[PR #8785/ac302eb7 backport][stable-9] keycloak_user_federation: set krbPrincipalAttribute to '' if unset in kc responses #8892
This is a backport of PR #8785 as merged into main (ac302eb).
SUMMARY

Issue:
The keycloak_user_federation module always detects a change in check mode if the parameter krbPrincipalAttribute is set to ''. The empty string is a valid value:
community.general/plugins/modules/keycloak_user_federation.py
Line 354 in 96d5e6e

Keycloak completely removes the parameter krbPrincipalAttribute if it is set to ''. So subsequent check runs always detect a change. In a normal run the module would always make an update (it's the same change check), but compare the before and after responses afterwards, in both of which the parameter is not present. In the check diff this is already fixed by setting '' in the sanitize function if the parameter is not present (see 8320).

Proposed solution:
Normalize the keycloak responses (before and after) by setting krbPrincipalAttribute = '' if the parameter is not present in the response.

ISSUE TYPE

COMPONENT NAME
keycloak_user_federation

ADDITIONAL INFORMATION
krbPrincipalAttribute = '' for the module
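
The false change and the proposed normalization, as an added example that is not part of the pull request or the module's own code. The function names, the flat config dictionary, and the `fake_keycloak_store` stand-in for the server are assumptions made for illustration.

```python
import copy

# Assumption: keys whose empty-string value the server drops from responses.
# The page names only krbPrincipalAttribute.
DROPPED_WHEN_EMPTY = ("krbPrincipalAttribute",)


def fake_keycloak_store(component):
    """Constructed stand-in for the server: stores the component but omits
    the keys listed above when their value is ''."""
    stored = copy.deepcopy(component)
    for key in DROPPED_WHEN_EMPTY:
        if stored.get("config", {}).get(key) == "":
            del stored["config"][key]
    return stored


def normalize_response(response):
    """Return a copy of a server response with the dropped keys restored as ''."""
    normalized = copy.deepcopy(response)
    config = normalized.setdefault("config", {})
    for key in DROPPED_WHEN_EMPTY:
        config.setdefault(key, "")  # never overwrites a value the server sent
    return normalized


def changed_keys(desired, existing):
    """Config keys whose desired value differs from, or is missing in, existing."""
    have = existing.get("config", {})
    return sorted(k for k, v in desired.get("config", {}).items()
                  if k not in have or have[k] != v)


# Constructed sample: desired state as a playbook would pass it.
DESIRED = {
    "name": "ldap-example",
    "config": {"vendor": "other", "krbPrincipalAttribute": ""},
}


def demo():
    before = fake_keycloak_store(DESIRED)      # server state after a first apply
    raw = changed_keys(DESIRED, before)        # compared against the raw response
    fixed = changed_keys(DESIRED, normalize_response(before))
    return raw, fixed


if __name__ == "__main__":
    raw, fixed = demo()
    print("raw response diff:       ", raw)
    print("normalized response diff:", fixed)
```
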