Just posting this here because I don’t have a Red Hat account to comment on the Jira issues.
As can be seen in these issues:
[KEYCLOAK-18682] Cannot import clients if there is a client with Authorization enabled
[KEYCLOAK-12400] Deprecating uploading scripts affects Import/Export Authorization Settings
[KEYCLOAK-14543] It is not possible to export and then import client with defualt authorization settings
Steps to reproduce the problem are really simple:
- create a client
- activate authorization on the client
- export the realm (using `[...]standalone.sh -Dkeycloak.migration.action=export [...]`)
- import the realm (using the same kind of command)
Bam, exception: `java.lang.RuntimeException: Script upload is disabled`
This is explained in the issues linked above: when you activate authorization, Keycloak creates an empty policy that is JavaScript.
When you export, it exports fine.
When you import, no such luck, because script upload is disabled. So, exception.
My problem with this is an overall tool behavior. I think it’s not normal for any tool to offer export and import, and that in any situation just doing both fails, without any modification of the exported file or of the tool itself. It’s fine to restrict, but the tool should stay consistent.
My suggestions: either…
- …fail to export with scripts
- …or silently ignore scripts at export
- …or offer an explicit option to export with or without scripts ← best solution, because it fails when it should and lets the user choose knowingly
- …or offer to import without scripts
- …or import silently but without scripts, and create a default policy if needed
As it is, the working is asymmetrical: you can export and import and fail.
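
Added example, not part of the original post and not Keycloak code: a pre-import check that lists the script policies in an exported realm file and the permissions that depend on them, so the "Script upload is disabled" failure can be anticipated before running the import. The field names (`clients`, `authorizationSettings`, `policies`, `type: "js"`, `applyPolicies`) are assumptions about the export layout, and the sample export is constructed.

```python
import json

# Constructed sample: a trimmed realm export with one authorization-enabled client.
# Field names are assumptions about the realm export layout.
SAMPLE_EXPORT = json.dumps({
    "realm": "demo",
    "clients": [
        {"clientId": "plain-client"},
        {"clientId": "authz-client", "authorizationSettings": {"policies": [
            {"name": "Default Policy", "type": "js",
             "config": {"code": "$evaluation.grant();\n"}},
            {"name": "Default Permission", "type": "resource",
             "config": {"applyPolicies": "[\"Default Policy\"]"}},
        ]}},
    ],
})


def find_script_policies(export_text):
    """Return one finding per 'js' policy: client, policy name, dependent permissions."""
    realm = json.loads(export_text)
    findings = []
    for client in realm.get("clients") or []:
        policies = (client.get("authorizationSettings") or {}).get("policies") or []
        for policy in policies:
            if policy.get("type") != "js":
                continue
            dependents = []
            for other in policies:
                # applyPolicies is assumed to be a JSON-encoded list stored as a string.
                raw = (other.get("config") or {}).get("applyPolicies", "[]")
                try:
                    applied = json.loads(raw)
                except (TypeError, ValueError):
                    applied = []
                if isinstance(applied, list) and policy.get("name") in applied:
                    dependents.append(other.get("name"))
            findings.append({"client": client.get("clientId"),
                             "policy": policy.get("name"),
                             "used_by": dependents})
    return findings


if __name__ == "__main__":
    for f in find_script_policies(SAMPLE_EXPORT):
        print(f"{f['client']}: script policy {f['policy']!r} used by {f['used_by']}")
```

The `used_by` list matters because removing a script policy from the file by hand would leave those permissions pointing at a policy that no longer exists.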