Remove administrator credentials from files once keycloak is bootstrapped #197
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hwo-wd
force-pushed
the
feature/190_remove_KEYCLOAK_ADMIN_envs
branch
from
bc12f44 to
0c99f6d
Compare
guidograzioli
added
the
minor_changes
|
I like the general mechanic of the changeset; let me review it thru |
There was a problem hiding this comment.
I left my comments; the general gist is that I'd prefer not to have a default true parameter, but just do your implemented behaviour by default. Using a custom fact (being bootstrapped or not), we can tell users to delete it on the target node to execute the false behaviour (adding the credentials to sysconfig).
mind I am not requesting changes, just discussing!
|
pushed an update with custom ansible facts; @guidograzioli please review it once more; I'd squash the commits then |
guidograzioli
approved these changes
Apr 19, 2024
| @@ -142,6 +143,15 @@ Role Variables | |||
| |`keycloak_quarkus_admin_url`| Base URL for accessing the administration console, including scheme, host, port and path | `no` | | |||
|
|
|||
|
|
|||
| Role custom facts | |||
hwo-wd
force-pushed
the
feature/190_remove_KEYCLOAK_ADMIN_envs
branch
4 times, most recently
from
89d8366 to
f523bfd
Compare
…nce keycloak is bootstrapped
hwo-wd
force-pushed
the
feature/190_remove_KEYCLOAK_ADMIN_envs
branch
from
f523bfd to
289b476
Compare
thx; linter issues resolved too -> all done |
guidograzioli
changed the title
keycloak_quarkus_admin_user[_pass] once keycloak is bootstrapped
|
Nice work! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Since administrator credentials are only set at the very first time keycloak is started, it is not useful nor secure to have them in the
/etc/sysconfig/keycloakenvironment vars file. This changeset modifies the behaviour during the first execution of the deployment, so that administrative credentials are applied, then purges them from configuration files and restarts the service.To force the credentials again, delete the
/etc/ansible/facts.d/keycloakfile and re-execute the playbook.Fix #190
=== original PR notes
@guidograzioli this is my take on #190:
This approach could be troublesome when the state file (
/etc/sysconfig/keycloak) contains the bootstrapped mnemonicer already, but we are switching DBs where the new DB is completely empty.But I guess this edge case would be ok favoring hiding these sensitive credentials on the long term, worst case one needs to set
keycloak_quarkus_purge_admin_credentials_after_bootstrapping=Trueand then run the playbook once more.Wdyt?