MODROLESKC-62: Spike - Should Keycloak resources be cleaned up when disabling applications w/ purge=true

The goal of the spike is to define what should be done with the Keycloak resources when the FOLIO application is disabled.

Important: The recovery or rollback operation will not be supported. This means that in the case of any errors during application disabling, administrators should take recovery actions to restore the FOLIO deployment to a consistent state.

The table below shows a list of resources and how they are affected by disabling applications with the purge parameter set to either true or false. It also shows their current state after the completion of disabling the application.

The table columns:

  • Resources: This column lists the different types of resources, including Keycloak Authorization Resource Scopes, Keycloak Authorization Resource, Keycloak Authorization Policies, and Keycloak Realm Users.

  • Actions when disabling applications (purge = true): This column describes what happens to the resources when an application is disabled with the purge parameter set to true.

  • Actions when disabling applications (purge = false): This column describes what happens to the resources when an application is disabled with the purge parameter set to false.

  • Current state: This column describes the current state of the resources, regardless of the purge parameter setting.

| Resources | Actions when disabling applications (purge = true) | Actions when disabling applications (purge = false) | Current state | Changes needed |
|---|---|---|---|---|
| Keycloak clients | Should be preserved | Should be preserved | Preserved | N |
| Keycloak Authorization Resource Scopes | Should be preserved | Should be preserved | Preserved | N |
| Keycloak Authorization Resource | All resources created for the modules listed in the application should be removed | All resources created for the modules listed in the application should be removed | Removed | N |
| Keycloak Authorization Policies | Policies for users (except system users) and roles should be preserved. | Policies for users (except system users) and roles should be preserved. | Left without changes | Y |
| Keycloak Authorization Permissions | All permissions for all resources created for the modules listed in the application should be removed | All permissions created for system users defined in the application should be removed | Left without changes | Y |
| Keycloak Realm Roles | Should be preserved | Should be preserved | Left without changes | N |
| Keycloak Realm Roles (Created for Default Roles) | Should be preserved | Should be preserved | Left without changes | N |
| Keycloak Realm Users | Should be preserved | Should be preserved | Left without changes | N |
| Keycloak Realm Users (Created for System Users) | Both the FOLIO user and the Keycloak user should be removed | Both the FOLIO user and the Keycloak user should be removed | Left without changes | Y |
| Backend Capabilities | All capabilities created from the module descriptors listed in the application should be detached from the users and roles and removed | Should be preserved | Left without changes | Y |
| UI Capabilities | All capabilities created from the module descriptors listed in the application should be detached from the users and roles and removed | Should be preserved | Left without changes | Y |
| Backend Capability Sets | All capability sets created from the module descriptors listed in the application should be detached from the users and roles and removed | Should be preserved | Left without changes | Y |
| UI Capability Sets | All capability sets created from the module descriptors listed in the application should be detached from the users and roles and removed | Should be preserved | Left without changes | Y |