MODROLESKC-62: Spike - Should Keycloak resources be cleaned up when disabling applications w/ purge=true
The goal of the spike is to define what should be done with the Keycloak resources when the FOLIO application is disabled.
Important: The recovery or rollback operation will not be supported. This means that in the case of any errors during application disabling, administrators should take recovery actions to restore the FOLIO deployment to a consistent state.
The table below shows a list of resources and how they are affected by disabling applications with the purge parameter set to either true or false. It also shows their current state after the completion of disabling the application.
The table columns:
Resources: This column lists the different types of resources, including Keycloak Authorization Resource Scopes, Keycloak Authorization Resource, Keycloak Authorization Policies, and Keycloak Realm Users.
Actions when disabling applications (purge = true): This column describes what happens to the resources when an application is disabled with the purge parameter set to true.
Actions when disabling applications (purge = false): This column describes what happens to the resources when an application is disabled with the purge parameter set to false.
Current state: This column describes the current state of the resources, regardless of the purge parameter setting.
Resources | Actions when disabling applications (purge = true) | Actions when disabling applications (purge = false) | Current state | Changes needed |
Keycloak clients | Should be preserved | Should be preserved | Preserved | N |
Keycloak Authorization Resource Scopes | Should be preserved | Should be preserved | Preserved | N |
Keycloak Authorization Resource | All resources created for the modules listed in the application should be removed | All resources created for the modules listed in the application should be removed | Removed | N |
Keycloak Authorization Policies | Policies for users (except system users) and roles should be preserved. | Policies for users (except system users) and roles should be preserved. | Left without changes | Y |
Keycloak Authorization Permissions | All permissions for all resources created for the modules listed in the application should be removed | All permissions created for system users defined in the application should be removed | Left without changes | Y |
Keycloak Realm Roles | Should be preserved | Should be preserved | Left without changes | N |
Keycloak Realm Roles (Created for Default Roles) | Should be preserved | Should be preserved | Left without changes | N |
Keycloak Realm Users | Should be preserved | Should be preserved | Left without changes | N |
Keycloak Realm Users (Created for System Users) | Both the FOLIO user and the Keycloak user should be removed | Both the FOLIO user and the Keycloak user should be removed | Left without changes | Y |
Backend Capabilities | All capabilities created from the module descriptors listed in the application should be detached from the users and roles and removed | Should be preserved | Left without changes | Y |
UI Capabilities | All capabilities created from the module descriptors listed in the application should be detached from the users and roles and removed | Should be preserved | Left without changes | Y |
Backend Capability Sets | All capability sets created from the module descriptors listed in the application should be detached from the users and roles and removed | Should be preserved | Left without changes | Y |
UI Capability Sets | All capability sets created from the module descriptors listed in the application should be detached from the users and roles and removed | Should be preserved | Left without changes | Y |