hrms-bangkok/hrms-api-org
7
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions
hrms-api-org/scripts/KEYCLOAK_SYNC_README.md

149 lines
3.6 KiB
Markdown
Raw Blame History

# Keycloak Sync Scripts
This directory contains standalone scripts for managing Keycloak users from the CLI. These scripts are useful for maintenance, setup, and troubleshooting Keycloak synchronization.
## Prerequisites
- Node.js and TypeScript installed
- Database connection configured in `.env`
- Keycloak connection configured in `.env`
- Run with `ts-node` or compile first
## Environment Variables
Ensure these are set in your `.env` file:
```bash
# Database
DB_HOST=localhost
DB_PORT=3306
DB_NAME=your_database
DB_USER=your_user
DB_PASSWORD=your_password
# Keycloak
KC_URL=https://your-keycloak-url
KC_REALMS=your-realm
KC_SERVICE_ACCOUNT_CLIENT_ID=your-client-id
KC_SERVICE_ACCOUNT_SECRET=your-client-secret
```
## Scripts
### 1. clear-orphaned-users.ts
Deletes Keycloak users that don't exist in the database (Profile + ProfileEmployee tables). Useful for cleaning up invalid users.
**Protected usernames** (never deleted): `super_admin`, `admin_issue`
```bash
# Dry run (preview changes)
ts-node scripts/clear-orphaned-users.ts --dry-run
# Live execution
ts-node scripts/clear-orphaned-users.ts
```
**Output:**
- Total users in Keycloak
- Total users in Database
- Orphaned users found
- Deleted/Skipped/Failed counts
### 2. ensure-users.ts
Checks and creates Keycloak users for all profiles. Includes role assignment (USER role) automatically.
```bash
# Dry run (preview changes)
ts-node scripts/ensure-users.ts --dry-run
# Live execution
ts-node scripts/ensure-users.ts
# Test with limited profiles (for testing)
ts-node scripts/ensure-users.ts --dry-run --limit=10
```
**Output:**
- Total profiles processed
- Created users (new Keycloak accounts)
- Verified users (already exists)
- Skipped profiles (no citizenId)
- Failed count
### 3. sync-all.ts
Syncs all attributes to Keycloak for users with existing Keycloak IDs.
**Attributes synced:**
- `profileId`
- `orgRootDnaId`
- `orgChild1DnaId`
- `orgChild2DnaId`
- `orgChild3DnaId`
- `orgChild4DnaId`
- `empType`
- `prefix`
```bash
# Dry run (preview changes)
ts-node scripts/sync-all.ts --dry-run
# Live execution
ts-node scripts/sync-all.ts
# Test with limited profiles
ts-node scripts/sync-all.ts --dry-run --limit=10
# Adjust concurrency (default: 5)
ts-node scripts/sync-all.ts --concurrency=10
```
**Output:**
- Total profiles with Keycloak IDs
- Success/Failed counts
- Error details for failures
## Recommended Execution Order
For initial setup or full resynchronization:
1. **clear-orphaned-users** - Clean up invalid users first
```bash
npx ts-node scripts/clear-orphaned-users.ts
```
2. **ensure-users** - Create missing users and assign roles
```bash
npx ts-node scripts/ensure-users.ts
```
3. **sync-all** - Sync all attributes to Keycloak
```bash
npx ts-node scripts/sync-all.ts
```
## Tips
- Always run with `--dry-run` first to preview changes
- Use `--limit=N` for testing before running on full dataset
- Scripts process both Profile (ข้าราชการ) and ProfileEmployee (ลูกจ้าง) tables
- Only active profiles (`isLeave: false`) are processed by ensure-users
- The `USER` role is automatically assigned to new/verified users
## Troubleshooting
**Database connection error:**
- Check `.env` database variables
- Ensure database server is running
**Keycloak connection error:**
- Check `KC_URL`, `KC_REALMS` in `.env`
- Verify service account credentials
- Check network connectivity to Keycloak
**USER role not found:**
- Log in to Keycloak admin console
- Create a `USER` role in your realm
- Ensure service account has `manage-users` and `view-users` permissions
Reference in a new issue View git blame Copy permalink