Elytron *-key-store resources should offer operations instead of an alias resource; at least ldap-key-store should. The reason is the same as for the identity resource of Elytron modifiable realms; see WFCORE-2691 or the related mailing thread on wildfly-dev.
The management kernel requires that a Resource object exists for any address against which an operation is executed. Those Resource objects need to be reachable from the parent Resource object (i.e. /subsystem=elytron/ldap-realm=ldapRealm).
That might be a big problem for these resources, each of which represents an item in an external system, since navigating through the resource tree can mean needing to identify all possible resources, which means remote calls and possibly massive numbers of children.
For example, imagine this:
This is a Blocker issue, because the management API of this subsystem has to be correct. We can't ship with large potential design problems.
Setting priority to blocker, as for JBEAP-9547. The issue also brings some changes to EAP7-203 related tests.