Re: [keycloak-user] Securely setting admin passwords
by Aikeaguinea
Running in Amazon's Elastic Container Service with an autoscaling group,
which can bring up new EC2 instances to host the Dockers at any time
without manual intervention, makes it challenging to share the file via
volume or use the http URL.
So far I've had the Wildfly startup wrapped in a script that calls
add-user.sh before the server starts; we were thinking of using
something like CredStash (https://github.com/fugue/credstash) as the
source for the credentials. Then start-keycloak.sh would look something
like this:

    # Container needs to know its host, for JGroups
    export EXTERNAL_HOST_IP=$(curl -s 169.254.169.254/latest/meta-data/local-ipv4)
    $WILDFLY_HOME/bin/add-user.sh --container -u admin -p $(credstash get $KEYCLOAK_WILDFLY_ADMIN_PWD_KEY)
    $WILDFLY_HOME/bin/add-user.sh -u admin -p $(credstash get $KEYCLOAK_ADMIN_PWD_KEY)
    # Allow graceful shutdown from `docker stop`, which issues SIGTERM.
    trap "$WILDFLY_HOME/bin/stop-keycloak.sh" SIGTERM
    exec $WILDFLY_HOME/bin/standalone.sh -c standalone-keycloak-ha.xml -Djboss.node.name=$HOSTNAME -Djgroups.bind_addr=global -b $HOSTNAME

Still, the password is being passed in the clear on the command line,
and is visible via a process listing. Since the command is being run
inside Docker, this would ultimately expose the password in cleartext to
a docker history command.
It looks like I'm going to have to figure out how to mount the files
from a volume. Are the relevant files
standalone/configuration/keycloak-add-user.json and
standalone/configuration/mgmt-users.properties ?
Date: Wed, 17 Feb 2016 21:52:57 +0100
> From: Marek Posolda <mposolda(a)redhat.com>
> Subject: Re: [keycloak-user] Securely setting admin passwords
> To: Aikeaguinea <aikeaguinea(a)xsmail.com>,
> keycloak-user(a)lists.jboss.org
> Message-ID: <56C4DDA9.2090401(a)redhat.com>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> You can create the file in some "safe" environment (your laptop) and
> then share the file with docker via volume and copy to the
> standalone/configuration of the server? The created JSON file doesn't
> contain password in plain text, but it's encoded.
>
> Also the "add-user.sh" script doesn't need server to be running.
>
> Finally, if you don't need automated way, you can set it manually after
> first startup when going to http://localhost:8080/auth
>
> Marek
>
>
> On 17/02/16 17:09, Aikeaguinea wrote:
> > It seems the add-user.sh script for changing the admin password only
> > accepts the password as a -p command-line parameter. This would expose
> > the password in the command history, so I'd prefer not to use the
> > command in its current form.
> >
> > Is there another way to do this?
> >
> > The situation is even more complicated with Docker, since running the
> > script to change the Wildfly admin password requires restarting the
> > server, which shuts down the container. If you have an autoscaling
> > group, the container that gets brought up is not the container where you
> > changed the password, but instead the original container. This seems to
> > mean that the only way to have Keycloak run in Dockers in an autoscaling
> > group is to bake the admin passwords into the Docker image beforehand.
> > This isn't ideal; less so if the only way to add those passwords during
> > build time is to run the shell script that exposes the password on the
> > command line.
8 years, 9 months
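
The process-listing exposure discussed in the thread above, as an added example that is not part of the original messages or of Keycloak: a stand-in worker receives a constructed secret once as a `-p` argument and once on stdin, and the script checks which one shows up in `/proc/<pid>/cmdline`. The worker names (`demo-worker-argv`, `demo-worker-stdin`) and the secret are assumptions made for the demo; it assumes Linux with `/proc` and does not invoke `add-user.sh`.

```sh
#!/bin/sh
# Added example (not from the thread): what a process listing reveals when a
# secret is passed as an argument versus on stdin. Linux only (reads /proc).

DEMO_SECRET='constructed-demo-secret-1234'   # constructed, not a real credential

# Print a PID's argument vector, as `ps` would show it to other local users.
cmdline_of() {
    tr '\0' ' ' 2>/dev/null < "/proc/$1/cmdline"
}

# $1 = pid, $2 = marker naming the worker (hypothetical names used below).
# Polls until the child has exec'd the worker, then checks its arguments.
# Returns 0 = secret visible, 1 = not visible, 2 = worker never observed.
secret_visible_in_listing() {
    tries=0
    while [ "$tries" -lt 5 ]; do
        args=$(cmdline_of "$1") || args=''
        case $args in
            *"$2"*)
                case $args in
                    *"$DEMO_SECRET"*) return 0 ;;
                    *) return 1 ;;
                esac ;;
        esac
        tries=$((tries + 1))
        sleep 1
    done
    return 2
}

# Stop and reap the stand-in worker without printing job-control noise.
stop_worker() {
    kill "$1" 2>/dev/null || true
    wait "$1" 2>/dev/null || true
}

# The pattern from the script in the thread: secret handed over as "-p VALUE".
argv_case() {
    sh -c 'sleep 10; :' demo-worker-argv -u admin -p "$DEMO_SECRET" \
        >/dev/null 2>&1 &
    pid=$!
    rc=0
    secret_visible_in_listing "$pid" demo-worker-argv || rc=$?
    stop_worker "$pid"
    return "$rc"
}

# Same secret delivered on stdin. printf is a shell builtin, so the value
# never becomes an argument of any exec'd process.
stdin_case() {
    printf '%s\n' "$DEMO_SECRET" |
        sh -c 'IFS= read -r pw; sleep 10; :' demo-worker-stdin \
        >/dev/null 2>&1 &
    pid=$!
    rc=0
    secret_visible_in_listing "$pid" demo-worker-stdin || rc=$?
    stop_worker "$pid"
    return "$rc"
}

if argv_case; then echo "argv : secret readable from the process listing"
else echo "argv : secret not seen"; fi
if stdin_case; then echo "stdin: secret readable from the process listing"
else echo "stdin: secret not seen"; fi
```
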
Disabling status cookie
by Sarp Kaya
Hello,
I want my users to be able to login via API calls with or without requiring a browser. I looked at examples and found customer-app-cli, however I realised that even with manual login, the current workflow requires a browser to login. I found that every time when
http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?respo...
this page loads we get a form with a different code. In theory we should be able to just stick username and password in the body and be able to get 302 response. However when I get the curl equivalent of what browser is doing I've gotten the below:
curl 'http://localhost:8080/auth/realms/demo/login-actions/authenticate?code=oY...' \
  -H 'Cookie: KEYCLOAK_STATE_CHECKER=a2teB_8_wfAfD9VtmV0DJhqDEuM9187r58mVW24Gfrg; KC_RESTART=eyJhbGciOiJIUzI1NiJ9.[...].B5vuMj-fafRAS0gJ6m-OrU5cX0atABuWy252y5k7jr0' \
  -H 'Origin: http://localhost:8080' \
  -H 'Accept-Encoding: gzip, deflate' \
  -H 'Accept-Language: en-US,en;q=0.8' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' \
  -H 'Cache-Control: max-age=0' \
  -H 'Referer: http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?respo...' \
  -H 'Connection: keep-alive' \
  --data 'username=sarp&password=pass1234&login=Log+in' \
  --compressed
I was hoping not to use the cookies and just change the code bit with a new request to the page mentioned above and expect 302 response, however I am getting 500 responses saying error occurred instead.
I looked on admin management console, but could not really find a way to disable cookies for the given client or the realm. I am guessing that one of those cookies is encrypting something that is required and not using it simply prevents logging in successfully. So how can I disable this requirement?
Kind Regards,
Sarp Kaya
8 years, 10 months
LDAP username mapping from active directory fails
by Porfyrios Vasileiou
Hello, I created a new ldap federation in the keycloak settings and
imported all users. The thing is that the username attribute was mapped to
the ldap cn attribute whereas the username in active directory is
sAMAccountName. Therefore I changed the ldapAttribute to that.
Now when I go to my ldap settings page and click on "Synchronize" the users
fail to update and I am getting this error:
13:31:53,899 ERROR [org.keycloak.federation.ldap.LDAPFederationProviderFactory] (default task-25) Failed during import user from LDAP: org.keycloak.models.ModelException: User returned from LDAP has null username! Check configuration of your LDAP mappings. Mapped username LDAP attribute: cn, user DN: CN=internal2 lastname,OU=DTPH,DC=dls,DC=lan, attributes from LDAP: {whenChanged=[20160217110433.0Z], whenCreated=[20160217110433.0Z], sAMAccountName=[internal2], givenName=[internal2], sn=[lastname], userAccountControl=[512], pwdLastSet=[131001806735067575]}
If I put it back to cn it works, but I want to use sAMAccountName for the
username.
Why does this happen ?
8 years, 10 months
Impersonating User via API
by Alexander Schwartz
Hello Keycloak Community,
I want to impersonate a user via API.
The start point is a logged in user with an access token.
The goal is to have an access and refresh token of an impersonated user.
In a proof-of-concept I've used the impersonation admin API, but this
returns only cookies and redirects. When I follow the redirects I will
eventually retrieve access and refresh token.
I wonder if there is a better suited API to obtain them directly.
Thank you very much,
Alexander
--
Alexander Schwartz (alexander.schwartz(a)gmx.net)
http://www.ahus1.de
8 years, 10 months
Re: [keycloak-user] 1.8.1.Final SQL error
by Paul Blair
Yes, when I provision the environment, Terraform brings up everything at the same time. I'll have to put a delay in for starting one of the containers.
I saw a different SQL error under similar circumstances, so I'm pretty sure it's that.
From: Stian Thorgersen <sthorger(a)redhat.com>
Reply-To: "stian(a)redhat.com" <stian(a)redhat.com>
Date: Wednesday, February 17, 2016 at 2:01 AM
To: "pblair(a)clearme.com" <pblair(a)clearme.com>
Subject: Re: [keycloak-user] 1.8.1.Final SQL error
Did you start two Keycloak containers at the same time pointing to the same db?
On 16 Feb 2016 21:35, "Paul Blair" <pblair(a)clearme.com> wrote:
This doesn't seem to have recurred. Not sure what happened there.
From: <keycloak-user-bounces(a)lists.jboss.org> on behalf of "pblair(a)clearme.com" <pblair(a)clearme.com>
Date: Tuesday, February 16, 2016 at 2:40 PM
To: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Subject: [keycloak-user] 1.8.1.Final SQL error
I've just installed Keycloak 1.8.1.Final in a clean environment with a new Postgres database instance. I'm getting an error on startup that the column direct_grants_only does not exist on the CLIENT table. When I log in to the database I can confirm it's not there; otherwise the tables all seem to be set up, and the CLIENT table does have a direct_access_grants_enabled column. I've verified that the server is running WildFly 10.0.0.Final and that all the Keycloak jars under ./modules/system/layers/base/org/keycloak/keycloak-core/main are 1.8.1.Final. I've diffed all the config files where we made changes against older versions of Keycloak and applied them to 1.8.1.Final, and nothing seems relevant.
Also odd is that I have two Keycloak instances running in two separate Docker containers and that I only see this error in one of them. They were both created at the same time by Terraform in exactly the same way.
Any idea what this might be coming from?
17:04:30,706 INFO [org.keycloak.services.resources.KeycloakApplication] (ServerService Thread Pool -- 50) Load config from /opt/jboss/wildfly/standalone/configuration/keycloak-server.json
17:04:33,048 INFO [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 50) Updating database
17:04:43,154 ERROR [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 50) Change Set META-INF/jpa-changelog-1.2.0.Final.xml::1.2.0.Final::keycloak failed. Error: ERROR: column "direct_grants_only" does not exist
Position: 59 [Failed SQL: UPDATE public.CLIENT SET DIRECT_GRANTS_ONLY = FALSE WHERE DIRECT_GRANTS_ONLY is null]: liquibase.exception.DatabaseException: ERROR: column "direct_grants_only" does not exist
Position: 59 [Failed SQL: UPDATE public.CLIENT SET DIRECT_GRANTS_ONLY = FALSE WHERE DIRECT_GRANTS_ONLY is null]
at liquibase.executor.jvm.JdbcExecutor$ExecuteStatementCallback.doInStatement(JdbcExecutor.java:316)
at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:55)
at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:122)
at liquibase.database.AbstractJdbcDatabase.execute(AbstractJdbcDatabase.java:1247)
at liquibase.database.AbstractJdbcDatabase.executeStatements(AbstractJdbcDatabase.java:1230)
at liquibase.changelog.ChangeSet.execute(ChangeSet.java:548)
at liquibase.changelog.visitor.UpdateVisitor.visit(UpdateVisitor.java:51)
at liquibase.changelog.ChangeLogIterator.run(ChangeLogIterator.java:73)
at liquibase.Liquibase.update(Liquibase.java:210)
at liquibase.Liquibase.update(Liquibase.java:190)
at liquibase.Liquibase.update(Liquibase.java:186)
at org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.update(LiquibaseJpaUpdaterProvider.java:84)
at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.lazyInit(DefaultJpaConnectionProviderFactory.java:153)
at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:42)
at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:30)
at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103)
at org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:34)
at org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:16)
at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103)
at org.keycloak.models.cache.infinispan.DefaultCacheRealmProvider.getDelegate(DefaultCacheRealmProvider.java:61)
at org.keycloak.models.cache.infinispan.DefaultCacheRealmProvider.getMigrationModel(DefaultCacheRealmProvider.java:43)
at org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:21)
at org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:139)
at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:82)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:408)
at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: org.postgresql.util.PSQLException: ERROR: column "direct_grants_only" does not exist
Position: 59
at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2198)
at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1927)
at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:255)
at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:561)
at org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJdbc2Statement.java:405)
at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:397)
at org.jboss.jca.adapters.jdbc.WrappedStatement.execute(WrappedStatement.java:198)
at liquibase.executor.jvm.JdbcExecutor$ExecuteStatementCallback.doInStatement(JdbcExecutor.java:314)
... 47 more
8 years, 10 months
Using Keycloak in AWS EC2. What are people using?
by Reed Lewis
I am setting up Keycloak (great product), and need to enable Infinispan cache clustering using another method instead of multicast since AWS does not support multicast.
I have working S3-ping, but it requires my AWS access keys to be configured in the keycloak standalone-ha.xml file which I do not want to have to do because of security reasons.
I have tried to use Native-S3-Ping, https://github.com/zalando/jgroups-native-s3-ping but cannot figure out how to get the support libraries “FILE-PING” to load
I also read about JDBC-PING which uses a shared database, which looks like a better way to do it since I am using Postgres in RDS for my datastore anyways.
What I am wondering is what are others using to work with AWS? Can I get example configurations that work well if anyone has any?
Thank you,
Reed Lewis
8 years, 10 months
KeycloakSecurityContext returns NULL using Tomcat Adapter
by LEONARDO NUNES
Hi everyone,
I have an application deployed on Tomcat 7 using the Tomcat Adapter.
When I'm logged in and I go to a non-secured URL, KeycloakSecurityContext returns null.
I deployed the same application to the Keycloak Standalone Server, there I don't have this problem.
The code below returns null when called from /movies/, and works when called from /article/
(KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
In my web.xml I have only one security-constraint securing /article/*
WEB.XML:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Articles</web-resource-name>
        <url-pattern>/article/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
8 years, 10 months
Use keycloak as I used picketlink
by Stefano Zaccaria
I want to change from picketlink to keycloak.
In my ee app I use keycloak CDI to check the user roles and grant with
BasicModel.hasRole(relationshipManager, identity.getAccount(),
BasicModel.getRole(identityManager, "admin"))
or
AuthorizationUtil.hasRole(identity, partitionManager, "admin");
in my bean methods.
How can I do the same thing with Keycloak?
Thanks in advance
--
*Stefano*
8 years, 10 months
OpenAM migration to Keycloak
by Tech @ PSYND
Hi all,
My customer and we are evaluating a migration from OpenAM to Keycloak,
has anybody here already experienced this?
Are there any bottlenecks that we should take into account before
starting the project?
Thanks!
Mauro
8 years, 10 months
Re: [keycloak-user] 1.8.1.Final SQL error
by Paul Blair
This doesn't seem to have recurred. Not sure what happened there.
8 years, 10 months