reproducer no group defined in OIDC user #98

Closed
Dzuming wants to merge 2 commits into master from reproducer/RORDEV-2009

Dzuming (Collaborator) commented Apr 23, 2026

  1. Provide ent activation key
  2. Run /bin/bash -e ./ror-demo-cluster/run.sh
  3. Log in via Keycloak OIDC and extUser1:extUser1 (extUser2:extUser2 with groups works as expected)
  4. There is a metadata request rejected in logs

Summary by CodeRabbit

  • Chores
    • Updated Elasticsearch and Kibana to 9.3.3 and bumped ReadonlyREST plugin versions.
    • Switched plugin retrieval to API-based fetching and activated non-interactive config values.
    • Increased ReadonlyREST Kibana logging verbosity to trace.
    • Modified an authentication user’s group membership configuration.

coderabbitai Bot (Contributor) commented Apr 23, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
📥 Commits

Reviewing files that changed from the base of the PR and between b5a3c5a and 3633f1b.

📒 Files selected for processing (1)
  • ror-demo-cluster/.env-showcase
🚧 Files skipped from review as they are similar to previous changes (1)
  • ror-demo-cluster/.env-showcase

📝 Walkthrough

Update .env to use Elasticsearch/Kibana 9.3.3, switch plugin retrieval to API-based Dockerfiles, bump ReadonlyREST plugin versions to 1.69.1 (set ROR_ES_VERSION=1.69.1), enable non-interactive env values, increase Kibana ROR log level to trace, and remove a Keycloak user's group memberships.

Changes

| Cohort / File(s) | Summary |
|---|---|
| ES/Kibana environment: ror-demo-cluster/.env-showcase | Set ES/KBN versions to 9.3.3; switch plugin install method to Dockerfile-use-ror-binaries-from-api for ES and KBN; activate previously commented non-interactive env values; bump ROR plugin vars to ROR_KBN_VERSION=1.69.1 and add/set ROR_ES_VERSION=1.69.1. |
| Kibana config: ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml | Change readonlyrest_kbn.logLevel from info to trace. |
| Keycloak realm: ror-demo-cluster/conf/keycloak/ror-realm.json | Remove extUser1 from groups extEndUsers and extBusinessUsers (groups list now empty); realm roles unchanged. |

Sequence Diagram(s)

(Skipped — changes are configuration updates and small control-flow tweaks that do not introduce a new multi-component interaction flow warranting a sequence diagram.)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

Suggested reviewers

  • coutoPL

Poem

🐰
A hop from eight up to nine,
Binaries fetched by API line,
Traces whisper where info slept,
A user’s group quietly swept,
Rabbit cheers — the demo’s primed! 🥕

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title 'reproducer no group defined in OIDC user' accurately summarizes the main change—a configuration update demonstrating an OIDC user without groups, as evidenced by removing group associations from the Keycloak user while maintaining realm roles. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


Dzuming changed the title from "reproducer" to "reproducer no group defined in OIDC user" on Apr 23, 2026

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@ror-demo-cluster/.env-showcase`:
- Around line 8-14: The ROR plugin version variables (ROR_ES_VERSION /
ROR_KBN_VERSION) are incompatible with the ES/KBN versions (ES_VERSION /
KBN_VERSION) and cause download failures; update .env-showcase so the ROR
versions published for ES/KBN 9.3.3 are used or else change ES_VERSION and
KBN_VERSION to a release that supports ROR 1.68.0: edit the ES_VERSION /
KBN_VERSION or ROR_ES_VERSION / ROR_KBN_VERSION accordingly (these values are
consumed by the es-ror build args and install-ror-es-using-api.sh path), ensure
Dockerfile-use-ror-binaries-from-api still aligns with those variables, leave
ES_ROR_FILE / KBN_ROR_FILE unset if using the API Dockerfile, and verify the
chosen ROR/ES/KBN combination successfully downloads from api.beshu.tech before
merging.

In `@ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml`:
- Line 17: The config sets readonlyrest_kbn.logLevel to trace which is fine for
reproducing RORDEV-2009 but must not land in master; change this value back to a
safe level (e.g., info or warn) before merging or gate the trace setting behind
an environment-specific override (e.g., check an env var or branch flag) so that
readonlyrest_kbn.logLevel is only trace in local/dev runs and never in
production/master; reference the readonlyrest_kbn.logLevel entry in the YAML and
add a short comment explaining the temporary nature of the change.

ℹ️ Review info
📥 Commits

Reviewing files that changed from the base of the PR and between 09822ba and b5a3c5a.

📒 Files selected for processing (3)
  • ror-demo-cluster/.env-showcase
  • ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml
  • ror-demo-cluster/conf/keycloak/ror-realm.json

Comment thread ror-demo-cluster/.env-showcase Outdated
xpack.encryptedSavedObjects.encryptionKey: "min-32-byte-long-strong-encryption-key"

readonlyrest_kbn.logLevel: info
readonlyrest_kbn.logLevel: trace
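
Review bot: the new `readonlyrest_kbn.logLevel: trace` line carries no comment marking it as temporary for this reproducer, so nothing in the file tells a later reader to restore `info`. Add a one-line comment above it, or keep `info` in the committed file and raise the level only in the local run. The context line above it also commits a literal `xpack.encryptedSavedObjects.encryptionKey` value, so this file should stay demo-only.
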
Contributor

⚠️ Potential issue | 🟡 Minor

Trace logging appropriate for reproducer.

Bumping readonlyrest_kbn.logLevel to trace is reasonable for this RORDEV-2009 reproducer to capture why the metadata request is rejected for extUser1. Just make sure this change is not merged to master as-is — trace is noisy and may surface sensitive auth/token data in logs in a showcase environment.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml` at line 17,
The config sets readonlyrest_kbn.logLevel to trace which is fine for reproducing
RORDEV-2009 but must not land in master; change this value back to a safe level
(e.g., info or warn) before merging or gate the trace setting behind an
environment-specific override (e.g., check an env var or branch flag) so that
readonlyrest_kbn.logLevel is only trace in local/dev runs and never in
production/master; reference the readonlyrest_kbn.logLevel entry in the YAML and
add a short comment explaining the temporary nature of the change.
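
One way to enforce the "must not land in master" point from the review comment above is a pre-merge check on the Kibana config. This is an added example, not code from the PR or the ReadonlyREST project; the function names are hypothetical, the sample configs are constructed, and it assumes the flat dotted key form shown in the diff and treats `debug` as verbose too.

```bash
#!/usr/bin/env bash
# Added example: block a merge while ReadonlyREST Kibana logging is verbose.
# Assumptions: flat dotted key as in the PR; "debug" is treated as verbose too.

# Print every uncommented readonlyrest_kbn.logLevel value in a file, lower-cased.
ror_kbn_log_levels() {
  awk '
    /^[ \t]*#/ { next }                               # skip commented-out lines
    /^[ \t]*readonlyrest_kbn\.logLevel[ \t]*:/ {
      v = $0
      sub(/^[^:]*:[ \t]*/, "", v)                     # drop the key
      sub(/[ \t]+#.*$/, "", v)                        # drop a trailing comment
      gsub(/["'\'' \t\r]/, "", v)                     # drop quotes and whitespace
      print tolower(v)
    }' "$1"
}

# Return 0 when the file is safe to merge, 1 when trace or debug is enabled.
check_ror_kbn_log_level() {
  rc=0
  for level in $(ror_kbn_log_levels "$1"); do
    case "$level" in
      trace|debug)
        echo "FAIL $1: readonlyrest_kbn.logLevel=$level" >&2
        rc=1 ;;
    esac
  done
  return "$rc"
}

# Constructed sample configs (not files from the PR).
demo() {
  tmp=$(mktemp -d)
  printf 'readonlyrest_kbn.logLevel: info\n' > "$tmp/ok.yml"
  printf '# readonlyrest_kbn.logLevel: info\nreadonlyrest_kbn.logLevel: "TRACE"  # temp\n' > "$tmp/bad.yml"
  check_ror_kbn_log_level "$tmp/ok.yml" && echo "ok.yml: pass"
  check_ror_kbn_log_level "$tmp/bad.yml" || echo "bad.yml: blocked"
  rm -rf "$tmp"
}
demo
```

In a CI job, call `check_ror_kbn_log_level` on `ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml` and fail the job on a non-zero return.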

coutoPL closed this May 28, 2026
coutoPL deleted the reproducer/RORDEV-2009 branch May 28, 2026 10:21