Red Hat build of Keycloak: RHBK-1372

[GHI#22617] kc export fails when using User Federation (LDAP) with file-based Vault enabled


      Before reporting an issue

      [X] I have searched existing issues
      [X] I have reproduced the issue with the latest nightly release

      Area

      import-export

      Describe the bug

      kc export fails to export users when file-based Vault is enabled, even when it’s not actually used for the bind credentials.

      A similar issue was reported on Discourse three years ago: Export/Import fails while using a vault. It still persists and I didn’t find any issue here.

      Version

      22.0.1

      Expected behavior

      kc export with users should work when LDAP federation and file-based vault are used.

      Actual behavior

      ```
      Caused by: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.RealmModel.getName()" because the return value of "org.keycloak.models.KeycloakContext.getRealm()" is null
      at org.keycloak.vault.AbstractVaultProviderFactory.getRealmName(AbstractVaultProviderFactory.java:112)
      at org.keycloak.vault.FilesPlainTextVaultProviderFactory.create(FilesPlainTextVaultProviderFactory.java:33)
      at org.keycloak.vault.FilesPlainTextVaultProviderFactory.create(FilesPlainTextVaultProviderFactory.java:18)
      ```

      Full stack trace:
      ```
      $ kc --verbose export --optimized --realm xxx --dir export
      2023-08-22 15:53:35,320 INFO [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: xxxxxxxxxxxx, Strict HTTPS: false, Path: <request>, Strict BackChannel: false, Admin URL: <unset>, Admin: <request>, Port: -1, Proxied: true
      2023-08-22 15:53:36,703 WARN [io.quarkus.runtime.configuration.DeprecatedRuntimePropertiesRecorder] (main) The 'quarkus.http.ssl.certificate.file' config property is deprecated and should not be used anymore
      2023-08-22 15:53:36,703 WARN [io.quarkus.runtime.configuration.DeprecatedRuntimePropertiesRecorder] (main) The 'quarkus.http.ssl.certificate.key-file' config property is deprecated and should not be used anymore
      2023-08-22 15:53:36,928 WARN [io.quarkus.agroal.runtime.DataSources] (main) Datasource <default> enables XA but transaction recovery is not enabled. Please enable transaction recovery by setting quarkus.transaction-manager.enable-recovery=true, otherwise data may be lost if the application is terminated abruptly
      2023-08-22 15:53:37,580 WARN [org.infinispan.PERSISTENCE] (keycloak-cache-init) ISPN000554: jboss-marshalling is deprecated and planned for removal
      2023-08-22 15:53:37,776 INFO [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
      2023-08-22 15:53:38,607 WARN [io.quarkus.vertx.http.runtime.VertxHttpRecorder] (main) The X-Forwarded-* and Forwarded headers will be considered when determining the proxy address. This configuration can cause a security issue as clients can forge requests and send a forwarded header that is not overwritten by the proxy. Please consider use one of these headers just to forward the proxy address in requests.
      2023-08-22 15:53:39,052 INFO [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: node_571654, Site name: null
      2023-08-22 15:53:39,059 INFO [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener
      2023-08-22 15:53:39,696 INFO [org.keycloak.services] (main) KC-SERVICES0034: Export of realm 'xxx' requested.
      2023-08-22 15:53:40,445 INFO [org.keycloak.exportimport.dir.DirExportProvider] (main) Exporting into directory /var/lib/keycloak/export
      2023-08-22 15:53:40,520 INFO [org.keycloak.exportimport.dir.DirExportProvider] (main) Realm 'xxx' - data exported
      2023-08-22 15:53:40,614 INFO [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] (main) Creating new LDAP Store for the LDAP storage provider: 'LDAP', LDAP Configuration:

      {fullSyncPeriod=[604800], pagination=[true], startTls=[false], usersDn=[ou=people,o=xxxxx], connectionPooling=[true], cachePolicy=[DEFAULT], useKerberosForPasswordAuthentication=[false], importEnabled=[true], enabled=[true], changedSyncPeriod=[300], bindDn=[uid=idm-ro,ou=special users,o=xxxxx], usernameLDAPAttribute=[uid], lastSync=[1692712132], vendor=[rhds], uuidLDAPAttribute=[nsuniqueid], allowKerberosAuthentication=[false], connectionUrl=[ldaps://ldap.xxxxx], syncRegistrations=[false], authType=[simple], customUserSearchFilter=[(entrystatus=active)], searchScope=[2], useTruststoreSpi=[ldapsOnly], usePasswordModifyExtendedOp=[false], trustEmail=[true], userObjectClasses=[inetOrgPerson, organizationalPerson], rdnLDAPAttribute=[uid], editMode=[UNSYNCED], validatePasswordPolicy=[false], batchSizeForSync=[10000]}

      , binaryAttributes: []
      2023-08-22 15:53:40,781 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (import_export) mode
      2023-08-22 15:53:40,782 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) Error details:: org.keycloak.models.ModelException: LDAP Queryfailed
      at org.keycloak.storage.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:171)
      at org.keycloak.storage.ldap.idm.query.internal.LDAPQuery.getFirstResult(LDAPQuery.java:178)
      at org.keycloak.storage.ldap.LDAPStorageProvider.loadLDAPUserByUuid(LDAPStorageProvider.java:839)
      at org.keycloak.storage.ldap.LDAPStorageProvider.loadAndValidateUser(LDAPStorageProvider.java:498)
      at org.keycloak.storage.ldap.LDAPStorageProvider.validate(LDAPStorageProvider.java:173)
      at org.keycloak.storage.UserStorageManager.importValidation(UserStorageManager.java:127)
      at org.keycloak.storage.UserStorageManager.getUserById(UserStorageManager.java:352)
      at org.keycloak.models.cache.infinispan.UserCacheSession.getUserById(UserCacheSession.java:217)
      at org.keycloak.models.jpa.JpaUserProvider.lambda$searchForUserStream$5(JpaUserProvider.java:753)
      at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
      at java.base/java.util.Iterator.forEachRemaining(Iterator.java:133)
      at java.base/java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1845)
      at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
      at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
      at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
      at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
      at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
      at java.base/java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:596)
      at org.keycloak.utils.ClosingStream.forEach(ClosingStream.java:128)
      at java.base/java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:276)
      at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:179)
      at java.base/java.util.stream.Streams$StreamBuilderImpl.forEachRemaining(Streams.java:411)
      at java.base/java.util.stream.Streams$ConcatSpliterator.forEachRemaining(Streams.java:734)
      at java.base/java.util.stream.Streams$ConcatSpliterator.forEachRemaining(Streams.java:734)
      at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
      at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
      at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921)
      at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
      at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682)
      at org.keycloak.exportimport.util.MultipleStepsExportProvider$2.runExportImportTask(MultipleStepsExportProvider.java:136)
      at org.keycloak.exportimport.util.ExportImportSessionTask.run(ExportImportSessionTask.java:35)
      at org.keycloak.models.utils.KeycloakModelUtils.lambda$runJobInTransaction$1(KeycloakModelUtils.java:261)
      at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransactionWithResult(KeycloakModelUtils.java:383)
      at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:260)
      at org.keycloak.exportimport.util.MultipleStepsExportProvider.exportRealmImpl(MultipleStepsExportProvider.java:129)
      at org.keycloak.exportimport.util.MultipleStepsExportProvider.exportRealm(MultipleStepsExportProvider.java:85)
      at org.keycloak.exportimport.util.MultipleStepsExportProvider.exportModel(MultipleStepsExportProvider.java:58)
      at org.keycloak.exportimport.ExportImportManager.runExport(ExportImportManager.java:163)
      at org.keycloak.services.resources.KeycloakApplication.startup(KeycloakApplication.java:151)
      at org.keycloak.quarkus.runtime.integration.QuarkusLifecycleObserver.onStartupEvent(QuarkusLifecycleObserver.java:37)
      at org.keycloak.quarkus.runtime.integration.QuarkusLifecycleObserver_Observer_onStartupEvent_c9888fa6c2aa9208d4625ee9d83de6fd77e22c83.notify(Unknown Source)
      at io.quarkus.arc.impl.EventImpl$Notifier.notifyObservers(EventImpl.java:346)
      at io.quarkus.arc.impl.EventImpl$Notifier.notify(EventImpl.java:328)
      at io.quarkus.arc.impl.EventImpl.fire(EventImpl.java:82)
      at io.quarkus.arc.runtime.ArcRecorder.fireLifecycleEvent(ArcRecorder.java:155)
      at io.quarkus.arc.runtime.ArcRecorder.handleLifecycleEvents(ArcRecorder.java:106)
      at io.quarkus.deployment.steps.LifecycleEventsBuildStep$startupEvent1144526294.deploy_0(Unknown Source)
      at io.quarkus.deployment.steps.LifecycleEventsBuildStep$startupEvent1144526294.deploy(Unknown Source)
      at io.quarkus.runner.ApplicationImpl.doStart(Unknown Source)
      at io.quarkus.runtime.Application.start(Application.java:101)
      at io.quarkus.runtime.ApplicationLifecycleManager.run(ApplicationLifecycleManager.java:111)
      at io.quarkus.runtime.Quarkus.run(Quarkus.java:71)
      at org.keycloak.quarkus.runtime.KeycloakMain.start(KeycloakMain.java:98)
      at org.keycloak.quarkus.runtime.cli.command.AbstractStartCommand.run(AbstractStartCommand.java:37)
      at org.keycloak.quarkus.runtime.cli.command.AbstractExportImportCommand.run(AbstractExportImportCommand.java:47)
      at picocli.CommandLine.executeUserObject(CommandLine.java:2026)
      at picocli.CommandLine.access$1500(CommandLine.java:148)
      at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2461)
      at picocli.CommandLine$RunLast.handle(CommandLine.java:2453)
      at picocli.CommandLine$RunLast.handle(CommandLine.java:2415)
      at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2273)
      at picocli.CommandLine$RunLast.execute(CommandLine.java:2417)
      at picocli.CommandLine.execute(CommandLine.java:2170)
      at org.keycloak.quarkus.runtime.cli.Picocli.parseAndRun(Picocli.java:100)
      at org.keycloak.quarkus.runtime.KeycloakMain.main(KeycloakMain.java:88)
      at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
      at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.base/java.lang.reflect.Method.invoke(Method.java:568)
      at io.quarkus.bootstrap.runner.QuarkusEntryPoint.doRun(QuarkusEntryPoint.java:61)
      at io.quarkus.bootstrap.runner.QuarkusEntryPoint.main(QuarkusEntryPoint.java:32)
      Caused by: org.keycloak.models.ModelException: Querying of LDAP failed org.keycloak.storage.ldap.idm.query.internal.LDAPQuery@4b02dc4e
      at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:289)
      at org.keycloak.storage.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:167)
      ... 70 more
      Caused by: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.RealmModel.getName()" because the return value of "org.keycloak.models.KeycloakContext.getRealm()" is null
      at org.keycloak.vault.AbstractVaultProviderFactory.getRealmName(AbstractVaultProviderFactory.java:112)
      at org.keycloak.vault.FilesPlainTextVaultProviderFactory.create(FilesPlainTextVaultProviderFactory.java:33)
      at org.keycloak.vault.FilesPlainTextVaultProviderFactory.create(FilesPlainTextVaultProviderFactory.java:18)
      at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:177)
      at org.keycloak.services.DefaultKeycloakSession.vault(DefaultKeycloakSession.java:345)
      at org.keycloak.storage.ldap.idm.store.ldap.LDAPContextManager.getVaultSecret(LDAPContextManager.java:108)
      at org.keycloak.storage.ldap.idm.store.ldap.LDAPContextManager.createLdapContext(LDAPContextManager.java:72)
      at org.keycloak.storage.ldap.idm.store.ldap.LDAPContextManager.getLdapContext(LDAPContextManager.java:100)
      at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:709)
      at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:704)
      at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.lookupById(LDAPOperationManager.java:410)
      at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:261)
      ... 71 more
      ```

      How to Reproduce?

      Set up User Federation LDAP and file-based vault, run kc.sh export --dir export.

      Anything else?

      No response
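The stack trace above shows the mechanism: `LDAPContextManager.getVaultSecret` asks the session for a vault provider, the file-based vault factory derives the realm name from `KeycloakContext.getRealm()`, and during `kc export` no realm has been set on that context, so the lookup dereferences null before the bind credential is even inspected. The following is an added example, not code from the issue or from Keycloak: a small constructed Python model of that dependency on ambient context, beside a hardened lookup that opens the vault only for `${vault.alias}` references and accepts the realm explicitly when the context carries none. All class and function names, the `xxx` realm, the `ldap-bind` alias and the secret file are constructed for the example; only the `<realm>_<alias>` file naming mirrors the file-based vault's scheme.

```python
"""Constructed model (not Keycloak code) of the failure shown in the stack
trace: a vault provider that takes the realm name from the ambient session
context breaks when invoked outside a request, such as during `kc export`,
where no realm has been set on the context."""
from dataclasses import dataclass, field
from pathlib import Path
from typing import Optional
import tempfile


@dataclass
class Realm:
    name: str


@dataclass
class Context:
    # Stands in for KeycloakContext; realm is None during the export in the trace.
    realm: Optional[Realm] = None


@dataclass
class Session:
    context: Context = field(default_factory=Context)


class FilesPlainTextVault:
    """Secrets live in files named <realm>_<alias> inside vault_dir (the naming
    scheme the file-based vault uses); the realm name is fixed at creation."""

    def __init__(self, vault_dir: Path, realm_name: str) -> None:
        self.vault_dir = vault_dir
        self.realm_name = realm_name

    def obtain(self, alias: str) -> Optional[str]:
        path = self.vault_dir / f"{self.realm_name}_{alias}"
        return path.read_text().strip() if path.is_file() else None


def vault_from_ambient_context(session: Session, vault_dir: Path) -> FilesPlainTextVault:
    """Fragile form: the realm comes only from the context, so a missing realm
    fails with an attribute error here, the analogue of the NPE in the trace."""
    return FilesPlainTextVault(vault_dir, session.context.realm.name)


VAULT_PREFIX, VAULT_SUFFIX = "${vault.", "}"


def resolve_bind_credential(session: Session, vault_dir: Path, configured: str,
                            explicit_realm: Optional[str] = None) -> Optional[str]:
    """Hardened form: open the vault only when the configured value is a
    ${vault.alias} reference, and take the realm from the context when present
    or from an explicit parameter (an export command knows its --realm)."""
    if not (configured.startswith(VAULT_PREFIX) and configured.endswith(VAULT_SUFFIX)):
        return configured  # plain value: the vault is never touched
    alias = configured[len(VAULT_PREFIX):-len(VAULT_SUFFIX)]
    realm = session.context.realm.name if session.context.realm else explicit_realm
    if realm is None:
        raise ValueError("vault reference %r but no realm in context and none given" % configured)
    return FilesPlainTextVault(vault_dir, realm).obtain(alias)


def demo() -> dict:
    """Exercise both forms against a constructed vault directory with one secret."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        vault_dir = Path(tmp)
        (vault_dir / "xxx_ldap-bind").write_text("s3cret\n")  # constructed secret file
        export_session = Session()  # no realm in context, as during kc export

        try:
            vault_from_ambient_context(export_session, vault_dir)
            results["ambient"] = "ok"
        except AttributeError:
            results["ambient"] = "failed: realm missing from context"

        # Plain bind credential: succeeds without any vault or realm.
        results["plain"] = resolve_bind_credential(export_session, vault_dir, "plain-bind-password")
        # Vault reference with the realm supplied explicitly by the caller.
        results["explicit"] = resolve_bind_credential(
            export_session, vault_dir, "${vault.ldap-bind}", explicit_realm="xxx")
        # Vault reference inside a request, where the context carries the realm.
        request_session = Session(Context(realm=Realm("xxx")))
        results["request"] = resolve_bind_credential(request_session, vault_dir, "${vault.ldap-bind}")
        # Vault reference with no realm at all is a configuration error, not an NPE.
        try:
            resolve_bind_credential(export_session, vault_dir, "${vault.ldap-bind}")
            results["no_realm"] = "ok"
        except ValueError:
            results["no_realm"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the hardened form is the reporter's own observation: a bind credential that is not a vault reference should never require the vault at all, and a caller that does need it outside a request should pass the realm it already knows rather than rely on a context that is only populated while serving a request.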

              Assignee: Unassigned
              Reporter: Pavel Vlha (pvlha)
              Keycloak Core IAM