Do not return groups associated with organizations from the Admin Gro… #29046
4303ea5 to 78b469a
Thank you @martin-kanis for this PR.
I've noticed there is no description on the issue that would provide more clarity on what the scope of this task should be. When I read #28133's description, there are the following points related to groups:
- These groups should not be manageable by the Group API
- Make sure the group name used and its format are reserved and can not be set to regular groups
- Any attribute set to groups by the organization provider should be read only for both users and administrators
Does this PR aim to solve the first point, or will there be follow-ups?
@pedroigor Could you please confirm what operations on groups associated with organizations in the group API should be prevented?
@vramik @martin-kanis The goal is to block managing the group associated with an organization. The way we are doing this here seems to be too much, and we don't want such drastic changes to groups now. As discussed, let's move forward by blocking access to those groups via REST so that we have fewer changes to groups (and potentially making it worse) while still blocking them from being managed by the Groups API. We have an entire epic to deal with reviewing groups and their API anyways.
ed6a1ea to 7e6cd94
Unreported flaky test detected
If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.
org.keycloak.testsuite.x509.X509BrowserCRLTest#loginFailedWithIntermediateRevocationListFromHttp
Keycloak CI - FIPS IT (non-strict)
Unreported flaky test detected, please review
5045645 to d3d2905
d3d2905 to c0728c7
services/src/main/java/org/keycloak/services/resources/admin/GroupResource.java
services/src/main/java/org/keycloak/services/resources/admin/RoleMapperResource.java
services/src/main/java/org/keycloak/services/resources/admin/ClientRoleMappingsResource.java
Unreported flaky test detected, please review
Unreported flaky test detected
If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.
org.keycloak.testsuite.adapter.servlet.BrokerLinkAndTokenExchangeTest#testExternalExchangeCreateNewUserUsingMappers
org.keycloak.testsuite.adapter.servlet.BrokerLinkAndTokenExchangeTest#testExternalExchange
org.keycloak.testsuite.adapter.servlet.BrokerLinkAndTokenExchangeTest#testAccountLinkNoTokenStore
org.keycloak.testsuite.client.ClientTypesTest#testUpdateClientWithClientType
org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testExchangeWithDynamicScopesEnabled
org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testClientExchange
org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testIntrospectTokenAfterImpersonation
org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testPublicClientNotAllowed
org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testExchangeUsingServiceAccount
org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testImpersonation
org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testImpersonationUsingPublicClient
c0728c7 to ad9f4a3
ad9f4a3 to 05cfed8
b6b4acc to 32b355d
… APIs Closes keycloak#28734 Signed-off-by: Martin Kanis <mkanis@redhat.com>
32b355d to f96927a
…up API
Closes #28734