<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:13px"><div id="yui_3_16_0_1_1434681441668_10378" dir="ltr">+1. Just give a heads-up to the Admin logging in that there are other Admins already logged in and making changes.<br> </div><div id="yui_3_16_0_1_1434681441668_10277" style="font-family: times new roman, new york, times, serif; font-size: 13px;"> <div id="yui_3_16_0_1_1434681441668_10276" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_1_1434681441668_10370" dir="ltr"> <hr size="1" id="yui_3_16_0_1_1434681441668_10377"> <font id="yui_3_16_0_1_1434681441668_10369" face="Arial" size="2"> <b id="yui_3_16_0_1_1434681441668_10376"><span id="yui_3_16_0_1_1434681441668_10375" style="font-weight: bold;">From:</span></b> Marek Posolda &lt;mposolda@redhat.com&gt;<br> <b id="yui_3_16_0_1_1434681441668_10374"><span id="yui_3_16_0_1_1434681441668_10373" style="font-weight: bold;">To:</span></b> Stian Thorgersen &lt;stian@redhat.com&gt;; Bill Burke &lt;bburke@redhat.com&gt; <br><b id="yui_3_16_0_1_1434681441668_10372"><span id="yui_3_16_0_1_1434681441668_10371" style="font-weight: bold;">Cc:</span></b> keycloak-dev@lists.jboss.org <br> <b id="yui_3_16_0_1_1434681441668_10368"><span id="yui_3_16_0_1_1434681441668_10367" style="font-weight: bold;">Sent:</span></b> Friday, June 19, 2015 4:40 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [keycloak-dev] Simplifying realm model<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_1_1434681441668_10275"><br>To me, it doesn't look like a very big issue.<br clear="none"><br clear="none">IMO the realm model is quite small and doesn't contain a gazillion objects <br clear="none">like users or userSession models. 
Everything in the realm model can be <br clear="none">edited just by admin users and I think that many deployments have just <br clear="none">a very small number of admin users (if not just one).<br clear="none"><br clear="none">With respect to all of this, the probability of a concurrent edit seems to <br clear="none">be a corner case. Hence I hope we can handle optimistic locking in one <br clear="none">place in the code in the model and maybe just throw an exception with <br clear="none">a message for the admin to retry it himself? I wouldn't do any retry logic <br clear="none">directly in the code of all REST endpoints. The increased complexity of <br clear="none">the code isn't worth it to handle the corner case IMO.<br clear="none"><br clear="none">Marek<br clear="none"><br clear="none"><br clear="none">On 18.6.2015 16:08, Stian Thorgersen wrote:<br clear="none">><br clear="none">> ----- Original Message -----<br clear="none">>> From: "Bill Burke" &lt;<a href="mailto:bburke@redhat.com" shape="rect" ymailto="mailto:bburke@redhat.com">bburke@redhat.com</a>&gt;<br clear="none">>> To: <a href="mailto:keycloak-dev@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br clear="none">>> Sent: Thursday, 18 June, 2015 2:47:04 PM<br clear="none">>> Subject: Re: [keycloak-dev] Simplifying realm model<br clear="none">>><br clear="none">>> This would make things easier to store custom data too. It could be<br clear="none">>> extended to places where custom data could be prevalent. For example,<br clear="none">>> credential storage.<br clear="none">>><br clear="none">>> But here are the disadvantages:<br clear="none">>><br clear="none">>> * Do we have to worry about concurrency issues more though? All you<br clear="none">>> need is 2 concurrent admins modifying different settings in the realm<br clear="none">>> for one to overwrite the other. 
For example, one admin could be adding<br clear="none">>> a role, another could be configuring an identity provider. Sure, these<br clear="none">>> kinds of concurrency issues exist now, but they are isolated because<br clear="none">>> realm model data is in different tables. Minimally, you would need some<br clear="none">>> kind of optimistic locking scheme that provided a non-cryptic error<br clear="none">>> message when there were collisions.<br clear="none">> Yep, that's one of the bigger issues.<br clear="none">><br clear="none">> What I had in mind was to use optimistic locking and also make REST endpoints retry an operation before returning an error to the admin.<br clear="none">><br clear="none">> For example, adding an identity provider would still be a separate REST endpoint, so if it fails to add it to the realm due to an optimistic locking exception it can simply retry adding it.<br clear="none">><br clear="none">>> * Admins would never be able to modify the database directly.<br clear="none">> I don't think that's a problem - in theory they could as it would just be a JSON doc so they could get it, change it, write it ;)<br clear="none">><br clear="none">>> On 6/18/2015 5:19 AM, Stian Thorgersen wrote:<br clear="none">>>><br clear="none">>>> ----- Original Message -----<br clear="none">>>>> From: "Marek Posolda" &lt;<a href="mailto:mposolda@redhat.com" shape="rect" ymailto="mailto:mposolda@redhat.com">mposolda@redhat.com</a>&gt;<br clear="none">>>>> To: "Stian Thorgersen" &lt;<a href="mailto:stian@redhat.com" shape="rect" ymailto="mailto:stian@redhat.com">stian@redhat.com</a>&gt;, "keycloak dev"<br clear="none">>>>> &lt;<a href="mailto:keycloak-dev@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>&gt;<br clear="none">>>>> Sent: Thursday, 18 June, 2015 10:59:42 AM<br clear="none">>>>> Subject: Re: [keycloak-dev] Simplifying realm model<br clear="none">>>>><br clear="none">>>>> +1 to go this way for realm model. 
For users+userSessions I would likely<br clear="none">>>>> keep it in current form due to performance reasons, but for realm model<br clear="none">>>>> I am not seeing any issue with storing it in a blob as the realm model doesn't<br clear="none">>>>> contain a big amount of data. I am seeing just advantages and much simpler<br clear="none">>>>> migration and DB maintenance, which is currently a pain.<br clear="none">>>> Yep, user model is much simpler in either case and isn't such a pain. We<br clear="none">>>> could probably clean it up a bit, but would certainly keep a proper schema<br clear="none">>>> for it with many tables and such.<br clear="none">>>><br clear="none">>> --<br clear="none">>> Bill Burke<br clear="none">>> JBoss, a division of Red Hat<br clear="none">>> <a href="http://bill.burkecentral.com/" target="_blank" shape="rect">http://bill.burkecentral.com</a><br clear="none">>> _______________________________________________<br clear="none">>> keycloak-dev mailing list<br clear="none">>> <a href="mailto:keycloak-dev@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br clear="none">>> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank" shape="rect">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><div class="qtdSeparateBR"><br><br></div><div class="yqt2702698425" id="yqtfd45402"><br clear="none"></div><br><br></div> </div> </div> </div></body></html>