The form action RegistrationProfile has been removed in Keycloak 23.
Relevant information from the upgrading guide [1]:
> The validation of user attributes as well as creation of the user
> including all that user’s attributes is handled by
> RegistrationUserCreation form action and hence RegistrationProfile
> is not needed anymore.
[1] https://www.keycloak.org/docs/23.0.0/upgrading/#removed-registrationprofile-form-action
Co-authored-by: Kristian Klausen <kristian@klausen.dk>
In commit d31f8404c2 we changed the
terraform provider for uptimerobot. Reflect this change in the terraform
lock file and provider version declaration.
Previously we had declared explicit resources for the roles under the
root. This led to the desired groups getting created twice, once via
toSet of the package maintainer team and once per resource under the
root.
Furthermore, remove the package maintainer roles; currently we do not
need any roles to define permissions. We can simply use the groups to
easily assign users to. Those group assignments can be queried, for
example, by gluebuddy to act upon, or queried by a SAML client.
Fixes 941563f2f3
The buildbot POC wants to use Keycloak for user authentication. The
client is public, because it doesn't make sense to have a client secret
which can't be kept under wraps anyway (it would need to be shipped with
the CLI[1]).
[1] https://gitlab.archlinux.org/foxboron/buildctl
When signing into GitLab, opting to create a new Keycloak account
results in being able to sign into GitLab without setting up OTP.
Since any subsequent login will require configuring OTP, it seems
well advised to prompt for it as part of the registration process.
OpenID clients:
- 'use_refresh_tokens' set to false to preserve the values on live
- 'backchannel_logout_session_required' implicitly changed to true
for the 'grafana_openid_client' and 'openid_gitlab' clients
SAML client (GitLab):
- 'front_channel_logout' set to false to preserve the live setting
The gluebuddy client is required for gluebuddy to retrieve users and
group memberships without being able to change other Keycloak data. The
realm-management roles cannot be assigned yet via Keycloak as it does
not know about the roles and the realm-management client.
Now that misc/get_key.py checks if the vault file passed to it exists,
we cannot pass paths only resolvable from the root directory. Instead,
use paths that make sense relative to the current directory and avoid
calling chdir when loading the vault file.
Fixes: 7754214604 ("Rewrite get_key.py to use click instead of typer")
Add our uptimerobot to terraform so it's managed in code and we can
easily extend it. This currently only adds our to-be-monitored sites and
leaves the status page as is for now.
Deleting resources on uptimerobot will cause terraform to be unable to run;
see: https://github.com/louy/terraform-provider-uptimerobot/issues/82
References: #209
As our Grafana now contains Loki logs, we don't want non-devops to view
logs which potentially contain sensitive data. As Grafana does not have
a system to easily restrict data sources to roles, we use Keycloak.
This adds a collaborative markdown editor as a newly offered service which
is available via login for all Arch Linux Staff, with an option to allow
anonymous edits by users (not the default). Users are managed via Keycloak
and require the Staff role to be allowed in; non-staff Keycloak users
currently will receive an internal server error due to an upstream
issue.