2.

And finally, the receiving JDG server notifies the Keycloak servers of its cluster through client connections, which is a feature of the HotRod protocol. The Keycloak nodes at site2 update their Infinispan caches, and the particular user session becomes available on the Keycloak nodes at site2 as well.

For some caches, it is also possible not to make backups and to avoid writing data through the Infinispan server entirely. To do this, you need to remove the remote-store setting of the particular Infinispan cache (in the file standalone-ha.xml), after which the corresponding replicated-cache will no longer be needed on the Infinispan server side either.

Configuring caches

There are two types of caches in Keycloak:

  • Local. It sits next to the database and serves to reduce the load on the database and to reduce response latency. This type of cache stores the realm, clients, roles, and user metadata. This type of cache is not replicated, even if the cache is part of a Keycloak cluster. If an entry in the cache changes, a message about the change is sent to the remaining servers in the cluster, after which the entry is removed from the cache. See the description of the work cache below for a more detailed explanation of the process.

  • Replicated. Handles user sessions and offline tokens, and also tracks login failures to detect password phishing attempts and other attacks. The data stored in these caches is temporary and kept only in RAM, but it can be replicated across the cluster.

Infinispan caches

Sessions - a concept in Keycloak; separate caches called authenticationSessions are used to store the data of particular users. Requests to these caches are usually needed by the browser and the Keycloak servers, not by applications. This is where the dependency on sticky sessions comes into play, and such caches themselves do not need to be replicated, even in the case of Active-Active mode.

Action tokens. Another concept, usually used for various scenarios when, for example, the user must do something asynchronously by mail. For example, during the forget password procedure the actionTokens cache is used to track the metadata of the associated tokens - for example, that a token has already been used and cannot be activated again. This type of cache typically needs to be replicated between data centers.

Caching and expiry of stored data serve to relieve the load on the database. This kind of caching improves performance but adds an obvious problem. If one Keycloak server updates data, the other servers must be notified so that they can update the data in their caches. Keycloak uses the local caches realms, users and authorization for caching data from the database.

There is also a separate cache, work, which is replicated across all data centers. It does not itself store any data from the database, but serves to send messages about data expiry to the cluster nodes between data centers. In other words, as soon as data is updated, a Keycloak node sends a message to the other nodes in its data center and to the nodes in other data centers. After receiving such a message, each node clears the corresponding data in its local caches.

User sessions. The caches named sessions, clientSessions, offlineSessions and offlineClientSessions are usually replicated between data centers and serve to store data about user sessions that are active while the user is active in the browser. These caches work with application HTTP requests from end users, so they are associated with sticky sessions and must be replicated between data centers.

Brute force protection. The loginFailures cache is used to track login failure data, such as how many times a user has entered an incorrect password. Replication of this cache is the responsibility of the administrator. For accurate counting, it is worth enabling replication between data centers. On the other hand, if you do not replicate this data, you will improve performance, and if that matters, replication may be left disabled.

When rolling out the Infinispan cluster, you need to add cache definitions to the settings file:

<replicated-cache-configuration name="keycloak-sessions" mode="ASYNC" start="EAGER" batching="false">
</replicated-cache-configuration>

<replicated-cache name="work" configuration="keycloak-sessions" />
<replicated-cache name="sessions" configuration="keycloak-sessions" />
<replicated-cache name="offlineSessions" configuration="keycloak-sessions" />
<replicated-cache name="actionTokens" configuration="keycloak-sessions" />
<replicated-cache name="loginFailures" configuration="keycloak-sessions" />
<replicated-cache name="clientSessions" configuration="keycloak-sessions" />
<replicated-cache name="offlineClientSessions" configuration="keycloak-sessions" />

You must configure and start the Infinispan cluster before starting the Keycloak cluster.

Then you need to configure remoteStore for the Keycloak caches. For this a script is enough, written like the previous one that was used to set the CACHE_OWNERS variable; you need to save it to a file and place it in the directory /opt/jboss/startup-scripts:

Script contents

embed-server --server-config=standalone-ha.xml --std-out=echo
batch

echo *** Update infinispan subsystem ***
/subsystem=infinispan/cache-container=keycloak:write-attribute(name=module, value=org.keycloak.keycloak-model-infinispan)

echo ** Add remote socket binding to infinispan server **
/socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-cache:add(host=${remote.cache.host:localhost}, port=${remote.cache.port:11222})

echo ** Update replicated-cache work element **
/subsystem=infinispan/cache-container=keycloak/replicated-cache=work/store=remote:add( 
    passivation=false, 
    fetch-state=false, 
    purge=false, 
    preload=false, 
    shared=true, 
    remote-servers=["remote-cache"], 
    cache=work, 
    properties={ 
        rawValues=true, 
        marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, 
        protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion} 
    } 
)

/subsystem=infinispan/cache-container=keycloak/replicated-cache=work:write-attribute(name=statistics-enabled,value=true)

echo ** Update distributed-cache sessions element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions/store=remote:add( 
    passivation=false, 
    fetch-state=false, 
    purge=false, 
    preload=false, 
    shared=true, 
    remote-servers=["remote-cache"], 
    cache=sessions, 
    properties={ 
        rawValues=true, 
        marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, 
        protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion} 
    } 
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=statistics-enabled,value=true)

echo ** Update distributed-cache offlineSessions element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions/store=remote:add( 
    passivation=false, 
    fetch-state=false, 
    purge=false, 
    preload=false, 
    shared=true, 
    remote-servers=["remote-cache"], 
    cache=offlineSessions, 
    properties={ 
        rawValues=true, 
        marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, 
        protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion} 
    } 
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:write-attribute(name=statistics-enabled,value=true)

echo ** Update distributed-cache clientSessions element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions/store=remote:add( 
    passivation=false, 
    fetch-state=false, 
    purge=false, 
    preload=false, 
    shared=true, 
    remote-servers=["remote-cache"], 
    cache=clientSessions, 
    properties={ 
        rawValues=true, 
        marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, 
        protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion} 
    } 
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions:write-attribute(name=statistics-enabled,value=true)

echo ** Update distributed-cache offlineClientSessions element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions/store=remote:add( 
    passivation=false, 
    fetch-state=false, 
    purge=false, 
    preload=false, 
    shared=true, 
    remote-servers=["remote-cache"], 
    cache=offlineClientSessions, 
    properties={ 
        rawValues=true, 
        marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, 
        protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion} 
    } 
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions:write-attribute(name=statistics-enabled,value=true)

echo ** Update distributed-cache loginFailures element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures/store=remote:add( 
    passivation=false, 
    fetch-state=false, 
    purge=false, 
    preload=false, 
    shared=true, 
    remote-servers=["remote-cache"], 
    cache=loginFailures, 
    properties={ 
        rawValues=true, 
        marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, 
        protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion} 
    } 
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:write-attribute(name=statistics-enabled,value=true)

echo ** Update distributed-cache actionTokens element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens/store=remote:add( 
    passivation=false, 
    fetch-state=false, 
    purge=false, 
    preload=false, 
    shared=true, 
    cache=actionTokens, 
    remote-servers=["remote-cache"], 
    properties={ 
        rawValues=true, 
        marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, 
        protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion} 
    } 
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens:write-attribute(name=statistics-enabled,value=true)

echo ** Update distributed-cache authenticationSessions element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions:write-attribute(name=statistics-enabled,value=true)

echo *** Update undertow subsystem ***
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)

run-batch
stop-embedded-server

Do not forget to set JAVA_OPTS for the Keycloak nodes to run HotRod: remote.cache.host, remote.cache.port and the service name jboss.site.name.

Links and additional documentation

The article was translated and prepared for Habr by staff of the Slurm training center - intensives, video courses and corporate training from practicing specialists (Kubernetes, DevOps, Docker, Ansible, Ceph, SRE)

Source: www.habr.com
