Does anybody know the recommended way to use the Export/Import functionality without also enabling the (deprecated) -Dkeycloak.profile.feature.upload_scripts functionality via extra arguments?
When reading the documentation, the instructions for importing and exporting list arguments as follows:
-Dkeycloak.migration.action=import \
-Dkeycloak.migration.provider=singleFile \
-Dkeycloak.migration.file=<FILE TO IMPORT> \
-Dkeycloak.migration.strategy=OVERWRITE_EXISTING
but there is no mention of -Dkeycloak.profile.feature.upload_scripts, as it should be since it is deprecated. However, when trying to import in this manner, I get the following fatal error, and Keycloak crashes.
10:12:06,183 FATAL [org.keycloak.services] (ServerService Thread Pool -- 59) java.lang.RuntimeException: Script upload is disabled
What gives? Is there a way to do this, or are we required to use the script upload despite it being deprecated?
I’m using the Codecentric Helm chart for setting up, manifest as follows.
I can understand if it therefore is an issue for the Codecentric people, fixing up the Chart to allow for the second solution you mention.
Should this error be interpreted as that one of the objects imported is reliant on one of the Authenticators, Mappers or Policies you mention, since it is required?
postgresql:
  persistence:
    enabled: true
  existingSecret: keycloak-postgresql
keycloak:
  extraEnv: |
    - name: PROXY_ADDRESS_FORWARDING
      value: "true"
  ingress:
    ...
  persistence:
    dbVendor: postgres
    deployPostgres: true
    existingSecret: keycloak-postgresql
  extraArgs: -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled \
    -Dkeycloak.profile.feature.scripts=enabled \
    -Dkeycloak.migration.action=import \
    -Dkeycloak.migration.provider=dir \
    -Dkeycloak.migration.dir=/users-import \
    -Dkeycloak.profile.features.upload_scripts
    # Last entry is required to get it to work, but shouldn't be?
  # Extra volumes containing relevant json files
  extraVolumes: |
    ...
I’m afraid it’s too long ago to remember, and I’ve since switched companies so I don’t have the relevant files and history available. If I’m not mistaken, I looked through the realms to be imported and either noticed and removed unnecessary imports, or extracted the things needed to clean files and imported them, but I can’t say for sure.
You could maybe try setting up a clean realm, performing an export from it and then check the diff between the new one and the one causing you troubles - depending on the size of the realm. That could at least narrow down the potential areas where things could hide, since a diff in e.g. users and clients is expected but other diffs might not be.
In any case, you’re right, I just found the exact issue for me at least.
When generating clients with authorization, default policies and permissions are created. These point to some JS Scripts. After removing these Default items, I managed to deploy Keycloak without any issues and without the upload_scripts=enable flag.
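The check described in the last post can be scripted before an import. This is an added example, not code from the thread or from Keycloak: it finds JS policies in a realm export and the permissions that apply them, and produces a copy without them. The field names (authorizationSettings.policies, type "js", applyPolicies stored as a JSON-encoded string) are assumptions about the export layout, and the sample realm is constructed.

```python
import copy
import json

# Constructed sample: trimmed realm export with one authorization-enabled client.
SAMPLE_REALM = {
    "clients": [
        {"clientId": "plain-client"},
        {"clientId": "authz-client", "authorizationSettings": {"policies": [
            {"name": "Default Policy", "type": "js",
             "config": {"code": "$evaluation.grant();"}},
            {"name": "Default Permission", "type": "resource",
             "config": {"applyPolicies": json.dumps(["Default Policy"])}},
            {"name": "Admins Only", "type": "role", "config": {}},
        ]}},
    ],
}

def applied_policies(policy):
    """Names in a permission's applyPolicies (assumed to be a JSON-encoded list)."""
    return json.loads((policy.get("config") or {}).get("applyPolicies", "[]"))

def find_script_policies(realm):
    """List (clientId, JS policy name, permissions that apply it)."""
    findings = []
    for client in realm.get("clients", []):
        policies = (client.get("authorizationSettings") or {}).get("policies", [])
        for js in (p for p in policies if p.get("type") == "js"):
            users = [p["name"] for p in policies if js["name"] in applied_policies(p)]
            findings.append((client["clientId"], js["name"], users))
    return findings

def strip_script_policies(realm):
    """Copy of the realm without JS policies or permissions that relied only on them."""
    cleaned = copy.deepcopy(realm)
    for client in cleaned.get("clients", []):
        settings = client.get("authorizationSettings") or {}
        policies = settings.get("policies", [])
        js_names = {p["name"] for p in policies if p.get("type") == "js"}
        kept = []
        for p in policies:
            refs = applied_policies(p)
            remaining = [n for n in refs if n not in js_names]
            if p.get("type") == "js" or (refs and not remaining):
                continue  # script policy, or permission left with nothing to apply
            if refs:
                p["config"]["applyPolicies"] = json.dumps(remaining)
            kept.append(p)
        if "policies" in settings:
            settings["policies"] = kept
    return cleaned
```

Load each exported file with json.load and review the output of find_script_policies before importing the result of strip_script_policies.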