Uploaded image for project: 'Keycloak'
  1. Keycloak
  2. KEYCLOAK-14523

kcadmin.sh cannot find a group by name when adding roles to a group


    • Type: Bug
    • Status: Plan (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 10.0.2
    • Fix Version/s: Backlog
    • Component/s: Admin - CLI
    • Labels:
    • Docs QE Status:
    • QE Status:


      I was trying to add a client role to a group using the admin client.  The command was:

      kcadm.sh add-roles -r test --gname "My Group Name" --cclientid my-client --rolename my-client-role

      This returned and error: "Group not found for name: My Group Name

      I have about 30 groups in this realm and I confirmed that "My Group Name" is indeed one of them.  I found that this command would work for the first 2 groups in that realm, but not the others.  Looking at the code in org.keycloak.client.admin.cli.util.HttpUtil.getAttrForType(), I see that the resourceUrl is modified with the query parameters first=0, max=2. In this case, that means that only 2 groups would be returned and the search for the group by name:

      user = new LocalSearch(users).exactMatchOne(attrValue, attrName);

      will fail for everything except the first 2 groups.  I'm not sure how this ever worked since adding those query params will only ever retrieve the first 2 groups.  The only workaround is to find the group id myself and issue the original command using the group's id rather than the name.  The same thing will happen if you use --gpath rather than --gname.  

      Note: I had to pick a version so I chose the latest released version.  But I've looked back as far as 4.5.0.Final and the code is the same.


        Gliffy Diagrams


            Issue Links



                • Assignee:
                  blevine218 Brian Levine
                • Votes:
                  0 Vote for this issue
                  2 Start watching this issue


                  • Created: