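--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+data
+.DS_Store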
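--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,27 @@
+FROM quay.io/ecosystem-appeng/keycloak-source:latest as keycloak
+
+FROM registry.access.redhat.com/ubi9/openjdk-11-runtime
+WORKDIR /opt/keycloak/bin
+ARG KEYCLOAK_VERSION=21.1.1
+
+USER root
+# COPY ca-bundle.crt /etc/pki/ca-trust/source/anchors
+# RUN update-ca-trust extract
+# RUN trust list --filter=ca-anchors | grep ingress -A3
+
+RUN microdnf install -y jq
+RUN mkdir -p /opt/keycloak/bin/client/lib/
+
+COPY --from=keycloak /opt/keycloak/bin/client/keycloak-admin-cli-${KEYCLOAK_VERSION}.jar client
+COPY --from=keycloak /opt/keycloak/bin/client/lib/ client/lib/
+COPY --from=keycloak /opt/keycloak/bin/kcadm.sh .
+
+COPY scripts/*.sh /opt/keycloak/bin/
+
+RUN chmod +x /opt/keycloak/bin/Entrypoint.sh && \
+chmod +x /opt/keycloak/bin/kcadm.sh && \
+chmod +x /opt/keycloak/bin/user-import.sh && \
+chmod +x /opt/keycloak/bin/user-export.sh
+
+USER 185
+ENTRYPOINT ["/opt/keycloak/bin/Entrypoint.sh"]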
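Review bot: The first `FROM` pulls `quay.io/ecosystem-appeng/keycloak-source:latest`, while `ARG KEYCLOAK_VERSION=21.1.1` hard-codes the name of the jar copied out of that stage. When `latest` moves to another Keycloak release, the `COPY --from=keycloak …/keycloak-admin-cli-${KEYCLOAK_VERSION}.jar` step will presumably fail. The unversioned `client/lib/` copy will instead change silently, so the libraries shipped in the image stop being traceable to a known release. The runtime base `registry.access.redhat.com/ubi9/openjdk-11-runtime` carries no tag either. Pin both images to a version tag plus digest and keep the source tag in step with `KEYCLOAK_VERSION`, for example `FROM quay.io/ecosystem-appeng/keycloak-source:<VERSION_TAG>@sha256:<DIGEST_PLACEHOLDER> as keycloak`.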
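--- a/Makefile
+++ b/Makefile
@@ -0,0 +1,33 @@
+WORK_DIRECTORY := $(shell pwd)/data
+CONTAINER_ENGINE ?= $(shell which podman >/dev/null 2>&1 && echo podman || echo docker)
+
+help: ## Prints help for targets with comments
+@grep -E '^[a-zA-Z0-9.\ _-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
+
+build-docker: ## Build the application image using Docker
+docker build -t quay.io/ecosystem-appeng/kc-exim .
+
+build-podman: ## Build the application image using Podman
+podman build -t quay.io/ecosystem-appeng/kc-exim .
+
+build: ## build with available Container Enging
+@$(CONTAINER_ENGINE) build -t quay.io/ecosystem-appeng/kc-exim .
+
+export: ## run an export job, exports remote server users into local filesystem
+
+@$(CONTAINER_ENGINE) run -it \
+-e EXPORT_KEYCLOAK_SERVER=$(EXPORT_KEYCLOAK_SERVER) \
+-e EXPORT_REALM=$(EXPORT_REALM) \
+-e EXPORT_TOKEN=$(EXPORT_TOKEN) \
+-v $(WORK_DIRECTORY):/home/default/kc-exim \
+quay.io/ecosystem-appeng/kc-exim export
+
+import: ## run an import job, imports local users/groups into a remote server
+@$(CONTAINER_ENGINE) run -it \
+-e IMPORT_KEYCLOAK_SERVER=$(IMPORT_KEYCLOAK_SERVER) \
+-e IMPORT_REALM=$(IMPORT_REALM) \
+-e IMPORT_TOKEN=$(IMPORT_TOKEN) \
+-v $(WORK_DIRECTORY):/home/default/kc-exim/ \
+quay.io/ecosystem-appeng/kc-exim import
+
+generate-token: ## TO-DO maybe support generating token based on username/password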
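Review bot: In the `export` and `import` recipes make expands the bearer token into the container engine's argument list (`-e EXPORT_TOKEN=$(EXPORT_TOKEN)`, `-e IMPORT_TOKEN=$(IMPORT_TOKEN)`), so the token is readable in the host's process list while the job runs. The expansion is also unquoted, so a value containing spaces or shell metacharacters is re-parsed by the recipe shell. Both docker and podman accept a bare variable name and take the value from the caller's environment, which is where make reads it from today. The two lines can therefore become `-e EXPORT_TOKEN \` and `-e IMPORT_TOKEN \`. The same bare form works for the server and realm variables and removes the quoting problem there too.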
114 changes: 67 additions & 47 deletions README.md
@@ -1,69 +1,89 @@
# kcum
key cloak user migrationr shell scripts
# kc-exim
KeyCloak user Export/Import tool

## about
this app contains the kcadm.sh and its dependincies script provided with the latest Keycloak distibution.
in addition a customized scripts that uses the kcadm.sh to export/import keycloak users from a server/realm into a target server/realm
it does export relevant user infor including attributes
it does export group paths
during the import, the same groups expected to pre-exist in the target server, and the newly migrated users will join the target groups according to the target server group ids, (automatically)
## Building the Image

## how to run
### Build
```
make build
```

1. clone

```

git clone git@github.com:nemerna/kcum.git
### build with Docker
```
make build-docker
```


### build with Podman
```
make build-podman
```

---
---
## Variables Used By the Application

| Environment Variables | Description |
|-------------------------- |:---------------------------------------------------------------------------------------------------------------------: |
| `EXPORT_KEYCLOAK_SERVER` | The Keycloak Server that you would like to export Users from |
| `EXPORT_REALM` | The Realm Name under the EXPORT Server you would like to export users from |
| `EXPORT_TOKEN` | A Temporary Token you need to obtain (using curl or any other method)<br>used for authenticating to the EXPORT server |
| `IMPORT_KEYCLOAK_SERVER` | The Keycloak Server that you would like to Import Users into |
| `IMPORT_REALM` | The Realm Name under the IMPORT Server you would like to IMPORT users into |
| `IMPORT_TOKEN` | A Temporary Token you need to obtain (using curl or any other method)<br>used for authenticating to the IMPORT server |

---
---

## Running The Application


### EXPORT

1. prepare variables
```
export EXPORT_KEYCLOAK_SERVER=http://localhost:2020
export EXPORT_REALM=kcm
export EXPORT_TOKEN=xxxxx
```
2. move to the project dir directory

2. start the EXPORT job
```
cd kcum
make export
```

3. add the bin to your PATH

### IMPORT

1. prepare variables
```
export PATH=$PATH:$(pwd)/bin
# export the following env variables
IMPORT_KEYCLOAK_SERVER=http://localhost:1010
IMPORT_REALM=kcm
IMPORT_TOKEN=xxxxx
```

4. export relevant env vars

2. start the IMPORT job
```
make import
```

#the work directory to proccess directory (always should be set)
export WORK_DIRECTORY=./USERMANAGER_EXPORT

# the source server url (copy from)
export IMPORT_KEYCLOAK_SERVER=https://src-server.com

# the realm of the source server (copy from)
export IMPORT_REALM=src-realm

# the client-id of the source server (copy from)
export IMPORT_CLIENT=src-client
---
---

# the client secret of the source server (copy from)
export IMPORT_SECRET=src-secret
## Help Commands

### obtaining an EXPORT_TOKEN token example

# the target server url (create in)
export EXPORT_KEYCLOAK_SERVER=https://target-server.com
```
export EXPORT_TOKEN=$(curl -X POST --location "https://$EXPORT_KEYCLOAK_SERVER/realms/$EXPORT_REALM/protocol/openid-connect/token" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=password&username=$USER_NAME_PLACE_HOLDER&password=$PASSWORD_PLACE_HOLDER&client_id=$CLIENT_ID_PLACE_HOLDER" | jq -r .access_token)
```

# the realm of the target server (create in)
export EXPORT_REALM=target-realm
### obtaining an IMPORT_TOKEN token example

# the client-id of the target server (create in)
export EXPORT_CLIENT=target-client
```
export IMPORT_TOKEN=$(curl -X POST --location "https://$IMPORT_KEYCLOAK_SERVER/realms/$IMPORT_REALM/protocol/openid-connect/token" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=password&username=$USER_NAME_PLACE_HOLDER&password=$PASSWORD_PLACE_HOLDER&client_id=$CLIENT_ID_PLACE_HOLDER" | jq -r .access_token)
```

# the client secret of the target server (create in)
export EXPORT_SECRET=target-secret

```
4. run the user manager

```
user-manager.sh [export | import | migrate]
```
**NOTE: when you export, only export parameters needed, when import then only import parameters are needed, when igrate you need to specify both export and import related variables**
Binary file removed bin/client/keycloak-admin-cli-21.1.2.jar
Binary file not shown.
Binary file not shown.
Binary file removed bin/client/lib/bcprov-jdk15on-1.70.jar
Binary file not shown.
Binary file removed bin/client/lib/keycloak-crypto-default-21.1.2.jar
Binary file not shown.
Binary file removed bin/client/lib/keycloak-crypto-fips1402-21.1.2.jar
Binary file not shown.
51 changes: 0 additions & 51 deletions bin/groups-ids-wrapper.sh

This file was deleted.
