Import an existing Keycloak realm without losing the existing users



I have configured a Kubernetes init container that imports an existing realm and overwrites the realm that already exists in the environment.

I am using this command:

/opt/keycloak/bin/kc.sh import --file=/opt/keycloak/data/import/tyk-realm-export.json

The problem I run into is that when the existing realm is replaced, all of the users in it are deleted.

Is there a way to import a new configuration for the realm without losing the users? In particular, my database is expected to hold hundreds of thousands of users.

PS: using keycloak >= 18.0.0

Here is a log:

Appending additional Java properties to JAVA_OPTS: -Dkeycloak.profile.feature.upload_scripts=enabled -Dkeycloak.migration.strategy=OVERWRITE_EXISTING
2022-06-17 10:17:30,048 INFO  [org.keycloak.common.Profile] (main) Preview feature enabled: scripts
2022-06-17 10:17:30,198 INFO  [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: FrontEnd: <MyHostname>, Strict HTTPS: false, Path: <request>, Strict BackChannel: false, Admin: <request>, Port: -1, Proxied: true
2022-06-17 10:17:32,225 WARN  [org.infinispan.PERSISTENCE] (keycloak-cache-init) ISPN000554: jboss-marshalling is deprecated and planned for removal
2022-06-17 10:17:32,505 WARN  [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
2022-06-17 10:17:32,559 INFO  [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
2022-06-17 10:17:33,004 INFO  [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000128: Infinispan version: Infinispan 'Triskaidekaphobia' 13.0.9.Final
2022-06-17 10:17:33,311 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel `ISPN`
2022-06-17 10:17:33,312 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000088: Unable to use any JGroups configuration mechanisms provided in properties {}. Using default JGroups configuration!
2022-06-17 10:17:33,599 WARN  [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1.00MB, but the OS only allocated 212.99KB
2022-06-17 10:17:33,600 WARN  [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 20.00MB, but the OS only allocated 212.99KB
2022-06-17 10:17:33,600 WARN  [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1.00MB, but the OS only allocated 212.99KB
2022-06-17 10:17:33,600 WARN  [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 25.00MB, but the OS only allocated 212.99KB
2022-06-17 10:17:35,614 INFO  [org.jgroups.protocols.pbcast.GMS] (keycloak-cache-init) sb-keycloak-bd4778849-n8jh5-3122: no members discovered after 2004 ms: creating cluster as coordinator
2022-06-17 10:17:35,636 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000094: Received new cluster view for channel ISPN: [sb-keycloak-bd4778849-n8jh5-3122|0] (1) [sb-keycloak-bd4778849-n8jh5-3122]
2022-06-17 10:17:35,647 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000079: Channel `ISPN` local address is `sb-keycloak-bd4778849-n8jh5-3122`, physical addresses are `[10.2.0.74:41912]`
2022-06-17 10:17:36,678 INFO  [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: sb-keycloak-bd4778849-n8jh5-3122, Site name: null
2022-06-17 10:17:37,972 INFO  [org.keycloak.services] (main) KC-SERVICES0030: Full model import requested. Strategy: OVERWRITE_EXISTING
2022-06-17 10:17:37,983 INFO  [org.keycloak.exportimport.singlefile.SingleFileImportProvider] (main) Full importing from file /opt/keycloak/data/import/tyk-realm-export.json
2022-06-17 10:17:38,388 INFO  [org.keycloak.exportimport.util.ImportUtils] (main) Realm 'tyk' already exists. Removing it before import
2022-06-17 10:17:49,348 INFO  [org.keycloak.exportimport.util.ImportUtils] (main) Realm 'tyk' imported
2022-06-17 10:17:49,540 INFO  [org.keycloak.services] (main) KC-SERVICES0032: Import finished successfully
2022-06-17 10:17:49,832 INFO  [io.quarkus] (main) Keycloak 18.0.1 on JVM (powered by Quarkus 2.7.5.Final) started in 25.524s. Listening on: http://0.0.0.0:8080
2022-06-17 10:17:49,834 INFO  [io.quarkus] (main) Profile import_export activated. 
2022-06-17 10:17:49,834 INFO  [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-h2, jdbc-mariadb, jdbc-mssql, jdbc-mysql, jdbc-oracle, jdbc-postgresql, keycloak, narayana-jta, reactive-routes, resteasy, resteasy-jackson, smallrye-context-propagation, smallrye-health, smallrye-metrics, vault, vertx]
2022-06-17 10:17:49,922 INFO  [org.infinispan.CLUSTER] (main) ISPN000080: Disconnecting JGroups channel `ISPN`
2022-06-17 10:17:50,012 INFO  [io.quarkus] (main) Keycloak stopped in 0.165s
Done

I don't know your exact use case.

But the question I would ask is: is it mandatory to import the realm again, or do you only need to update it?

Importing the realm for the first time is perfectly fine. On import you have to choose between two strategies: OVERWRITE_EXISTING and IGNORE_EXISTING.

However, neither of them is suited to the use case of updating specific items of your realm, such as the SMTP server settings.

Suppose you have three environments: development, staging, production.

Your configuration evolves and runs in each of these stages.

With IGNORE_EXISTING, no import happens at all.

With OVERWRITE_EXISTING it deletes all your users, because that is how OVERWRITE_EXISTING works: it deletes the existing realm and creates a completely new one. Needless to say, that is not what you want in a productive environment.

In that case, all you need is an update through the REST API. (Note that this link points to a specific version; also note that the path given in the documentation is wrong, which is why it differs in my curl command.) For example: suppose you get the requirement that the e-mails sent by Keycloak should have a new "from" address. You develop it, it gets tested, and then it runs in production. In that case you can run a curl script like this:

# First initialize your variables
export KEYCLOAK_HOST="http://localhost:8471"
export REALM_NAME="myrealm"
export CLIENT_SECRET="client-secret-from-your-admin-cli-user-in-the-myrealm"
export CLIENT_ID="admin-cli"

# get the token (mandatory for any action as an admin); the client_credentials
# grant requires a confidential client with a service account that holds the
# realm-management roles (e.g. manage-realm) in this realm
export TOKEN=$(
curl -s \
  -d "client_id=$CLIENT_ID" \
  -d "client_secret=$CLIENT_SECRET" \
  -d 'grant_type=client_credentials' \
  "$KEYCLOAK_HOST/auth/realms/$REALM_NAME/protocol/openid-connect/token" \
  | jq -j '.access_token')

# update your specific resource, in this case we're updating the attribute
# smtpServer with the corresponding values; a PUT on the realm only changes
# top-level realm attributes, the users stored in the realm are not touched
curl -X PUT \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"smtpServer" : { "replyToDisplayName" : "my Example Display Name", "starttls" : "false", "auth" : "", "port" : "12345", "host" : "my-host.local", "replyTo" : "my-new-address-requested@supermail.com", "from" : "my-new-address-requested@supermail.com", "fromDisplayName" : "", "ssl" : ""} }' \
  "$KEYCLOAK_HOST/auth/admin/realms/$REALM_NAME"

With this approach you can update your realm and let it evolve according to its stage.

As I said, I don't know whether this solves your problem, but if it does, I'm glad I could help.
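The REST-API update described in the answer above, carried one step further as an added example in Python (this is not code from the question, the answer or the Keycloak project): instead of hand-writing a JSON fragment, it takes a full realm export such as the one the question imports with kc.sh, strips everything that is not a top-level realm setting (per the Admin REST API documentation, PUT /admin/realms/{realm} only updates top-level attributes and ignores user, role and client data), and sends the rest to the existing realm. It also refuses an export for a differently named realm, because the "realm" field in that PUT is the realm name and a mismatch would rename the target, and it compares the user count before and after the update so the "no users lost" property is checked rather than assumed. The environment variable names, the client roles, the helper functions and the SAMPLE_EXPORT document are assumptions made for this example.

```python
"""Push the top-level settings of a Keycloak realm export into an existing
realm through the Admin REST API, leaving the realm's users in place.

Added example, not code from the original post. Assumptions (not from the
original): KEYCLOAK_URL, REALM_NAME, CLIENT_ID and CLIENT_SECRET are set in
the environment; the client is confidential, has a service account, and that
service account holds the realm-management roles manage-realm and view-users
in the target realm; the export file path is the single command-line argument.
"""
import json
import os
import sys
import urllib.parse
import urllib.request

# Parts of a RealmRepresentation that PUT /admin/realms/{realm} does not apply
# (they are managed through their own admin endpoints), plus the per-user data
# we never want to send over the wire. Stripping them keeps the payload small
# and makes "no user data leaves this script" explicit.
STRIPPED_KEYS = {
    "id",                       # internal id of the source realm, differs per environment
    "users", "federatedUsers",  # user data: must never be replayed into a live realm
    "clients", "clientScopes", "roles", "groups", "components",
    "identityProviders", "identityProviderMappers",
    "authenticationFlows", "authenticatorConfig", "requiredActions",
    "scopeMappings", "clientScopeMappings",
}

# Constructed sample export (not a real Keycloak dump): a trimmed
# RealmRepresentation with one user, one client and an smtpServer block.
SAMPLE_EXPORT = {
    "id": "c0ffee00-0000-4000-8000-000000000001",
    "realm": "tyk",
    "enabled": True,
    "smtpServer": {"host": "my-host.local", "port": "12345", "from": "noreply@example.com"},
    "users": [{"username": "alice", "enabled": True}],
    "clients": [{"clientId": "my-app", "enabled": True}],
}


def build_realm_update(export: dict, target_realm: str) -> dict:
    """Return the top-level-only payload for PUT /admin/realms/{target_realm}.

    Refuses an export for a different realm: the 'realm' field is the realm
    name, and a mismatching value would rename the target realm.
    """
    if export.get("realm") != target_realm:
        raise ValueError(
            f"export is for realm {export.get('realm')!r}, not {target_realm!r}")
    return {k: v for k, v in export.items() if k not in STRIPPED_KEYS}


def _request(method, url, token=None, body=None, form=None):
    """Minimal JSON/form HTTP helper; raises urllib.error.HTTPError on 4xx/5xx."""
    data, headers = None, {"Accept": "application/json"}
    if form is not None:
        data = urllib.parse.urlencode(form).encode()
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    elif body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()          # empty for 204 No Content (realm PUT)
        return json.loads(raw) if raw else None


def get_token(base_url, realm, client_id, client_secret):
    """client_credentials grant at the realm's token endpoint. The Quarkus
    distribution (Keycloak 17+) serves /realms/... without the old /auth
    prefix unless --http-relative-path=/auth is configured."""
    tok = _request("POST", f"{base_url}/realms/{realm}/protocol/openid-connect/token",
                   form={"grant_type": "client_credentials",
                         "client_id": client_id, "client_secret": client_secret})
    return tok["access_token"]


def user_count(base_url, token, realm):
    return int(_request("GET", f"{base_url}/admin/realms/{realm}/users/count", token))


def update_realm(base_url, token, realm, payload):
    _request("PUT", f"{base_url}/admin/realms/{realm}", token, body=payload)


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} realm-export.json", file=sys.stderr)
        return 2
    base_url = os.environ["KEYCLOAK_URL"].rstrip("/")
    realm = os.environ["REALM_NAME"]
    with open(argv[1]) as fh:
        payload = build_realm_update(json.load(fh), realm)
    token = get_token(base_url, realm, os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"])
    before = user_count(base_url, token, realm)
    update_realm(base_url, token, realm, payload)
    after = user_count(base_url, token, realm)
    print(f"realm {realm!r} updated; users before={before} after={after}")
    return 0 if before == after else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from the same init container in place of kc.sh import, e.g. `KEYCLOAK_URL=http://keycloak:8080 REALM_NAME=tyk CLIENT_ID=... CLIENT_SECRET=... python3 update_realm.py /opt/keycloak/data/import/tyk-realm-export.json`. Clients, roles, flows and the other stripped sub-resources still have to be reconciled through their own endpoints if they changed between stages; this script deliberately covers only the realm-level settings that the answer's curl example targets.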

Maybe you could export both realms and stitch the dumps together.
