Problem Statement
The PR https://github.com/adorsys/keycloak-config-cli/pull/650 added support for Client Permissions, which are defined on the client "realm-management" and define permissions for various clients.
In our realm, we are using permissions, but not only for Clients but also for Identity Providers, Roles and Groups.
Similar to Clients, the Permissions and Policies for IdPs, Roles and Groups are stored in a format which includes the internal UUID of the object. This is a problem, as the UUID is not known before the object is created by the cli.
I'm attaching a realm showcasing all three types of Permissions and Roles: realm-fine-grained-perms.zip
The format seems to be like this:
Identity Provider:
Key is Identity Provider internalId
Resource name: idp.resource.<internalId>
Policy name: <scope>.permission.idp.<internalId>
Role:
Key is role id
Resource name: role.resource.<role id>
Policy name: <scope>.permission.<role id>
(interestingly, the policy name in my export does not contain the "role." segment as one might expect)
Group:
Key is group id
Resource name: group.resource.<group id>
Policy name: <scope>.permission.group.<group id>
Proposed Solution
The PR https://github.com/adorsys/keycloak-config-cli/pull/650 solved the problem for Clients by introducing a replacement rule for Resource names:
For example, in the Cli test, there is a Resource named "client.resource.$z-fine-grained-permission-client-without-id", which is interpreted by the importer as: find a client with clientId "z-fine-grained-permission-client-without-id" and replace the variable in the resource name with its internal UUID.
I am proposing to give a similar treatment to IdPs, Roles and Groups:
idp.resource.$myoidc -> Find IdP by alias and replace with internalId
role.resource.$test role -> Find role by name and replace with id
group.resource.$/test group/test subgroup -> Find group by path and replace with id
(Unfortunately, Role and Group names may contain whitespaces.)
Environment
Additional information
No response
Acceptance Criteria
No response
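A small model of the replacement rule proposed above, added here as an example (it is not code from keycloak-config-cli); the realm objects and their ids are constructed, and the lookup tables stand in for the cli's queries against Keycloak. It treats everything after the "$" as the lookup key, so role names with whitespace and group paths with "/" resolve intact.

```python
import re

# Constructed sample realm objects standing in for what the cli would look up in
# Keycloak; the ids are made up for this example.
CLIENTS = {"z-fine-grained-permission-client-without-id": "0c7c0b1e-client-uuid"}
IDPS = {"myoidc": "d4e1a9f2-idp-internal-id"}
ROLES = {"test role": "7b2f3c44-role-id"}
GROUPS = {"/test group/test subgroup": "91ab5e60-group-id"}

# Resource-name prefix -> (lookup table, name of the lookup key, as proposed above).
LOOKUPS = {
    "client": (CLIENTS, "clientId"),
    "idp": (IDPS, "alias"),
    "role": (ROLES, "name"),
    "group": (GROUPS, "path"),
}

# Only a "$" directly after "<type>.resource." marks a placeholder; the whole
# remainder is the key, so spaces and slashes inside names are preserved.
PLACEHOLDER = re.compile(r"^(?P<type>[a-z]+)\.resource\.\$(?P<key>.+)$")


def resolve_resource_name(name: str) -> str:
    """Replace "<type>.resource.$<key>" with "<type>.resource.<internal id>".

    Names without a placeholder (already an id, or not a fine-grained
    permission resource at all) are returned unchanged.
    """
    match = PLACEHOLDER.match(name)
    if match is None:
        return name
    obj_type, key = match.group("type"), match.group("key")
    if obj_type not in LOOKUPS:
        raise ValueError(f"placeholders are not supported for resource type {obj_type!r}")
    table, key_kind = LOOKUPS[obj_type]
    if key not in table:
        # Fail the import instead of writing a dangling resource name into the realm.
        raise LookupError(f"no {obj_type} with {key_kind} {key!r} exists in the realm")
    return f"{obj_type}.resource.{table[key]}"


def resolve_all(names):
    """Resolve every resource name of a permissions export in one pass."""
    return [resolve_resource_name(n) for n in names]
```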