crossplane-contrib / provider-keycloak

Apache License 2.0

How to assign a client role of a built-in client to a user? #129

Open ckazimie opened 2 weeks ago

ckazimie commented 2 weeks ago

I am trying to assign a client role: manage-realm of the built-in client realm-management to a user that I have defined, however I cannot...

What is the proper way? I try to use Roles manifest:

apiVersion: user.keycloak.crossplane.io/v1alpha1
kind: Roles
metadata:
  name: test-roles
spec:
  forProvider:
    realmId: myrealm
    roleIdsRefs:
      - name: manage-realm
    userIdRef:
      name: testuser
  providerConfigRef:
    name: keycloak
Breee commented 2 weeks ago

Greetings,

there are different ways to do this. You could either reference the builtin role by its UUID or use the function / composition we wrote:

https://gitlab.com/corewire/images/crossplane/function-keycloak-builtin-objects

Which allows you to do something like that:

# Example for Master Realm
apiVersion: keycloak.crossplane.io/v1alpha1
kind: XBuiltinObjects
metadata:
  name: keycloak-builtin-clients-master
spec:
  providerConfigName: keycloak-provider-config
  providerSecretName: keycloak-credentials
  realm: master
  builtinClients: 
    - account
    - account-console
    - admin-cli
    - broker
    - master-realm
    - security-admin-console
  builtinRealmRoles:
    - offline_access
    - uma_authorization
    - admin
    - create-realm

and import everything you need as Observe Only resource into your cluster.
Then you can just reference them by name as you did before with roleIdsRefs.

b509 commented 1 week ago

Hi Breee,

Used your function (thank you for it!) but am facing the issue that no clients were imported even though the composition flags as ready and synced. From your provided example I only changed the keycloak URL to point to my in-cluster-url.

> kubectl describe xbuiltinobjects.keycloak.crossplane.io
Name:         keycloak-builtin-clients-master
Namespace:
Labels:       crossplane.io/composite=keycloak-builtin-clients-master
Annotations:  <none>
API Version:  keycloak.crossplane.io/v1alpha1
Kind:         XBuiltinObjects
Metadata:
  Creation Timestamp:  2024-07-09T16:03:09Z
  Finalizers:
    composite.apiextensions.crossplane.io
  Generation:        4
  Resource Version:  153138
  UID:               132e66b2-826d-46bf-8fdc-319ec39fd5bf
Spec:
  Builtin Clients:
    account
    account-console
    admin-cli
    broker
    master-realm
    security-admin-console
  Builtin Realm Roles:
    offline_access
    uma_authorization
    admin
    create-realm
  Composition Ref:
    Name:  keycloak-builtin-objects
  Composition Revision Ref:
    Name:                     keycloak-builtin-objects-57f2cc5
  Composition Update Policy:  Automatic
  Provider Config Name:       keycloak-provider-config
  Provider Secret Name:       keycloak-credentials
  Realm:                      master
  Resource Refs:
Status:
  Conditions:
    Last Transition Time:  2024-07-09T16:04:53Z
    Reason:                ReconcileSuccess
    Status:                True
    Type:                  Synced
    Last Transition Time:  2024-07-09T16:04:53Z
    Reason:                Available
    Status:                True
    Type:                  Ready
Events:
  Type     Reason             Age                   From                                                             Message
  ----     ------             ----                  ----                                                             -------
  Normal   SelectComposition  20m                   defined/compositeresourcedefinition.apiextensions.crossplane.io  Successfully selected composition: keycloak-builtin-objects
  Normal   SelectComposition  20m                   defined/compositeresourcedefinition.apiextensions.crossplane.io  Selected composition revision: keycloak-builtin-objects-57f2cc5
  Warning  ComposeResources   19m (x2 over 19m)     defined/compositeresourcedefinition.apiextensions.crossplane.io  cannot compose resources: cannot run Composition pipeline step "keycloak-builtin-objects": cannot run Function "function-keycloak-builtin-objects": rpc error: code = Unavailable desc = last resolver error: dns: A record lookup error: lookup function-keycloak-builtin-objects.crossplane-system on 10.43.0.10:53: server misbehaving
  Warning  ComposeResources   19m (x7 over 20m)     defined/compositeresourcedefinition.apiextensions.crossplane.io  cannot compose resources: cannot run Composition pipeline step "keycloak-builtin-objects": cannot run Function "function-keycloak-builtin-objects": rpc error: code = Unavailable desc = last resolver error: produced zero addresses
  Normal   ComposeResources   3m57s (x17 over 19m)  defined/compositeresourcedefinition.apiextensions.crossplane.io  Successfully composed resources

but

> kubectl get clients.openidclient.keycloak.crossplane.io 
No resources found

Any pointer what I could try/did wrong?

Breee commented 1 week ago

What does the function log? / What does your connection config look like?
Also: make sure to use the latest versions

b509 commented 1 week ago

{"tag": "", "level": "error", "filename": "fn.py", "lineno": 221, "ts": 1720590740.901584, "msg": "Could not find matching secret for providerSecretName: keycloak-credentials"}
Thanks for the hint, hadn't realized that the function was a new pod. Could you adapt the example maybe? The secret is called keycloak-credentials-one, but later referenced by keycloak-credentials

However now I have this log in the builtin-objects function

{"tag": "", "level": "info", "filename": "fn.py", "lineno": 203, "ts": 1720593736.9110928, "msg": "Running function"}
Traceback (most recent call last):
File "src/python/grpcio/grpc/_cython/_cygrpc/aio/server.pyx.pxi", line 729, in grpc._cython.cygrpc._handle_exceptions
File "src/python/grpcio/grpc/_cython/_cygrpc/aio/callback_common.pyx.pxi", line 185, in _send_error_status_from_server
File "src/python/grpcio/grpc/_cython/_cygrpc/aio/callback_common.pyx.pxi", line 99, in execute_batch
grpc._cython.cygrpc.ExecuteBatchError: Failed "execute_batch": (<grpc._cython.cygrpc.SendInitialMetadataOperation object at 0x7f26d34972e0>, <grpc._cytho 

Connection details for test env:

apiVersion: v1
kind: Secret
metadata:
  name: keycloak-credentials
  namespace: crossplane-system
  labels:
    type: provider-credentials
type: Opaque
stringData:
  credentials: |
    {
      "client_id":"admin-cli",
      "username": "admin",
      "password": "admin",
      "url": "http://keycloak-keycloakx-http.default.svc.cluster.local:8080",
      "base_path": "/auth",
      "realm": "master"
    }

Versions of the functions are:

b509 commented 17 hours ago

@Breee do you have any idea what could be the cause of the grpc call failing?

Breee commented 17 hours ago

Hey man, I will look into it soon. Can you also send me the full composition / XR please?
Also: can you please describe on the XR, it should also log something in its events

b509 commented 11 hours ago

Nice question from you to get me on the right track. The XR logged a timeout, which made me have another look at the connection details in the provider-credentials, and it seems like I had the wrong port.

In case anybody has similar troubles in the future: This is the event in the XR which was logged upon executing kubectl describe xbuiltinobjects.keycloak.crossplane.io

Warning  ComposeResources  4m50s (x281 over 5h7m)  defined/compositeresourcedefinition.apiextensions.crossplane.io  cannot compose resources: cannot run Composition pipeline step "keycloak-builtin-objects": cannot run Function "function-keycloak-builtin-objects": rpc error: code = DeadlineExceeded desc = Deadline Exceeded

Thank you for the support. Great feature!
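A pre-flight check for the two misconfigurations this thread ran into (the XR naming a secret that does not exist under that exact name, and a credentials URL with the wrong or missing port that only surfaces as DeadlineExceeded). This is an added example, not code from the issue, the provider or the builtin-objects function; the manifests are constructed copies of the ones posted above and the check itself is hypothetical, not something the function performs.

```python
import json
from urllib.parse import urlsplit

# Constructed copies of the two objects from the thread: the XBuiltinObjects
# composite and the provider-credentials Secret its providerSecretName names.
XR = {
    "kind": "XBuiltinObjects",
    "spec": {"providerConfigName": "keycloak-provider-config",
             "providerSecretName": "keycloak-credentials", "realm": "master"},
}
SECRET = {
    "kind": "Secret",
    "metadata": {"name": "keycloak-credentials", "namespace": "crossplane-system"},
    "stringData": {"credentials": json.dumps({
        "client_id": "admin-cli", "username": "admin", "password": "admin",
        "url": "http://keycloak-keycloakx-http.default.svc.cluster.local:8080",
        "base_path": "/auth", "realm": "master"})},
}
REQUIRED = ("client_id", "username", "password", "url", "realm")


def find_secret(secrets, name, namespace="crossplane-system"):
    """Exact-name lookup, mirroring the 'Could not find matching secret' log above."""
    for s in secrets:
        if s["metadata"]["name"] == name and s["metadata"].get("namespace") == namespace:
            return s
    return None


def check(xr, secrets):
    """Return a list of problems; an empty list means the XR/Secret pair is consistent."""
    name = xr["spec"]["providerSecretName"]
    secret = find_secret(secrets, name)
    # Failure 1 from the thread: keycloak-credentials-one vs keycloak-credentials.
    if secret is None:
        return [f"no secret named {name!r} in crossplane-system"]
    try:
        creds = json.loads(secret["stringData"]["credentials"])
    except (KeyError, ValueError) as exc:
        return [f"credentials are not a JSON document: {exc}"]
    problems = [f"credentials missing {k!r}" for k in REQUIRED if k not in creds]
    # Failure 2 from the thread: a wrong port surfaces only as DeadlineExceeded
    # in the XR events, so insist the URL is well formed and names its port.
    url = urlsplit(creds.get("url", ""))
    if url.scheme not in ("http", "https") or not url.hostname:
        problems.append(f"url must be http(s)://host[:port], got {creds.get('url')!r}")
    elif url.port is None:
        problems.append("url has no explicit port (http defaults to 80); state Keycloak's port")
    return problems
```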