Execute Keycloak API commands as 'keycloak:keycloak' user:group

treydock · Feb 20, 2025 · 616585d · 616585d
1 parent f26b6fb
commit 616585d
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 13 deletions.
diff --git a/README.md b/README.md
@@ -588,11 +588,13 @@ The keycloak_api type can be used to define how this module's types access the K
 
  ```puppet
 keycloak_api { 'keycloak'
-  install_dir => '/opt/keycloak',
-  server     => 'http://localhost:8080/auth',
-  realm      => 'master',
-  user       => 'admin',
-  password   => 'changeme',
+  install_dir    => '/opt/keycloak',
+  server         => 'http://localhost:8080/auth',
+  realm          => 'master',
+  user           => 'admin',
+  password       => 'changeme',
+  keycloak_user  => 'keycloak',
+  keycloak_group => 'keycloak',
 }
 ```
 

diff --git a/lib/puppet/provider/keycloak_api.rb b/lib/puppet/provider/keycloak_api.rb
@@ -16,9 +16,12 @@ class Puppet::Provider::KeycloakAPI < Puppet::Provider
   @user = nil
   @password = nil
   @use_wrapper = true
+  @keycloak_user = 'keycloak'
+  @keycloak_group = 'keycloak'
 
   class << self
-    attr_accessor :install_dir, :server, :realm, :user, :password, :use_wrapper
+    attr_accessor :install_dir, :server, :realm, :user, :password, :use_wrapper,
+                  :keycloak_user, :keycloak_group
   end
 
   def self.type_properties
@@ -107,7 +110,7 @@ def self.kcadm(action, resource, realm = nil, file = nil, fields = nil, print_id
 
     cmd.reject! { |c| c.empty? }
 
-    execute(cmd, combine: false, failonfail: true)
+    execute(cmd, combine: false, failonfail: true, uid: keycloak_user, gid: keycloak_group)
   end
 
   def kcadm(*args)

diff --git a/lib/puppet/type/keycloak_api.rb b/lib/puppet/type/keycloak_api.rb
@@ -54,6 +54,16 @@
     defaultto :false
   end
 
+  newparam(:keycloak_user) do
+    desc 'Keycloak user'
+    defaultto('keycloak')
+  end
+
+  newparam(:keycloak_group) do
+    desc 'Keycloak group'
+    defaultto('keycloak')
+  end
+
   def generate
     kcadm_types = []
     Dir[File.join(File.dirname(__FILE__), '../provider/keycloak_*/kcadm.rb')].each do |file|
@@ -68,6 +78,8 @@ def generate
       provider_class.user = self[:user]
       provider_class.password = self[:password]
       provider_class.use_wrapper = self[:use_wrapper]
+      provider_class.keycloak_user = self[:keycloak_user]
+      provider_class.keycloak_group = self[:keycloak_group]
     end
 
     []

diff --git a/manifests/config.pp b/manifests/config.pp
@@ -20,8 +20,8 @@
   file { 'kcadm-wrapper.conf':
     ensure    => 'file',
     path      => $keycloak::wrapper_conf,
-    owner     => 'root',
-    group     => 'root',
+    owner     => $keycloak::user,
+    group     => $keycloak::group,
     mode      => '0640',
     content   => epp('keycloak/shell_vars.epp', { 'vars' => $wrapper_conf }),
     show_diff => false,
@@ -30,8 +30,8 @@
   file { 'kcadm-wrapper.sh':
     ensure    => 'file',
     path      => $keycloak::wrapper_path,
-    owner     => 'root',
-    group     => 'root',
+    owner     => $keycloak::user,
+    group     => $keycloak::group,
     mode      => '0750',
     source    => 'puppet:///modules/keycloak/kcadm-wrapper.sh',
     show_diff => false,

diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -118,8 +118,8 @@
           is_expected.to contain_file('kcadm-wrapper.sh').only_with(
             ensure: 'file',
             path: "/opt/keycloak-#{version}/bin/kcadm-wrapper.sh",
-            owner: 'root',
-            group: 'root',
+            owner: 'keycloak',
+            group: 'keycloak',
             mode: '0750',
             source: 'puppet:///modules/keycloak/kcadm-wrapper.sh',
             show_diff: 'false',