Export role information from a keycloak instance - keycloak

Is it possible to export the roles added to a keycloak server instance?
I have created some composite roles on a development server which I'd like to mirror across some other instances (e.g. in an integration/development environment).
The only thing I can think of is using the Admin API to retrieve the details of the roles and use them for some sort of insert script to be run in a different environment.
Is this possible?

Keycloak 3.2.0.Final and later has an "Export" menu item in its admin console. There you can export groups and roles (global and client roles) to a JSON file.
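For the Admin API route the question mentions, the part that needs care is ordering: a composite role can only reference roles that already exist in the target, and the source instance's ids must not be replayed. The script below is an added example, not code from the answer or from the Keycloak project. It assumes the role JSON has the shape the admin console exports (name, description, composite, composites.realm) and uses the endpoints POST /admin/realms/{realm}/roles and POST /admin/realms/{realm}/roles/{name}/composites, the latter matching component roles by the target instance's ids.

```python
"""Mirror Keycloak realm roles, composites included, between instances.

Added example; assumptions (export shape, endpoints) are stated in the
lead-in above. Client-role composites are left out for brevity.
"""
import json
import urllib.parse
import urllib.request

# Constructed sample of GET /admin/realms/dev/roles: "root" is composite
# over "admin", "admin" over "view". "id"/"containerId" belong to the
# source instance and must not be sent to the target.
SAMPLE_EXPORT = [
    {"id": "a1", "name": "root", "description": "manage everything",
     "composite": True, "composites": {"realm": ["admin"]},
     "clientRole": False, "containerId": "dev"},
    {"id": "b2", "name": "admin", "composite": True,
     "composites": {"realm": ["view"]}, "clientRole": False, "containerId": "dev"},
    {"id": "c3", "name": "view", "composite": False,
     "clientRole": False, "containerId": "dev"},
]

INSTANCE_FIELDS = ("id", "containerId")


def creation_order(roles):
    """Names ordered so every role precedes the composites that contain it."""
    by_name = {r["name"]: r for r in roles}
    ordered, done = [], set()

    def visit(name, stack):
        if name in done:
            return
        if name in stack:
            raise ValueError(f"composite cycle through {name!r}")
        for dep in by_name[name].get("composites", {}).get("realm", []):
            if dep in by_name:  # client-role composites are out of scope here
                visit(dep, stack | {name})
        done.add(name)
        ordered.append(name)

    for role in roles:
        visit(role["name"], frozenset())
    return ordered


def build_plan(roles):
    """(method, path, body) steps: create every role bare first, then wire
    composites, so nothing is referenced before it exists in the target.
    Composite bodies hold component *names*; apply_plan resolves target ids."""
    by_name = {r["name"]: r for r in roles}
    order = creation_order(roles)
    plan = []
    for name in order:
        body = {k: v for k, v in by_name[name].items()
                if k not in INSTANCE_FIELDS and k not in ("composite", "composites")}
        plan.append(("POST", "/roles", body))
    for name in order:
        comps = by_name[name].get("composites", {}).get("realm", [])
        if comps:
            plan.append(("POST", f"/roles/{urllib.parse.quote(name)}/composites", list(comps)))
    return plan


def _call(base, token, method, path, body=None):
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(base + path, data=data, method=method,
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def apply_plan(server, realm, token, plan):
    """Replay the plan against <server>/admin/realms/<realm>.
    Needs network access and an admin bearer token; not run offline."""
    base = f"{server.rstrip('/')}/admin/realms/{urllib.parse.quote(realm)}"
    for method, path, body in plan:
        if path.endswith("/composites"):
            # the composites endpoint matches roles by id, so look each
            # component up in the target realm instead of reusing source ids
            body = [_call(base, token, "GET", f"/roles/{urllib.parse.quote(n)}") for n in body]
        _call(base, token, method, path, body)


if __name__ == "__main__":
    for step in build_plan(SAMPLE_EXPORT):
        print(*step)
```

Running the module prints the dry-run plan for the constructed export; apply_plan(server, realm, token, plan) would replay it against a target realm once you have an admin token.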

Related

Keycloak - all created users have admin Effective Role

I'm trying to create a user in the Keycloak admin console, but it has effective roles that should not be there. In addition to default realm roles, each user, when created, has odd Effective Roles, and I can't understand where they come from. Even when I delete all assigned roles, the effective roles just stay there.
This does not usually happen; it seems like a problem with your Keycloak setup and installation.
Have you checked the default roles at realm level? The roles shown in the screenshot belong to the realm-management client.
If you are using the master realm, I'd suggest you create a new realm other than master and use it.

Cloud SQL (postgres) cloudsqlsuperuser cannot view tables created by a cloudsqliamserviceaccount user

I am testing the CloudSQL IAM automatic authentication by using IAM service account users. The goal is to deploy a backend service running in the cloud with a service account (SA), which can connect to a CloudSQL database without using password auth.
So this is what I did:
Create a cloud SQL database demo-db via gcloud console
Create a service account sa via gcloud console
Create a backend service and run it in k8s with sa as the account, with the help of cloud-sql-jdbc-socket-factory. And make the backend service have liquibase schema migration so it can create tables
Create a IAM service account user user-sa in demo-db via gcloud console
Create a normal built-in user user-db (with a password) in demo-db via gcloud console (for my local login/psql to the db)
Deploy the backend to production, and it connected (with user-sa) and created tables in demo-db (with liquibase)
And this is a problem I have now:
When I use cloud-sql-proxy to log in to the demo-db locally via psql, with user user-db and the password, I realise that I cannot view or select the tables created by the backend service (via user-sa).
Then how can I view the data in the database as a developer?
PS: For now I don't have access to user-sa or sa's secret/key files, as they are managed by our infra. I only have ownership of demo-db and I could give access rights on my db to user-sa ...
I had the same issue on AWS's Postgres RDS.
You (as the backend creation service) basically have to create a role, place your deployment role (user-sa) into that role and also your app user (user-db).
Then your deployment script will have to use ALTER <OBJECT> OWNER TO <ROLE>. Now every role or user in that role will have access. You'll have to do this for functions, tables, etc
Another alternative is to set default permissions via ALTER DEFAULT PRIVILEGES, but note that those only take effect on new objects. If you add a new db role afterward and want to grant it permissions to a table that already existed, you'd still have to add explicit permissions for the new role.
* Note that in postgres, a role and user are interchangeable in commands. In my view, a role does not log in, but it can be used to hold a set of permissions. Instead of assigning permissions to individual users, assign them to a group/role, then grant the user membership to the group/role. Ensure that inheriting permissions is allowed on the users and roles for this to work.
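The statements the answer describes, generated as an added example (not from the answer or from Google): a NOLOGIN group role, membership for both accounts, OWNER TO the group for the existing tables, and ALTER DEFAULT PRIVILEGES for objects the deployment account creates later. One practical caveat it handles: names like user-sa and user-db contain a hyphen and are not valid unquoted Postgres identifiers, so every identifier is double-quoted. The group name demo_app and the table list are hypothetical.

```python
"""Shared-ownership setup for a Postgres (Cloud SQL) database where the
deployment account (user-sa) creates tables and a developer account
(user-db) needs to read them.

Added example. It emits the SQL rather than executing it, so the plan can
be reviewed before the deployment script runs it.
"""


def quote_ident(name):
    """Double-quote an identifier. Names such as user-sa contain a hyphen and
    are invalid unquoted; an embedded double quote is doubled."""
    return '"' + name.replace('"', '""') + '"'


def shared_owner_plan(group, members, schema, tables, creator):
    """Return the SQL statements, in execution order, that hand `tables` in
    `schema` to NOLOGIN role `group` and let every member use them.
    `creator` is the role that keeps creating objects (user-sa), so the
    default-privileges rule is scoped to objects it creates in future."""
    g = quote_ident(group)
    c = quote_ident(creator)
    s = quote_ident(schema)
    stmts = [
        # a group role holds the permissions; nobody logs in as it
        # (CREATE ROLE needs a role with CREATEROLE, e.g. the built-in user)
        f"CREATE ROLE {g} NOLOGIN;",
    ]
    # membership: members inherit the group's privileges (requires INHERIT,
    # which is the default for roles)
    stmts += [f"GRANT {g} TO {quote_ident(m)};" for m in members]
    # transfer existing objects: the executing role must currently own the
    # table and be a member of the new owner, which the GRANT above ensures
    stmts += [f"ALTER TABLE {s}.{quote_ident(t)} OWNER TO {g};" for t in tables]
    # future objects created by `creator`: grant the group access at creation
    # time. Only objects created after this statement are affected, and the
    # statement must be run by `creator` or a member of it.
    stmts.append(f"ALTER DEFAULT PRIVILEGES FOR ROLE {c} IN SCHEMA {s} "
                 f"GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO {g};")
    stmts.append(f"ALTER DEFAULT PRIVILEGES FOR ROLE {c} IN SCHEMA {s} "
                 f"GRANT USAGE, SELECT ON SEQUENCES TO {g};")
    return stmts


if __name__ == "__main__":
    # account names from the question; group and table names are hypothetical
    for stmt in shared_owner_plan("demo_app", ["user-sa", "user-db"], "public",
                                  ["databasechangelog", "accounts"], "user-sa"):
        print(stmt)
```

Because ALTER DEFAULT PRIVILEGES only covers objects created after it runs, the OWNER TO statements are still needed for every table that already exists, and the loop has to be re-run for tables created by any other role.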

Creating a user that's not a cloudsqlsuperuser in Cloud SQL using Terraform

I'd like to limit the privileges afforded to any given user that I create via the Google Terraform provider. By default, any user created is placed in the cloudsqlsuperuser group, and any new database created has that role/group as owner. This gives any user created via the GCP console or google_sql_user Terraform resource total control over any database that is (or was) created in a similar fashion.
So far, the best we've been able to come up with is creating and altering a user via a single-run k8s job. This seems circuitous, at best, especially given that that resource must then be manually imported later if we want to manage it via Terraform.
Is there a better way to create a user that has privileges limited to a single, application-specific database?
I was puzzled by this behaviour too. It's probably not the answer you want, but if you can use GCP IAM accounts, the user gets created in the PostgreSQL instance with NO roles.
There are 3 types of account you can create from "gcloud sql users create" or terraform module "google_sql_user"
"CLOUD_IAM_USER", "CLOUD_IAM_SERVICE_ACCOUNT" or "BUILT_IN"
The default is the built_in type if not specified.
CLOUD_IAM_USER and CLOUD_IAM_SERVICE_ACCOUNTS get created with NO roles.
We are using these as integration with IAM is useful in lots of ways (no managing passwords at database level is a major plus esp. when used in conjunction with SQL Auth Proxy).
BUILT_IN accounts (i.e. old school, needing a postgres username and password) for some reason are granted the "cloudsqlsuperuser" role.
In the absence of being allowed the superuser role on GCP this is about as privileged as you can get so to me (and you) seems a bizarre default.

How to define more fine-grained permissions or custom logic for built-in roles in Keycloak

Keycloak provides some built-in roles to manage keycloak itself. These roles are defined in the realm-management client of every non-master realm. For example, I can define a user which has the permissions to manage users. But now this user can change all the roles of all the users. The user can even change its own role.
In our application we need a hierarchical role structure in the following way. We have a root, admin and some other specific application roles. The root role should be able to manage the keycloak customer realm as also some application specific functionality. The admin role should have the permissions to manage users and also some application specific functionality.
I have tried to model that in keycloak the following way. I have two realm roles root and admin, as well as some client (my-app) roles root, admin, edit and view. The realm roles are composite roles which use their counterpart in the client (root -> my-app.root, admin -> my-app.admin).
Now, the issue is that the admin user can change its role to root. How can I restrict the permissions of the admin user to allow only managing users or roles that are on the same level or below? Is there such built-in functionality or should I provide my own UI on top of the Keycloak REST API?

How to get VCAP_SERVICES environment variables WITHOUT binding to an application?

Frequently, I create standalone services in Bluemix. For example, Analytics for Apache Hadoop, Cloudant and DashDB.
I don't need an application to work with these services, but it seems I have to bind to an application just to get access to the VCAP_SERVICES environment variables with urls, usernames, passwords, etc.
Question: How to get VCAP_SERVICES environment variables WITHOUT binding to an application?
For many services, you will have to bind them to an app in order to get the VCAP_SERVICES credentials.
There is a service key capability which some services are starting to adopt which allows you to create and access credentials without binding to an app. Using the cf command line tool, the commands below are available to use if a service supports them:
SERVICES:
create-service-key, csk Create key for a service instance
service-keys, sk List keys for a service instance
service-key Show service key info
delete-service-key, dsk Delete a service key
The CloudFoundry docs at https://docs.cloudfoundry.org/devguide/services/service-keys.html provide more detail.
In the Bluemix UI, you would see a 'Service Credentials' option in the panel when viewing a service dashboard when a service supports this capability. Selecting this option allows you to see credentials that have been created as well as an "Add Credentials" button to create new ones.
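Whichever way the credentials are obtained, code that consumes them ends up handling two sources: the VCAP_SERVICES environment variable when the app is bound, and the JSON a service key yields when it is not. The script below is an added example, not code from the answer or from Cloud Foundry. It assumes VCAP_SERVICES has its documented shape ({label: [{name, label, credentials}]}) and that the service-key text is what `cf service-key <instance> <key>` prints, a header line followed by the credentials JSON, saved to a file by the developer; the Cloudant values are constructed.

```python
"""Read service credentials from VCAP_SERVICES (bound app) or from a saved
service key (no app), and redact them before logging.

Added example; assumptions are listed in the lead-in above.
"""
import json
import os
from urllib.parse import urlsplit, urlunsplit

# Constructed VCAP_SERVICES for an app bound to one Cloudant instance
SAMPLE_VCAP = json.dumps({
    "cloudantNoSQLDB": [{
        "name": "my-cloudant", "label": "cloudantNoSQLDB", "plan": "Lite",
        "credentials": {"username": "u1", "password": "p1",
                        "host": "u1.cloudant.com",
                        "url": "https://u1:p1@u1.cloudant.com"},
    }],
})

# Constructed `cf service-key` output: header text, blank line, JSON
SAMPLE_KEY_OUTPUT = """Getting key dev-key for service instance my-cloudant as dev@example.com...

{
 "username": "u1",
 "password": "p1",
 "host": "u1.cloudant.com",
 "url": "https://u1:p1@u1.cloudant.com"
}
"""


def credentials_from_vcap(vcap_json, label, name=None):
    """Pick one bound instance's credentials by service label (and
    optionally instance name); raises KeyError if none matches."""
    services = json.loads(vcap_json)
    for inst in services.get(label, []):
        if name is None or inst.get("name") == name:
            return inst["credentials"]
    raise KeyError(f"no {label} instance{' named ' + name if name else ''} in VCAP_SERVICES")


def parse_service_key_output(text):
    """Extract the JSON object from `cf service-key` output by skipping the
    human-readable header before the first '{'."""
    start = text.find("{")
    if start < 0:
        raise ValueError("no JSON object in service-key output")
    return json.loads(text[start:])


def load_credentials(label, name=None, key_file=None, env=None):
    """VCAP_SERVICES wins when present (running inside Cloud Foundry);
    otherwise fall back to a saved service-key file."""
    env = os.environ if env is None else env
    if "VCAP_SERVICES" in env:
        return credentials_from_vcap(env["VCAP_SERVICES"], label, name)
    if key_file:
        with open(key_file, encoding="utf-8") as fh:
            return parse_service_key_output(fh.read())
    raise RuntimeError("not bound and no service key file given")


def redact(creds):
    """Copy of creds that is safe to log: secret fields masked, including the
    password Bluemix embeds in the `url` field."""
    out = dict(creds)
    for key in ("password", "apikey", "api_key"):
        if key in out:
            out[key] = "***"
    if "url" in out:
        u = urlsplit(out["url"])
        if u.password:
            host = u.hostname + (f":{u.port}" if u.port else "")
            out["url"] = urlunsplit((u.scheme, f"{u.username}:***@{host}",
                                     u.path, u.query, u.fragment))
    return out


if __name__ == "__main__":
    creds = load_credentials("cloudantNoSQLDB", env={"VCAP_SERVICES": SAMPLE_VCAP})
    print(redact(creds))
```

The redact step matters because the `url` field duplicates the password; logging the raw credentials block, which is the natural first debugging move, would leak it twice.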