fix: expose bootstrap-admin-* options (#32241)

* fix: expose bootstrap-admin-* options

closes: #32176

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* Update quarkus/config-api/src/main/java/org/keycloak/config/BootstrapAdminOptions.java

Co-authored-by: Martin Bartoš <mabartos@redhat.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>

---------

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
Steven Hawkins 2024-08-21 09:52:38 -04:00 committed by GitHub
parent 6ab3b98743
commit d9a92f5de3
16 changed files with 206 additions and 30 deletions


@ -1,35 +1,39 @@
package org.keycloak.config;
public class BootstrapAdminOptions {
public static final String DEFAULT_TEMP_ADMIN_USERNAME = "temp-admin";
public static final String DEFAULT_TEMP_ADMIN_SERVICE = DEFAULT_TEMP_ADMIN_USERNAME;
public static final int DEFAULT_TEMP_ADMIN_EXPIRATION = 120;
private static final String USED_ONLY_WHEN = " Used only when the master realm is created.";
private static final String NON_CLI = " Use a non-CLI configuration option for this option if possible.";
public static final Option<String> PASSWORD = new OptionBuilder<>("bootstrap-admin-password", String.class)
.category(OptionCategory.BOOTSTRAP_ADMIN)
.description("Bootstrap admin password")
.hidden()
.description("Temporary bootstrap admin password." + USED_ONLY_WHEN + NON_CLI)
.build();
public static final Option<String> USERNAME = new OptionBuilder<>("bootstrap-admin-username", String.class)
.category(OptionCategory.BOOTSTRAP_ADMIN)
.description("Username of the bootstrap admin")
.hidden()
.description("Temporary bootstrap admin username." + USED_ONLY_WHEN)
.defaultValue(DEFAULT_TEMP_ADMIN_USERNAME)
.build();
public static final Option<Integer> EXPIRATION = new OptionBuilder<>("bootstrap-admin-expiration", Integer.class)
.category(OptionCategory.BOOTSTRAP_ADMIN)
.description("Time in minutes for the bootstrap admin user to expire.")
.description("Time in minutes for the bootstrap admin user to expire." + USED_ONLY_WHEN)
.hidden()
.build();
public static final Option<String> CLIENT_ID = new OptionBuilder<>("bootstrap-admin-client-id", String.class)
.category(OptionCategory.BOOTSTRAP_ADMIN)
.description("Client id for the admin service")
.hidden()
.description("Client id for the temporary bootstrap admin service account." + USED_ONLY_WHEN)
.defaultValue(DEFAULT_TEMP_ADMIN_SERVICE)
.build();
public static final Option<String> CLIENT_SECRET = new OptionBuilder<>("bootstrap-admin-client-secret", String.class)
.category(OptionCategory.BOOTSTRAP_ADMIN)
.description("Client secret for the admin service")
.hidden()
.description("Client secret for the temporary bootstrap admin service account." + USED_ONLY_WHEN + NON_CLI)
.build();
}
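Review bot: EXPIRATION (the option built from `bootstrap-admin-expiration`) keeps `.hidden()` and receives no `.defaultValue(DEFAULT_TEMP_ADMIN_EXPIRATION)`, whereas USERNAME and CLIENT_ID now have their defaults wired, so the constant is declared here but nothing in the hunk reads it. If expiration is deliberately not exposed yet, a comment above that option such as `// Not exposed yet: expiration is not consumed by ApplianceBootstrap` would keep the next reader from unhiding it. A short class Javadoc stating that PASSWORD and CLIENT_SECRET are expected to be masked wherever the option values are echoed would also document the security expectation next to the options themselves.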


@ -18,11 +18,11 @@
package org.keycloak.quarkus.runtime.cli.command;
import org.keycloak.common.util.IoUtils;
import org.keycloak.config.BootstrapAdminOptions;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.quarkus.runtime.cli.PropertyException;
import org.keycloak.quarkus.runtime.integration.jaxrs.QuarkusKeycloakApplication;
import org.keycloak.services.managers.ApplianceBootstrap;
import org.keycloak.services.resources.KeycloakApplication;
import picocli.CommandLine.ArgGroup;
@ -38,7 +38,7 @@ public class BootstrapAdminService extends AbstractNonServerCommand {
static class ClientIdOptions {
@Option(names = { "--client-id" }, description = "Client id, defaults to "
+ ApplianceBootstrap.DEFAULT_TEMP_ADMIN_SERVICE)
+ BootstrapAdminOptions.DEFAULT_TEMP_ADMIN_SERVICE)
String clientId;
@Option(names = { "--client-id:env" }, description = "Environment variable name for the client id")
@ -69,7 +69,7 @@ public class BootstrapAdminService extends AbstractNonServerCommand {
clientId = clientIdOptions.clientId;
}
} else if (!bootstrap.noPrompt) {
clientId = IoUtils.readLineFromConsole("client id", ApplianceBootstrap.DEFAULT_TEMP_ADMIN_SERVICE);
clientId = IoUtils.readLineFromConsole("client id", BootstrapAdminOptions.DEFAULT_TEMP_ADMIN_SERVICE);
}
if (clientSecretEnv == null) {
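Review bot: The `import org.keycloak.services.managers.ApplianceBootstrap;` line is kept although both references visible in these hunks now go through `BootstrapAdminOptions`; if nothing outside the hunks still uses that class, the import is dead and should be dropped. The same applies to the BootstrapAdminUser section below. The enclosing class bodies continue outside the hunks.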


@ -18,11 +18,11 @@
package org.keycloak.quarkus.runtime.cli.command;
import org.keycloak.common.util.IoUtils;
import org.keycloak.config.BootstrapAdminOptions;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.quarkus.runtime.cli.PropertyException;
import org.keycloak.quarkus.runtime.integration.jaxrs.QuarkusKeycloakApplication;
import org.keycloak.services.managers.ApplianceBootstrap;
import org.keycloak.services.resources.KeycloakApplication;
import picocli.CommandLine.ArgGroup;
@ -38,7 +38,7 @@ public class BootstrapAdminUser extends AbstractNonServerCommand {
static class UsernameOptions {
@Option(names = { "--username" }, description = "Username of admin user, defaults to "
+ ApplianceBootstrap.DEFAULT_TEMP_ADMIN_USERNAME)
+ BootstrapAdminOptions.DEFAULT_TEMP_ADMIN_USERNAME)
String username;
@Option(names = { "--username:env" }, description = "Environment variable name for the admin username")
@ -69,7 +69,7 @@ public class BootstrapAdminUser extends AbstractNonServerCommand {
username = usernameOptions.username;
}
} else if (!bootstrap.noPrompt) {
username = IoUtils.readLineFromConsole("username", ApplianceBootstrap.DEFAULT_TEMP_ADMIN_USERNAME);
username = IoUtils.readLineFromConsole("username", BootstrapAdminOptions.DEFAULT_TEMP_ADMIN_USERNAME);
}
if (passwordEnv == null) {


@ -18,6 +18,7 @@
package org.keycloak.quarkus.runtime.configuration.mappers;
import org.keycloak.config.BootstrapAdminOptions;
import org.keycloak.quarkus.runtime.cli.PropertyException;
import static org.keycloak.quarkus.runtime.configuration.Configuration.getOptionalKcValue;
import static org.keycloak.quarkus.runtime.configuration.mappers.PropertyMapper.fromOption;
@ -30,25 +31,36 @@ public final class BootstrapAdminPropertyMappers {
private BootstrapAdminPropertyMappers() {
}
// We prefer validators here to isEnabled so that the options show up in help
public static PropertyMapper<?>[] getMappers() {
return new PropertyMapper[]{
fromOption(BootstrapAdminOptions.USERNAME)
.paramLabel("username")
.isEnabled(BootstrapAdminPropertyMappers::isPasswordSet, PASSWORD_SET)
.validator((mapper, value) -> {
if (!isPasswordSet()) {
throw new PropertyException(mapper.getOption().getKey() + " available only when " + PASSWORD_SET);
}
})
.build(),
fromOption(BootstrapAdminOptions.PASSWORD)
.paramLabel("password")
.isMasked(true)
.build(),
fromOption(BootstrapAdminOptions.EXPIRATION)
/*fromOption(BootstrapAdminOptions.EXPIRATION)
.paramLabel("expiration")
.isEnabled(BootstrapAdminPropertyMappers::isPasswordSet, PASSWORD_SET)
.build(),
.build(),*/
fromOption(BootstrapAdminOptions.CLIENT_ID)
.paramLabel("client id")
.isEnabled(BootstrapAdminPropertyMappers::isClientSecretSet, CLIENT_SECRET_SET)
.validator((mapper, value) -> {
if (!isClientSecretSet()) {
throw new PropertyException(mapper.getOption().getKey() + " available only when " + CLIENT_SECRET_SET);
}
})
.build(),
fromOption(BootstrapAdminOptions.CLIENT_SECRET)
.paramLabel("client secret")
.isMasked(true)
.build(),
};
}
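Review bot: The EXPIRATION mapper is left as commented-out code (`/*fromOption(BootstrapAdminOptions.EXPIRATION) … .build(),*/`) rather than removed; delete it, or replace it with a one-line `// TODO: re-enable once expiration is consumed by ApplianceBootstrap` so the intent survives without dead code. Also worth confirming: USERNAME now carries a default value in BootstrapAdminOptions, and the new validator throws PropertyException whenever the password is unset — if validators are also applied to defaulted values, a server started without `bootstrap-admin-password` would fail on that validator, so that path deserves a quick check. The enclosing class continues outside the hunk.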


@ -158,4 +158,20 @@ Export:
--users-per-file <number>
Set the number of users per file. It is used only if 'users' is set to
'different_files'. Increasing this number leads to exponentially increasing
export times. Default: 50.
export times. Default: 50.
Bootstrap Admin:
--bootstrap-admin-client-id <client id>
Client id for the temporary bootstrap admin service account. Used only when
the master realm is created. Default: temp-admin.
--bootstrap-admin-client-secret <client secret>
Client secret for the temporary bootstrap admin service account. Used only
when the master realm is created. Use a non-CLI configuration option for
this option if possible.
--bootstrap-admin-password <password>
Temporary bootstrap admin password. Used only when the master realm is
created. Use a non-CLI configuration option for this option if possible.
--bootstrap-admin-username <username>
Temporary bootstrap admin username. Used only when the master realm is
created. Default: temp-admin.


@ -262,4 +262,20 @@ Export:
--users-per-file <number>
Set the number of users per file. It is used only if 'users' is set to
'different_files'. Increasing this number leads to exponentially increasing
export times. Default: 50.
export times. Default: 50.
Bootstrap Admin:
--bootstrap-admin-client-id <client id>
Client id for the temporary bootstrap admin service account. Used only when
the master realm is created. Default: temp-admin.
--bootstrap-admin-client-secret <client secret>
Client secret for the temporary bootstrap admin service account. Used only
when the master realm is created. Use a non-CLI configuration option for
this option if possible.
--bootstrap-admin-password <password>
Temporary bootstrap admin password. Used only when the master realm is
created. Use a non-CLI configuration option for this option if possible.
--bootstrap-admin-username <username>
Temporary bootstrap admin username. Used only when the master realm is
created. Default: temp-admin.


@ -152,4 +152,20 @@ Import:
--file <file> Set the path to a file that will be read.
--override <true|false>
Set if existing data should be overwritten. If set to false, data will be
ignored. Default: true.
ignored. Default: true.
Bootstrap Admin:
--bootstrap-admin-client-id <client id>
Client id for the temporary bootstrap admin service account. Used only when
the master realm is created. Default: temp-admin.
--bootstrap-admin-client-secret <client secret>
Client secret for the temporary bootstrap admin service account. Used only
when the master realm is created. Use a non-CLI configuration option for
this option if possible.
--bootstrap-admin-password <password>
Temporary bootstrap admin password. Used only when the master realm is
created. Use a non-CLI configuration option for this option if possible.
--bootstrap-admin-username <username>
Temporary bootstrap admin username. Used only when the master realm is
created. Default: temp-admin.


@ -256,4 +256,20 @@ Import:
--file <file> Set the path to a file that will be read.
--override <true|false>
Set if existing data should be overwritten. If set to false, data will be
ignored. Default: true.
ignored. Default: true.
Bootstrap Admin:
--bootstrap-admin-client-id <client id>
Client id for the temporary bootstrap admin service account. Used only when
the master realm is created. Default: temp-admin.
--bootstrap-admin-client-secret <client secret>
Client secret for the temporary bootstrap admin service account. Used only
when the master realm is created. Use a non-CLI configuration option for
this option if possible.
--bootstrap-admin-password <password>
Temporary bootstrap admin password. Used only when the master realm is
created. Use a non-CLI configuration option for this option if possible.
--bootstrap-admin-username <username>
Temporary bootstrap admin username. Used only when the master realm is
created. Default: temp-admin.


@ -294,6 +294,22 @@ Security:
feature is enabled. Possible values are: non-strict, strict. Default:
disabled.
Bootstrap Admin:
--bootstrap-admin-client-id <client id>
Client id for the temporary bootstrap admin service account. Used only when
the master realm is created. Default: temp-admin.
--bootstrap-admin-client-secret <client secret>
Client secret for the temporary bootstrap admin service account. Used only
when the master realm is created. Use a non-CLI configuration option for
this option if possible.
--bootstrap-admin-password <password>
Temporary bootstrap admin password. Used only when the master realm is
created. Use a non-CLI configuration option for this option if possible.
--bootstrap-admin-username <username>
Temporary bootstrap admin username. Used only when the master realm is
created. Default: temp-admin.
Do NOT start the server using this command when deploying to production.
Use 'kc.sh start-dev --help-all' to list all available options, including build


@ -470,6 +470,22 @@ Security:
feature is enabled. Possible values are: non-strict, strict. Default:
disabled.
Bootstrap Admin:
--bootstrap-admin-client-id <client id>
Client id for the temporary bootstrap admin service account. Used only when
the master realm is created. Default: temp-admin.
--bootstrap-admin-client-secret <client secret>
Client secret for the temporary bootstrap admin service account. Used only
when the master realm is created. Use a non-CLI configuration option for
this option if possible.
--bootstrap-admin-password <password>
Temporary bootstrap admin password. Used only when the master realm is
created. Use a non-CLI configuration option for this option if possible.
--bootstrap-admin-username <username>
Temporary bootstrap admin username. Used only when the master realm is
created. Default: temp-admin.
Do NOT start the server using this command when deploying to production.
Use 'kc.sh start-dev --help-all' to list all available options, including build


@ -295,6 +295,22 @@ Security:
feature is enabled. Possible values are: non-strict, strict. Default:
disabled.
Bootstrap Admin:
--bootstrap-admin-client-id <client id>
Client id for the temporary bootstrap admin service account. Used only when
the master realm is created. Default: temp-admin.
--bootstrap-admin-client-secret <client secret>
Client secret for the temporary bootstrap admin service account. Used only
when the master realm is created. Use a non-CLI configuration option for
this option if possible.
--bootstrap-admin-password <password>
Temporary bootstrap admin password. Used only when the master realm is
created. Use a non-CLI configuration option for this option if possible.
--bootstrap-admin-username <username>
Temporary bootstrap admin username. Used only when the master realm is
created. Default: temp-admin.
By default, this command tries to update the server configuration by running a
'build' before starting the server. You can disable this behavior by using the
'--optimized' option:


@ -471,6 +471,22 @@ Security:
feature is enabled. Possible values are: non-strict, strict. Default:
disabled.
Bootstrap Admin:
--bootstrap-admin-client-id <client id>
Client id for the temporary bootstrap admin service account. Used only when
the master realm is created. Default: temp-admin.
--bootstrap-admin-client-secret <client secret>
Client secret for the temporary bootstrap admin service account. Used only
when the master realm is created. Use a non-CLI configuration option for
this option if possible.
--bootstrap-admin-password <password>
Temporary bootstrap admin password. Used only when the master realm is
created. Use a non-CLI configuration option for this option if possible.
--bootstrap-admin-username <username>
Temporary bootstrap admin username. Used only when the master realm is
created. Default: temp-admin.
By default, this command tries to update the server configuration by running a
'build' before starting the server. You can disable this behavior by using the
'--optimized' option:


@ -237,6 +237,22 @@ Truststore:
List of pkcs12 (p12 or pfx file extensions), PEM files, or directories
containing those files that will be used as a system truststore.
Bootstrap Admin:
--bootstrap-admin-client-id <client id>
Client id for the temporary bootstrap admin service account. Used only when
the master realm is created. Default: temp-admin.
--bootstrap-admin-client-secret <client secret>
Client secret for the temporary bootstrap admin service account. Used only
when the master realm is created. Use a non-CLI configuration option for
this option if possible.
--bootstrap-admin-password <password>
Temporary bootstrap admin password. Used only when the master realm is
created. Use a non-CLI configuration option for this option if possible.
--bootstrap-admin-username <username>
Temporary bootstrap admin username. Used only when the master realm is
created. Default: temp-admin.
By default, this command tries to update the server configuration by running a
'build' before starting the server. You can disable this behavior by using the
'--optimized' option:


@ -403,6 +403,22 @@ Truststore:
List of pkcs12 (p12 or pfx file extensions), PEM files, or directories
containing those files that will be used as a system truststore.
Bootstrap Admin:
--bootstrap-admin-client-id <client id>
Client id for the temporary bootstrap admin service account. Used only when
the master realm is created. Default: temp-admin.
--bootstrap-admin-client-secret <client secret>
Client secret for the temporary bootstrap admin service account. Used only
when the master realm is created. Use a non-CLI configuration option for
this option if possible.
--bootstrap-admin-password <password>
Temporary bootstrap admin password. Used only when the master realm is
created. Use a non-CLI configuration option for this option if possible.
--bootstrap-admin-username <username>
Temporary bootstrap admin username. Used only when the master realm is
created. Default: temp-admin.
By default, this command tries to update the server configuration by running a
'build' before starting the server. You can disable this behavior by using the
'--optimized' option:


@ -246,7 +246,10 @@
<groupId>org.keycloak</groupId>
<artifactId>keycloak-model-storage-private</artifactId>
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-config-api</artifactId>
</dependency>
</dependencies>
<build>
<plugins>
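Review bot: The new `keycloak-config-api` dependency appears to be added so that the services module can read two string constants from BootstrapAdminOptions; if that direction of dependency (services depending on the config API) is new, a comment on the element such as `<!-- shared bootstrap-admin defaults, see BootstrapAdminOptions -->` would make the coupling deliberate rather than incidental. The module this pom belongs to is inferred from the ApplianceBootstrap change and is not visible in the section.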


@ -19,6 +19,7 @@ package org.keycloak.services.managers;
import org.keycloak.Config;
import org.keycloak.common.Version;
import org.keycloak.common.enums.SslRequired;
import org.keycloak.config.BootstrapAdminOptions;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientModel;
import org.keycloak.models.Constants;
@ -45,10 +46,6 @@ import static org.keycloak.models.Constants.IS_TEMP_ADMIN_ATTR_NAME;
*/
public class ApplianceBootstrap {
public static final String DEFAULT_TEMP_ADMIN_USERNAME = "temp-admin";
public static final String DEFAULT_TEMP_ADMIN_SERVICE = "temp-admin";
public static final int DEFAULT_TEMP_ADMIN_EXPIRATION = 120;
private final KeycloakSession session;
public ApplianceBootstrap(KeycloakSession session) {
@ -127,7 +124,7 @@ public class ApplianceBootstrap {
RealmModel realm = session.realms().getRealmByName(Config.getAdminRealm());
session.getContext().setRealm(realm);
username = StringUtil.isBlank(username) ? DEFAULT_TEMP_ADMIN_USERNAME : username;
username = StringUtil.isBlank(username) ? BootstrapAdminOptions.DEFAULT_TEMP_ADMIN_USERNAME : username;
//expriationMinutes = expriationMinutes == null ? DEFAULT_TEMP_ADMIN_EXPIRATION : expriationMinutes;
if (initialUser && session.users().getUsersCount(realm) > 0) {
@ -165,7 +162,7 @@ public class ApplianceBootstrap {
RealmModel realm = session.realms().getRealmByName(Config.getAdminRealm());
session.getContext().setRealm(realm);
clientId = StringUtil.isBlank(clientId) ? DEFAULT_TEMP_ADMIN_SERVICE : clientId;
clientId = StringUtil.isBlank(clientId) ? BootstrapAdminOptions.DEFAULT_TEMP_ADMIN_SERVICE : clientId;
//expriationMinutes = expriationMinutes == null ? DEFAULT_TEMP_ADMIN_EXPIRATION : expriationMinutes;
ClientRepresentation adminClient = new ClientRepresentation();
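Review bot: The two commented-out lines `//expriationMinutes = expriationMinutes == null ? DEFAULT_TEMP_ADMIN_EXPIRATION : expriationMinutes;` still name DEFAULT_TEMP_ADMIN_EXPIRATION, which this hunk removes from ApplianceBootstrap, so the dead code is now also stale (and carries the `expriation` typo). Either delete both lines or rewrite them as a TODO that names `BootstrapAdminOptions.DEFAULT_TEMP_ADMIN_EXPIRATION` so a future reader knows where the default now lives. Both enclosing methods start and end outside the hunk.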