keycloak: Import Realm in Keycloak 18.0.0 - failed

Describe the bug

I’m using a docker image and I uploaded the realm.json in /opt/keycloak/data/import to get the nice auto import functionality. When I add now to start --import-realm I get:

2022-04-26 08:28:56,195 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (production) mode
2022-04-26 08:28:56,195 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to import realm: myrealm
2022-04-26 08:28:56,195 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Script upload is disabled

which confuses me, because

Script Upload should be removed (why is import using that?) and doesn’t work. Without the --import-realm all works fine

Reference to documentation: https://www.keycloak.org/server/importExport

Version

18.0.0

Expected behavior

To import the realms automatically from the data/import location.

Actual behavior

Gives an error

How to Reproduce?

  1. create a dockerfile
  2. add a realm.json to the path
  3. build keycloak in docker file
  4. build dockerfile
  5. start container

Anything else?

No response

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Reactions: 3
  • Comments: 15 (7 by maintainers)

Commits related to this issue

Most upvoted comments

@edwint88 Is your realm declaring providers that rely on scripts such as mappers, authenticators, or policies?

I had the same issue and based on your feedback I search and found I had these policies for one of the realm clients:

"policies": [
  {
    "id": "b56eebd7-8e73-4449-b110-30dfdbc77f03",
    "name": "Default Policy",
    "description": "A policy that grants access only for users within this realm",
    "type": "js",
    "logic": "POSITIVE",
    "decisionStrategy": "AFFIRMATIVE",
    "config": {
      "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
    }
  },
  { ... },
  {
    "id": "1428ae4c-b767-41b9-aaf9-bd8b0d8497e2",
    "name": "Default Permission",
    "description": "A permission that applies to the default resource type",
    "type": "resource",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "config": {
      "defaultResourceType": "urn:api:resources:default",
      "applyPolicies": "[\"Default Policy\"]"
    }
  },
  {...}
]

I checked and these were not referenced anywhere else so I proceeded to delete them and it worked.

I guess it was created automatically by a previous version of KC.

For anyone else experiencing the same issue: search for "type": "js" to pin-point the root cause in the realm export file.

+68
stefanmaric on Apr 27, 2022

Replacing the Default Policy setting with the one below resolves the issue and maintains the expected behavior.

          {
            "id": "98bb844e-5524-4c42-914b-cc5121d3124d",
            "name": "Default Policy",
            "description": "A policy that grants access only for users within this realm",
            "type": "role",
            "logic": "POSITIVE",
            "decisionStrategy": "AFFIRMATIVE",
            "config": {
              "roles": "[{\"id\":\"default-roles-main\",\"required\":false}]"
            }
          }
+8
herbertscruz on Nov 24, 2022

Ah, thanks for clearing that up. But shouldn’t it be registered as a bug that when you create an export, it cannot be imported without removing this by hand (after googling for it?).

+5
ericwout-overheid on Jul 11, 2022

``> @edwint88 Is your realm declaring providers that rely on scripts such as mappers, authenticators, or policies?

If so, the realm configuration is now invalid and you should not be able to import. See the note here about the removal of the upload-scripts feature.

We have an Authenticator, but not a JavaScript one. It’s a simple Java SPI that we add through .jar in /opt/keycloak/providers and then, yes, configured in the realm.json. Is this affected too?

LE: thanks for the "type": "js" hint! we got a default policy - that we didn’t create it, I’ll check without that in the config.

{ "id": "cf9f7684-45c2-4bcd-89a5-38c2a41b55fd", "name": "Default Policy", "description": "A policy that grants access only for users within this realm", "type": "js", "logic": "POSITIVE", "decisionStrategy": "AFFIRMATIVE", "config": { "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n" } }

That was the problem! So when I’ve created a dummy confidential client in 17.0.1 the Default JS policies were activated!

+4
edwint88 on Apr 27, 2022

shouldn’t it be registered as a bug that when you create an export, it cannot be imported without removing this by hand

I agree, this issue should be re-opened, this problem still exists in keycloak 20.0

The workaround described above seems to still work (using the quay.io/keycloak/keycloak docker image), here is a minimal, reproducible example of the issue and the workaround:

  1. Start an interactive docker container: docker run --name auth1 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=12345 -it --entrypoint=/bin/bash -p 8080:8080 quay.io/keycloak/keycloak:20.0
  2. Start the keycloak service: /opt/keycloak/bin/kc.sh start-dev
  3. From the host or another system, login to localhost:8080 after it spins up and create the realm, users, clients, etc. as one sees fit, for this example, the realm will be myrealm
  4. Stop the keycloak service (e.g. CTRL-C)
  5. Export the realm: /opt/keycloak/bin/kc.sh export --realm myrealm --users same_file --file /tmp/realm-export.json.tmp
  6. Exit the docker instance and let it stop exit
  7. Copy the exported realm out of the docker instance to a temporary file: docker cp auth1:/tmp/realm-export.json.tmp realm-export.json.tmp
  8. Copy said temporary file to an import folder: cp realm-export.json.tmp import/realm-export.json
  9. Verify import bug still exists by attempting to import said realm upon container instance spinup:
$ docker run --name auth2 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=12345 -v $(pwd)/import/:/opt/keycloak/data/import/:ro --rm quay.io/keycloak/keycloak:20.0 start-dev --import-realm
...
Unable to import realm myrealm from file /opt/keycloak/bin/../data/import/realm-export.json.: java.lang.RuntimeException: Script upload is disabled
  1. Stop the service with CTRL-C and let the docker instance exit and remove itself
  2. Remove the policies using jq to avoid editing by hand: cat realm-export.json.tmp | jq 'del(.clients[].authorizationSettings.policies)' > import/realm-export.json
  3. Verify import now works: docker run --name auth2 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=12345 -v $(pwd)/import/:/opt/keycloak/data/import/:ro --rm -p 8080:8080 quay.io/keycloak/keycloak:20.0 start-dev --import-realm
+2
qhaas on Nov 22, 2022

@edwint88 Is your realm declaring providers that rely on scripts such as mappers, authenticators, or policies?

If so, the realm configuration is now invalid and you should not be able to import. See the note here about the removal of the upload-scripts feature.

+2
pedroigor on Apr 27, 2022

@edwint88 @yangboyd I’m working on it. Can we discuss this issue at https://github.com/keycloak/keycloak/issues/16074?

+1
pedroigor on Dec 22, 2022

And also here: https://keycloak.discourse.group/t/import-realm-in-keycloak-18-0-0-failed/15166

+1
edwint88 on Apr 27, 2022

Linking this discussion I opened a few ago: https://github.com/keycloak/keycloak/discussions/11658

+1
stefanmaric on Apr 27, 2022
Read more comments on GitHub
← keycloak: HTTP 401 Unauthorized while trying to create a user
keycloak: Incorrect documentation for setting truststore for mTLS →