dasniko / testcontainers-keycloak

A Testcontainer implementation for Keycloak IAM & SSO.
Apache License 2.0

java.nio.file.AccessDeniedException: /opt/keycloak/bin/../data/import/realm.json #137

Closed hohwille closed 2 months ago

hohwille commented 2 months ago

Describe the bug

When using withRealmImportFile, the realm file is copied into the container and then imported by Keycloak on startup. However, the copying uses default file attributes. As it turns out, this works for local development defaults but fails in our CI with this error:

INFO  [org.keycloak.exportimport.singlefile.SingleFileImportProvider] (main) Full importing from file /opt/keycloak/bin/../data/import/realm.json
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (development) mode
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: java.nio.file.AccessDeniedException: /opt/keycloak/bin/../data/import/realm.json
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: /opt/keycloak/bin/../data/import/realm.json

It took me a long time to be able to debug into the container inside the CI server, which is really tricky, but I figured out that the file permissions are wrong:

bash-5.1$ cd /opt/keycloak/data/import/
bash-5.1$ ls -la
total 84
drwxr-xr-x 2 root     root  4096 Apr 25 07:31 .
drwxrwxr-x 1 keycloak root  4096 Apr 25 07:31 ..
-rw---x--T 1 root     root 76050 Apr 22 17:00 realm.json

IMHO there are several problems:

Solution suggestion: So in your code where you create the MountableFile https://github.com/dasniko/testcontainers-keycloak/blob/3bf421ac8cf50eaeb1fc978444e2bc3506f38116/src/main/java/dasniko/testcontainers/keycloak/ExtendableKeycloakContainer.java#L194 you should provide the file permissions as 0777 to the MountableFile static factory method (be aware of the leading zero, which in Java is used for octal notation, causing a lot of confusion as 0777 != 777).

Version

3.3.0

Expected behavior

Keycloak will start up and not raise AccessDeniedException

Actual behavior

Keycloak causes this error and then immediately exits without starting up:

INFO  [org.keycloak.exportimport.singlefile.SingleFileImportProvider] (main) Full importing from file /opt/keycloak/bin/../data/import/realm.json
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (development) mode
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: java.nio.file.AccessDeniedException: /opt/keycloak/bin/../data/import/realm.json
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: /opt/keycloak/bin/../data/import/realm.json

How to Reproduce?

Good question. Probably test on a Linux OS and change your system default umask to something like 077 (umask 077).

Relevant log output

INFO  [org.keycloak.exportimport.singlefile.SingleFileImportProvider] (main) Full importing from file /opt/keycloak/bin/../data/import/realm.json
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (development) mode
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: java.nio.file.AccessDeniedException: /opt/keycloak/bin/../data/import/realm.json
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: /opt/keycloak/bin/../data/import/realm.json

Anything else?

No response

dasniko commented 2 months ago

@hohwille see #139. Does this solve your issue?

You are always welcome to also submit a PR with your suggested changes!

dasniko commented 2 months ago

But a 644 should also be sufficient. WDYT?
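
The mode question raised in this thread (the mode in the listing, 0777, 644 and the octal pitfall), worked through as an added example that is not part of the original issue or of the project's code. It uses only the JDK; the class name, the helper names and the uid/gid of the Keycloak process (1000/0) are assumptions made for illustration.

```java
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

public class RealmFileModeCheck {

    // Map the low nine mode bits to the JDK permission set. PosixFilePermission
    // is declared in the order OWNER_READ .. OTHERS_EXECUTE, i.e. bit 0400 down to 0001.
    static Set<PosixFilePermission> toPermissions(int mode) {
        PosixFilePermission[] order = PosixFilePermission.values();
        Set<PosixFilePermission> perms = EnumSet.noneOf(PosixFilePermission.class);
        for (int i = 0; i < order.length; i++) {
            if ((mode & (0400 >> i)) != 0) {
                perms.add(order[i]);
            }
        }
        return perms;
    }

    // Read check for a non-root process. Unix evaluates exactly one permission
    // class: owner if the uid matches, else group if the gid matches, else others.
    static boolean canRead(int mode, int fileUid, int fileGid, int procUid, int procGid) {
        if (procUid == fileUid) return (mode & 0400) != 0;
        if (procGid == fileGid) return (mode & 0040) != 0;
        return (mode & 0004) != 0;
    }

    static boolean worldWritable(int mode) {
        return (mode & 0002) != 0;
    }

    public static void main(String[] args) {
        // Constructed values: the file is root:root (uid 0, gid 0) as in the ls output
        // above; the process uid/gid 1000/0 is an assumption about the Keycloak image.
        int fileUid = 0, fileGid = 0, procUid = 1000, procGid = 0;
        // 01610 is -rw---x--T from the listing; 644 without a leading zero is a
        // decimal literal (octal 1204), not rw-r--r--.
        int[] modes = {01610, 0644, 0777, 644};
        for (int mode : modes) {
            System.out.printf("%5o %s readable=%b worldWritable=%b%n", mode,
                    PosixFilePermissions.toString(toPermissions(mode)),
                    canRead(mode, fileUid, fileGid, procUid, procGid),
                    worldWritable(mode));
        }
        // With Testcontainers the chosen mode is passed as the second argument, e.g.
        // MountableFile.forClasspathResource("realm.json", 0644).
    }
}
```

Under these assumptions 0644 is enough for the import to read the file without making it world-writable, whereas 0777 also grants write and execute to every user in the container.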