[keycloak-user] kcadm CLI for kerberos user storage API needs updating?

Ryan Slominski ryans at jlab.org
Tue Feb 6 14:16:32 EST 2018


I'm following the latest CLI documentation (http://www.keycloak.org/docs/latest/server_admin/index.html#the-admin-cli), but the section about managing Kerberos user storage providers seems to be out-of-date. The related REST API documentation (http://www.keycloak.org/docs/latest/server_development/index.html#rest-management-api) points out that major changes occurred after version 2.4.0. In particular, the following command no longer works:

kcadm.sh create user-federation/instances -r demorealm ...

Instead it seems it should be something like the following:

kcadm.sh create components -r demorealm -s parentId=demorealm -s name="kerberos" -s providerId="kerberos" -s providerType="org.keycloak.storage.UserStorageProvider"\
-s config.enabled=["true"] -s config.allowPasswordAuthentication=["true"] -s config.debug=["false"] -s config.priority=["0"] -s config.updateProfileFirstLogin=["false"]


However, this "create components" command only seems to work if I don't include the following otherwise desirable attributes:

-s config.keyTab=["path-to-keytab"]
-s config.kerberosRealm=["kerberos-realm-name"]
-s config.cachePolicy=["DEFAULT"]
-s config.editMode=["READ_ONLY"]
-s config.serverPrincipal=["http-principal-name"]

Including any one of them results in the server throwing the following exception:

Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of VALUE_STRING token

Further, even if I leave these attributes out and attempt to finish the job using the web console, I noticed the new user storage provider doesn't show up in the list on the web. It DOES show up when queried from the command line with:

kcadm.sh get components -r demorealm

But oddly doesn't show up if you filter as the web does with:

kcadm.sh get components -r demorealm -q type=org.keycloak.storage.UserStorageProvider

Any help is appreciated.  Thanks,

Ryan
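
Added example, not part of the original message and not Keycloak code: a sketch of what the shell hands to a program for the unquoted -s arguments above, compared with a single-quoted form. The helper names are hypothetical, and the idea that the client treats a value as JSON when it parses and as a plain string otherwise is an assumption, modeled here by a simplified check for one-element arrays.

```shell
#!/bin/sh
# sent_value (hypothetical helper): prints the value part of a key=value
# argument exactly as the called program receives it, after quote removal.
sent_value() {
    printf '%s\n' "${1#*=}"
}

# looks_like_json_array (hypothetical, simplified): succeeds for a
# one-element JSON array holding a string, an integer, true, false or null.
looks_like_json_array() {
    case $1 in
        '['*']') ;;
        *) return 1 ;;
    esac
    inner=${1#'['}
    inner=${inner%']'}
    case $inner in
        '"'*'"'|true|false|null) return 0 ;;
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric bare word: not JSON
        *) return 0 ;;             # digits only: a JSON number
    esac
}

# classify: "array" if the received value is a JSON array, else "string"
# (assumed fallback when the value does not parse as JSON).
classify() {
    if looks_like_json_array "$1"; then echo array; else echo string; fi
}

# Unquoted, as typed in the message: the shell removes the inner double quotes.
sent_value config.enabled=["true"]                        # [true]
classify "$(sent_value config.enabled=["true"])"          # array
sent_value config.editMode=["READ_ONLY"]                  # [READ_ONLY]
classify "$(sent_value config.editMode=["READ_ONLY"])"    # string

# Single-quoted: the JSON text reaches the program intact.
sent_value 'config.editMode=["READ_ONLY"]'                # ["READ_ONLY"]
classify "$(sent_value 'config.editMode=["READ_ONLY"]')"  # array
```

Under that assumption, [true], [false] and [0] still parse as arrays, while bare words such as [READ_ONLY] or [DEFAULT] arrive as plain strings, which would be consistent with which options the message reports as failing.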

