Import Realm in Keycloak 18.0.0 - failed

See original GitHub issue

Describe the bug

I’m using a Docker image and I uploaded the realm.json to /opt/keycloak/data/import to get the nice auto-import functionality. When I now add --import-realm to start, I get:

2022-04-26 08:28:56,195 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (production) mode
2022-04-26 08:28:56,195 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to import realm: myrealm
2022-04-26 08:28:56,195 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Script upload is disabled

which confuses me, because Script Upload should be removed (why is import using that?) and doesn’t work. Without the --import-realm all works fine.

Reference to documentation: https://www.keycloak.org/server/importExport

Version

18.0.0

Expected behavior

To import the realms automatically from the data/import location.

Actual behavior

Gives an error

How to Reproduce?

  1. Create a Dockerfile
  2. Add a realm.json to the path
  3. Build Keycloak in the Dockerfile
  4. Build the Dockerfile
  5. Start the container

Anything else?

No response

Issue Analytics

  • State: closed
  • Created a year ago
  • Reactions: 1
  • Comments: 13 (6 by maintainers)

Top GitHub Comments

38 reactions
stefanmaric commented, Apr 27, 2022

> @edwint88 Is your realm declaring providers that rely on scripts such as mappers, authenticators, or policies?

I had the same issue and based on your feedback I searched and found I had these policies for one of the realm clients:

"policies": [
  {
    "id": "b56eebd7-8e73-4449-b110-30dfdbc77f03",
    "name": "Default Policy",
    "description": "A policy that grants access only for users within this realm",
    "type": "js",
    "logic": "POSITIVE",
    "decisionStrategy": "AFFIRMATIVE",
    "config": {
      "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
    }
  },
  { ... },
  {
    "id": "1428ae4c-b767-41b9-aaf9-bd8b0d8497e2",
    "name": "Default Permission",
    "description": "A permission that applies to the default resource type",
    "type": "resource",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "config": {
      "defaultResourceType": "urn:api:resources:default",
      "applyPolicies": "[\"Default Policy\"]"
    }
  },
  {...}
]

I checked and these were not referenced anywhere else so I proceeded to delete them and it worked.

I guess it was created automatically by a previous version of KC.

For anyone else experiencing the same issue: search for "type": "js" to pin-point the root cause in the realm export file.

3 reactions
edwint88 commented, Apr 27, 2022

> @edwint88 Is your realm declaring providers that rely on scripts such as mappers, authenticators, or policies?
>
> If so, the realm configuration is now invalid and you should not be able to import. See the note here about the removal of the upload-scripts feature.

We have an Authenticator, but not a JavaScript one. It’s a simple Java SPI that we add through .jar in /opt/keycloak/providers and then, yes, configured in the realm.json. Is this affected too?

LE: thanks for the "type": "js" hint! We got a default policy that we didn’t create; I’ll check without that in the config.

{
  "id": "cf9f7684-45c2-4bcd-89a5-38c2a41b55fd",
  "name": "Default Policy",
  "description": "A policy that grants access only for users within this realm",
  "type": "js",
  "logic": "POSITIVE",
  "decisionStrategy": "AFFIRMATIVE",
  "config": {
    "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
  }
}

That was the problem! So when I created a dummy confidential client in 17.0.1 the Default JS policies were activated!
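
The "search for "type": "js"" tip from the comments above, as an added example that is not part of the original thread or of Keycloak's code: it walks a realm export, reports every script-based policy with its JSON path, and lists the entries in the same policies array that name it in applyPolicies (as Default Permission does in the fragment quoted earlier). The sample realm is constructed, and the clientId and authorizationSettings keys around the policies array are assumptions.

```python
import json

# Constructed sample mirroring the policy fragments quoted in the thread;
# "clientId" and "authorizationSettings" are assumed surrounding keys.
SAMPLE_REALM = {"realm": "myrealm", "clients": [{
    "clientId": "example-client",
    "authorizationSettings": {"policies": [
        {"name": "Default Policy", "type": "js",
         "config": {"code": "$evaluation.grant();\n"}},
        {"name": "Default Permission", "type": "resource",
         "config": {"applyPolicies": "[\"Default Policy\"]"}},
    ]}}]}


def policy_lists(node, path="$"):
    """Yield (json_path, list) for every "policies" array in the export."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "policies" and isinstance(value, list):
                yield f"{path}.{key}", value
            yield from policy_lists(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from policy_lists(value, f"{path}[{i}]")


def applied_names(policy):
    """Decode config.applyPolicies, stored as a JSON list inside a string."""
    try:
        names = json.loads(policy["config"]["applyPolicies"])
    except (KeyError, TypeError, ValueError):
        return []
    return names if isinstance(names, list) else []


def find_js_policies(realm):
    """Return [(json_path, js policy name, [names of entries applying it])]."""
    findings = []
    for path, policies in policy_lists(realm):
        for i, policy in enumerate(policies):
            if isinstance(policy, dict) and policy.get("type") == "js":
                users = [p.get("name") for p in policies if isinstance(p, dict)
                         and policy.get("name") in applied_names(p)]
                findings.append((f"{path}[{i}]", policy.get("name"), users))
    return findings


if __name__ == "__main__":
    print(find_js_policies(SAMPLE_REALM))
```

To check a real export, pass `json.load(open(...))` of the realm file to `find_js_policies` before placing it in the import directory.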
