How can I add a role to default roles in keycloak using admin-cli - keycloak

I am using admin-cli to add some pre-configuration to a Keycloak 3.4.3 Docker container.
One of the things that I want to do is add a certain realm role to the list of Default Realm Roles, so that this role is applied automatically when a new user is registered (using the web user registration form).
I couldn’t find anything about this in the documentation.
Any ideas on how this could be achieved using admin-cli commands?
Thanks.

I faced the same question today. Here is my solution:
echo Creating realm TEST
kcadm.sh create realms -s realm=test -s enabled=true
echo Creating Test_Default role
kcadm.sh create roles -r test -s name=test_default
echo Adding Test_Default role to the TEST realm default roles
kcadm.sh update realms/test -f - << EOF
{ "realm": "test", "enabled": true, "defaultRoles" : [ "offline_access", "uma_authorization", "test_default" ] }
EOF

As of Keycloak 18.0.0, changing the Realm Default Roles using kcadm.sh doesn't work via updating the realm's JSON, but it does via composite roles.
When we create a realm (e.g. named realm-test1), Keycloak automatically creates a corresponding composite role default-roles-realm-test1 and populates it with the built-in roles offline_access and uma_authorization.
Here is how we add our own role to (and remove a role from) the Realm Default Roles.
$ docker exec -ti keycloak_keycloak_1 bash
bash-4.4$ /opt/keycloak/bin/kcadm.sh create realms -s realm=realm-test1 -s enabled=true
Created new realm with id 'realm-test1'
bash-4.4$ /opt/keycloak/bin/kcadm.sh create roles -r realm-test1 -s name=role-test1
Created new role with id 'role-test1'
bash-4.4$ /opt/keycloak/bin/kcadm.sh add-roles --rname default-roles-realm-test1 --rolename role-test1 -r realm-test1
bash-4.4$ /opt/keycloak/bin/kcadm.sh remove-roles --rname default-roles-realm-test1 --rolename offline_access -r realm-test1
Hitting F5 in the browser, we see that it works.
Documentation
https://www.keycloak.org/docs/latest/server_admin/#adding-realm-roles-to-a-composite-role
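As an added example (not code from either answer above), the following bash functions wrap the second answer's kcadm.sh workflow so it can be re-run safely: the role is only created if it is missing, it is then added to the realm's default-roles composite, and the result is checked by listing the composite. It assumes kcadm.sh is on PATH with credentials already configured via "kcadm.sh config credentials"; the KCADM variable and the function names are mine.

```shell
#!/usr/bin/env bash
# Added example: idempotently add a realm role to the "default-roles-<realm>"
# composite that Keycloak (13+) uses for default roles instead of defaultRoles.
# Assumes kcadm.sh is on PATH and "kcadm.sh config credentials" was already run.
# KCADM can be overridden, e.g. to point at a wrapper or a dry-run stub.
set -eu

KCADM="${KCADM:-kcadm.sh}"

# Name of the composite role Keycloak creates for a realm's default roles.
default_roles_name() {
  printf 'default-roles-%s' "$1"
}

# Return 0 if the realm role already exists (GET realms/{realm}/roles/{name}).
role_exists() {
  local realm="$1" role="$2"
  "$KCADM" get "roles/$role" -r "$realm" >/dev/null 2>&1
}

# Create the role only when missing, then add it to the default-roles composite.
add_default_role() {
  local realm="$1" role="$2"
  if ! role_exists "$realm" "$role"; then
    "$KCADM" create roles -r "$realm" -s "name=$role"
  fi
  "$KCADM" add-roles -r "$realm" --rname "$(default_roles_name "$realm")" --rolename "$role"
}

# Verify: list the realm roles contained in the composite and look for ours.
# get-roles --rname prints a JSON array of role representations.
default_role_present() {
  local realm="$1" role="$2"
  "$KCADM" get-roles -r "$realm" --rname "$(default_roles_name "$realm")" \
    | grep -q "\"name\" *: *\"$role\""
}
```

Running `add_default_role realm-test1 role-test1 && default_role_present realm-test1 role-test1` reproduces the session above, including the check the answer did by refreshing the browser.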

Related

RBAC configuring on solaris 11.4

Hi everyone, I am facing some issues on Solaris 11.4 implementing RBAC. I created a user and a role and gave profiles to the role, but I can execute the command. I drop my RBAC configuration below.
$useradd -m test
$passwd test
$roleadd -c "User Administrator role,User Management role local" -m -K profiles="User Security,User Management" sec1
$passwd sec1
$usermod -R +sec1 test
I log in with my new test user and assume my role sec1 successfully. I can create a user, set a password, and delete a user and password. The role cannot add a new role.
sec1#:~$ usermod -R +sec1 test
/usr/lib/passmgmt: Permission denied. Cannot set roles to sec1, requires sec1 role.
UX: usermod: ERROR: Permission denied.
UX: usermod: ERROR: Cannot update system - login cannot be modified.
How can I use usermod and rolemod for the user? Can anyone help me? Which Solaris profiles can give access to the role-related operations for the user?
It seems that there is some bug in the usermod command when it is run from a role (not a user). I succeeded in delegating this privilege user-to-user (without a role).
As root user give privilege to test user directly:
/usr/sbin/usermod -K profiles="User Security,User Management" test
Also create another user for testing:
useradd -m testuseradm
Then login as test and use this privilege:
pfexec /usr/sbin/usermod -K profiles="User Security,User Management" testuseradm
Optionally you could add -K auth_profiles="User Security,User Management" to ask testuseradm to enter his password again.
The main difference between a user and a role is that a role cannot log in directly. So as a workaround you may create a shared user account and introduce it to your colleagues as the role.

Keycloak lost admin password

I have a local test installation of Keycloak 12 and unfortunately I've lost the admin password. Any idea on how to reset it, or reset the Keycloak configuration without losing the realms?
I already used the add-user CLI command to add a user, but even with that one I can't get access.
Keycloak's admin user is created only during the first initialization of the container image. Once it's created, the environment variable KEYCLOAK_PASSWORD has no effect. When restarting the pod you can see in the initialization logs:
16:16:35,881 WARN [org.keycloak.services] (ServerService Thread Pool -- 62) KC-SERVICES0104: Not creating user admin. It already exists.
To create a new admin user you should delete the current one in the database. Or just change the admin username to admin_bkp if you prefer. After this, just restart the container and the admin user is created again.
Connect to the database:
$ kubectl exec -it keycloak-database-bd94f668c-rvmbt -- bash
bash-5.1$ psql keycloak -U postgre -W
Delete or update the current admin user:
psql (12.10)
Type "help" for help.
keycloak=# update user_entity set "username"='admin_bkp' where "username"='admin';
UPDATE 1
Delete the application pod:
$ kubectl delete pod keycloak-database-bd94f668c-rvmbt
Now you should be able to log in using the admin user passed through the environment variables KEYCLOAK_USER and KEYCLOAK_PASSWORD.
If you are using the Keycloak Docker image, you can get the admin credentials using docker inspect:
docker inspect <keycloak_container_id>
then search for Config > Env; you will find KEYCLOAK_USER and KEYCLOAK_PASSWORD.
For me, I had to find the user in the user_entity table, then delete the rows in the related tables. After this, I restarted the pod, and the admin user login became the one passed through the environment variables KEYCLOAK_USER and KEYCLOAK_PASSWORD.
Find the user id:
select * from user_entity;
Delete the rows:
delete from credential where user_id = '<user-id>';
delete from user_role_mapping where user_id = '<user-id>';
delete from user_entity where id = '<user-id>';

Setting up realms in Keycloak during kubernetes helm install

I'm trying to get Keycloak set up as a Helm chart requirement to run some integration tests. I can get it to come up and run, but I can't figure out how to set up the realm and client I need. I've switched over to the 1.0.0 stable release that came out today:
https://github.com/kubernetes/charts/tree/master/stable/keycloak
I wanted to use the keycloak.preStartScript defined in the chart and use the /opt/jboss/keycloak/bin/kcadm.sh admin script to do this, but apparently by "pre start" they mean before the server is brought up, so kcadm.sh can't authenticate. If I leave out the keycloak.preStartScript I can shell into the keycloak container and run the kcadm.sh scripts I want to use after it's up and running, but they fail as part of the pre start script.
Here's my requirements.yaml for my chart:
dependencies:
  - name: keycloak
    repository: https://kubernetes-charts.storage.googleapis.com/
    version: 1.0.0
Here's my values.yaml file for my chart:
keycloak:
  keycloak:
    persistence:
      dbVendor: H2
      deployPostgres: false
    username: 'admin'
    password: 'test'
    preStartScript: |
      /opt/jboss/keycloak/bin/kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin --password 'test'
      /opt/jboss/keycloak/bin/kcadm.sh create realms -s realm=foo -s enabled=true -o
      CID=$(/opt/jboss/keycloak/bin/kcadm.sh create clients -r foo -s clientId=foo -s 'redirectUris=["http://localhost:8080/*"]' -i)
      /opt/jboss/keycloak/bin/kcadm.sh get clients/$CID/installation/providers/keycloak-oidc-keycloak-json
  persistence:
    dbVendor: H2
    deployPostgres: false
Also, a side annoyance is that I need to define the persistence settings in both places, or it either fails or brings up PostgreSQL in addition to Keycloak.
I tried this too and also hit this problem, so I have raised an issue. I prefer to use -Dimport with a realm .json file, but your points suggest a postStartScript option would make sense, so I've included both in the PR on that issue.
The Keycloak chart has been updated. Have a look at these PRs:
https://github.com/kubernetes/charts/pull/5887
https://github.com/kubernetes/charts/pull/5950

Client secret not provided in request [unauthorized_client]

Here is what I tried: log in to the server where Keycloak is deployed, go to the /keycloak/bin/ directory
and run the following command:
./kcadm.sh config credentials --server https://<IP ADDRESS>:8666/auth --realm master --user admin --password admin
But this command throws an error:
Client secret not provided in request [unauthorized_client]
Why is client information required? I have to do this through the Admin CLI:
Log in to Keycloak
Create a new realm
Create a user and user group.
So according to me, in this case the client secret or any such information should not be required, but the admin-cli command is complaining about it.
Here is the solution to the above problem. After installing Keycloak, Keycloak will by default create a few clients (account, admin-cli, broker, master-realm, security-admin-console), and among all these clients admin-cli comes with access-type=public. So if you are trying to log in through Keycloak you have to run the below command from the /keycloak/bin directory:
./kcadm.sh config credentials --server https://<IP ADDRESS>:8666/auth --realm master --user admin --password admin --client admin-cli
As I am using https, you may get the below error as well:
Failed to send request - sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
To overcome this issue, please generate the certificate, put it inside the /keycloak/security/ssl folder and then run this command:
kcadm.sh config truststore --trustpass $PASSWORD ~/.keycloak/truststore.jks
Now the question is how to create the realm. After logging in through the admin-cli client, use the below command:
./kcadm.sh create realms -s realm=demorealm -s enabled=true

keycloak - Add protocol-mapper to keycloak using kcadm.sh

I'm trying to add a hardcoded claim. Following this post, I was able to create the claim partially.
How do I set:
config.jsonType.label=String
AND
config.access.token.claim=true
I was able to create the initial part of the hardcoded claim based on this post: Add protocol-mapper to keycloak using kcadm.sh
I figured it out: -s "config.\"access.token.claim\"=true"
kcadm create clients/6842adac-982d-4b89-88b0-22b68a332807/protocol-mappers/models -r demorealm -s name=aud1 -s protocol=openid-connect -s protocolMapper=oidc-hardcoded-claim-mapper -s "config.\"access.token.claim\"=true"
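As an added example (not code from the post above), the same oidc-hardcoded-claim-mapper can be created by passing one JSON document through "-f -" instead of escaping each dotted config key with -s; this sets jsonType.label and access.token.claim together, which is what the question asked for. It assumes kcadm.sh is on PATH with credentials configured; the realm, client UUID and claim values are placeholders, and the function names are mine.

```shell
#!/usr/bin/env bash
# Added example: create a hardcoded-claim protocol mapper from a JSON payload so
# that config keys containing dots need no shell escaping on the -s flag.
# Assumes kcadm.sh is on PATH and "kcadm.sh config credentials" was already run.
set -eu

KCADM="${KCADM:-kcadm.sh}"

# Build the ProtocolMapperRepresentation for oidc-hardcoded-claim-mapper.
# Config keys are the mapper's own: claim.name, claim.value, jsonType.label and
# the three token-inclusion switches. Inputs are assumed to contain no quotes.
hardcoded_claim_json() {
  local mapper_name="$1" claim_name="$2" claim_value="$3" json_type="${4:-String}"
  cat <<EOF
{
  "name": "$mapper_name",
  "protocol": "openid-connect",
  "protocolMapper": "oidc-hardcoded-claim-mapper",
  "config": {
    "claim.name": "$claim_name",
    "claim.value": "$claim_value",
    "jsonType.label": "$json_type",
    "access.token.claim": "true",
    "id.token.claim": "true",
    "userinfo.token.claim": "true"
  }
}
EOF
}

# Post the mapper to a client. client_uuid is the client's internal id (as in the
# post's clients/<uuid>/protocol-mappers/models path), not its clientId.
create_hardcoded_claim() {
  local realm="$1" client_uuid="$2" mapper_name="$3" claim_name="$4" claim_value="$5"
  hardcoded_claim_json "$mapper_name" "$claim_name" "$claim_value" \
    | "$KCADM" create "clients/$client_uuid/protocol-mappers/models" -r "$realm" -f -
}
```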