mirror/keycloak
1
0
Fork 0
mirror of https://github.com/keycloak/keycloak.git synced 2026-05-07 23:50:03 -05:00
Code Issues Packages Projects Releases Wiki Activity

fix: adds handling for all kcadm prompts as env variables (#29430)

Browse Source 
closes: #21961

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
This commit is contained in:
Steven Hawkins
2024-06-06 09:08:23 -04:00
committed by GitHub
parent f34baf3c24
commit c7e9ee2bff
26 changed files with 95 additions and 306 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/documentation/server_admin/topics/admin-cli.adoc
+8 -3
View File
@@ -87,6 +87,10 @@ $ kcadm.sh config truststore --trustpass $PASSWORD ~/.keycloak/truststore.jks
c:\> kcadm config truststore --trustpass %PASSWORD% %HOMEPATH%\.keycloak\truststore.jks
----
=== Sensitive Options
Sensitive values, such as passwords, may be specified as command options. That is generally not recommended. There are also mechanisms by which you can be prompted for the sensitive value - by either omitting the option or providing a value or -. Finally all will have a corresponding env variable that can be used instead - check the help of the command you are running to see all possible options.
=== Authenticating
When you log in with the Admin CLI, you specify:
@@ -105,7 +109,7 @@ Two primary mechanisms are available for authentication. One mechanism uses `kca
[options="nowrap",subs="attributes+"]
----
$ kcadm.sh config credentials --server http://localhost:8080{kc_base_path} --realm master --user admin --password admin
$ kcadm.sh config credentials --server http://localhost:8080{kc_base_path} --realm master --user admin
----
This mechanism maintains an authenticated session between the `kcadm` command invocations by saving the obtained access token and its associated refresh token. It can maintain other secrets in a private configuration file. See the <<_working_with_alternative_configurations, next chapter>> for more information.
@@ -115,13 +119,14 @@ The second mechanism authenticates each command invocation for the duration of t
For example, when performing an operation, specify all the information required for authentication.
[options="nowrap",subs="attributes+"]
----
$ kcadm.sh get realms --no-config --server http://localhost:8080{kc_base_path} --realm master --user admin --password admin
$ kcadm.sh get realms --no-config --server http://localhost:8080{kc_base_path} --realm master --user admin
----
Run the `kcadm.sh help` command for more information on using the Admin CLI.
Run the `kcadm.sh config credentials --help` command for more information about starting an authenticated session.
If you do not specify the --password option (it is generally recommended to not provide passwords as part of the command), you will be prompted for a password unless one is specified as the environment variable KC_CLI_PASSWORD.
[[_working_with_alternative_configurations]]
=== Working with alternative configurations
@@ -184,7 +189,7 @@ SERVER_URI/admin/realms/TARGET_REALM/ENDPOINT
For example:
[options="nowrap",subs="attributes+"]
----
$ kcadm.sh config credentials --server http://localhost:8080{kc_base_path} --realm master --user admin --password admin
$ kcadm.sh config credentials --server http://localhost:8080{kc_base_path} --realm master --user admin
$ kcadm.sh create users -s username=testuser -s enabled=true -r demorealm
----