Skip to content

CH-231 refactorAPI user init #828

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
filippomc merged 4 commits into from
Dec 10, 2025
Merged

CH-231 refactorAPI user init #828

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
a070b17
CH-231 refactorAPI user init
filippomc Dec 9, 2025
7cb696a
chore: refactor create/update/refresh admin_api user
zoran-sinnema Dec 10, 2025
1545355
chore: start the temporary client creation on a different admin port
zoran-sinnema Dec 10, 2025
3001302
chore: refactor create/update/refresh admin_api user
zoran-sinnema Dec 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
79 changes: 56 additions & 23 deletions applications/accounts/scripts/create_api_user.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,25 +1,58 @@
#!/bin/bash

NAMESPACE=${CH_ACCOUNTS_REALM}
USERNAME=admin_api
PASSWORD=$(cat /opt/cloudharness/resources/auth/api_user_password)

echo "Checking if API user exists..."

# Check if user already exists
if /opt/keycloak/bin/kcadm.sh get users -q "username=$USERNAME" | grep -q "$USERNAME"; then
echo "ERROR: API user $USERNAME already exists, but password is out of sync. You may need to reset it manually."
# /opt/keycloak/bin/kcadm.sh set-password --username "$USERNAME" --new-password "$PASSWORD"
# Removed automatic password reset as that would only work if the main admin password is unchanged from the default password
# That would create the false impression that the password is reset successfully when in fact it has not on production systems
exit 0
fi

echo "Creating API user $USERNAME"
set -e
# create the user and reload keycloak
/opt/keycloak/bin/kcadm.sh create users -s "username=$USERNAME" -s enabled=True
/opt/keycloak/bin/kcadm.sh set-password --username "$USERNAME" --new-password "$PASSWORD"
/opt/keycloak/bin/kcadm.sh add-roles --uusername "$USERNAME" --rolename admin

echo "API user created successfully"

API_USERNAME="admin_api"
API_PASSWORD=$(cat /opt/cloudharness/resources/auth/api_user_password 2>/dev/null || echo "")

echo "create_api_user: waiting for Keycloak to start..."
Copy link

Copilot AI Dec 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nitpick] Corrected spelling: 'create_api_user' should use consistent formatting as 'Creating API user' elsewhere in the script.

Suggested change
echo "create_api_user: waiting for Keycloak to start..."
echo "Creating API user: waiting for Keycloak to start..."

Copilot uses AI. Check for mistakes.

# Wait for Keycloak to be ready - just give it some time to start up
sleep 120s

echo "Attempting authentication..."

# First, try to authenticate as admin_api
if [ -n "$API_PASSWORD" ] && /opt/keycloak/bin/kcadm.sh config credentials \
--server http://localhost:8080 \
--realm master \
--user "$API_USERNAME" \
--password "$API_PASSWORD" 2>/dev/null; then
echo "Successfully authenticated as $API_USERNAME"
echo "Startup scripts not needed (admin_api user already exists)"
else
echo "admin_api user does not exist or authentication failed. Authenticating as bootstrap admin to create the user..."

# Authenticate as bootstrap admin to create admin_api user
if ! /opt/keycloak/bin/kcadm.sh config credentials \
Copy link
Contributor

@zsinnema zsinnema Dec 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical: this still doesn't work when the bootstap user password is changed. Let me think of an automated way to set the api admin user's password

Copy link
Contributor

@zsinnema zsinnema Dec 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@filippomc I think this will do the job:

kc.sh bootstrap-admin service --client-id=tmp_client --client-secret:env=KC_BOOTSTRAP_ADMIN_USERNAME
kcadm.sh config credentials --server http://localhost:8080 --realm master --client tmp_client --secret ${KC_BOOTSTRAP_ADMIN_USERNAME}

kcadm.sh create users -s "username=${API_USERNAME}" -s enabled=True
kcadm.sh set-password --username "${API_USERNAME}" --new-password "${API_PASSWORD}"

client_id=$(kcadm.sh get clients -r master -q "clientId=tmp_client"|grep \"id\"|cut -d ":" -f 2|tr -d '", ')
kcadm.sh delete clients/${client_id}

explanation:

  1. create a temporary service account
  2. create the api user and set the password
  3. remove the temporary service account

Copy link
Contributor

@zsinnema zsinnema Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@filippomc wdyt of my last commit?

--server http://localhost:8080 \
--realm master \
--user "$KC_BOOTSTRAP_ADMIN_USERNAME" \
--password "$KC_BOOTSTRAP_ADMIN_PASSWORD"; then
echo "ERROR: Failed to authenticate as bootstrap admin. You must manually create the ${API_USERNAME} with password from the secret api_user_password."
echo "Continuing without running startup scripts..."
exit 0
fi

echo "Successfully authenticated as bootstrap admin"

echo "Checking if API user exists..."

# Check if user already exists
if /opt/keycloak/bin/kcadm.sh get users -q "username=$API_USERNAME" | grep -q "$API_USERNAME"; then
echo "ERROR: API user $API_USERNAME already exists, but password is out of sync. You may need to reset it manually."
# /opt/keycloak/bin/kcadm.sh set-password --username "$API_USERNAME" --new-password "$API_PASSWORD"
# Removed automatic password reset as that would only work if the main admin password is unchanged from the default password
# That would create the false impression that the password is reset successfully when in fact it has not on production systems
exit 0
fi

echo "Creating API user $API_USERNAME"
set -e
# create the user and reload keycloak
/opt/keycloak/bin/kcadm.sh create users -s "username=$API_USERNAME" -s enabled=True
/opt/keycloak/bin/kcadm.sh set-password --username "$API_USERNAME" --new-password "$API_PASSWORD"
/opt/keycloak/bin/kcadm.sh add-roles --uusername "$API_USERNAME" --rolename admin

echo "API user created successfully"
fi

43 changes: 4 additions & 39 deletions applications/accounts/scripts/kc-entrypoint.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,51 +2,16 @@

/opt/keycloak/bin/kc.sh $@ &

API_USERNAME="admin_api"
API_PASSWORD=$(cat /opt/cloudharness/resources/auth/api_user_password 2>/dev/null || echo "")

echo "Waiting for Keycloak to start..."

# Wait for Keycloak to be ready - just give it some time to start up
sleep 120s

echo "Attempting authentication..."

# First, try to authenticate as admin_api
if [ -n "$API_PASSWORD" ] && /opt/keycloak/bin/kcadm.sh config credentials \
--server http://localhost:8080 \
--realm master \
--user "$API_USERNAME" \
--password "$API_PASSWORD" 2>/dev/null; then
echo "Successfully authenticated as $API_USERNAME"
echo "Startup scripts not needed (admin_api user already exists)"
else
echo "admin_api user does not exist or authentication failed. Authenticating as bootstrap admin to create the user..."

# Authenticate as bootstrap admin to create admin_api user
if ! /opt/keycloak/bin/kcadm.sh config credentials \
--server http://localhost:8080 \
--realm master \
--user "$KC_BOOTSTRAP_ADMIN_USERNAME" \
--password "$KC_BOOTSTRAP_ADMIN_PASSWORD"; then
echo "ERROR: Failed to authenticate as bootstrap admin. Check KC_BOOTSTRAP_ADMIN credentials."
echo "Continuing without running startup scripts..."
wait
exit 0
fi

echo "Successfully authenticated as bootstrap admin"

# Run startup scripts to create admin_api user
for script in /opt/keycloak/startup-scripts/*.sh;
# Run startup scripts to create admin_api user
Copy link

Copilot AI Dec 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nitpick] Corrected spelling in comment: 'create' should be 'creates' or rephrase to 'creation of admin_api user'.

Suggested change
# Run startup scripts to create admin_api user
# Run startup scripts to create the admin_api user

Copilot uses AI. Check for mistakes.
for script in /opt/keycloak/startup-scripts/*.sh;
do
echo "Running startup script: $script"
if bash "$script"; then
echo "Successfully executed $script"
else
echo "Warning: $script failed with exit code $?"
fi
done
fi
fi
done

wait
Loading