Import an existing Keycloak realm without losing the existing users

4

I have configured a Kubernetes init container that imports an existing realm, overwriting the realm already present in the environment.

I am using the following command:

/opt/keycloak/bin/kc.sh import --file=/opt/keycloak/data/import/tyk-realm-export.json

The problem I run into is that when the existing realm is replaced, all of the users in it are deleted.

Is there any way to import a new realm configuration without losing the users? In particular, my database is expected to hold hundreds of thousands of users.

P.S.: using keycloak >= 18.0.0

Here is a log:

Appending additional Java properties to JAVA_OPTS: -Dkeycloak.profile.feature.upload_scripts=enabled -Dkeycloak.migration.strategy=OVERWRITE_EXISTING
2022-06-17 10:17:30,048 INFO  [org.keycloak.common.Profile] (main) Preview feature enabled: scripts
2022-06-17 10:17:30,198 INFO  [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: FrontEnd: <MyHostname>, Strict HTTPS: false, Path: <request>, Strict BackChannel: false, Admin: <request>, Port: -1, Proxied: true
2022-06-17 10:17:32,225 WARN  [org.infinispan.PERSISTENCE] (keycloak-cache-init) ISPN000554: jboss-marshalling is deprecated and planned for removal
2022-06-17 10:17:32,505 WARN  [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
2022-06-17 10:17:32,559 INFO  [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
2022-06-17 10:17:33,004 INFO  [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000128: Infinispan version: Infinispan 'Triskaidekaphobia' 13.0.9.Final
2022-06-17 10:17:33,311 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel `ISPN`
2022-06-17 10:17:33,312 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000088: Unable to use any JGroups configuration mechanisms provided in properties {}. Using default JGroups configuration!
2022-06-17 10:17:33,599 WARN  [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1.00MB, but the OS only allocated 212.99KB
2022-06-17 10:17:33,600 WARN  [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 20.00MB, but the OS only allocated 212.99KB
2022-06-17 10:17:33,600 WARN  [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1.00MB, but the OS only allocated 212.99KB
2022-06-17 10:17:33,600 WARN  [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 25.00MB, but the OS only allocated 212.99KB
2022-06-17 10:17:35,614 INFO  [org.jgroups.protocols.pbcast.GMS] (keycloak-cache-init) sb-keycloak-bd4778849-n8jh5-3122: no members discovered after 2004 ms: creating cluster as coordinator
2022-06-17 10:17:35,636 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000094: Received new cluster view for channel ISPN: [sb-keycloak-bd4778849-n8jh5-3122|0] (1) [sb-keycloak-bd4778849-n8jh5-3122]
2022-06-17 10:17:35,647 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000079: Channel `ISPN` local address is `sb-keycloak-bd4778849-n8jh5-3122`, physical addresses are `[10.2.0.74:41912]`
2022-06-17 10:17:36,678 INFO  [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: sb-keycloak-bd4778849-n8jh5-3122, Site name: null
2022-06-17 10:17:37,972 INFO  [org.keycloak.services] (main) KC-SERVICES0030: Full model import requested. Strategy: OVERWRITE_EXISTING
2022-06-17 10:17:37,983 INFO  [org.keycloak.exportimport.singlefile.SingleFileImportProvider] (main) Full importing from file /opt/keycloak/data/import/tyk-realm-export.json
2022-06-17 10:17:38,388 INFO  [org.keycloak.exportimport.util.ImportUtils] (main) Realm 'tyk' already exists. Removing it before import
2022-06-17 10:17:49,348 INFO  [org.keycloak.exportimport.util.ImportUtils] (main) Realm 'tyk' imported
2022-06-17 10:17:49,540 INFO  [org.keycloak.services] (main) KC-SERVICES0032: Import finished successfully
2022-06-17 10:17:49,832 INFO  [io.quarkus] (main) Keycloak 18.0.1 on JVM (powered by Quarkus 2.7.5.Final) started in 25.524s. Listening on: http://0.0.0.0:8080
2022-06-17 10:17:49,834 INFO  [io.quarkus] (main) Profile import_export activated. 
2022-06-17 10:17:49,834 INFO  [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-h2, jdbc-mariadb, jdbc-mssql, jdbc-mysql, jdbc-oracle, jdbc-postgresql, keycloak, narayana-jta, reactive-routes, resteasy, resteasy-jackson, smallrye-context-propagation, smallrye-health, smallrye-metrics, vault, vertx]
2022-06-17 10:17:49,922 INFO  [org.infinispan.CLUSTER] (main) ISPN000080: Disconnecting JGroups channel `ISPN`
2022-06-17 10:17:50,012 INFO  [io.quarkus] (main) Keycloak stopped in 0.165s
Done


Did you find a solution to this problem? - Limon
No solution yet. - Kostanos
2 Answers

1

I don't know your exact use case.

But the question I would ask is: does the realm have to be imported again, or does it only need to be updated?

Importing the realm for the first time is no problem at all. On import you have to choose between the two strategies OVERWRITE_EXISTING and IGNORE_EXISTING.

However, neither of them fits the use case of updating specific items in your realm, such as the SMTP server settings.

Suppose you have three environments: development, release, production.

Your configuration keeps evolving and runs through each stage.

If ignore_existing is chosen, no import takes place at all.

If overwrite_existing is chosen, it will delete all users, because overwrite_existing works like this: delete what exists and create a completely new realm. Needless to say, this is undesirable in production.

In that case you only need to update via the REST API. (Note that this link points to a specific version, and note that the path given in the documentation is wrong, which is why it differs in my cURL command.)

For example: suppose you receive a requirement that the emails Keycloak sends should have a new "from" address. You develop it, it gets tested, and then it goes to production. In that case you can run a cUrl script like the following:

# First initialize your variables
export KEYCLOAK_HOST="http://localhost:8471"
export REALM_NAME="myrealm"
export CLIENT_SECRET="client-secret-from-your-admin-cli-user-in-the-myrealm"
export CLIENT_ID="admin-cli"

# get the token (mandatory for any action as an admin)
# Note: the /auth prefix only exists on Keycloak 17+ (Quarkus) when it is
# started with --http-relative-path=/auth; otherwise drop it from both URLs.
export TOKEN=$( \
        curl -s \
        -d "client_id=$CLIENT_ID" \
        -d "client_secret=$CLIENT_SECRET" \
        -d 'grant_type=client_credentials' \
        "$KEYCLOAK_HOST/auth/realms/$REALM_NAME/protocol/openid-connect/token" \
        | jq -j '.access_token')

# update your specific resource, in this case we're updating the attribute smtpServer with the according values
# A PUT on the realm with a partial representation only changes the fields
# that are present; users, clients and roles are left untouched.
curl -X PUT \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"smtpServer" : { "replyToDisplayName" : "my Example Display Name", "starttls" : "false", "auth" : "", "port" : "12345", "host" : "my-host.local", "replyTo" : "my-new-address-requested@supermail.com", "from" : "my-new-address-requested@supermail.com", "fromDisplayName" : "", "ssl" : ""} }' \
    "$KEYCLOAK_HOST/auth/admin/realms/$REALM_NAME"

With this approach you can update your realm and let it evolve according to its stage.

As I said, I don't know whether it solves your problem, but if it does, I'm glad I could help.


Thanks, I'll check it the next time I need to update. - Kostanos
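The answer above sends one hand-written attribute. The following script, which is an added example and not code from the question, the answer or the Keycloak project, generalizes that idea: it takes the realm export promoted from the previous stage, drops the object collections (users, clients, roles, ...) so that a PUT to the realm cannot remove users, and optionally sends only the settings that differ from the realm as deployed. `OBJECT_KEYS`, `settings_only`, `changed_settings` and `put_realm` are hypothetical helpers; the sample exports are constructed.

```python
import json
import urllib.request

# Top-level keys of a realm export that hold objects rather than realm settings
# (non-exhaustive list, assumed from RealmRepresentation). PUT /admin/realms/{realm}
# leaves absent fields unchanged, so a payload without these keys cannot delete users.
OBJECT_KEYS = frozenset({
    "users", "federatedUsers", "clients", "roles", "groups", "clientScopes",
    "components", "identityProviders", "identityProviderMappers",
    "authenticationFlows", "authenticatorConfig", "requiredActions",
    "scopeMappings", "clientScopeMappings", "protocolMappers",
})

def settings_only(export: dict, keep=None) -> dict:
    """Strip object collections from an export, keeping 'realm' plus either
    every remaining setting (keep=None) or only the setting keys named in keep."""
    payload = {k: v for k, v in export.items() if k not in OBJECT_KEYS}
    if keep is not None:
        payload = {k: v for k, v in payload.items() if k == "realm" or k in keep}
    return payload

def changed_settings(current: dict, desired: dict) -> dict:
    """Partial update holding only the settings whose value differs between the
    realm as deployed (current) and the export from the previous stage (desired).
    Exports mask secrets (e.g. the SMTP password as asterisks): review the payload."""
    changed = {k: v for k, v in settings_only(desired).items()
               if k != "realm" and current.get(k) != v}
    changed["realm"] = desired["realm"]
    return changed

def put_realm(base_url: str, realm: str, token: str, payload: dict) -> int:
    """PUT the partial representation with an admin bearer token. base_url carries
    the /auth prefix only when Keycloak runs with --http-relative-path=/auth."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}", method="PUT",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status  # Keycloak answers 204 No Content on success

# Constructed sample exports: the deployed realm has users, the promoted one does not.
EXPORT_CURRENT = {"realm": "tyk", "enabled": True, "displayName": "Tyk",
                  "smtpServer": {"host": "old-mail.local", "from": "old@example.com"},
                  "users": [{"username": "alice"}], "clients": [{"clientId": "admin-cli"}]}
EXPORT_DESIRED = {"realm": "tyk", "enabled": True, "displayName": "Tyk",
                  "smtpServer": {"host": "my-host.local", "from": "new@example.com"},
                  "clients": [{"clientId": "admin-cli"}]}

if __name__ == "__main__":
    print(json.dumps(changed_settings(EXPORT_CURRENT, EXPORT_DESIRED), indent=2))
```

Run it against a live server by calling `put_realm(KEYCLOAK_HOST, "tyk", TOKEN, changed_settings(current, desired))` where `current` is the JSON returned by a GET on the same realm URL.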

0
Maybe you could export both realms and merge the dumps together.

1
It is only one realm ("tyk"). The OP's problem is importing a realm that already exists with Strategy: OVERWRITE_EXISTING. In that case Keycloak deletes the existing realm and recreates it instead of using an update/merge mechanism. As a result, all previously created users are now deleted. - Limon
