keycloak_realm: remove realm id requirement #9768
Conversation
ansibullbot
added
bug
felixfontein
added
check-before-release
changelogs/fragments/9768-keycloak_realm-remove-id-requirement.yaml
Outdated
Show resolved
Hide resolved
changelogs/fragments/9768-keycloak_realm-remove-id-requirement.yaml
Outdated
Show resolved
Hide resolved
….yaml Co-authored-by: Felix Fontein <[email protected]>
….yaml Co-authored-by: Felix Fontein <[email protected]>
| @@ -767,9 +766,6 @@ def main(): | |||
| # Process a creation | |||
| result['changed'] = True | |||
|
|
|||
| if 'id' not in desired_realm: | |||
| module.fail_json(msg='id needs to be specified when creating a new realm') | |||
There was a problem hiding this comment.
Right now you can run the module with neither id nor realm specified. That doesn't sound useful.
(Also it doesn't seem like the module actually works well if realm isn't specified?)
There was a problem hiding this comment.
realm is the unique name that is required to create a realm. I just didn't want to add it as a requirement because i thought it might break older ansible code that didn't specify it. But i checked older keycloak versions again and it seems they all require realm, so even though the module did not require it, keycloak did. So i think we could make realm a requirement, because older code that didn't specify it, should not have worked anyway.
It seems to me the proper way is to let keycloak generate the id. The module can still allow specifying it, but it shouldn't be a requirement. In the older versions i checked, the web frontend set both variables, idand realm, to the provided realm(-name). That might be where this is coming from. None of the keycloak versions i tested required the id.
I checked keycloak version 12, 15, 17 and 20. The gui in 17 was the last one that set both id and realm.
There was a problem hiding this comment.
I'm fine with making realm required. Since the module tries to determine whether a realm exists by looking for it, I don't think it really works (or ever worked) without realm anyway.
There was a problem hiding this comment.
Hi @fgruenbauer
Thanks for your contribution! It's probably nothing, but I have this one question about one of the changes there.
| @@ -778,11 +774,11 @@ def main(): | |||
|
|
|||
| # create it | |||
| kc.create_realm(desired_realm) | |||
| after_realm = kc.get_realm_by_id(desired_realm['id']) | |||
| after_realm = kc.get_realm_by_id(desired_realm['realm']) | |||
There was a problem hiding this comment.
Without checking the code for kc.get_realm_by_id(), it begets the question: will that method accept a name instead of an ID? Is there a kc.get_realm_by_name() that we should be using instead?
SUMMARY
The keycloak_realm module requires an id when creating a new realm. I think it is better to let keycloak generate the id, like when creating a realm in the GUI.
Using the module with older keycloak versions that require an id would still be possible, but it would also allow users to create realms with uuids generated by keycloak.
ISSUE TYPE
COMPONENT NAME
keycloak_realm