Import realm in Keycloak:18.x

3

18

I cannot import any realms into Keycloak 18.0.0. That's the Quarkus distribution, not the WildFly one anymore. The documentation here says it should be pretty simple, and by mounting my exported realm.json file into /opt/keycloak/data/import/...json it actually TRIES to import it, but it ends with:

"[org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Script upload is disabled".

This is known to be removed, and the old -Dkeycloak.profile.feature.upload_scripts=enabled won't work anymore. OK. But then what's the way to import any realms on startup? That would be used to distribute a ready-made local stack without any handcrafting needed to launch. I could do it by running SQL commands, but that's way too hacky for my taste.

Compose file:

  cp-keycloak:
    image: quay.io/keycloak/keycloak:18.0.0
    environment:
      KC_DB: mysql
      KC_DB_URL: jdbc:mysql://cp-keycloak-database:3306/keycloak
      KC_DB_USERNAME: root
      KC_DB_PASSWORD: root
      KC_HOSTNAME: localhost
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin
    ports:
      - 8082:8080
    volumes:
      - ./data/local_stack/init.keycloak.json:/opt/keycloak/data/import/main-realm.json:ro
    entrypoint: "/opt/keycloak/bin/kc.sh start-dev --import-realm"

The output:

cp-keycloak_1           | 2022-05-05 14:07:26,801 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (development) mode
cp-keycloak_1           | 2022-05-05 14:07:26,802 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to import realm: Main-Realm
cp-keycloak_1           | 2022-05-05 14:07:26,803 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Script upload is disabled

Thanks

Stratiform answered 5/5, 2022 at 14:19 Comment(0)
21

This might be because inside your realm .json there are references to some configuration that uses the deprecated upload script feature.

Try to remove it, export the JSON, and then try to import it again (this time without the upload script feature).

From the comments (credits to jfrantzius): 

See here for what you either need to remove or replace in your realm-export.json: https://github.com/keycloak/keycloak/issues/11664#issuecomment-1111062102. We had to replace the entries, see also here: https://github.com/keycloak/keycloak/discussions/12041#discussioncomment-2768768

Leontine answered 5/5, 2022 at 14:33 Comment(1)
Thank you. Keycloak 20.x still creates a default policy pointing to 'Js'. Delete it in Client > Authorization > Policies. We can now import/export this setting.
Heshum
5

In my case it was enough to remove the empty code key from the default policy. Removing the policy as mentioned in the link from @dreamcrash made the import fail, since it was required by one of my clients.

I just changed this in the realm-export.json:

  {
    "id": "b56eebd7-8e73-4449-b110-30dfdbc77f03",
    "name": "Default Policy",
    "description": "A policy that grants access only for users within this realm",
    "type": "js",
    "logic": "POSITIVE",
    "decisionStrategy": "AFFIRMATIVE",
    "config": {
      "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
    }
  },

for:

  {
    "id": "b56eebd7-8e73-4449-b110-30dfdbc77f03",
    "name": "Default Policy",
    "description": "A policy that grants access only for users within this realm",
    "type": "js",
    "logic": "POSITIVE",
    "decisionStrategy": "AFFIRMATIVE",
    "config": {}
  },

PS: I'm using Keycloak 20.0.3.

Bondwoman answered 21/2, 2023 at 9:26 Comment(0)
0

For me, only changing the js policy to a regex policy worked for Keycloak 24.0.4, and it is cleaner for this Default Policy IMO.

  {
    "id": "b56eebd7-8e73-4449-b110-30dfdbc77f03",
    "name": "Default Policy",
    "description": "A policy that grants access only for users within this realm",
    "type": "js",
    "logic": "POSITIVE",
    "decisionStrategy": "AFFIRMATIVE",
    "config": {
      "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
    }
  },

for:

  {
    "id": "b56eebd7-8e73-4449-b110-30dfdbc77f03",
    "name": "Default Policy",
    "description": "A policy that grants access only for users within this realm",
    "type": "regex",
    "logic": "POSITIVE",
    "decisionStrategy": "AFFIRMATIVE",
    "config": {
      "targetContextAttributes" : "false",
      "pattern" : ".*",
      "targetClaim" : "sub"
    }
  },
Thrive answered 31/7, 2024 at 8:42 Comment(0)
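
A pre-import check for the problem the answers above describe, as an added example that is not part of any answer or of Keycloak itself: it walks a realm export, reports every entry with "type": "js", and lists which entries reference it through applyPolicies, so you can tell whether the entry can be removed or has to be rewritten. The sample export is constructed, and treating applyPolicies as a JSON list stored in a string is an assumption about the export format.

```python
import json

# Constructed sample: a trimmed realm export (not taken from the question).
SAMPLE_EXPORT = {
    "clients": [{
        "clientId": "example-client",
        "authorizationSettings": {"policies": [
            {"name": "Default Policy", "type": "js",
             "config": {"code": "$evaluation.grant();\n"}},
            {"name": "Default Permission", "type": "resource",
             "config": {"applyPolicies": "[\"Default Policy\"]"}},
        ]},
    }],
}

def find_js_policies(node, path="$"):
    """Return every object in the export whose "type" is "js", with its path."""
    hits = []
    if isinstance(node, dict):
        if node.get("type") == "js":
            hits.append({"path": path, "name": node.get("name"),
                         "inline_code": "code" in (node.get("config") or {})})
        for key, value in node.items():
            hits.extend(find_js_policies(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(find_js_policies(value, f"{path}[{index}]"))
    return hits

def find_dependents(node, policy_name):
    """Names of entries whose config.applyPolicies lists policy_name.
    Assumption: applyPolicies is a JSON-encoded list stored as a string."""
    found = []
    children = node.values() if isinstance(node, dict) else node
    if isinstance(node, dict) and isinstance(node.get("config"), dict):
        try:
            applied = json.loads(node["config"].get("applyPolicies") or "[]")
        except (TypeError, ValueError):
            applied = []
        if isinstance(applied, list) and policy_name in applied:
            found.append(node.get("name"))
    if isinstance(node, (dict, list)):
        for child in children:
            found.extend(find_dependents(child, policy_name))
    return found

if __name__ == "__main__":
    for hit in find_js_policies(SAMPLE_EXPORT):
        print(hit, "used by:", find_dependents(SAMPLE_EXPORT, hit["name"]))
```

To check a real file, replace SAMPLE_EXPORT with json.load() of your realm-export.json; a non-empty "used by" list means deleting the policy will break the import, as the second answer found.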
