[keycloak-user] Assign Role Fails Just After Creating the Role
Stian Thorgersen
sthorger at redhat.com
Fri Feb 5 04:50:04 EST 2016
Either don't create roles concurrently or disable cache.

How frequently are you creating roles? Just wondering because if you do it
will significantly impact the benefits of the cache as we invalidate a
large amount of the cache when roles are added/removed.

The problem you are seeing is most likely down to a race condition when the
realm role list (or client role lists) are re-loaded after they are
invalidated. I haven't had much time to look at it yet, so I don't know the
exact cause or a solution.

On 5 February 2016 at 09:57, Malmi Samarasinghe <malmi.suh at gmail.com> wrote:
> Hi Stian,
>
> We have this in production; is there any intermediary fix that we can do or
> any workaround?
>
> Regards,
> Malmi
>
> On Fri, Feb 5, 2016 at 2:11 PM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>> Confirmed this bug https://issues.jboss.org/browse/KEYCLOAK-2458
>>
>> On 5 February 2016 at 06:53, Malmi Samarasinghe <malmi.suh at gmail.com>
>> wrote:
>>
>>> Hi Stian/Bill,
>>>
>>> I just wanted to highlight that this issue only occurred when realm
>>> cache enabled option is ON.
>>>
>>> Regards,
>>> Malmi
>>>
>>> On Thu, Feb 4, 2016 at 8:38 PM, Malmi Samarasinghe <malmi.suh at gmail.com>
>>> wrote:
>>>
>>>> Hi Stian
>>>>
>>>> I have multiple threads creating different roles. Basically one thread
>>>> will execute all three apis one after another.
>>>>
>>>> Regards,
>>>> Malmi
>>>>
>>>> On Thu, Feb 4, 2016 at 5:23 PM, Stian Thorgersen <sthorger at redhat.com>
>>>> wrote:
>>>>
>>>>> When you say method1 is executed in multiple threads, do you mean one
>>>>> thread creates the role and another retrieves it? Or do you have multiple
>>>>> threads creating different roles?
>>>>>
>>>>> On 4 February 2016 at 12:31, Malmi Samarasinghe <malmi.suh at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Bill,
>>>>>>
>>>>>> Please find the work flow that we have implemented
>>>>>> create user : POST : admin/realms/{realm}/users
>>>>>>
>>>>>> *Method1* wraps the following API calls
>>>>>> Create Realm role : POST : admin/realms/{realm}/roles
>>>>>> Retrieve Role : GET : admin/realms/{realm}/roles/{roleName}
>>>>>> Assign Role : POST :
>>>>>> admin/realms/leapset/users/{0}/role-mappings/realm
>>>>>>
>>>>>> Same for the client roles as well.
>>>>>>
>>>>>> *Method1* is executed in multiple threads and assign realm role API
>>>>>> starts failing with 404 (keycloak log states role not found)
>>>>>>
>>>>>> Regards,
>>>>>> Malmi
>>>>>>
>>>>>> On Thu, Feb 4, 2016 at 9:00 AM, Bill Burke <bburke at redhat.com> wrote:
>>>>>>
>>>>>>> Can you give me what REST invocations you are doing? How do you find
>>>>>>> the role? How do you create the role? etc...
>>>>>>>
>>>>>>> On 2/3/2016 9:45 PM, Malmi Samarasinghe wrote:
>>>>>>>
>>>>>>> Hi Bill,
>>>>>>>
>>>>>>> We tried the above fix on top of 1.7.0 by applying the changes from
>>>>>>> the commits attached to the
>>>>>>> https://issues.jboss.org/browse/KEYCLOAK-2327 and deployed, and it
>>>>>>> seems to have the same issue. If you have any further update on this please
>>>>>>> let us know.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Malmi
>>>>>>>
>>>>>>> On Mon, Feb 1, 2016 at 4:02 PM, Stian Thorgersen <
>>>>>>> sthorger at redhat.com> wrote:
>>>>>>>
>>>>>>>> This could be related to
>>>>>>>> https://issues.jboss.org/browse/KEYCLOAK-2327.
>>>>>>>>
>>>>>>>> It's already fixed in master, so if you can try it out that would
>>>>>>>> be great. We should also have a 1.8.1.Final release this week with the fix
>>>>>>>> in as well.
>>>>>>>>
>>>>>>>> On 30 January 2016 at 05:16, Malmi Samarasinghe <malmi.suh at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi Bill,
>>>>>>>>>
>>>>>>>>> We are using keycloak 1.7.0 and rdbms (mysql)
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Malmi Samarasinghe
>>>>>>>>> On Jan 29, 2016 7:41 PM, "Bill Burke" <bburke at redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> Which version of keycloak? RDBMS or Mongo?
>>>>>>>>>>
>>>>>>>>>> On 1/29/2016 12:35 AM, Malmi Samarasinghe wrote:
>>>>>>>>>>
>>>>>>>>>> Hi Everyone,
>>>>>>>>>>
>>>>>>>>>> In my application we create, retrieve and assign role subsequently
>>>>>>>>>> and it seems that even for a small load (2-3 threads) with realm cache
>>>>>>>>>> enabled option, assign realm role call fails due to role not exist error
>>>>>>>>>> and 404 is returned from keycloak.
>>>>>>>>>>
>>>>>>>>>> With the realm cache disabled option the load works fine.
>>>>>>>>>>
>>>>>>>>>> Please get back to me if you have any information on any other
>>>>>>>>>> option we can follow to get this issue sorted or on what action the realm
>>>>>>>>>> cache will be persisted to DB.
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Malmi
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Bill Burke
>>>>>>>>>> JBoss, a division of Red Hat
>>>>>>>>>> http://bill.burkecentral.com
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Bill Burke
>>>>>>> JBoss, a division of Red Hat
>>>>>>> http://bill.burkecentral.com
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
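
The first workaround from the reply at the top of this thread (do not create roles concurrently), sketched as an added example that is not part of the original thread and not Keycloak code. It wraps the three "Method1" calls in a per-realm lock; `send` is a hypothetical transport callable `send(method, path, body) -> (status, json)` and the function and exception names are made up for illustration.

```python
import threading

# Endpoint paths as listed in the thread.
ROLES = "admin/realms/{realm}/roles"
ROLE = "admin/realms/{realm}/roles/{role}"
MAPPINGS = "admin/realms/{realm}/users/{user}/role-mappings/realm"

# One lock per realm: adding a role invalidates realm-level cache entries,
# so the whole create -> retrieve -> assign sequence is the critical section.
_realm_locks = {}
_registry_lock = threading.Lock()


class RoleProvisioningError(Exception):
    """Raised when any of the three admin calls does not return 2xx."""


def _lock_for(realm):
    with _registry_lock:
        return _realm_locks.setdefault(realm, threading.Lock())


def _call(send, method, path, body=None):
    # `send` is an assumed transport, not a Keycloak client API.
    status, payload = send(method, path, body)
    if not 200 <= status < 300:
        raise RoleProvisioningError(f"{method} {path} returned {status}")
    return payload


def create_and_assign_realm_role(send, realm, user_id, role_name):
    """Run the thread's Method1 so that no two threads overlap in a realm."""
    with _lock_for(realm):  # released even if one of the calls raises
        _call(send, "POST", ROLES.format(realm=realm), {"name": role_name})
        role = _call(send, "GET", ROLE.format(realm=realm, role=role_name))
        # The role-mappings endpoint takes a list of role representations.
        _call(send, "POST",
              MAPPINGS.format(realm=realm, user=user_id), [role])
        return role
```

The lock only serializes threads inside one process; several application instances calling the admin API at once would still create roles concurrently.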