
feat(pam): add KCM database import command with auto-detect and group filtering #1904

Closed

jlima8900 wants to merge 1 commit into Keeper-Security:release from jlima8900:feat/pam-kcm-import-pr1889


@jlima8900 jlima8900 commented Mar 28, 2026

Summary

Adds pam project kcm-import — a new command that imports connections directly from a KCM/Guacamole database into Keeper PAM, and pam project kcm-cleanup to reverse imports.

Key features

  • Docker auto-detect: discovers KCM DB container, detects MySQL/PostgreSQL, resolves container IP, extracts credentials
  • Group filtering: --groups, --exclude-groups, --list-groups with wildcard support
  • Interactive pickers: gateway selection, group selection, vault password search
  • Adaptive throttling: probes server RTT, adjusts batch size/delay to avoid HTTP 403
  • 2-phase batched import: external users first, then resources with nested users
  • Gateway token capture: includes in report and vault record custom fields
  • Per-record tracking: pass/fail/skip breakdown by record type
  • Import report: vault record with copyable fields + MD file attachment
  • 150+ KCM parameter mappings: SSH, RDP, VNC, Telnet, HTTP, MySQL, PostgreSQL, Oracle, SQL Server, LDAP, K8s
  • Cleanup command: pam project kcm-cleanup

Usage

```bash
# Auto-detect everything from Docker (simplest)
pam project kcm-import --docker-detect --name "My KCM Migration"

# Preview without vault changes
pam project kcm-import --docker-detect --dry-run

# List available connection groups
pam project kcm-import --docker-detect --list-groups

# Import only specific groups (wildcard support)
pam project kcm-import --docker-detect --groups "Production*,Staging*" --name "Prod"

# Exclude groups from import
pam project kcm-import --docker-detect --exclude-groups "Test*,Incomplete*"

# Manual database connection with vault-stored password
pam project kcm-import --db-host 10.0.0.5 --db-type postgresql --db-password-record "KCM DB Creds" --db-ssl --name "Production KCM"

# Extend an existing PAM config with new groups
pam project kcm-import --docker-detect --config "Existing Config" --groups "NewDept*"

# Save JSON for review before importing
pam project kcm-import --docker-detect --output ~/kcm-review.json

# Non-interactive batch mode
pam project kcm-import --docker-detect --name "Auto Import" --gateway "My GW" --yes

# Size estimate without importing
pam project kcm-import --docker-detect --estimate

# Clean up an import (reverse everything)
pam project kcm-cleanup --name "KCM Migration" --dry-run
pam project kcm-cleanup --name "KCM Migration" --yes
```

Security: DB passwords are never accepted as CLI arguments. Use `--db-password-record` (vault record) or respond to the interactive prompt. Dry-run output redacts all credentials.

Gateway

  • If no existing gateway is specified with `--gateway`, the command creates a new one
  • `--max-instances N` sets the gateway pool size (0 = skip pool creation)
  • In interactive mode, an online gateway picker is shown
  • The deploy command (`docker run`) is included in the report record for easy copy/paste

Import Report

After a successful import, a vault record is created at the project's top-level folder containing:

  • Copyable custom fields: `Deploy Gateway (copy & paste)` with the full docker command, Gateway Token, Config UID, Gateway UID, KSM App UID, folder names
  • KCM-Import-Report.md file attachment with the full report
  • Per-record pass/fail/skip breakdown by type (including nested users)
  • Failed/skipped records with reasons
  • Throttle statistics
  • Redacted CLI command for reproducibility

Files changed

| File | Change |
| --- | --- |
| `kcm_import.py` | New — 4340 lines |
| `kcm_mappings.json` | New — parameter mappings |
| `commands.py` | Register kcm-import + kcm-cleanup |
| `base.py` / `edit.py` | Minor pamUser validation |
| `README.md` | Updated with new flags/examples |
| `KCM_IMPORT.md` | New — quick-start guide |
| `test_kcm_import.py` | New — 206 tests, 3779 lines |

Test plan

  • 206 unit tests passing
  • E2E live import: 129 records, 0 throttles, report saved
  • E2E cleanup: records + folders + gateway + app deleted
  • Security audit: 0 critical/high
  • Code quality audit: clean
  • Docker auto-detect tested against live KCM PostgreSQL
  • Group filtering tested (216→65 resources)
  • Batch mode tested (`--yes`)
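The PR description says `--docker-detect` discovers the KCM database container, tells MySQL from PostgreSQL, resolves the container IP and extracts credentials. The following is an added example in Python of how such a step can be built on `docker inspect` output; it is not the PR's code. The container name, image, environment and address are a constructed sample, and the engine detection from the image reference plus the `POSTGRES_*` / `MYSQL_*` / `MARIADB_*` variable names (those honoured by the official images) are the assumptions it makes.

```python
"""Detect a KCM/Guacamole database container from `docker inspect` output.

Added example, not code from the Keeper Commander PR. Everything below is a
constructed sample of the JSON that `docker inspect <container>` prints.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of `docker inspect kcm-db`, trimmed to the keys used here.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/kcm-db",
    "Config": {
        "Image": "postgres:15-alpine",
        "Env": [
            "PATH=/usr/local/bin:/usr/bin",
            "POSTGRES_USER=guacamole",
            "POSTGRES_PASSWORD=example-only-not-real",
            "POSTGRES_DB=guacamole_db",
        ],
    },
    "NetworkSettings": {"Networks": {"kcm_default": {"IPAddress": "172.18.0.2"}}},
}])


@dataclass
class DbTarget:
    db_type: str
    host: str
    port: int
    database: str
    user: str
    password: str


# Engine is inferred from the image reference; the default port follows from it.
ENGINE_BY_IMAGE: List[Tuple[re.Pattern, str, int]] = [
    (re.compile(r"(^|/)postgres(ql)?(:|@|$)"), "postgresql", 5432),
    (re.compile(r"(^|/)(mysql|mariadb)(:|@|$)"), "mysql", 3306),
]

# Variables the official postgres / mysql / mariadb images honour (assumption:
# the KCM DB was started with one of those images). Order prefers an app user
# over root.
ENV_KEYS = {
    "postgresql": {"user": ["POSTGRES_USER"], "password": ["POSTGRES_PASSWORD"],
                   "database": ["POSTGRES_DB"]},
    "mysql": {"user": ["MYSQL_USER", "MARIADB_USER"],
              "password": ["MYSQL_PASSWORD", "MARIADB_PASSWORD",
                           "MYSQL_ROOT_PASSWORD", "MARIADB_ROOT_PASSWORD"],
              "database": ["MYSQL_DATABASE", "MARIADB_DATABASE"]},
}


def detect_engine(image: str) -> Optional[Tuple[str, int]]:
    """Map an image reference such as 'postgres:15-alpine' to (engine, port)."""
    for pattern, engine, port in ENGINE_BY_IMAGE:
        if pattern.search(image):
            return engine, port
    return None


def parse_env(env_list: List[str]) -> Dict[str, str]:
    """Turn docker's ['KEY=value', ...] list into a dict; the first '=' splits."""
    env: Dict[str, str] = {}
    for item in env_list:
        key, sep, value = item.partition("=")
        if sep:
            env[key] = value
    return env


def first_present(env: Dict[str, str], keys: List[str], default: str = "") -> str:
    return next((env[k] for k in keys if k in env), default)


def detect_db_target(inspect_json: str) -> Optional[DbTarget]:
    """Return the first container that looks like a supported database, or None."""
    for container in json.loads(inspect_json):
        config = container.get("Config", {})
        engine = detect_engine(config.get("Image", ""))
        if engine is None:
            continue
        db_type, port = engine
        env = parse_env(config.get("Env", []))
        networks = container.get("NetworkSettings", {}).get("Networks", {})
        host = next((n.get("IPAddress") for n in networks.values() if n.get("IPAddress")), None)
        if not host:
            continue  # stopped, or host networking: no bridge IP to connect to
        keys = ENV_KEYS[db_type]
        user = first_present(env, keys["user"], "postgres" if db_type == "postgresql" else "root")
        # postgres images name the default database after the user when POSTGRES_DB is unset
        database = first_present(env, keys["database"], user if db_type == "postgresql" else "")
        return DbTarget(db_type, host, port, database, user, first_present(env, keys["password"]))
    return None


def describe(target: DbTarget) -> str:
    """Dry-run / log rendering of a target with the secret masked."""
    return f"{target.db_type}://{target.user}:***@{target.host}:{target.port}/{target.database}"
```

Two practical points follow from this. Anyone who can reach the Docker socket can read the same `Env` block, so a password recovered this way should be treated as already exposed to every local Docker user; handing it onward through a vault record, as `--db-password-record` does, rather than a command-line flag keeps it out of `ps` output and shell history. And `describe()` is the shape a dry-run or report line should take: the connection target is useful for debugging, the password never is.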

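The description combines `--groups` / `--exclude-groups` / `--list-groups` wildcard filtering with a dry-run that redacts every credential. The block below is an added example in Python of both behaviours together, not code from the PR. The connection records are a constructed sample shaped like Guacamole's connection table plus its per-connection parameters; the matching rule (a pattern matches either the full group path or the leaf group name, shell-style) and the list of parameter names treated as secrets are assumptions, since the page does not spell them out.

```python
"""Wildcard group filtering and credential redaction for a dry-run preview.

Added example, not code from the Keeper Commander PR. Records, hosts and
secrets below are constructed.
"""
import copy
import fnmatch
import json
from typing import Dict, Iterable, List, Optional

# Constructed sample: Guacamole-style connections with their parameter maps.
SAMPLE_CONNECTIONS: List[Dict] = [
    {"name": "web-01", "group": "Production/Web", "protocol": "ssh",
     "parameters": {"hostname": "10.0.1.10", "port": "22", "username": "deploy",
                    "private-key": "-----BEGIN OPENSSH PRIVATE KEY-----\nsample\n-----END OPENSSH PRIVATE KEY-----",
                    "passphrase": "sample-passphrase"}},
    {"name": "db-01", "group": "Production/Databases", "protocol": "postgresql",
     "parameters": {"hostname": "10.0.2.10", "username": "app", "password": "sample-pw",
                    "database": "app"}},
    {"name": "jump", "group": "Staging", "protocol": "rdp",
     "parameters": {"hostname": "10.0.9.5", "username": "admin", "password": "sample-pw2",
                    "domain": "CORP"}},
    {"name": "scratch", "group": "Test/Incomplete", "protocol": "vnc",
     "parameters": {"hostname": "10.0.9.50"}},
]

# Guacamole parameter names that carry secrets (assumption: this list is what
# a dry-run must mask; extend it if your deployment uses other secret fields).
SENSITIVE_PARAMETERS = {"password", "private-key", "passphrase", "gateway-password"}


def parse_patterns(spec: Optional[str]) -> List[str]:
    """Split a comma-separated --groups / --exclude-groups value into patterns."""
    if not spec:
        return []
    return [p.strip() for p in spec.split(",") if p.strip()]


def group_matches(group_path: str, patterns: Iterable[str]) -> bool:
    """Shell-style match against the full path ('Production/Web') or the leaf ('Web')."""
    leaf = group_path.rsplit("/", 1)[-1]
    return any(fnmatch.fnmatchcase(group_path, p) or fnmatch.fnmatchcase(leaf, p)
               for p in patterns)


def filter_connections(connections: List[Dict], include: Optional[str] = None,
                       exclude: Optional[str] = None) -> List[Dict]:
    """Keep connections whose group matches an include pattern (if any were
    given) and matches no exclude pattern. Order of the input is preserved."""
    inc, exc = parse_patterns(include), parse_patterns(exclude)
    selected = []
    for conn in connections:
        group = conn.get("group", "")
        if inc and not group_matches(group, inc):
            continue
        if exc and group_matches(group, exc):
            continue
        selected.append(conn)
    return selected


def list_groups(connections: List[Dict]) -> List[str]:
    """What --list-groups would print: distinct group paths, sorted."""
    return sorted({c.get("group", "") for c in connections})


def redact_connection(conn: Dict) -> Dict:
    """Deep-copy a connection with every secret parameter replaced; the input is untouched."""
    out = copy.deepcopy(conn)
    for key in list(out.get("parameters", {})):
        if key in SENSITIVE_PARAMETERS:
            out["parameters"][key] = "<redacted>"
    return out


def dry_run_preview(connections: List[Dict], include: Optional[str] = None,
                    exclude: Optional[str] = None) -> str:
    """JSON a --dry-run / --output step can safely write to disk or a terminal."""
    selected = [redact_connection(c) for c in filter_connections(connections, include, exclude)]
    return json.dumps({"count": len(selected), "connections": selected}, indent=2)
```

Redacting on a deep copy matters because the same in-memory records are what a real (non-dry) run would later push into the vault; masking them in place would silently import `<redacted>` as the password. Note also that `*` in `fnmatch` crosses `/`, which is what makes `Production*` select `Production/Web` and `Production/Databases` without a separate recursive rule.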
@jlima8900 jlima8900 changed the base branch from master to release March 30, 2026 13:33
@jlima8900 jlima8900 force-pushed the feat/pam-kcm-import-pr1889 branch from 06f3429 to 690ae26 on March 30, 2026 13:39

jlima8900 commented Mar 31, 2026

Note: Credential history resolved

The branch has been squashed to a single commit (2b894b05). The previously flagged hardcoded test database password (_LIVE_DB_PASS) no longer exists in git history.

The test file now uses os.environ.get('KCM_TEST_DB_PASS', '') — no credentials in code.

@jlima8900 jlima8900 force-pushed the feat/pam-kcm-import-pr1889 branch from 80fc0ba to 2b894b0 on March 31, 2026 14:24

@aaunario — ready for review. Squashed to single commit, 79 unit tests + 27 E2E tests passing, no hardcoded credentials.

@jlima8900 jlima8900 force-pushed the feat/pam-kcm-import-pr1889 branch from 09b2c10 to 96aa3e5 on April 2, 2026 23:32
@jlima8900 jlima8900 force-pushed the feat/pam-kcm-import-pr1889 branch 15 times, most recently from e967de6 to 8104e81 on April 6, 2026 10:49
@jlima8900 jlima8900 changed the title from "feat(pam): add KCM database connector for pam project import" to "feat(pam): add KCM database import command with auto-detect and group filtering" on Apr 6, 2026
@jlima8900 jlima8900 force-pushed the feat/pam-kcm-import-pr1889 branch from 8104e81 to e98ea91 on April 6, 2026 10:59
… filtering

Adds pam project kcm-import and pam project kcm-cleanup commands.
Imports connections directly from a KCM/Guacamole database into Keeper PAM
with Docker auto-detect, group filtering, adaptive throttling, and 150+
parameter mappings across SSH, RDP, VNC, Telnet, HTTP, MySQL, PostgreSQL,
Oracle, SQL Server, LDAP, and Kubernetes protocols.
@jlima8900 jlima8900 force-pushed the feat/pam-kcm-import-pr1889 branch from 0841913 to af25290 on April 8, 2026 14:16

Closing in favor of a clean PR — same branch, squashed to single commit.
