Initializing Keycloak data

Hello,
Can anyone describe for me the process of initializing data in Keycloak via scripts in a MOSIP cluster? Executing keycloak-init doesn't work.

Thanks

To ensure proper execution, please verify that the Keycloak service is active and operational prior to running the ./keycloak-init.sh script. Additionally, if any errors were encountered during the execution of the script, could you kindly provide us with details regarding the observed error?

@sanchi-singh24
I'm facing the same error. Below are the logs; for some reason, in the middle of initializing, Keycloak throws HTTP 401 Unauthorized.

    Creating mappers for mosip-prereg-client client 
    Creating client mosip-creser-idpass-client
    Exists, updating mosip-creser-idpass-client
    Creating mappers for mosip-creser-idpass-client client 
    Creating client mosip-syncdata-client
    Exists, updating mosip-syncdata-client
    Creating mappers for mosip-syncdata-client client 
    Creating client mpartner-default-auth
    Exists, updating mpartner-default-auth
    Creating mappers for mpartner-default-auth client 
            Creating Mapper langCode
            Mapper langCode Exists already exists; SKIPPING;
    Creating client mosip-idrepo-client
    Exists, updating mosip-idrepo-client
    Creating mappers for mosip-idrepo-client client 
    Creating client mpartner-default-print
    Exists, updating mpartner-default-print
    Creating mappers for mpartner-default-print client 
    Creating client mpartner-default-digitalcard
    Exists, updating mpartner-default-digitalcard

    Traceback (most recent call last):
      File "/home/mosip/keycloak_init.py", line 148, in create_client
        self.keycloak_admin.create_client(payload, skip_exists=False) # If exists, update. So don't skip
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/keycloak/keycloak_admin.py", line 909, in create_client
        return raise_error_from_response(data_raw, KeycloakGetError, expected_codes=[201], skip_exists=skip_exists)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/keycloak/exceptions.py", line 106, in raise_error_from_response
        raise error(error_message=message,
    keycloak.exceptions.KeycloakGetError: 409: b'{"errorMessage":"Client mpartner-default-digitalcard already exists"}'

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/home/mosip/keycloak_init.py", line 423, in main
        ks.create_client(realm, client['name'], secret, client['saroles'])
      File "/home/mosip/keycloak_init.py", line 152, in create_client
        client_id = self.keycloak_admin.get_client_id(client)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/keycloak/keycloak_admin.py", line 848, in get_client_id
        clients = self.get_clients()
                  ^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/keycloak/keycloak_admin.py", line 821, in get_clients
        return raise_error_from_response(data_raw, KeycloakGetError)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/keycloak/exceptions.py", line 106, in raise_error_from_response
        raise error(error_message=message,
    keycloak.exceptions.KeycloakAuthenticationError: 401: b'{"error":"HTTP 401 Unauthorized"}'

Hi @yahlife_nation

I will surely ask @syed.salman to look into the logs and provide you with a solution.

Best Regards,
Team MOSIP

@yahlife_nation

Kindly share the full logs from the keycloak-init pod. Additionally, verify if the keycloak admin login credentials are correct.

keycloak-init.job.yml

        - name: KEYCLOAK_ADMIN_PASSWORD
          valueFrom:
            secretKeyRef:
              key: admin-password
              name: keycloak

@syed.salman Full logs below, as you asked. When I log in to Keycloak I can see the mosip realm created and the clients inside. Could it be a credential issue if some clients are created by the script?

    NAME                  READY   STATUS   RESTARTS   AGE
    keycloak-init-82hk5   0/1     Error    0          8m3s
    keycloak-init-9f7jq   0/1     Error    0          6m51s
    keycloak-init-kxxhj   0/1     Error    0          2m12s
    keycloak-init-t7xqv   0/1     Error    0          5m36s
    keycloak-init-vkhw6   0/1     Error    0          4m3s

Create realms :
Create realms : mosip
Exists, updating mosip
Create roles for realm mosip
Creating role Default for realm mosip
Creating role ABIS_PARTNER for realm mosip
Creating role SDK_PARTNER for realm mosip
Creating role AUTH for realm mosip
Creating role AUTH_PARTNER for realm mosip
Creating role BIOMETRIC_READ for realm mosip
Creating role CENTRAL_ADMIN for realm mosip
Creating role CENTRAL_APPROVER for realm mosip
Creating role CREATE_SHARE for realm mosip
Creating role CREDENTIAL_ISSUANCE for realm mosip
Creating role CREDENTIAL_PARTNER for realm mosip
Creating role CREDENTIAL_REQUEST for realm mosip
Creating role DATA_READ for realm mosip
Creating role DEVICE_PROVIDER for realm mosip
Creating role DOCUMENT_READ for realm mosip
Creating role FTM_PROVIDER for realm mosip
Creating role GLOBAL_ADMIN for realm mosip
Creating role ID_AUTHENTICATION for realm mosip
Creating role ID_REPOSITORY for realm mosip
Creating role INDIVIDUAL for realm mosip
Creating role KEY_MAKER for realm mosip
Creating role MASTERDATA_ADMIN for realm mosip
Creating role METADATA_READ for realm mosip
Creating role MISP for realm mosip
Creating role MISP_PARTNER for realm mosip
Creating role offline_access for realm mosip
Creating role ONLINE_VERIFICATION_PARTNER for realm mosip
Creating role PARTNER for realm mosip
Creating role PARTNER_ADMIN for realm mosip
Creating role PARTNERMANAGER for realm mosip
Creating role PMS_ADMIN for realm mosip
Creating role PMS_USER for realm mosip
Creating role POLICYMANAGER for realm mosip
Creating role PREREG for realm mosip
Creating role PRE_REGISTRATION for realm mosip
Creating role PRE_REGISTRATION_ADMIN for realm mosip
Creating role PRINT_PARTNER for realm mosip
Creating role PUBLISH_ACTIVATE_ID_ALL_INDIVIDUAL for realm mosip
Creating role PUBLISH_ANONYMOUS_PROFILE_GENERAL for realm mosip
Creating role PUBLISH_APIKEY_APPROVED_GENERAL for realm mosip
Creating role PUBLISH_APIKEY_UPDATED_GENERAL for realm mosip
Creating role PUBLISH_AUTHENTICATION_TRANSACTION_STATUS_GENERAL for realm mosip
Creating role PUBLISH_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL for realm mosip
Creating role PUBLISH_AUTH_TYPE_STATUS_UPDATE_ALL_INDIVIDUAL for realm mosip
Creating role PUBLISH_CA_CERTIFICATE_UPLOADED_GENERAL for realm mosip
Creating role PUBLISH_CREDENTIAL_ISSUED_ALL_INDIVIDUAL for realm mosip
Creating role PUBLISH_CREDENTIAL_STATUS_UPDATE_GENERAL for realm mosip
Creating role PUBLISH_DEACTIVATE_ID_ALL_INDIVIDUAL for realm mosip
Creating role PUBLISH_IDA_FRAUD_ANALYTICS_GENERAL for realm mosip
Creating role PUBLISH_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL for realm mosip
Creating role PUBLISH_MASTERDATA_TITLES_GENERAL for realm mosip
Creating role PUBLISH_MISP_LICENSE_GENERATED_GENERAL for realm mosip
Creating role PUBLISH_MISP_LICENSE_UPDATED_GENERAL for realm mosip
Creating role PUBLISH_MOSIP_HOTLIST_GENERAL for realm mosip
Creating role PUBLISH_PARTNER_UPDATED_GENERAL for realm mosip
Creating role PUBLISH_POLICY_UPDATED_GENERAL for realm mosip
Creating role PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL for realm mosip
Creating role PUBLISH_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL for realm mosip
Creating role PUBLISH_REMOVE_ID_ALL_INDIVIDUAL for realm mosip
Creating role PUBLISH_VID_CRED_STATUS_UPDATE_GENERAL for realm mosip
Creating role REGISTRATION_ADMIN for realm mosip
Creating role REGISTRATION_OFFICER for realm mosip
Creating role REGISTRATION_OPERATOR for realm mosip
Creating role REGISTRATION_PROCESSOR for realm mosip
Creating role REGISTRATION_SUPERVISOR for realm mosip
Creating role RESIDENT for realm mosip
Creating role SUBSCRIBE_ACTIVATE_ID_INDIVIDUAL for realm mosip
Creating role SUBSCRIBE_APIKEY_APPROVED_GENERAL for realm mosip
Creating role SUBSCRIBE_APIKEY_UPDATED_GENERAL for realm mosip
Creating role SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_ACK_GENERAL for realm mosip
Creating role SUBSCRIBE_AUTH_TYPE_STATUS_UPDATE_INDIVIDUAL for realm mosip
Creating role SUBSCRIBE_CA_CERTIFICATE_UPLOADED_GENERAL for realm mosip
Creating role SUBSCRIBE_CREDENTIAL_ISSUED_INDIVIDUAL for realm mosip
Creating role SUBSCRIBE_CREDENTIAL_STATUS_UPDATE_GENERAL for realm mosip
Creating role SUBSCRIBE_DEACTIVATE_ID_INDIVIDUAL for realm mosip
Creating role SUBSCRIBE_MASTERDATA_IDAUTHENTICATION_TEMPLATES_GENERAL for realm mosip
Creating role SUBSCRIBE_MASTERDATA_TITLES_GENERAL for realm mosip
Creating role SUBSCRIBE_MISP_LICENSE_GENERATED_GENERAL for realm mosip
Creating role SUBSCRIBE_MISP_LICENSE_UPDATED_GENERAL for realm mosip
Creating role SUBSCRIBE_MOSIP_HOTLIST_GENERAL for realm mosip
Creating role SUBSCRIBE_PARTNER_UPDATED_GENERAL for realm mosip
Creating role SUBSCRIBE_POLICY_UPDATED_GENERAL for realm mosip
Creating role SUBSCRIBE_REMOVE_ID_INDIVIDUAL for realm mosip
Creating role SUBSCRIBE_VID_CRED_STATUS_UPDATE_GENERAL for realm mosip
Creating role uma_authorization for realm mosip
Creating role ZONAL_ADMIN for realm mosip
Creating role ZONAL_APPROVER for realm mosip
Creating role HOTLIST_ADMIN for realm mosip
Creating role SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_COMPLETED_EVENT_GENERAL for realm mosip
Creating role SUBSCRIBE_REGISTRATION_PROCESSOR_WORKFLOW_PAUSED_FOR_ADDITIONAL_INFO_EVENT_GENERAL for realm mosip
Creating role SUBSCRIBE_IDENTITY_CREATED_GENERAL for realm mosip
Creating role SUBSCRIBE_IDENTITY_UPDATED_GENERAL for realm mosip
Creating role PUBLISH_OIDC_CLIENT_CREATED_GENERAL for realm mosip
Creating role PUBLISH_OIDC_CLIENT_UPDATED_GENERAL for realm mosip
Creating role SUBSCRIBE_OIDC_CLIENT_CREATED_GENERAL for realm mosip
Creating role SUBSCRIBE_OIDC_CLIENT_UPDATED_GENERAL for realm mosip
Create client scopes for realm mosip
Creating client scope “add_oidc_client” for realm mosip
Exists, updating “add_oidc_client”
Creating client scope “update_oidc_client” for realm mosip
Exists, updating “update_oidc_client”
Creating client scope “get_certificate” for realm mosip
Exists, updating “get_certificate”
Creating client scope “upload_certificate” for realm mosip
Exists, updating “upload_certificate”
Creating client scope “individual_id” for realm mosip
Exists, updating “individual_id”
Creating client scope “ida_token” for realm mosip
Exists, updating “ida_token”
Creating client scope “send_binding_otp” for realm mosip
Exists, updating “send_binding_otp”
Creating client scope “wallet_binding” for realm mosip
Exists, updating “wallet_binding”

Create clients for realm mosip
Creating client mosip-abis-client
Exists, updating mosip-abis-client
Creating mappers for mosip-abis-client client
Creating client mosip-admin-client
Exists, updating mosip-admin-client
Creating mappers for mosip-admin-client client
Creating client mosip-admin-services-client
Exists, updating mosip-admin-services-client
Creating mappers for mosip-admin-services-client client
Creating client mosip-auth-client
Exists, updating mosip-auth-client
Creating mappers for mosip-auth-client client
Creating client mosip-crereq-client
Exists, updating mosip-crereq-client
Creating mappers for mosip-crereq-client client
Creating client mosip-creser-client
Exists, updating mosip-creser-client
Creating mappers for mosip-creser-client client
Creating client mosip-creser-idpass-client
Exists, updating mosip-creser-idpass-client
Creating mappers for mosip-creser-idpass-client client
Creating client mosip-datsha-client
Exists, updating mosip-datsha-client
Creating mappers for mosip-datsha-client client
Creating client mosip-ida-client
Exists, updating mosip-ida-client
Creating mappers for mosip-ida-client client
Creating client mosip-misp-client
Exists, updating mosip-misp-client
Creating mappers for mosip-misp-client client
Creating client mosip-partner-client
Exists, updating mosip-partner-client
Creating mappers for mosip-partner-client client
Creating Mapper phoneNumber
Mapper phoneNumber Exists already exists; SKIPPING;
Creating Mapper organizationName
Mapper organizationName Exists already exists; SKIPPING;
Creating Mapper partnerType
Mapper partnerType Exists already exists; SKIPPING;
Creating Mapper addressTest
Mapper addressTest Exists already exists; SKIPPING;
Creating client mosip-partnermanager-client
Exists, updating mosip-partnermanager-client
Creating mappers for mosip-partnermanager-client client
Creating client mosip-pms-client
Exists, updating mosip-pms-client
Creating mappers for mosip-pms-client client
Creating Mapper phoneNumber
Mapper phoneNumber Exists already exists; SKIPPING;
Creating Mapper organizationName
Mapper organizationName Exists already exists; SKIPPING;
Creating Mapper partnerType
Mapper partnerType Exists already exists; SKIPPING;
Creating Mapper addressTest
Mapper addressTest Exists already exists; SKIPPING;
Assigning client scopes for mosip-pms-client client
Assigning client scope “update_oidc_client” for mosip-pms-client client
Assigning client scope “add_oidc_client” for mosip-pms-client client
Assigning client scope “get_certificate” for mosip-pms-client client
Assigning client scope “upload_certificate” for mosip-pms-client client
Creating client mosip-policymanager-client
Exists, updating mosip-policymanager-client
Creating mappers for mosip-policymanager-client client
Creating client mosip-reg-client
Exists, updating mosip-reg-client
Creating mappers for mosip-reg-client client
Creating client mosip-regproc-client
Exists, updating mosip-regproc-client
Creating mappers for mosip-regproc-client client
Creating client mpartner-default-mobile
Exists, updating mpartner-default-mobile
Creating mappers for mpartner-default-mobile client
Assigning client scopes for mpartner-default-mobile client
Assigning client scope “send_binding_otp” for mpartner-default-mobile client
Assigning client scope “wallet_binding” for mpartner-default-mobile client
Creating client mosip-resident-client
Exists, updating mosip-resident-client
Creating mappers for mosip-resident-client client
Assigning client scopes for mosip-resident-client client
Assigning client scope “individual_id” for mosip-resident-client client
Assigning client scope “ida_token” for mosip-resident-client client
Creating client mosip-prereg-client
Exists, updating mosip-prereg-client
Creating mappers for mosip-prereg-client client
Creating client mosip-creser-idpass-client
Exists, updating mosip-creser-idpass-client
    Traceback (most recent call last):
      File "/home/mosip/keycloak_init.py", line 148, in create_client
        self.keycloak_admin.create_client(payload, skip_exists=False) # If exists, update. So don't skip
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/keycloak/keycloak_admin.py", line 909, in create_client
        return raise_error_from_response(data_raw, KeycloakGetError, expected_codes=[201], skip_exists=skip_exists)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/keycloak/exceptions.py", line 106, in raise_error_from_response
        raise error(error_message=message,
    keycloak.exceptions.KeycloakGetError: 409: b'{"errorMessage":"Client mosip-creser-idpass-client already exists"}'

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/home/mosip/keycloak_init.py", line 423, in main
        ks.create_client(realm, client['name'], secret, client['saroles'])
      File "/home/mosip/keycloak_init.py", line 153, in create_client
        self.keycloak_admin.update_client(client_id, payload)
      File "/usr/local/lib/python3.11/site-packages/keycloak/keycloak_admin.py", line 923, in update_client
        return raise_error_from_response(data_raw, KeycloakGetError, expected_codes=[204])
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/keycloak/exceptions.py", line 106, in raise_error_from_response
        raise error(error_message=message,
    keycloak.exceptions.KeycloakAuthenticationError: 401: b'{"error":"HTTP 401 Unauthorized"}'
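
An added example, not part of the thread or of MOSIP's keycloak-init code: one way to tell a rejected admin password apart from an admin token that stopped being accepted mid-run, which is one thing a 401 after many successful calls can indicate. It assumes you have the JSON body Keycloak's token endpoint returned for the same admin credentials and the number of seconds the job ran before the 401; the function names and sample responses are constructed for illustration.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode the payload of a JWT without verifying it (enough to read iat/exp)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token_response: dict, seconds_until_401: float) -> tuple:
    """Return (verdict, token_lifespan_seconds_or_None)."""
    if "access_token" not in token_response:
        # The token endpoint itself refused the login: password or user problem.
        return ("credentials-rejected", None)
    claims = jwt_claims(token_response["access_token"])
    lifespan = claims["exp"] - claims["iat"]
    if seconds_until_401 >= lifespan:
        # The job outlived its token and did not refresh it.
        return ("token-expired-during-run", lifespan)
    # Token was still inside its lifetime: look at session revocation,
    # clock skew between pod and Keycloak, or a Keycloak restart instead.
    return ("token-still-valid-at-failure", lifespan)


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sample_token_response(iat: int, lifespan: int) -> dict:
    """Constructed, unsigned stand-in for a token endpoint response."""
    body = {"iat": iat, "exp": iat + lifespan, "azp": "admin-cli"}
    token = ".".join([_b64url({"alg": "none"}), _b64url(body), "sig"])
    return {"access_token": token, "expires_in": lifespan}


# Constructed error body in the shape of a failed password grant.
SAMPLE_BAD_LOGIN = {"error": "invalid_grant",
                    "error_description": "Invalid user credentials"}

if __name__ == "__main__":
    print(diagnose(sample_token_response(1700000000, 60), 75))
    print(diagnose(sample_token_response(1700000000, 300), 75))
    print(diagnose(SAMPLE_BAD_LOGIN, 75))
```
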

@yahlife_nation

Kindly rerun the keycloak-init using a new, clean keycloak instance. If the issue persists, we should schedule a call to investigate and address the issue.

Please share the keycloak-init Docker image and the keycloak-init configuration map named keycloak-init-configuration, which includes the input.yaml file list.

Hi @yahlife_nation

Did you try re-running keycloak-init using a new, clean Keycloak instance?

If the issue is still there after trying, @syed.salman can connect with you over a call and help you debug and get a resolution faster.

Best Regards,
Team MOSIP

@sanchi-singh24
I cannot re-run keycloak-init until I can get the cluster up again. Before, when I used the latest rke version v1.4.10, the cluster was up, but now with the version you provided me (v1.3.10) the cluster is not up.

It is being tracked here: MOSIP v3 On-Prem set up issues - #7 by yahlife_nation

Yes I’m open to jumping on a call with @syed.salman to help me out on this.

Hi @yahlife_nation

Let’s schedule a call tomorrow for this based on the availability of @syed.salman to expedite the process.

Best Regards,
Team MOSIP

Hi @yahlife_nation

Can we connect over a call at 3:30 P.M. today? @syed.salman would be available during that time.

If it's possible from your end, please share an invite on this thread and we will join.

Best Regards,
Team MOSIP

@yahlife_nation

Added my comments on MOSIP v3 On-Prem set up issues - #7 by yahlife_nation