[keycloak-user] Assign Role Fails Just After Creating the Role
Malmi Samarasinghe
malmi.suh at gmail.com
Tue Mar 8 08:57:59 EST 2016
Hi All,
We have upgraded the keycloak version to 1.9.0.
I just carried out a load test on our identity server and it seems to have
reduced the failures to a great extent.
However, when I execute 50 threads per second, there are some intermittent
failures (2-3 failures for 50 threads). I further noticed that the
frequency is higher for realm roles than for client roles.
Regards,
Malmi
On Sat, Feb 6, 2016 at 8:33 AM, Malmi Samarasinghe <malmi.suh at gmail.com>
wrote:
> Many Thanks to your assistance regarding the issue.
>
> On Fri, Feb 5, 2016 at 7:12 PM, Bill Burke <bburke at redhat.com> wrote:
>
>> 1.9.0.Final will have it...
>>
>>
>> On 2/5/2016 7:50 AM, Malmi Samarasinghe wrote:
>>
>> Hi Stian,
>>
>> Thank you very much for looking in to the issue. We tried with around 6
>> role creations per second, and I tried switching off realm cache and it had
>> negative impact on the performance of other API s.
>>
>> Really appreciate if you could suggest us a rough timeline for a fix
>> date.
>>
>> Regards,
>> Malmi
>>
>> On Fri, Feb 5, 2016 at 3:20 PM, Stian Thorgersen <sthorger at redhat.com>
>> wrote:
>>
>>> Either don't create roles concurrently or disable cache.
>>>
>>> How frequently are you creating roles? Just wondering because if you do
>>> it will significantly impact the benefits of the cache as we invalidate a
>>> large amount of the cache when roles are added/removed.
>>>
>>> The problem you are seeing is most likely down to a race condition when
>>> the realm role list (or client role lists) are re-loaded after they are
>>> invalidated. I haven't had much time to look at it yet, so I don't know the
>>> exact cause or a solution.
>>>
>>> On 5 February 2016 at 09:57, Malmi Samarasinghe < <malmi.suh at gmail.com>
>>> malmi.suh at gmail.com> wrote:
>>>
>>>> Hi Stian,
>>>>
>>>> We have this in production is there any intermediary fix that we can do
>>>> or any workaround?
>>>>
>>>> Regards,
>>>> Malmi
>>>>
>>>> On Fri, Feb 5, 2016 at 2:11 PM, Stian Thorgersen <sthorger at redhat.com>
>>>> wrote:
>>>>
>>>>> Confirmed this bug <https://issues.jboss.org/browse/KEYCLOAK-2458>
>>>>> https://issues.jboss.org/browse/KEYCLOAK-2458
>>>>>
>>>>> On 5 February 2016 at 06:53, Malmi Samarasinghe <
>>>>> <malmi.suh at gmail.com>malmi.suh at gmail.com> wrote:
>>>>>
>>>>>> Hi Stian/Bill,
>>>>>>
>>>>>> I just wanted to highlight that this issue only occurred when realm
>>>>>> cache enabled option is ON.
>>>>>>
>>>>>> Regards,
>>>>>> Malmi
>>>>>>
>>>>>> On Thu, Feb 4, 2016 at 8:38 PM, Malmi Samarasinghe <
>>>>>> <malmi.suh at gmail.com>malmi.suh at gmail.com> wrote:
>>>>>>
>>>>>>> Hi Stian
>>>>>>>
>>>>>>> I have multiple threads creating different roles. Basically one
>>>>>>> thread will execute all three apis one after another.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Malmi
>>>>>>>
>>>>>>> On Thu, Feb 4, 2016 at 5:23 PM, Stian Thorgersen <
>>>>>>> <sthorger at redhat.com>sthorger at redhat.com> wrote:
>>>>>>>
>>>>>>>> When you say method1 is executed in multiple threads, do you mean
>>>>>>>> one thread creates the role and another retrieves it? Or do you have
>>>>>>>> multiple threads creating different roles?
>>>>>>>>
>>>>>>>> On 4 February 2016 at 12:31, Malmi Samarasinghe <
>>>>>>>> <malmi.suh at gmail.com>malmi.suh at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi Bill,
>>>>>>>>>
>>>>>>>>> Please find the work flow that we have implemented
>>>>>>>>> create user : POST : admin/realms/{realm}/users
>>>>>>>>>
>>>>>>>>> *Method1* wrapps the following API calls
>>>>>>>>> Create Realm role : POST : admin/realms/{realm}/roles
>>>>>>>>> Retrieve Role : GET : admin/realms/{realm}/roles/{roleName}
>>>>>>>>> Assign Role : POST :
>>>>>>>>> admin/realms/leapset/users/{0}/role-mappings/realm
>>>>>>>>>
>>>>>>>>> Same for the client roles as well.
>>>>>>>>>
>>>>>>>>> *Method1 *is executed in multiple threads and assign reams role
>>>>>>>>> API starts failing with 404 (keycloak log states role not found)
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Malmi
>>>>>>>>>
>>>>>>>>> On Thu, Feb 4, 2016 at 9:00 AM, Bill Burke < <bburke at redhat.com>
>>>>>>>>> bburke at redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> Can you give me what REST invocations you are doing? How do you
>>>>>>>>>> find the role? How do you create the role? etc...
>>>>>>>>>>
>>>>>>>>>> On 2/3/2016 9:45 PM, Malmi Samarasinghe wrote:
>>>>>>>>>>
>>>>>>>>>> Hi Bill,
>>>>>>>>>>
>>>>>>>>>> We tried the above fix on top of 1.7.0 by applying the changes
>>>>>>>>>> from the commits attached to the
>>>>>>>>>> <https://issues.jboss.org/browse/KEYCLOAK-2327>
>>>>>>>>>> https://issues.jboss.org/browse/KEYCLOAK-2327 and deployed, and
>>>>>>>>>> it seems to have the same issue. If you have any further update on this
>>>>>>>>>> please let us know.
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Malmi
>>>>>>>>>>
>>>>>>>>>> On Mon, Feb 1, 2016 at 4:02 PM, Stian Thorgersen <
>>>>>>>>>> <sthorger at redhat.com>sthorger at redhat.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> This could be related to
>>>>>>>>>>> <https://issues.jboss.org/browse/KEYCLOAK-2327>
>>>>>>>>>>> https://issues.jboss.org/browse/KEYCLOAK-2327.
>>>>>>>>>>>
>>>>>>>>>>> It's already fixed in master, so if you can try it out that
>>>>>>>>>>> would be great. We should also have a 1.8.1.Final release this week with
>>>>>>>>>>> the fix in as well.
>>>>>>>>>>>
>>>>>>>>>>> On 30 January 2016 at 05:16, Malmi Samarasinghe <
>>>>>>>>>>> <malmi.suh at gmail.com>malmi.suh at gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi Bill,
>>>>>>>>>>>>
>>>>>>>>>>>> We are using keycloak 1.7.0 and rdbms (mysql)
>>>>>>>>>>>>
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> Malmi Samarasinghe
>>>>>>>>>>>> On Jan 29, 2016 7:41 PM, "Bill Burke" < <bburke at redhat.com>
>>>>>>>>>>>> bburke at redhat.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Which version of keycloak? RDBMS or Mongo?
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 1/29/2016 12:35 AM, Malmi Samarasinghe wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Everyone,
>>>>>>>>>>>>>
>>>>>>>>>>>>> In my application we create retrieve and assign role
>>>>>>>>>>>>> subsequently and it seems that even for a small load (2-3 threads) with
>>>>>>>>>>>>> realm cache enabled option, assign realm role call fails due to role not
>>>>>>>>>>>>> exist error and 404 is returned from keycloak.
>>>>>>>>>>>>>
>>>>>>>>>>>>> With the realm cache disabled option the load works fine.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Please get back to me if you have any information on any other
>>>>>>>>>>>>> option we can follow to get this issue sorted or on what action the realm
>>>>>>>>>>>>> cache will be persisted to DB.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>> Malmi
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Bill Burke
>>>>>>>>>>>>> JBoss, a division of Red Hathttp://bill.burkecentral.com
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>>>> <keycloak-user at lists.jboss.org>keycloak-user at lists.jboss.org
>>>>>>>>>>>>> <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>>> <keycloak-user at lists.jboss.org>keycloak-user at lists.jboss.org
>>>>>>>>>>>> <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Bill Burke
>>>>>>>>>> JBoss, a division of Red Hathttp://bill.burkecentral.com
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hathttp://bill.burkecentral.com
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160308/deb6b1a9/attachment-0001.html
More information about the keycloak-user
mailing list