[keycloak-user] Assign Role Fails Just After Creating the Role

Stian Thorgersen sthorger at redhat.com
Wed Mar 9 00:55:02 EST 2016 

We have some further improvements coming in 1.9.1 which is due to be
released today. Please test with that and let us know if you still have
issues.

On 8 March 2016 at 14:57, Malmi Samarasinghe <malmi.suh at gmail.com> wrote:

> Hi All,
>
> We have upgraded the keycloak version to 1.9.0.
> I just carried out a load test on our identity server and it seems to have
> reduced the failures to a great extent.
> However, when I execute 50 threads per second, there are some intermittent
> failures (2-3 failures for 50 threads). I further noticed that the
> frequency is higher for realm roles than for client roles.
>
> Regards,
> Malmi
>
> On Sat, Feb 6, 2016 at 8:33 AM, Malmi Samarasinghe <malmi.suh at gmail.com>
> wrote:
>
>> Many Thanks to your assistance regarding the issue.
>>
>> On Fri, Feb 5, 2016 at 7:12 PM, Bill Burke <bburke at redhat.com> wrote:
>>
>>> 1.9.0.Final will have it...
>>>
>>>
>>> On 2/5/2016 7:50 AM, Malmi Samarasinghe wrote:
>>>
>>> Hi Stian,
>>>
>>> Thank you very much for looking in to the issue. We tried with around 6
>>> role creations per second, and I tried switching off realm cache and it had
>>> negative impact on the performance of other API s.
>>>
>>> Really appreciate if you could suggest us a rough timeline for a fix
>>> date.
>>>
>>> Regards,
>>> Malmi
>>>
>>> On Fri, Feb 5, 2016 at 3:20 PM, Stian Thorgersen <sthorger at redhat.com>
>>> wrote:
>>>
>>>> Either don't create roles concurrently or disable cache.
>>>>
>>>> How frequently are you creating roles? Just wondering because if you do
>>>> it will significantly impact the benefits of the cache as we invalidate a
>>>> large amount of the cache when roles are added/removed.
>>>>
>>>> The problem you are seeing is most likely down to a race condition when
>>>> the realm role list (or client role lists) are re-loaded after they are
>>>> invalidated. I haven't had much time to look at it yet, so I don't know the
>>>> exact cause or a solution.
>>>>
>>>> On 5 February 2016 at 09:57, Malmi Samarasinghe < <malmi.suh at gmail.com>
>>>> malmi.suh at gmail.com> wrote:
>>>>
>>>>> Hi Stian,
>>>>>
>>>>> We have this in production is there any intermediary fix that we can
>>>>> do or any workaround?
>>>>>
>>>>> Regards,
>>>>> Malmi
>>>>>
>>>>> On Fri, Feb 5, 2016 at 2:11 PM, Stian Thorgersen <sthorger at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Confirmed this bug  <https://issues.jboss.org/browse/KEYCLOAK-2458>
>>>>>> https://issues.jboss.org/browse/KEYCLOAK-2458
>>>>>>
>>>>>> On 5 February 2016 at 06:53, Malmi Samarasinghe <
>>>>>> <malmi.suh at gmail.com>malmi.suh at gmail.com> wrote:
>>>>>>
>>>>>>> Hi Stian/Bill,
>>>>>>>
>>>>>>> I just wanted to highlight that this issue only occurred when realm
>>>>>>> cache enabled option is ON.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Malmi
>>>>>>>
>>>>>>> On Thu, Feb 4, 2016 at 8:38 PM, Malmi Samarasinghe <
>>>>>>> <malmi.suh at gmail.com>malmi.suh at gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi Stian
>>>>>>>>
>>>>>>>> I have multiple threads creating different roles. Basically one
>>>>>>>> thread will execute all three apis one after another.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Malmi
>>>>>>>>
>>>>>>>> On Thu, Feb 4, 2016 at 5:23 PM, Stian Thorgersen <
>>>>>>>> <sthorger at redhat.com>sthorger at redhat.com> wrote:
>>>>>>>>
>>>>>>>>> When you say method1 is executed in multiple threads, do you mean
>>>>>>>>> one thread creates the role and another retrieves it? Or do you have
>>>>>>>>> multiple threads creating different roles?
>>>>>>>>>
>>>>>>>>> On 4 February 2016 at 12:31, Malmi Samarasinghe <
>>>>>>>>> <malmi.suh at gmail.com>malmi.suh at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Bill,
>>>>>>>>>>
>>>>>>>>>> Please find the work flow that we have implemented
>>>>>>>>>> create user : POST : admin/realms/{realm}/users
>>>>>>>>>>
>>>>>>>>>> *Method1* wrapps the following API calls
>>>>>>>>>> Create Realm role : POST : admin/realms/{realm}/roles
>>>>>>>>>> Retrieve Role : GET : admin/realms/{realm}/roles/{roleName}
>>>>>>>>>> Assign Role : POST :
>>>>>>>>>> admin/realms/leapset/users/{0}/role-mappings/realm
>>>>>>>>>>
>>>>>>>>>> Same for the client roles as well.
>>>>>>>>>>
>>>>>>>>>> *Method1 *is executed in multiple threads and assign reams role
>>>>>>>>>> API starts failing with 404 (keycloak log states role not found)
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Malmi
>>>>>>>>>>
>>>>>>>>>> On Thu, Feb 4, 2016 at 9:00 AM, Bill Burke < <bburke at redhat.com>
>>>>>>>>>> bburke at redhat.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Can you give me what REST invocations you are doing? How do you
>>>>>>>>>>> find the role?  How do you create the role? etc...
>>>>>>>>>>>
>>>>>>>>>>> On 2/3/2016 9:45 PM, Malmi Samarasinghe wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hi Bill,
>>>>>>>>>>>
>>>>>>>>>>> We tried the above fix on top of 1.7.0 by applying the changes
>>>>>>>>>>> from the commits attached to the
>>>>>>>>>>> <https://issues.jboss.org/browse/KEYCLOAK-2327>
>>>>>>>>>>> https://issues.jboss.org/browse/KEYCLOAK-2327 and deployed, and
>>>>>>>>>>> it seems to have the same issue. If you have any further update on this
>>>>>>>>>>> please let us know.
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>> Malmi
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Feb 1, 2016 at 4:02 PM, Stian Thorgersen <
>>>>>>>>>>> <sthorger at redhat.com>sthorger at redhat.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> This could be related to
>>>>>>>>>>>> <https://issues.jboss.org/browse/KEYCLOAK-2327>
>>>>>>>>>>>> https://issues.jboss.org/browse/KEYCLOAK-2327.
>>>>>>>>>>>>
>>>>>>>>>>>> It's already fixed in master, so if you can try it out that
>>>>>>>>>>>> would be great. We should also have a 1.8.1.Final release this week with
>>>>>>>>>>>> the fix in as well.
>>>>>>>>>>>>
>>>>>>>>>>>> On 30 January 2016 at 05:16, Malmi Samarasinghe <
>>>>>>>>>>>> <malmi.suh at gmail.com>malmi.suh at gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Bill,
>>>>>>>>>>>>>
>>>>>>>>>>>>> We are using keycloak 1.7.0 and rdbms (mysql)
>>>>>>>>>>>>>
>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>> Malmi Samarasinghe
>>>>>>>>>>>>> On Jan 29, 2016 7:41 PM, "Bill Burke" < <bburke at redhat.com>
>>>>>>>>>>>>> bburke at redhat.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Which version of keycloak?  RDBMS or Mongo?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 1/29/2016 12:35 AM, Malmi Samarasinghe wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi Everyone,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> In my application we create retrieve and assign role
>>>>>>>>>>>>>> subsequently and it seems that even for a small load (2-3 threads) with
>>>>>>>>>>>>>> realm cache enabled option, assign realm role call fails due to role not
>>>>>>>>>>>>>> exist error and 404 is returned from keycloak.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> With the realm cache disabled option the load works fine.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Please get back to me if you have any information on any
>>>>>>>>>>>>>> other option we can follow to get this issue sorted or on what action the
>>>>>>>>>>>>>> realm cache will be persisted to DB.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>> Malmi
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Bill Burke
>>>>>>>>>>>>>> JBoss, a division of Red Hathttp://bill.burkecentral.com
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>>>>> <keycloak-user at lists.jboss.org>keycloak-user at lists.jboss.org
>>>>>>>>>>>>>> <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>>>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>>>> <keycloak-user at lists.jboss.org>keycloak-user at lists.jboss.org
>>>>>>>>>>>>> <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Bill Burke
>>>>>>>>>>> JBoss, a division of Red Hathttp://bill.burkecentral.com
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hathttp://bill.burkecentral.com
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160309/4fcc6c30/attachment-0001.html

More information about the keycloak-user mailing list