[keycloak-user] kcadm CLI for kerberos user storage API needs updating?

Ryan Slominski ryans at jlab.org
Tue Feb 13 15:48:00 EST 2018


Hi Keycloak Users,
   I figured out that single quotes are sometimes required around CLI attributes and sometimes not (doesn't seem to have anything to do with whitespace either).  I've created an issue ticket in Jira to update the documentation to reflect the new "create components" API instead of the old "create user-federation/instances" API.

Issue created:

https://issues.jboss.org/browse/KEYCLOAK-6583

And make the fix in the documentation repository.  Pull request:

https://github.com/keycloak/keycloak-documentation/pull/328

Ryan

----- Original Message -----
From: "Ryan Slominski" <ryans at jlab.org>
To: "keycloak-user" <keycloak-user at lists.jboss.org>
Sent: Wednesday, February 7, 2018 10:25:09 AM
Subject: Re: [keycloak-user] kcadm CLI for kerberos user storage API needs	updating?

I figured out why the kerberos component wasn't showing up in the web console.  I now see that realm name and realm ID are not identical by default.  It might make sense to update the CLI docs to suggest that when creating a realm you explicitly set the ID to be the same as the realm name as the web console automatically does.  That is why I was seeing the command line listing the component as part of the realm, but not visible when browsing from the web console.  The first part of my question still remains.  It seems the kcadm tool cannot be used to create or modify a user storage provider with all of the fields.  Some fields seem to cause parsing errors on the server.  Including these fields in the initial create command doesn't work.  Neither does including them in an update command:

kcadm.sh update components/my-kerberos-component-id -r demorealm -s config.kerberosRealm=["my-kerberos-realm-name"]

Also results in:

Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of VALUE_STRING token

----- Original Message -----
From: "Ryan Slominski" <ryans at jlab.org>
To: "keycloak-user" <keycloak-user at lists.jboss.org>
Sent: Tuesday, February 6, 2018 2:16:32 PM
Subject: [keycloak-user] kcadm CLI for kerberos user storage API needs	updating?

I'm following the latest CLI documentation (https://urldefense.proofpoint.com/v2/url?u=http-3A__www.keycloak.org_docs_latest_server-5Fadmin_index.html-23the-2Dadmin-2Dcli&d=DwICAg&c=lz9TcOasaINaaC3U7FbMev2lsutwpI4--09aP8Lu18s&r=EMs2e6afv3D1GQJO76Z9Fg&m=hvmhpahktF5agMlqV9WVmRD98uOlyXta9CpsyHxWJFY&s=bT2q3wiP7nDXfTYtZfXWJkFa87aNGSVSoGm7PZ02KYI&e= ), but the section about managing Kerberos user storage providers seems to be out-of-date.  The related REST API documentation (https://urldefense.proofpoint.com/v2/url?u=http-3A__www.keycloak.org_docs_latest_server-5Fdevelopment_index.html-23rest-2Dmanagement-2Dapi&d=DwICAg&c=lz9TcOasaINaaC3U7FbMev2lsutwpI4--09aP8Lu18s&r=EMs2e6afv3D1GQJO76Z9Fg&m=hvmhpahktF5agMlqV9WVmRD98uOlyXta9CpsyHxWJFY&s=Ktm4rb5xZR1h3YMxKOuhfpb3w-eh11mR7LRbXYJFTSs&e= ) points out major changes occurred after version 2.4.0.   In particular the following command no longer works:

kcadm.sh create user-federation/instances -r demorealm ...

Instead it seems it should be something like the following:

kcadm.sh create components -r demorealm -s parentId=demorealm -s name="kerberos" -s providerId="kerberos" -s providerType="org.keycloak.storage.UserStorageProvider"\
-s config.enabled=["true"] -s config.allowPasswordAuthentication=["true"] -s config.debug=["false"] -s config.priority=["0"] -s config.updateProfileFirstLogin=["false"]


However, this "create components" command only seems to work if I don't include the following otherwise desirable attributes:

-s config.keyTab=["path-to-keytab"]
-s config.kerberosRealm=["kerberos-realm-name"]
-s config.cachePolicy=["DEFAULT"]
-s config.editMode=["READ_ONLY"]
-s config.serverPrincipal=["http-principal-name"]

Including any one of them results in the server throwing the following exception:

Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of VALUE_STRING token

Further, even if I leave these attributes out and attempt to finish the job using the web console I noticed the new user storage provider doesn't show up in the list on the web.  It DOES show up when queried from the command line with:

kcadm.sh get components -r demorealm

But oddly doesn't show up if you filter as the web does with:

kcadm.sh get components -r demorealm -q type=org.keycloak.storage.UserStorageProvider

Any help is appreciated.  Thanks,

Ryan
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DwICAg&c=lz9TcOasaINaaC3U7FbMev2lsutwpI4--09aP8Lu18s&r=EMs2e6afv3D1GQJO76Z9Fg&m=hvmhpahktF5agMlqV9WVmRD98uOlyXta9CpsyHxWJFY&s=gX1vT4iLApiLig4EggteIwULHvrU60HiyY3AdR3rGkI&e=


More information about the keycloak-user mailing list