Change user role in Keycloak after update in existing DB - keycloak

I implemented the User Storage SPI to use Keycloak with an existing user DB, but I ran into this problem: when I update roles in my DB, the roles in Keycloak are not updated, and all my attempts to fix this lead to errors. For example, I tried to disable the cache for User Federation; this is the error after disabling the cache:
21:37:46,556 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-3) Uncaught server error: java.lang.NullPointerException
at org.keycloak.keycloak-server-spi-private#9.0.2//org.keycloak.models.utils.KeycloakModelUtils.resolveAttribute(KeycloakModelUtils.java:415)
at org.keycloak.keycloak-services#9.0.2//org.keycloak.protocol.oidc.mappers.UserAttributeMapper.setClaim(UserAttributeMapper.java:101)
at org.keycloak.keycloak-services#9.0.2//org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.setClaim(AbstractOIDCProtocolMapper.java:119)
at org.keycloak.keycloak-services#9.0.2//org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.transformAccessToken(AbstractOIDCProtocolMapper.java:81)
at org.keycloak.keycloak-services#9.0.2//org.keycloak.protocol.oidc.TokenManager.transformAccessToken(TokenManager.java:556)
at org.keycloak.keycloak-services#9.0.2//org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:415)
I found a workaround to solve this problem (override the getAttribute method from the UserModel interface: workaround), and then got this error:
21:42:05,659 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-3) Unique index or primary key violation: "PRIMARY_KEY_41 ON PUBLIC.FED_USER_ROLE_MAPPING(ROLE_ID, USER_ID) VALUES ('3cc65575-ba9b-4248-8601-bf4a9413cb17', 'f:cbd0e1b7-c6ed-4bd2-a4eb-b47fd8201ca8:1', 1)"; SQL statement:
insert into FED_USER_ROLE_MAPPING (REALM_ID, STORAGE_PROVIDER_ID, ROLE_ID, USER_ID) values (?, ?, ?, ?) [23505-193]
21:42:05,661 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-3) Uncaught server error: javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: could not execute statement
at org.hibernate#5.3.13.Final//org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:154)
at org.hibernate#5.3.13.Final//org.hibernate.query.internal.AbstractProducedQuery.list(AbstractProducedQuery.java:1515)
If I enable the cache, then on the first token request I get the same error as above, and on all subsequent ones I just get the token, but the roles do not match those in my DB. What can I do about it? Thanks.
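One way to get both behaviours at once, added here as an example and not the asker's code: the adapter answers role questions from the external DB on every read, so Keycloak never has to copy the external roles into FED_USER_ROLE_MAPPING (the table whose primary key is violated in the second trace), and it never returns null from getAttribute (the NullPointerException in KeycloakModelUtils.resolveAttribute in the first trace is consistent with a null attribute list). It assumes the Keycloak 9.0.2 API shown in the traces (UserModel.getAttribute returning List<String>, AbstractUserAdapterFederatedStorage from org.keycloak.storage.adapter); ExternalUser, the externalRoleNames lookup function and the realm-roles-only convention are assumptions for the example.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.function.Function;

import org.keycloak.component.ComponentModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.utils.RoleUtils;
import org.keycloak.storage.ReadOnlyException;
import org.keycloak.storage.adapter.AbstractUserAdapterFederatedStorage;

/**
 * User adapter for a User Storage SPI provider whose role assignments live in an external DB.
 * Roles from that DB are resolved at read time and merged with whatever Keycloak itself stores
 * for the user, so a change in the external DB is visible on the next lookup without any write
 * into Keycloak's federated storage tables. (Example code; ExternalUser is a hypothetical shape.)
 */
public class ExternalRoleUserAdapter extends AbstractUserAdapterFederatedStorage {

    /** Minimal view of a row of the existing user table (assumed shape). */
    public static final class ExternalUser {
        public final String id;
        public final String username;
        public ExternalUser(String id, String username) { this.id = id; this.username = username; }
    }

    private final ExternalUser user;
    /** Returns the role names currently assigned to an external user id; supplied by the provider. */
    private final Function<String, Set<String>> externalRoleNames;

    public ExternalRoleUserAdapter(KeycloakSession session, RealmModel realm, ComponentModel model,
                                   ExternalUser user, Function<String, Set<String>> externalRoleNames) {
        super(session, realm, model);
        this.user = user;
        this.externalRoleNames = externalRoleNames;
    }

    @Override
    public String getUsername() { return user.username; }

    @Override
    public void setUsername(String username) {
        // The external DB owns identity data; refuse writes instead of silently ignoring them.
        throw new ReadOnlyException("username is managed by the external user DB");
    }

    /** Never returns null: protocol mappers call values.isEmpty() on the result. */
    @Override
    public List<String> getAttribute(String name) {
        List<String> values = super.getAttribute(name);
        return values == null ? Collections.emptyList() : values;
    }

    /** Roles Keycloak stores for the user (federated storage, default roles) plus the external DB's roles. */
    @Override
    public Set<RoleModel> getRoleMappings() {
        Set<RoleModel> roles = new HashSet<>(super.getRoleMappings());
        for (String name : externalRoleNames.apply(user.id)) {
            RoleModel role = realm.getRole(name);   // realm roles only (assumption of this example)
            if (role != null) roles.add(role);       // unknown names are ignored, never auto-created
        }
        return roles;
    }

    /** Effective role check over the merged set; super covers roles inherited through groups. */
    @Override
    public boolean hasRole(RoleModel role) {
        return RoleUtils.hasRole(getRoleMappings(), role) || super.hasRole(role);
    }

    /** Only persist a grant that is not already effective, so no duplicate FED_USER_ROLE_MAPPING row is written. */
    @Override
    public void grantRole(RoleModel role) {
        if (externalRoleNames.apply(user.id).contains(role.getName())) return; // already granted by the external DB
        if (super.getRoleMappings().contains(role)) return;                    // already stored by Keycloak
        super.grantRole(role);
    }
}
```

The adapter is only consulted when the user is not served from Keycloak's user cache, so for the role set to be re-read after a change in the external DB the provider's cache policy (UserStorageProviderModel.CachePolicy) has to be NO_CACHE or a short eviction; with the default policy a token issued from the cached user keeps the old roles until eviction, which is the stale-authorization effect described in the question. Because the merge happens in getRoleMappings, revoking a role in the external DB takes effect on the next uncached lookup and leaves nothing behind in Keycloak to clean up.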

Related

Status 400 Bad Request: failed to revoke entry... cannot be dropped because some objects depend on it (SQLSTATE 2BP01);

I have configured my spring boot application to obtain the database credentials from the vault database backend. This is working fine when I run it with the vault in 'vault for development mode'. But now I am trying to get it to work when the vault server is running in production mode.
I am getting the exception below in the spring boot application at context loading.
Error starting ApplicationContext. To display the conditions report re-run your application with 'debug' enabled.
2023-01-31 19:22:12.511 WARN 32872 --- [ Test worker] LeaseEventPublisher$LoggingErrorListener : [RequestedSecret [path='database/creds/myrole', mode=RENEW]] Lease [leaseId='database/creds/myrole/sDABdI1ZfDyYiuzZ3WUmZN9o', leaseDuration=PT5M, renewable=true] Status 400 Bad Request: failed to revoke entry: resp: (*logical.Response)(nil) err: ERROR: role "v-root-myrole-o1PzAyuwybhLzZpPx1k0-1675173125" cannot be dropped because some objects depend on it (SQLSTATE 2BP01); nested exception is org.springframework.web.client.HttpClientErrorException$BadRequest: 400 Bad Request
org.springframework.vault.VaultException: Status 400 Bad Request: failed to revoke entry: resp: (*logical.Response)(nil) err: ERROR: role "v-root-myrole-o1PzAyuwybhLzZpPx1k0-1675173125" cannot be dropped because some objects depend on it (SQLSTATE 2BP01); nested exception is org.springframework.web.client.HttpClientErrorException$BadRequest: 400 Bad Request
at org.springframework.vault.client.VaultResponses.buildException(VaultResponses.java:63) ~[spring-vault-core-2.2.0.RELEASE.jar:2.2.0.RELEASE]
at org.springframework.vault.core.VaultTemplate.doWithSession(VaultTemplate.java:391) ~[spring-vault-core-2.2.0.RELEASE.jar:2.2.0.RELEASE]
at org.springframework.vault.core.lease.SecretLeaseContainer.doRevokeLease(SecretLeaseContainer.java:785) [spring-vault-core-2.2.0.RELEASE.jar:2.2.0.RELEASE]
at org.springframework.vault.core.lease.SecretLeaseContainer.destroy(SecretLeaseContainer.java:503) [spring-vault-core-2.2.0.RELEASE.jar:2.2.0.RELEASE]
at org.springframework.beans.factory.support.DisposableBeanAdapter.destroy(DisposableBeanAdapter.java:258) [spring-beans-5.2.0.RELEASE.jar:5.2.0.RELEASE]
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.destroyBean(DefaultSingletonBeanRegistry.java:571) [spring-beans-5.2.0.RELEASE.jar:5.2.0.RELEASE]
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.destroySingleton(DefaultSingletonBeanRegistry.java:543) [spring-beans-5.2.0.RELEASE.jar:5.2.0.RELEASE]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.destroySingleton(DefaultListableBeanFactory.java:1072) [spring-beans-5.2.0.RELEASE.jar:5.2.0.RELEASE]
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.destroySingletons(DefaultSingletonBeanRegistry.java:504) [spring-beans-5.2.0.RELEASE.jar:5.2.0.RELEASE]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.destroySingletons(DefaultListableBeanFactory.java:1065) [spring-beans-5.2.0.RELEASE.jar:5.2.0.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.destroyBeans(AbstractApplicationContext.java:1060) [spring-context-5.2.0.RELEASE.jar:5.2.0.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.doClose(AbstractApplicationContext.java:1029) [spring-context-5.2.0.RELEASE.jar:5.2.0.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.close(AbstractApplicationContext.java:978) [spring-context-5.2.0.RELEASE.jar:5.2.0.RELEASE]
...
I am also getting the error below in the vault (docker container) log.
2023-01-31T13:51:38.534Z [ERROR] expiration: failed to revoke lease: lease_id=database/creds/myrole/JhS1BcblrfdqHAWGnTSjTx8p error="failed to revoke entry: resp: (*logical.Response)(nil) err: ERROR: role \"v-root-myrole-PMfgb1jqWGBNlXIGKM2E-1675171846\" cannot be dropped because some objects depend on it (SQLSTATE 2BP01)"
2023-01-31T13:51:38.660Z [ERROR] expiration: failed to revoke lease: lease_id=database/creds/myrole/tX4nIeWS4tWS0bJGpMSB5uAA error="failed to revoke entry: resp: (*logical.Response)(nil) err: ERROR: role \"v-root-myrole-LpuSXIp0yzV6uqQpwllS-1675171653\" cannot be dropped because some objects depend on it (SQLSTATE 2BP01)"
2023-01-31T13:51:54.010Z [ERROR] expiration: failed to revoke lease: lease_id=database/creds/myrole/JhS1BcblrfdqHAWGnTSjTx8p error="failed to revoke entry: resp: (*logical.Response)(nil) err: ERROR: role \"v-root-myrole-PMfgb1jqWGBNlXIGKM2E-1675171846\" cannot be dropped because some objects depend on it (SQLSTATE 2BP01)"
2023-01-31T13:52:04.127Z [ERROR] expiration: failed to revoke lease: lease_id=database/creds/myrole/tX4nIeWS4tWS0bJGpMSB5uAA error="failed to revoke entry: resp: (*logical.Response)(nil) err: ERROR: role \"v-root-myrole-LpuSXIp0yzV6uqQpwllS-1675171653\" cannot be dropped because some objects depend on it (SQLSTATE 2BP01)"
2023-01-31T13:52:12.474Z [ERROR] secrets.system.system_e586bc2f: lease revocation failed: lease_id=database/creds/myrole/sDABdI1ZfDyYiuzZ3WUmZN9o error="failed to revoke entry: resp: (*logical.Response)(nil) err: ERROR: role \"v-root-myrole-o1PzAyuwybhLzZpPx1k0-1675173125\" cannot be dropped because some objects depend on it (SQLSTATE 2BP01)"
I tried to add the policy below to the default policy as well, but it didn't resolve this issue.
path "sys/leases/revoke/*" {
capabilities = ["update"]
}
Since it has this in the exception message, I tried to add read and update capabilities for "database/creds/myrole" in the default policy, and all of a sudden vault started throwing the error below as well. But it was fixed after I removed the policy config and re-updated the password of the user in the database.
expiration: failed to revoke lease: lease_id=database/creds/myrole/tX4nIeWS4tWS0bJGpMSB5uAA error="failed to revoke entry: resp: (*logical.Response)(nil) err: error verifying connection: failed to connect to `host=host.docker.internal user=spring_user database=ax`: failed SASL auth (FATAL: password authentication failed for user \"spring_user\" (SQLSTATE 28P01))"
I would appreciate it if someone could help me resolve this issue; I have been trying to find a solution, but now I am confused.
The reason for the SQL error was that all the roles created by the vault were still present in the database. As the error mentions, the vault is unable to drop the role as there were other objects tied to the role.
The 400 bad request error didn't come when I restarted the service after revoking privileges and dropping all the roles created by the vault.
Then adding the script below to the Revocation Statement of my database backend role helped to remove the previously created role automatically when the lease period expired.
DROP OWNED BY "{{name}}"; REVOKE ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA ax_management FROM "{{name}}"; DROP ROLE "{{name}}";
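Before putting a DROP OWNED BY into the revocation statements it is worth seeing what actually ties a Vault-generated role to the database, because the same SQLSTATE 2BP01 is raised both for objects the role owns and for privileges granted to it, and DROP OWNED BY removes the objects (tables included) as well as the grants. The JDBC check below is an added example, not the answerer's code: it lists owned relations and table grants for one of the v-root-myrole-... roles from the log, using the Postgres catalog views pg_class/pg_roles and information_schema.role_table_grants. The JDBC URL, the admin user and reading the password from PGPASSWORD are placeholders; the role name is passed on the command line.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

/**
 * Lists everything that makes DROP ROLE fail for a dynamic database role:
 * relations the role owns, and tables it holds privileges on.
 * Run with an administrative connection, not with the dynamic credentials themselves.
 */
public class RoleDependencyCheck {

    // Relations (tables, sequences, views, ...) owned by the role; DROP OWNED BY would drop these.
    private static final String OWNED_RELATIONS =
        "SELECT n.nspname, c.relname, c.relkind FROM pg_class c "
      + "JOIN pg_namespace n ON n.oid = c.relnamespace "
      + "WHERE c.relowner = (SELECT oid FROM pg_roles WHERE rolname = ?)";

    // Table privileges granted to the role; DROP OWNED BY (or REVOKE) removes these.
    private static final String TABLE_GRANTS =
        "SELECT table_schema, table_name, privilege_type "
      + "FROM information_schema.role_table_grants WHERE grantee = ?";

    /** Human-readable list of dependencies; empty means DROP ROLE would succeed. */
    public static List<String> dependencies(Connection conn, String roleName) throws SQLException {
        List<String> out = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(OWNED_RELATIONS)) {
            ps.setString(1, roleName);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    out.add("owns relkind=" + rs.getString(3) + " "
                          + rs.getString(1) + "." + rs.getString(2));
                }
            }
        }
        try (PreparedStatement ps = conn.prepareStatement(TABLE_GRANTS)) {
            ps.setString(1, roleName);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    out.add("has " + rs.getString(3) + " on "
                          + rs.getString(1) + "." + rs.getString(2));
                }
            }
        }
        return out;
    }

    public static void main(String[] args) throws SQLException {
        // Placeholders: database "ax" from the question, admin user and password for this example only.
        String url = "jdbc:postgresql://localhost:5432/ax";
        String password = System.getenv("PGPASSWORD");
        try (Connection conn = DriverManager.getConnection(url, "postgres", password)) {
            for (String dep : dependencies(conn, args[0])) {
                System.out.println(dep);
            }
        }
    }
}
```

If the output shows only grants, the answer's three statements are the right revocation set. If it shows relations owned by the role, the application created objects while holding a lease, and DROP OWNED BY will delete them on expiry; in that case a REASSIGN OWNED BY "{{name}}" TO <fixed owner role> before the DROP OWNED BY keeps the data and still lets the role go away. Either way the failed revocations in the log matter beyond the 400 error: every lease that cannot be revoked leaves a working database password in place after its TTL, which is exactly what the dynamic-secrets setup was meant to prevent.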

Keycloak 18 won't create default-tables on docker when configure a second DB via quarkus.properties

I am implementing a custom UserProvider SPI for Keycloak 18.0.2 and therefore have (alongside the Keycloak default PostgreSQL DB) an MSSQL database in use.
The customized Keycloak and the PostgreSQL are run as docker containers.
The problems occur on my local MacBook M1 (but the same behaviour on an Intel CPU as well). When building and starting the custom Keycloak container, all volumes for both containers are removed, so there is always a fresh DB container.
(Side note: as the SPI was written for WildFly and is broken with 19.x.x, I just stepped back to 18.0.2 to get the whole process working again. Afterwards I will update to 19 and adapt the SPI implementations.)
The problem ...
Keycloak will create all tables for the default Keycloak DB (PostgreSQL) in the public schema ONLY IF I configure the connection to the MSSQL via persistence.xml. This must not be in the production setup, as this should be at least configurable by the GitLab pipeline.
If I move the connection info from persistence.xml to quarkus.properties (as described here: https://github.com/keycloak/keycloak-quickstarts/tree/main/user-storage-jpa), the default DB tables can't be created anymore...
Logs in the Postgres container:
LOG: database system is ready to accept connections
ERROR: relation "migration_model" does not exist at character 25
STATEMENT: SELECT ID, VERSION FROM MIGRATION_MODEL ORDER BY UPDATE_TIME DESC
ERROR: syntax error at end of input at character 20
STATEMENT: call current_schema
ERROR: current transaction is aborted, commands ignored until end of transaction block
STATEMENT: SELECT COUNT(*) FROM DATABASECHANGELOG
ERROR: syntax error at end of input at character 20
STATEMENT: call current_schema
ERROR: current transaction is aborted, commands ignored until end of transaction block
STATEMENT: SELECT COUNT(*) FROM DATABASECHANGELOGLOCK
ERROR: syntax error at end of input at character 20
STATEMENT: call current_schema
ERROR: current transaction is aborted, commands ignored until end of transaction block
STATEMENT: CREATE TABLE DATABASECHANGELOGLOCK (ID INT NOT NULL, "LOCKED" BOOLEAN NOT NULL, LOCKGRANTED datetime, LOCKEDBY VARCHAR(255), CONSTRAINT PK_DATABASECHANGELOGLOCK PRIMARY KEY (ID))
ERROR: syntax error at end of input at character 20
Keycloak logs:
WARN [liquibase.database.DatabaseFactory] (main) Unknown database: PostgreSQL
WARN [org.keycloak.connections.jpa.updater.liquibase.lock.CustomLockService] (main) Failed to create lock table. Maybe other transaction created in the meantime. Retrying...
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (development) mode
Does using quarkus.properties overwrite some Keycloak defaults, so that when using it Keycloak acts differently than with the configuration without a custom quarkus file?

WSO2 API-Manager with Postgres database is not working properly

I have shifted the default h2 database to Postgresql for WSO2 API Manager by following this documentation: https://apim.docs.wso2.com/en/latest/install-and-setup/setup/setting-up-databases/changing-default-databases/changing-to-postgresql/
Creating a new API throws:
"Something went wrong while getting the Revisions!"
On the server I found this error:
ERROR - ApiMgtDAO Failed to get API Revision deployment mapping details for api uuid: a96f7266-c340-49b6-bbe1-cb252b49860e
org.postgresql.util.PSQLException: ERROR: UNION types integer and boolean cannot be matched
Any help would be greatly appreciated... Thanks...

Scheduler Error in TYPO3 8.7.2

I'm trying to set up a cronjob for the scheduler but am getting errors for non-existing DB tables.
Via cli_dispatch.phpsh
/usr/local/bin/php_cli /home/www/MyAccount/html/typo3/typo3/cli_dispatch.phpsh scheduler
Oops, an error occurred: An exception occurred while executing 'SELECT `content` FROM `cf_cache_hash` WHERE (`identifier` = ?) AND (`expires` >= ?)' with params ["22b1624a39d90c5db056873686cabf4f", 1498474993]:
Table 'usr_MyAccount_1.cf_cache_hash' doesn't exist
Via Symfony Command
/usr/local/bin/php_cli /home/www/MyAccount/html/typo3/typo3/sysext/core/bin/typo3 scheduler:run
Uncaught TYPO3 Exception An exception occurred while executing 'SELECT `content` FROM `cf_extbase_object` WHERE (`identifier` = ?) AND (`expires` >= ?)' with params ["3bcc835c5d8d7866a0ce2dc41464b9a8", 1498475122]:
Table 'usr_MyAccount_1.cf_extbase_object' doesn't exist
thrown in file /html/typo3/typo3_src-8.7.2/vendor/doctrine/dbal/lib/Doctrine/DBAL/Driver/AbstractMySQLDriver.php
in line 53
The "Database analyzer" says everything is OK. Am I missing something?
The problem is the APCu Cache. Since APCu doesn't work with CLI you have to disable it for CLI commands. Until now there isn't a good solution for that problem. See: https://forge.typo3.org/issues/78140

iReport Designer: permission denied for relation

I haven't faced this error before. I have a database db that contains a table tb_name. I create a connection in iReport Designer with the credentials of the db owner. Then I create a new report, but the query select * from tb_name; throws the following error:
SQL problems: ERROR: permission denied for relation tb_name
Query error
Message:
net.sf.jasperreports.engine.JRException: SQL problems: ERROR: permission denied for relation tb_name Level:
SEVERE Stack Trace: SQL problems: ERROR: permission denied for relation tb_name
com.jaspersoft.ireport.designer.data.fieldsproviders.SQLFieldsProvider.getFields(SQLFieldsProvider.java:435)
com.jaspersoft.ireport.designer.connection.JDBCConnection.readFields(JDBCConnection.java:470)
com.jaspersoft.ireport.designer.wizards.ConnectionSelectionWizardPanel.validate(ConnectionSelectionWizardPanel.java:146)
org.openide.WizardDescriptor$7.run(WizardDescriptor.java:1357)
org.openide.util.RequestProcessor$Task.run(RequestProcessor.java:572)
org.openide.util.RequestProcessor$Processor.run(RequestProcessor.java:997)
When I test the connection everything's fine. What can be the reason for this error? Thanks in advance.
Please check if the user has rights to execute statements. Some database changes might have caused the user to lose query permission.