Tags: keycloak, keycloak-admin-cli

Not able to create composite role from json file


Here's the JSON with the role description:

    {
      "id": "<role-id>",
      "name": "<role-name>",
      "composite": true,
      "composites": {
        "client": {
          "realm-management": [
            "realm-admin",
            "manage-identity-providers",
            "view-users",
            "view-clients",
            "query-users",
            "manage-authorization",
            "view-events",
            "manage-users",
            "manage-events",
            "view-identity-providers",
            "view-authorization",
            "query-groups",
            "query-realms",
            "query-clients",
            "impersonation",
            "create-client",
            "view-realm",
            "manage-clients",
            "manage-realm"
          ]
        }
      },
      "clientRole": false,
      "containerId": "<realm-id>",
      "attributes": {}
    }

Even though it's created in Keycloak, when I run kcadm.sh get roles/<role-name>, it says it's not a composite. Digging a bit deeper, I found the following error in the Keycloak logs:

    ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-15) Uncaught server error: com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of `org.keycloak.representations.idm.RoleRepresentation$Composites` (although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('client')

So I guess the problem lies somewhere under the "composites" field. I got the file I showed via export, so it has to be valid.

UPD: The command I use to create the role is kcadm.sh create roles -s name=<role-name> -r <realm-name> -f role.json


Solution

  • You can do it by first creating a .json file (let us name it role.json) with the following content:

    {
      "roles": {
        "realm": [
          {
            "name": "<ROLE_NAME>",
            "composite": true,
            "composites": {
              "client": {
                "realm-management": [
                  "realm-admin",
                  "view-events",
                  "manage-clients",
                  "create-client",
                  "manage-realm",
                  "view-users",
                  "manage-identity-providers",
                  "manage-users",
                  "query-users",
                  "view-clients",
                  "query-realms",
                  "view-authorization",
                  "view-realm",
                  "query-groups",
                  "impersonation",
                  "manage-events",
                  "manage-authorization",
                  "query-clients",
                  "view-identity-providers"
                ]
              }
            },
            "clientRole": false,
            "containerId": "Realm",
            "attributes": {}
          }
        ]
      }
    }

    and then calling ./kcadm.sh create partialImport -r <REALM_NAME> -s ifResourceExists=FAIL -o -f role.json