This repository has been archived by the owner on Nov 16, 2022. It is now read-only.

Setting "enabled: false" for an existing user does not actually disable the user #441

Closed
chrisbsmith opened this issue Jan 5, 2022 · 3 comments

@chrisbsmith

Describe the bug

I am editing an existing KeycloakUser in an attempt to disable the user's access. However, if the user is currently "enabled", setting enabled: false or removing the enabled: true fails to actually disable the user in Keycloak.

Version

16.1.0

Expected behavior

Keycloak should disable the user

Actual behavior

Once a user is "enabled", it can never be "disabled".

How to Reproduce?

Create a new "disabled" user:

cat <<EOF | kubectl -n keycloak apply -f -
apiVersion: keycloak.org/v1alpha1
kind: KeycloakUser
metadata:
  name: disabled-user
spec:
  user:
    username: "disabled-user"
    firstName: "Disabled"
    lastName: "Test"
    email: "disabled@example.com"
    enabled: False
    emailVerified: False
    credentials:
      - type: "password"
        value: "12345"
    realmRoles:
      - "offline_access"
    clientRoles:
      account:
        - "manage-account"
      realm-management:
        - "manage-users"
  realmSelector:
    matchLabels:
      app: example-keycloak
EOF

Open Keycloak and verify that the user is disabled

Update the user to enable it.

kubectl patch -n keycloak --type=merge keycloakuser disabled-user -p '{"spec":{"user":{"enabled":true}}}'
keycloakuser.keycloak.org/disabled-user patched

Open Keycloak and verify the user is enabled

Attempt to disable the user

kubectl patch -n keycloak --type=merge keycloakuser disabled-user -p '{"spec":{"user":{"enabled":false}}}'
keycloakuser.keycloak.org/disabled-user patched

Keycloak controller logs show it successfully reconciling the user after each patch

{"level":"info","ts":1641405498.2681048,"logger":"controller_keycloakuser","msg":"Reconciling KeycloakUser","Request.Namespace":"keycloak","Request.Name":"disabled-user"}
{"level":"info","ts":1641405498.2682028,"logger":"controller_keycloakuser","msg":"found 1 matching realm(s) for user keycloak/disabled-user"}
{"level":"info","ts":1641405498.4976873,"logger":"action_runner","msg":"(    1)    SUCCESS update user disabled-user"}

Anything else?

I followed these instructions and installed the Keycloak operator into a minikube cluster using the command line instructions.
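
A check for the failure mode reported above, added here as an example and not part of the issue or the operator's code: because the controller logs SUCCESS even when the flag is not applied, it compares the KeycloakUser spec against the user record Keycloak itself returns. The function names, the sample JSON, and treating an absent boolean as false are assumptions.

```python
import json

# Constructed sample, trimmed from: kubectl -n keycloak get keycloakuser disabled-user -o json
SAMPLE_CR = json.loads("""
{"kind": "KeycloakUser", "metadata": {"name": "disabled-user"},
 "spec": {"user": {"username": "disabled-user", "enabled": false, "emailVerified": false}}}
""")

# Constructed sample of the Admin REST API reply to
# GET <keycloak-base>/admin/realms/<realm>/users?username=disabled-user
SAMPLE_KC_USERS = json.loads("""
[{"id": "00000000-0000-0000-0000-000000000000", "username": "disabled-user",
  "enabled": true, "emailVerified": false},
 {"id": "00000000-0000-0000-0000-000000000001", "username": "disabled-user-2",
  "enabled": true, "emailVerified": true}]
""")

BOOL_FIELDS = ("enabled", "emailVerified")


def desired_state(cr):
    """Return (username, {field: bool}) from a KeycloakUser custom resource."""
    user = cr["spec"]["user"]
    # Assumption: a boolean missing from the spec means false, which is what
    # the reporter expected when removing "enabled: true".
    return user["username"], {f: bool(user.get(f, False)) for f in BOOL_FIELDS}


def find_drift(cr, kc_users):
    """List (username, field, desired, actual) where Keycloak differs from the spec."""
    username, want = desired_state(cr)
    # The username query can return partial matches, so keep the exact name only.
    exact = [u for u in kc_users if u.get("username", "").lower() == username.lower()]
    if not exact:
        return [(username, "exists", True, False)]
    return [(username, field, wanted, bool(user.get(field, False)))
            for user in exact
            for field, wanted in want.items()
            if bool(user.get(field, False)) != wanted]


if __name__ == "__main__":
    for name, field, wanted, actual in find_drift(SAMPLE_CR, SAMPLE_KC_USERS):
        print(f"DRIFT {name}: {field} desired={wanted} actual={actual}")
```

Run after every change that is meant to revoke access, a non-empty result means the account is still usable in Keycloak despite the patched resource.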

@andreaTP
Contributor

Thanks @chrisbsmith for taking the time to submit a complete reproducer,
this issue might be related: #412

Looks like this is an actual bug in the operator, we would appreciate the contribution of a fix or try to find the time to address the issue.

@andreaTP andreaTP self-assigned this Jan 13, 2022
@christianviana

Hi!

Just to let you people know this is something happening also elsewhere: I'm facing this same problem here.

Christian

@stianst
Contributor

stianst commented Nov 16, 2022

Thanks (again) for reporting this issue. Keycloak 19 was the last version that included this legacy Operator, and with the release of Keycloak 20 the Operator reached EOL and this repository will be archived, please see our blog post on this topic. If this issue is still valid for the Realm Operator, please re-open it there. Thanks for your understanding. And be sure to check out our new Operator!

@stianst stianst closed this as completed Nov 16, 2022