
Setting "enabled: false" for an existing user does not actually disable the user

Open chrisbsmith opened this issue 3 years ago • 2 comments

Describe the bug

I am editing an existing KeycloakUser in an attempt to disable the user's access. However, if the user is currently "enabled", setting enabled: false or removing the enabled: true fails to actually disable the user in Keycloak.

Version

16.1.0

Expected behavior

Keycloak should disable the user

Actual behavior

Once a user is "enabled", it can never be "disabled".

How to Reproduce?

Create a new "disabled" user:

cat <<EOF | kubectl -n keycloak apply -f -
apiVersion: keycloak.org/v1alpha1
kind: KeycloakUser
metadata:
  name: disabled-user
spec:
  user:
    username: "disabled-user"
    firstName: "Disabled"
    lastName: "Test"
    email: "[email protected]"
    enabled: False
    emailVerified: False
    credentials:
      - type: "password"
        value: "12345"
    realmRoles:
      - "offline_access"
    clientRoles:
      account:
        - "manage-account"
      realm-management:
        - "manage-users"
  realmSelector:
    matchLabels:
      app: example-keycloak
EOF

Open Keycloak and verify that the user is disabled

Update the user to enable it.

kubectl patch -n keycloak --type=merge keycloakuser disabled-user -p '{"spec":{"user":{"enabled":true}}}'
keycloakuser.keycloak.org/disabled-user patched

Open Keycloak and verify the user is enabled

Attempt to disable the user

kubectl patch -n keycloak --type=merge keycloakuser disabled-user -p '{"spec":{"user":{"enabled":false}}}'
keycloakuser.keycloak.org/disabled-user patched


Keycloak controller logs show it successfully reconciling the user after each patch

{"level":"info","ts":1641405498.2681048,"logger":"controller_keycloakuser","msg":"Reconciling KeycloakUser","Request.Namespace":"keycloak","Request.Name":"disabled-user"}
{"level":"info","ts":1641405498.2682028,"logger":"controller_keycloakuser","msg":"found 1 matching realm(s) for user keycloak/disabled-user"}
{"level":"info","ts":1641405498.4976873,"logger":"action_runner","msg":"(    1)    SUCCESS update user disabled-user"}

Anything else?

I followed these instructions and installed the Keycloak operator into a minikube cluster using the command line instructions.

chrisbsmith, Jan 05 '22 18:01
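Because the controller log in the report shows "SUCCESS update user" while the account stays enabled, a revocation has to be confirmed against Keycloak itself rather than against the operator's log. The Python below is an added example, not code from the issue or from the operator: it compares the `enabled` value declared in each KeycloakUser resource with the value Keycloak reports. The function names, the embedded sample data (constructed, including the extra `no-flag-user` and `active-user` entries), and the rule that a spec without `enabled` means "disabled" are assumptions.

```python
import json

# Constructed sample, shaped like `kubectl -n keycloak get keycloakuser -o json`.
CR_LIST_JSON = """
{"items": [
  {"metadata": {"name": "disabled-user"},
   "spec": {"user": {"username": "disabled-user", "enabled": false}}},
  {"metadata": {"name": "no-flag-user"},
   "spec": {"user": {"username": "no-flag-user"}}},
  {"metadata": {"name": "active-user"},
   "spec": {"user": {"username": "active-user", "enabled": true}}}
]}
"""

# Constructed sample, shaped like the Admin REST API user list for the realm.
KEYCLOAK_USERS_JSON = """
[{"username": "disabled-user", "enabled": true},
 {"username": "no-flag-user", "enabled": false},
 {"username": "active-user", "enabled": true}]
"""


def find_enabled_drift(cr_list, keycloak_users):
    """Return (username, problem, desired, actual) for every mismatch."""
    actual = {u["username"].lower(): bool(u.get("enabled", False))
              for u in keycloak_users}
    findings = []
    for item in cr_list.get("items", []):
        user = item.get("spec", {}).get("user", {})
        name = user.get("username", "").lower()
        # Assumption: a spec without `enabled` is meant to be disabled.
        desired = bool(user.get("enabled", False))
        if name not in actual:
            findings.append((name, "missing-in-keycloak", desired, None))
        elif actual[name] != desired:
            problem = "still-enabled" if actual[name] else "still-disabled"
            findings.append((name, problem, desired, actual[name]))
    return findings


def check_samples():
    """Run the comparison over the constructed samples above."""
    return find_enabled_drift(json.loads(CR_LIST_JSON),
                              json.loads(KEYCLOAK_USERS_JSON))


if __name__ == "__main__":
    for name, problem, desired, actual in check_samples():
        print(f"{name}: {problem} (declared enabled={desired}, Keycloak enabled={actual})")
```

A `still-enabled` finding is the case from this report: the resource declares the user disabled, the operator logs success, and the account can still log in.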

Thanks @chrisbsmith for taking the time to submit a complete reproducer. This issue might be related: https://github.com/keycloak/keycloak-operator/issues/412

Looks like this is an actual bug in the operator. We would appreciate the contribution of a fix, or we will try to find the time to address the issue.

andreaTP, Jan 13 '22 16:01

Hi!

Just to let you people know this is something happening also elsewhere: I'm facing this same problem here.

Christian

christianviana, Jan 20 '22 17:01

Thanks (again) for reporting this issue. Keycloak 19 was the last version that included this legacy Operator, and with the release of Keycloak 20 the Operator reached EOL and this repository will be archived. Please see our blog post on this topic. If this issue is still valid for the Realm Operator, please re-open it there. Thanks for your understanding. And be sure to check out our new Operator!

stianst, Nov 16 '22 08:11