Import users without upload_scripts?

Hi!

Does anybody know the recommended way to use the Export/Import functionality without also enabling the (deprecated) -Dkeycloak.profile.feature.upload_scripts functionality via extra arguments?

When reading the documentation, the instructions for importing and exporting list arguments as follows:

-Dkeycloak.migration.action=import \
-Dkeycloak.migration.provider=singleFile \
-Dkeycloak.migration.file=<FILE TO IMPORT> \
-Dkeycloak.migration.strategy=OVERWRITE_EXISTING

but there is no mention of the -Dkeycloak.profile.feature.upload_scripts, as it should be since it is deprecated. However, when trying to import via this manner, I get the following fatal error, and Keycloak crashes.

10:12:06,183 FATAL [org.keycloak.services] (ServerService Thread Pool -- 59) java.lang.RuntimeException: Script upload is disabled

What gives, is there a way to do this or are we required to use the script upload despite it being deprecated?

@pedroigor, maybe you or one of the other team members could shed some light?

Hi,

If the configuration you are importing has any reference to:

  • JS Script Authenticators
  • JS Script Mappers
  • JS Script Policies

You have two options:

  • Replace these references so that you actually point to JS deployments
  • Import enabling the upload_scripts feature and change to use deployments

Please, check https://issues.redhat.com/browse/KEYCLOAK-13878 for more details.

I’m using the Codecentric Helm chart for setting up, manifest as follows.
I can understand if it therefore is an issue for the Codecentric people, fixing up the Chart to allow for the second solution you mention.

Should this error be interpreted as that one of the objects imported is reliant on one of the Authenticators, Mappers or Policies you mention, since it is required?

postgresql:
  persistence:
    enabled: true
  existingSecret: keycloak-postgresql
keycloak:
  extraEnv: |
    - name: PROXY_ADDRESS_FORWARDING
      value: "true"
  ingress:
    ...
  persistence:
    dbVendor: postgres
    deployPostgres: true
    existingSecret: keycloak-postgresql

  extraArgs: -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled \
    -Dkeycloak.profile.feature.scripts=enabled \
    -Dkeycloak.migration.action=import \
    -Dkeycloak.migration.provider=dir \
    -Dkeycloak.migration.dir=/users-import \
    -Dkeycloak.profile.features.upload_scripts 
  # Last entry is required to get it to work, but shouldn't be?

  # Extra volumes containing relevant json files
  extraVolumes: |
  ...

I think I might have found a rogue script hiding in one of my testing realms, I will test it out after removing it and see if that fixes the error.

I assume you managed to fix this, what was the script causing the error?

Having the same issue, and it’s quite a big hassle looking for the single object causing this.

I’m afraid it’s too long ago to remember, and I’ve since switched companies so I don’t have the relevant files and history available. If I’m not mistaken, I looked through the realms to be imported and either noticed and removed unnecessary imports, or extracted the things needed to clean files and imported them, but I can’t say for sure.

You could maybe try setting up a clean realm, performing an export from it and then check the diff between the new one and the one causing you troubles - depending on the size of the realm. That could at least narrow down the potential areas where things could hide, since a diff in e.g. users and clients is expected but other diffs might not be.

Thanks a lot for the reply, man.

In any case, you’re right, I just found the exact issue for me at least.

When generating clients with authorization, default policies and permissions are created. These point to some JS Scripts. After removing these Default items, I managed to deploy Keycloak without any issues and without the upload_scripts=enable flag.

Cheers

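An added example, not part of any post in this thread and not Keycloak's own tooling: a small Python walker that lists the objects in a realm export falling into the three categories named above (script authenticators, script mappers, script policies), so they can be replaced or removed before importing without upload_scripts. The provider ids and the policy `type` value are assumptions about the export format to verify against your Keycloak version; the sample realm is constructed.

```python
import json
import sys

# Assumed ids of script-backed providers in a realm export; verify per version.
SCRIPT_AUTHENTICATORS = ("auth-script-based",)
SCRIPT_MAPPERS = ("oidc-script-based-protocol-mapper", "saml-javascript-mapper")
SCRIPT_POLICY_TYPES = ("js",)


def find_script_refs(node, path="$"):
    """Walk a parsed realm export; return (json_path, kind, name) per hit."""
    hits = []
    if isinstance(node, dict):
        name = (node.get("name") or node.get("alias")
                or node.get("authenticatorConfig") or "<unnamed>")
        if node.get("authenticator") in SCRIPT_AUTHENTICATORS:
            hits.append((path, "script authenticator", name))
        if node.get("protocolMapper") in SCRIPT_MAPPERS:
            hits.append((path, "script mapper", name))
        # "type": "js" alone is ambiguous, so also require a policy's "logic" field.
        if node.get("type") in SCRIPT_POLICY_TYPES and "logic" in node:
            hits.append((path, "script policy", name))
        for key, value in node.items():
            hits.extend(find_script_refs(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_script_refs(value, f"{path}[{i}]"))
    return hits


# Constructed sample shaped like a realm export (not taken from the thread).
SAMPLE_REALM = {"realm": "demo", "clients": [{
    "clientId": "app",
    "protocolMappers": [
        {"name": "custom", "protocolMapper": "oidc-script-based-protocol-mapper"}],
    "authorizationSettings": {"policies": [
        {"name": "Default Policy", "type": "js", "logic": "POSITIVE",
         "config": {"code": "$evaluation.grant();"}},
        {"name": "Default Permission", "type": "resource", "logic": "POSITIVE",
         "config": {"applyPolicies": "[\"Default Policy\"]"}}]},
}]}

if __name__ == "__main__":
    realm = SAMPLE_REALM
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            realm = json.load(fh)
    for path, kind, name in find_script_refs(realm):
        print(f"{kind:<21}{name!r:<20}{path}")
```

Pass the path of an exported realm JSON file as the first argument to scan it instead of the sample. In the constructed sample the "Default Permission" names the flagged policy in `applyPolicies`, so the two would be removed together, matching the "Default items" described above.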

@eldarj what were those default items? Can you share JSON code snippets for those default items? It will help to narrow down this issue for others.