Rebalancing problem while adding a new node to a domain
by tina zarrin
We chose to install domain-mode Keycloak in our company. We have a load balancer and three slave nodes. It's working properly with two active nodes, but when we want to run the third node to connect to the load balancer, the load balancer doesn't rebalance with the new node. It just says that the node is registered, but it doesn't show these lines, which we can see in the other node's connect process:
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000310: Starting cluster-wide rebalance for cache work, topology CacheTopology{id=3, rebalanceId=2, currentCH=ReplicatedConsistentHash{ns = 60, owners = (2)[master:server-one-master: 30, srvca61-site232:server-threeslave: 30]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (3)[master:server-one-master: 20, srvca61-site232:server-threeslave: 20, srvca61-site231:server-twoslave: 20]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t44) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000310: Starting cluster-wide rebalance for cache authorization, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t39) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t43) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache authorization, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache work, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 3
7 years, 7 months
Rebalancing problem while adding a new node to a domain
by Elnaz razmi
Hello,
please help me with this problem:
We chose to install domain-mode Keycloak in our company. We have a load balancer and three slave nodes. It's working properly with two active nodes, but when we want to run the third node to connect to the load balancer, the load balancer doesn't rebalance with the new node. It just says that the node is registered, but it doesn't show these lines, which we can see in the other node's connect process:
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000310: Starting cluster-wide rebalance for cache work, topology CacheTopology{id=3, rebalanceId=2, currentCH=ReplicatedConsistentHash{ns = 60, owners = (2)[master:server-one-master: 30, srvca61-site232:server-threeslave: 30]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (3)[master:server-one-master: 20, srvca61-site232:server-threeslave: 20, srvca61-site231:server-twoslave: 20]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t44) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000310: Starting cluster-wide rebalance for cache authorization, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t39) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t43) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache authorization, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache work, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 3
7 years, 7 months
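Added here as an editor's example, not code from either poster: a small parser for the ISPN000310 / ISPN000336 lines quoted in the two posts above that reports, per Keycloak cache, whether the joining node appears in pendingCH and whether the rebalance finished, so the "node registered but no rebalance lines" symptom can be checked from a log file instead of by eye. The sample log is constructed from the entries in the thread, the expected cache list is taken from it, and the function names are mine.

```python
import re

# Constructed sample in the format quoted in the thread: two ISPN000310 start lines
# ('work', 'sessions') plus a finish line for 'work' only. Not a real capture.
SAMPLE_LOG = """\
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000310: Starting cluster-wide rebalance for cache work, topology CacheTopology{id=3, rebalanceId=2, currentCH=ReplicatedConsistentHash{ns = 60, owners = (2)[master:server-one-master: 30, srvca61-site232:server-threeslave: 30]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (3)[master:server-one-master: 20, srvca61-site232:server-threeslave: 20, srvca61-site231:server-twoslave: 20]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t39) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache work, topology id = 3
"""
# Keycloak caches whose rebalance the thread expects to see logged when a node joins.
EXPECTED_CACHES = ("work", "loginFailures", "authorization", "sessions", "offlineSessions")
START_RE = re.compile(
    r"ISPN000310: Starting cluster-wide rebalance for cache (?P<cache>[^,]+), "
    r"topology CacheTopology\{id=(?P<topo>\d+).*?pendingCH=\w+\{.*?"
    r"owners = \(\d+\)\[(?P<owners>[^\]]*)\].*?actualMembers=\[(?P<members>[^\]]*)\]")
FINISH_RE = re.compile(r"ISPN000336: Finished cluster-wide rebalance for cache "
                       r"(?P<cache>[^,]+), topology id = (?P<topo>\d+)")


def parse_rebalances(log_text):
    """Map cache name -> {topology, pending_owners, members, finished}."""
    caches = {}
    for line in log_text.splitlines():
        m = START_RE.search(line)
        if m:
            owners = {}
            for item in m["owners"].split(", "):
                name, segs = item.rsplit(": ", 1)
                owners[name] = int(segs.split("+")[0])  # "27+0" -> 27 primary segments
            caches[m["cache"]] = {"topology": int(m["topo"]), "pending_owners": owners,
                                  "members": m["members"].split(", "), "finished": False}
            continue
        m = FINISH_RE.search(line)
        if m and m["cache"] in caches and int(m["topo"]) == caches[m["cache"]]["topology"]:
            caches[m["cache"]]["finished"] = True
    return caches


def unbalanced_caches(log_text, new_node, expected=EXPECTED_CACHES):
    """Caches where the joining node is not fully integrated yet, keyed by reason."""
    seen = parse_rebalances(log_text)
    problems = {}
    for cache in expected:
        info = seen.get(cache)
        if info is None:
            problems[cache] = "no ISPN000310 rebalance logged"
        elif new_node not in info["pending_owners"]:
            problems[cache] = "node absent from pendingCH"
        elif not info["finished"]:
            problems[cache] = "rebalance started but not finished"
    return problems
```

Run it against the coordinator's server log with the JGroups name of the node that joined; an empty result means every expected cache both included the node in pendingCH and reported ISPN000336 for the same topology id.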
Stateless Confidential Client
by Etienne Sauriol
Hi,
Is it possible to have a stateless confidential client using OpenID and a signed JWT?
I'm using Keycloak 3.1 and a spring boot app with both spring boot adapter
and spring security adapter.
Everything works fine, but looking at requests to secured endpoints, there
is only a JSESSIONID in the cookies. No authorization bearer header or
cookies even if I added token-store: cookie in my application.yml.
I'm not sure if this is required, but when I try to add
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
to my configuration file, weird things happen.
Thanks,
Etienne
7 years, 7 months
Keycloak performance and sizing
by Oliver Steinbrecher
Hi everyone,
we're going to set up a Keycloak infrastructure to handle identity management for up to 4 million users. In order to handle this amount we'd like to set up a proper infrastructure. The general idea is to create a containerised cluster of Keycloak servers connected to a highly available DB2 database. Therefore I'd like to understand what kind of data, and how much of it, is persisted in the DB. I haven't found any details about sizing a Keycloak infrastructure; I hope you can share some more details with me.
Kind Regards
Oliver
--
Kind regards
Oliver Steinbrecher
Tel.: +49-179-7409836
7 years, 7 months
Keycloak cluster configuration
by Cindy Margarita Pacheco Alvarez
I would like to know the right way to configure Keycloak in cluster mode. What should domain.xml look like?
Thanks!
7 years, 7 months
Fw: Keycloak as stateless broker
by Leo C
Hi,
We would like to use Keycloak as an identity broker in such a way that the identities collected from the identity provider are not permanently stored, so as to avoid a build-up of identities stored on the broker.
Ideally, we would like:
* Keycloak, as identity broker to accept SAML assertion from one of several identity providers
* To use (custom) authentication flows to normalise or transform some of the attributes to create a new UserModel and consequentially a new SAML response back to the service provider
* To not bring the UserModel (or any other personal details) to rest in the database, though we would accept storing just the unique ID of the user if we could avoid storing other attributes, whilst still propagating them back to the service provider
* Ideally to make authorisation decisions based on groups or roles during the process – and stopping the authentication if those fail
Any ideas on the best way to proceed would be most appreciated.
Leo
(p.s. this email was originally sent to keycloak-dev distort by mistake. apologies)
7 years, 7 months
Persistent user sessions
by Cindy Margarita Pacheco Alvarez
I have a problem with keycloak-2.2.1.Final. When we restart the server, we lose all active sessions. Is it possible to persist the user sessions? What should we do?
7 years, 7 months
Keycloak-mysql Docker -- 2 issues
by Jonathan D'Andries
Two issues related to running keycloak-mysql:3.0.0.Final and mysql:5.7.18
in docker-compose, but that will likely have broader impact in certain
circumstances:
Issue #1. JBoss doesn't wait for mysql to be available, and it fails to
create a connection if mysql hasn’t come up yet (no retry). This is
especially problematic if you are trying to use docker-compose since
everything likes to start around the same time:
Error:
19:18:03,553 WARN
[org.jboss.jca.core.connectionmanager.pool.strategy.OnePool]
(ServerService Thread Pool -- 50) IJ000604: Throwable while attempting
to get a new connection: null: javax.resource.ResourceException:
IJ031084: Unable to create connection
Workaround:
- Need a custom Dockerfile to override the ENTRYPOINT definition to use
a custom docker-entrypoint-waitforit.sh. And note that because we are
changing ENTRYPOINT, we also need to redefine CMD.
Gist of the Dockerfile:
FROM jboss/keycloak-mysql:3.0.0.Final
COPY docker-entrypoint-waitforit.sh wait-for-it.sh /
ENTRYPOINT ["/docker-entrypoint-waitforit.sh"]
CMD ["-b", "0.0.0.0"]
Gist of docker-entrypoint-waitforit.sh:
#!/bin/bash
# Block (up to 60 s) until mysql:3306 accepts TCP connections, then hand over to
# the image's normal entrypoint with whatever arguments CMD supplied.
/wait-for-it.sh mysql:3306 -t 60 -- /opt/jboss/docker-entrypoint.sh "$@"
exit $?
For wait-for-it.sh, see: https://github.com/vishnubob/wait-for-it or see:
https://github.com/jwilder/dockerize
Docker recommends this approach:
https://docs.docker.com/compose/startup-order/
Issue #2. When running in docker-compose, JBoss cannot connect to mysql
without some extra work. This issue seems to be related to running on the
project-specific default network that is setup by docker-compose.
Note that you don’t have this issue when running independently in docker:
docker run --name mysql -e MYSQL_DATABASE=keycloak -e MYSQL_USER=keycloak -e MYSQL_PASSWORD=password -e MYSQL_ROOT_PASSWORD=root_password -d mysql:5.7.18
# wait 30 seconds
docker run --name keycloak-standalone-test --link mysql:mysql -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e MYSQL_DATABASE=keycloak -e MYSQL_USERNAME=keycloak -e MYSQL_PASSWORD=password -p "8080:8080" jboss/keycloak-mysql:3.0.0.Final
Error when running in docker-compose:
19:24:04,072 ERROR [org.jboss.as.controller.management-operation]
(ServerService Thread Pool -- 27) WFLYCTL0013: Operation ("add")
failed - address: ([
("subsystem" => "datasources"),
("data-source" => "KeycloakDS")
]) - failure description: "WFLYCTL0211: Cannot resolve expression
'jdbc:mysql://${env.MYSQL_PORT_3306_TCP_ADDR}:${env.MYSQL_PORT_3306_TCP_PORT}/${env.MYSQL_DATABASE:keycloak}'"
Workarounds:
1. Option-1: In docker-compose.yml for the keycloak service, define these environment variables:
   - MYSQL_PORT_3306_TCP_ADDR=mysql
   - MYSQL_PORT_3306_TCP_PORT=3306
2. Option-2: run the keycloak and mysql services on the default “bridge” network. In the keycloak and mysql service definitions:
   network_mode: bridge
   Separately:
   networks:
     default:
       external:
         name: bridge
Bottom line question:
- Why does JBoss behave differently when trying to connect to mysql on
the global “bridge” network (works) vs the project-specific default network
(fails)?
Jonathan
--
Jonathan D'Andries
http://www.linkedin.com/in/jonathandandries/
7 years, 7 months
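The WFLYCTL0211 failure quoted above arises because the image's datasource URL expects MYSQL_PORT_3306_TCP_ADDR and MYSQL_PORT_3306_TCP_PORT, variables that Docker's legacy --link injects only on the default bridge network and that a Compose project network never sets; Option-1 simply recreates them by hand. As an added editor's example (not Keycloak's or the image's code), the following resolves that URL the way WildFly treats ${env.NAME} and ${env.NAME:default} placeholders, so a compose environment block can be checked for missing variables before the container is started; the URL and the Option-1 values come from the post, the function names and the UnresolvedExpression class are mine.

```python
import re

# Datasource URL expression, verbatim from the WFLYCTL0211 error in the post.
KEYCLOAK_DS_URL = ("jdbc:mysql://${env.MYSQL_PORT_3306_TCP_ADDR}:"
                   "${env.MYSQL_PORT_3306_TCP_PORT}/${env.MYSQL_DATABASE:keycloak}")

# ${env.NAME} or ${env.NAME:default}; a default may be empty, but the colon must be present.
PLACEHOLDER_RE = re.compile(r"\$\{env\.(?P<name>[A-Za-z_][A-Za-z0-9_]*)(?::(?P<default>[^}]*))?\}")


class UnresolvedExpression(ValueError):
    """Mirrors 'Cannot resolve expression': a placeholder with neither a value nor a default."""


def parse_compose_environment(items):
    """Turn compose 'environment:' list entries of the form KEY=value into a mapping."""
    env = {}
    for item in items:
        key, _, value = item.partition("=")
        env[key.strip()] = value
    return env


# Option-1 from the post, written the way it appears in docker-compose.yml.
COMPOSE_OPTION1_ENV = parse_compose_environment(
    ["MYSQL_PORT_3306_TCP_ADDR=mysql", "MYSQL_PORT_3306_TCP_PORT=3306"])


def missing_variables(expr, env):
    """Names referenced by expr that env does not define and that carry no default."""
    return sorted({m["name"] for m in PLACEHOLDER_RE.finditer(expr)
                   if m["name"] not in env and m["default"] is None})


def resolve_env_expression(expr, env):
    """Substitute placeholders from env (falling back to defaults), or raise naming the gaps."""
    missing = missing_variables(expr, env)
    if missing:
        raise UnresolvedExpression("unset and no default: " + ", ".join(missing))
    return PLACEHOLDER_RE.sub(lambda m: env.get(m["name"], m["default"]), expr)
```

With an empty environment the two link-style variables are reported as missing, which is exactly the state a service on a Compose project network is in without Option-1.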
admin cli - manage client authorization settings?
by Stephane Granger
Is this supported? I haven't found documentation about this.
Basically, I am writing a script to add and configure our clients in
keycloak after keycloak installation. I am using admin cli to create the
clients and their respective roles. One of my clients is using
authorization service. I would like to be able to import a previously
exported authorization settings file. Is this possible?
Thanks,
Stephane
7 years, 7 months