Running Keycloak in HA mode on Kubernetes

TL;DR: there will be a description of Keycloak, an open-source access control system, an analysis of its internal structure, and configuration details.

Introduction and Key Ideas

In this article, we will look at the basic ideas to keep in mind when deploying a Keycloak cluster on top of Kubernetes.

If you want to know more about Keycloak, see the links at the end of the article. To go deeper into practice, you can study our repository with a module that implements the main ideas of this article (the startup guide is there; this article provides an overview of the architecture and settings, translator's note).

Keycloak is a comprehensive system written in Java and built on top of the Wildfly application server. In short, it is an authorization framework that gives application users federation and SSO (single sign-on) capabilities.

We invite you to read the official website or Wikipedia for a detailed understanding.

Starting Keycloak

Keycloak needs two persistent data sources to run:

  • A database used to store established data, such as user information
  • A datagrid cache, used to cache data from the database and to store some short-lived, frequently changing metadata, such as user sessions. It is implemented by Infinispan, which is usually much faster than the database. In any case, data stored in Infinispan is ephemeral, and it does not need to be saved anywhere when the cluster is restarted.

Keycloak works in four different modes:

  • Standalone: one and only one process, configured via the file standalone.xml
  • Standalone cluster (the high-availability option): all processes must use the same configuration, which has to be synchronized manually. The settings are stored in the file standalone-ha.xml; in addition, you need to set up shared access to the database and a load balancer.
  • Domain cluster: starting a cluster in standalone mode quickly becomes a routine and tedious task as the cluster grows, because every time the configuration changes, all the changes have to be made on every cluster node. Domain mode solves this problem by setting up a shared storage location and publishing the configuration. These settings are stored in the file domain.xml
  • Cross-datacenter replication: for running Keycloak in a cluster of several data centers, most often in different geographic locations. In this option, each data center will have its own cluster of Keycloak servers.

In this article we will look in detail at the second option, the standalone cluster, and we will also touch briefly on cross-datacenter replication, since it makes sense to run these two options in Kubernetes. Fortunately, in Kubernetes there is no problem with synchronizing the settings of several pods (Keycloak nodes), so a domain cluster will not be very difficult to set up.

Please also note that the word cluster in the rest of the article refers only to a group of Keycloak nodes working together; there is no need to refer to the Kubernetes cluster.

Standalone Keycloak cluster

To run Keycloak in this mode you need to:

  • configure an external shared database
  • set up a load balancer
  • have an internal network with IP multicast support

We will not discuss setting up the external database, because that is not the purpose of this article. Let's assume there is a working database somewhere and that we have a connection point to it. We will simply add this data to environment variables.

To better understand how Keycloak works in a failover (HA) cluster, it is important to know how much it all depends on Wildfly's clustering capabilities.

Wildfly uses several subsystems, some of which are used for load balancing and some for fault tolerance. The load balancer keeps the application available when a cluster node is overloaded, and fault tolerance keeps the application available even when some cluster nodes fail. Some of these subsystems:

  • mod_cluster: works together with Apache as an HTTP load balancer, and relies on TCP multicast to discover hosts by default. It can be replaced with an external balancer.

  • infinispan: a distributed cache that uses JGroups channels as the transport layer. In addition, it can use the HotRod protocol to communicate with an external Infinispan cluster to synchronize cache contents.

  • jgroups: provides group communication support for highly available services based on JGroups channels. Named channels allow application instances in a cluster to be connected into groups so that communication has properties such as reliability, ordering, and sensitivity to failures.

Load Balancer

When installing a balancer as an ingress controller in a Kubernetes cluster, it is important to keep the following in mind:

Keycloak assumes that the remote address of the client connecting over HTTP to the authentication server is the real IP address of the client computer. The balancer and ingress settings must set the HTTP headers X-Forwarded-For and X-Forwarded-Proto correctly, and also preserve the original HOST header. Recent versions of ingress-nginx (>0.22.0) disable this by default.

Enabling the proxy-address-forwarding flag by setting the environment variable PROXY_ADDRESS_FORWARDING to true tells Keycloak that it is running behind a proxy.

You also need to enable sticky sessions in the ingress. Keycloak uses a distributed Infinispan cache to store data associated with the current authentication session and the user session. The caches work with a single owner by default; in other words, a particular session is stored on a particular node in the cluster, and the other nodes must query it remotely if they need access to that session.

Specifically, contrary to the documentation, binding the session to the cookie name AUTH_SESSION_ID did not work for us. Keycloak gets a redirect loop, so we recommend choosing a different cookie name for the sticky session.

Keycloak also appends the name of the node that responded first to AUTH_SESSION_ID, and since every node in the highly available version uses the same database, each of them must have a separate, unique node identifier for transaction management. It is recommended to put the parameters jboss.node.name and jboss.tx.node.id in JAVA_OPTS, unique for each node; you can, for example, use the pod name. If you use the pod name, do not forget the 23-character limit for jboss variables, so it is better to use a StatefulSet rather than a Deployment.
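As an added example (not from the original article or the Keycloak project), the shell functions below derive the value for jboss.node.name and jboss.tx.node.id from the pod name and enforce the 23-character limit. The function names, the POD_NAME variable and the prefix-plus-CRC shortening scheme are assumptions of this example.

```shell
#!/bin/sh
# Added example: per-pod Wildfly node identity for a Keycloak HA cluster.
# kc_node_id, kc_java_opts and POD_NAME are names assumed for this example.

KC_NODE_ID_MAX=23   # character limit mentioned in the article

# kc_node_id NAME
# Prints an identifier of at most KC_NODE_ID_MAX characters for this pod.
kc_node_id() {
    name=$1
    case $name in
        '' | *[!A-Za-z0-9.-]*)
            echo "kc_node_id: unusable pod name: '$name'" >&2
            return 1
            ;;
    esac
    if [ "${#name}" -le "$KC_NODE_ID_MAX" ]; then
        # StatefulSet names such as keycloak-0 fit and stay stable across restarts.
        printf '%s\n' "$name"
        return 0
    fi
    # Deployment-style names are longer. Plain truncation could give two pods
    # the same id, so keep a 14-character prefix and append the CRC of the
    # full name as 8 hex digits (14 + 1 + 8 = 23).
    crc=$(printf '%s' "$name" | cksum | cut -d ' ' -f 1)
    printf '%.14s-%08x\n' "$name" "$crc"
}

# kc_java_opts NAME [EXISTING_OPTS]
# Prints EXISTING_OPTS extended with both node identity properties.
kc_java_opts() {
    id=$(kc_node_id "$1") || return 1
    printf '%s-Djboss.node.name=%s -Djboss.tx.node.id=%s\n' "${2:+$2 }" "$id" "$id"
}

# Entrypoint usage (POD_NAME assumed to be injected into the container):
#   JAVA_OPTS=$(kc_java_opts "$POD_NAME" "$JAVA_OPTS") || exit 1
#   export JAVA_OPTS
```

The function refuses an empty or malformed name instead of starting the node with a default identity, so two nodes sharing the database never come up with the same transaction node id by accident.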

Another pitfall: if a pod is deleted or restarted, its cache is lost. With this in mind, it is worth setting the number of cache owners for all caches to at least two, so that a copy of the cache remains. The solution is to run a Wildfly script when the pod starts, placing it in the directory /opt/jboss/startup-scripts in the container:

Script contents

embed-server --server-config=standalone-ha.xml --std-out=echo
batch

echo * Setting CACHE_OWNERS to "${env.CACHE_OWNERS}" in all cache-containers

/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:write-attribute(name=owners, value=${env.CACHE_OWNERS:1})

run-batch
stop-embedded-server

Then set the environment variable CACHE_OWNERS to the required value.
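One way to check that the startup script took effect, as an added example that is not part of the original article: the function below reads a standalone-ha.xml and reports every cache from the script above whose owners value is below the required minimum. The function names and the sample fragment are constructed for this example, and it assumes each distributed-cache opening tag sits on one line.

```shell
#!/bin/sh
# Added example: audit the owners value of the Keycloak distributed caches.
# Function names are assumptions; the XML fragment is constructed sample data.

# The seven caches the startup script above writes "owners" for.
KC_CACHES="sessions authenticationSessions actionTokens offlineSessions clientSessions offlineClientSessions loginFailures"

# audit_cache_owners FILE [MIN]
# Prints one line per cache whose owners value is missing, unset or below MIN
# (default 2) and returns non-zero if any such cache was found.
audit_cache_owners() {
    file=$1
    min=${2:-2}
    awk -v min="$min" -v want="$KC_CACHES" '
        BEGIN {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++) owners[w[i]] = "missing"
        }
        /<distributed-cache[ \t]/ {
            name = ""; own = "unset"
            if (match($0, /name="[^"]*"/))   name = substr($0, RSTART + 6, RLENGTH - 7)
            if (match($0, /owners="[^"]*"/)) own  = substr($0, RSTART + 8, RLENGTH - 9)
            if (name in owners) owners[name] = own
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                v = owners[w[i]]
                # A non-numeric value (missing element, unset attribute) is
                # reported too, so a reviewer confirms the effective setting.
                if (v !~ /^[0-9]+$/ || v + 0 < min) {
                    printf "%s owners=%s\n", w[i], v
                    bad = 1
                }
            }
            exit bad
        }' "$file"
}

# Constructed sample: two caches were left with a single owner.
kc_sample_config() {
    cat <<'EOF'
<cache-container name="keycloak">
    <local-cache name="realms"/>
    <distributed-cache name="sessions" owners="2"/>
    <distributed-cache name="authenticationSessions" owners="2"/>
    <distributed-cache name="actionTokens" owners="2"/>
    <distributed-cache name="offlineSessions" owners="1"/>
    <distributed-cache name="clientSessions" owners="2"/>
    <distributed-cache name="offlineClientSessions" owners="2"/>
    <distributed-cache name="loginFailures" owners="1"/>
    <replicated-cache name="work"/>
</cache-container>
EOF
}
```

Run against the sample, the audit lists offlineSessions and loginFailures, the two caches that would lose their data when the owning pod restarts.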

Private network with IP multicast support

If you use Weavenet as the CNI, multicast will work right away, and your Keycloak nodes will see each other as soon as they start.

If you do not have IP multicast support in your Kubernetes cluster, you can configure JGroups to work with other protocols for discovering nodes.

The first option is to use KUBE_DNS, which uses a headless service to find Keycloak nodes; you simply pass JGroups the name of the service that will be used to find the nodes.

Another option is to use the KUBE_PING method, which works with the API to look up nodes (you need to configure a serviceAccount with list and get permissions, and then configure the pods to run with this serviceAccount).

The way JGroups finds nodes is configured by setting the environment variables JGROUPS_DISCOVERY_PROTOCOL and JGROUPS_DISCOVERY_PROPERTIES. For KUBE_PING you need to select the pods by specifying namespace and labels.

If you use multicast and run two or more Keycloak clusters in one Kubernetes cluster (say, one in the production namespace and the second in staging), the nodes of one Keycloak cluster can join the other cluster. Make sure to use a different multicast address for each cluster by setting the variables jboss.default.multicast.address and jboss.modcluster.multicast.address in JAVA_OPTS.

Cross-datacenter replication

Communication

Keycloak uses separate Infinispan cache clusters for each data center where Keycloak clusters made up of Keycloak nodes are located. But there is no difference between Keycloak nodes in different data centers.

Keycloak nodes use an external Java Data Grid (Infinispan servers) for communication between data centers. Communication works according to the Infinispan HotRod protocol.

Infinispan caches must be configured with the remoteStore attribute, so that data can be stored in remote (in another data center, translator's note) caches. There are separate Infinispan clusters among the JDG servers, so that data stored on JDG1 at site site1 will be replicated to JDG2 at site site2.

And finally, the receiving JDG server notifies the Keycloak servers of its cluster through client connections, which is a feature of the HotRod protocol. The Keycloak nodes on site2 update their Infinispan caches, and the particular user session becomes available on the Keycloak nodes on site2 as well.

For some caches, it is also possible not to make backups and to avoid writing data through the Infinispan server entirely. To do this you need to remove the remote-store setting of the particular Infinispan cache (in the file standalone-ha.xml), after which the corresponding replicated-cache will also no longer be needed on the Infinispan server side.

Setting up caches

There are two types of caches in Keycloak:

  • Local. It sits next to the database and serves to reduce the load on the database as well as to reduce response latency. This type of cache stores realms, clients, roles, and user metadata. This type of cache is not replicated, even if the cache is part of a Keycloak cluster. If an entry in the cache changes, a message about the change is sent to the remaining servers in the cluster, after which the entry is evicted from the cache. See the description of work below for a more detailed description of the procedure.

  • Replicated. Handles user sessions and offline tokens, and also tracks login failures in order to detect password phishing attempts and other attacks. Data stored in these caches is temporary and kept only in RAM, but it can be replicated across the cluster.

Infinispan caches

Sessions: a concept in Keycloak; separate caches, called authenticationSessions, are used to store the data of specific users. Requests to these caches are usually needed by the browser and the Keycloak servers, not by applications. This is where the dependence on sticky sessions comes in, and such caches themselves do not need to be replicated, even in active mode.

Action tokens. Another concept, usually used for various scenarios where, for example, the user has to do something asynchronously by mail. For example, during the forget password procedure the actionTokens cache is used to track metadata of the associated tokens, for example that a token has already been used and cannot be activated again. This type of cache usually needs to be replicated between data centers.

Caching and invalidation of stored data serves to take load off the database. This kind of caching improves performance, but adds an obvious problem. If one Keycloak server updates data, the other servers must be notified so that they can update the data in their caches. Keycloak uses the local caches realms, users and authorization to cache data from the database.

There is also a separate cache, work, which is replicated across all data centers. It does not itself store any data from the database, but serves to send messages about data invalidation to cluster nodes between data centers. In other words, as soon as data is updated, the Keycloak node sends a message to the other nodes in its data center, as well as to nodes in other data centers. After receiving such a message, each node clears the corresponding data in its local caches.

User sessions. The caches named sessions, clientSessions, offlineSessions and offlineClientSessions are usually replicated between data centers and serve to store data about user sessions that are active while the user is working in the browser. These caches work with the processing of HTTP requests from end users, so they are associated with sticky sessions and must be replicated between data centers.

Brute force protection. The loginFailures cache is used to track login failure data, such as how many times a user entered an incorrect password. Replication of this cache is up to the administrator. For accurate counting, it is worth enabling replication between data centers. On the other hand, if you do not replicate this data, you will improve performance, and if this problem comes up, replication may be left disabled.

When rolling out the Infinispan cluster, you need to add cache definitions to the settings file:

<replicated-cache-configuration name="keycloak-sessions" mode="ASYNC" start="EAGER" batching="false">
</replicated-cache-configuration>

<replicated-cache name="work" configuration="keycloak-sessions" />
<replicated-cache name="sessions" configuration="keycloak-sessions" />
<replicated-cache name="offlineSessions" configuration="keycloak-sessions" />
<replicated-cache name="actionTokens" configuration="keycloak-sessions" />
<replicated-cache name="loginFailures" configuration="keycloak-sessions" />
<replicated-cache name="clientSessions" configuration="keycloak-sessions" />
<replicated-cache name="offlineClientSessions" configuration="keycloak-sessions" />

You must configure and start the Infinispan cluster before starting the Keycloak cluster.

Then you need to configure remoteStore for the Keycloak caches. A script is enough for this, made the same way as the previous one that sets the CACHE_OWNERS variable; save it to a file and put it in the directory /opt/jboss/startup-scripts:

Script contents

embed-server --server-config=standalone-ha.xml --std-out=echo
batch

echo *** Update infinispan subsystem ***
/subsystem=infinispan/cache-container=keycloak:write-attribute(name=module, value=org.keycloak.keycloak-model-infinispan)

echo ** Add remote socket binding to infinispan server **
/socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-cache:add(host=${remote.cache.host:localhost}, port=${remote.cache.port:11222})

echo ** Update replicated-cache work element **
/subsystem=infinispan/cache-container=keycloak/replicated-cache=work/store=remote:add( 
    passivation=false, 
    fetch-state=false, 
    purge=false, 
    preload=false, 
    shared=true, 
    remote-servers=["remote-cache"], 
    cache=work, 
    properties={ 
        rawValues=true, 
        marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, 
        protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion} 
    } 
)

/subsystem=infinispan/cache-container=keycloak/replicated-cache=work:write-attribute(name=statistics-enabled,value=true)

echo ** Update distributed-cache sessions element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions/store=remote:add( 
    passivation=false, 
    fetch-state=false, 
    purge=false, 
    preload=false, 
    shared=true, 
    remote-servers=["remote-cache"], 
    cache=sessions, 
    properties={ 
        rawValues=true, 
        marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, 
        protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion} 
    } 
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=statistics-enabled,value=true)

echo ** Update distributed-cache offlineSessions element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions/store=remote:add( 
    passivation=false, 
    fetch-state=false, 
    purge=false, 
    preload=false, 
    shared=true, 
    remote-servers=["remote-cache"], 
    cache=offlineSessions, 
    properties={ 
        rawValues=true, 
        marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, 
        protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion} 
    } 
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:write-attribute(name=statistics-enabled,value=true)

echo ** Update distributed-cache clientSessions element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions/store=remote:add( 
    passivation=false, 
    fetch-state=false, 
    purge=false, 
    preload=false, 
    shared=true, 
    remote-servers=["remote-cache"], 
    cache=clientSessions, 
    properties={ 
        rawValues=true, 
        marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, 
        protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion} 
    } 
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions:write-attribute(name=statistics-enabled,value=true)

echo ** Update distributed-cache offlineClientSessions element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions/store=remote:add( 
    passivation=false, 
    fetch-state=false, 
    purge=false, 
    preload=false, 
    shared=true, 
    remote-servers=["remote-cache"], 
    cache=offlineClientSessions, 
    properties={ 
        rawValues=true, 
        marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, 
        protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion} 
    } 
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions:write-attribute(name=statistics-enabled,value=true)

echo ** Update distributed-cache loginFailures element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures/store=remote:add( 
    passivation=false, 
    fetch-state=false, 
    purge=false, 
    preload=false, 
    shared=true, 
    remote-servers=["remote-cache"], 
    cache=loginFailures, 
    properties={ 
        rawValues=true, 
        marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, 
        protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion} 
    } 
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:write-attribute(name=statistics-enabled,value=true)

echo ** Update distributed-cache actionTokens element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens/store=remote:add( 
    passivation=false, 
    fetch-state=false, 
    purge=false, 
    preload=false, 
    shared=true, 
    cache=actionTokens, 
    remote-servers=["remote-cache"], 
    properties={ 
        rawValues=true, 
        marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, 
        protocolVersion=${keycloak.connectionsInfinispan.hotrodProtocolVersion} 
    } 
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens:write-attribute(name=statistics-enabled,value=true)

echo ** Update distributed-cache authenticationSessions element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions:write-attribute(name=statistics-enabled,value=true)

echo *** Update undertow subsystem ***
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)

run-batch
stop-embedded-server

Do not forget to set JAVA_OPTS so that the Keycloak nodes use HotRod: remote.cache.host, remote.cache.port and the service name jboss.site.name.

Links and additional documentation

The article was translated and prepared for Habr by the staff of the Slurm training center: intensive courses, video courses and corporate training from practitioners (Kubernetes, DevOps, Docker, Ansible, Ceph, SRE)

Source: www.habr.com
