[keycloak-user] Assign Role Fails Just After Creating the Role

Malmi Samarasinghe malmi.suh at gmail.com
Fri Feb 5 07:50:47 EST 2016


Hi Stian,

Thank you very much for looking into the issue. We tried with around 6
role creations per second, and I tried switching off realm cache and it had
a negative impact on the performance of other APIs.

We would really appreciate it if you could suggest a rough timeline for a fix date.

Regards,
Malmi

On Fri, Feb 5, 2016 at 3:20 PM, Stian Thorgersen <sthorger at redhat.com>
wrote:

> Either don't create roles concurrently or disable cache.
>
> How frequently are you creating roles? Just wondering because if you do it
> will significantly impact the benefits of the cache as we invalidate a
> large amount of the cache when roles are added/removed.
>
> The problem you are seeing is most likely down to a race condition when
> the realm role list (or client role lists) are re-loaded after they are
> invalidated. I haven't had much time to look at it yet, so I don't know the
> exact cause or a solution.
>
> On 5 February 2016 at 09:57, Malmi Samarasinghe <malmi.suh at gmail.com>
> wrote:
>
>> Hi Stian,
>>
>> We have this in production. Is there any intermediary fix that we can do,
>> or any workaround?
>>
>> Regards,
>> Malmi
>>
>> On Fri, Feb 5, 2016 at 2:11 PM, Stian Thorgersen <sthorger at redhat.com>
>> wrote:
>>
>>> Confirmed this bug https://issues.jboss.org/browse/KEYCLOAK-2458
>>>
>>> On 5 February 2016 at 06:53, Malmi Samarasinghe <malmi.suh at gmail.com>
>>> wrote:
>>>
>>>> Hi Stian/Bill,
>>>>
>>>> I just wanted to highlight that this issue only occurred when realm
>>>> cache enabled option is ON.
>>>>
>>>> Regards,
>>>> Malmi
>>>>
>>>> On Thu, Feb 4, 2016 at 8:38 PM, Malmi Samarasinghe <malmi.suh at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi Stian
>>>>>
>>>>> I have multiple threads creating different roles. Basically one thread
>>>>> will execute all three APIs one after another.
>>>>>
>>>>> Regards,
>>>>> Malmi
>>>>>
>>>>> On Thu, Feb 4, 2016 at 5:23 PM, Stian Thorgersen <sthorger at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> When you say method1 is executed in multiple threads, do you mean one
>>>>>> thread creates the role and another retrieves it? Or do you have multiple
>>>>>> threads creating different roles?
>>>>>>
>>>>>> On 4 February 2016 at 12:31, Malmi Samarasinghe <malmi.suh at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Bill,
>>>>>>>
>>>>>>> Please find the workflow that we have implemented
>>>>>>> create user : POST : admin/realms/{realm}/users
>>>>>>>
>>>>>>> *Method1* wraps the following API calls
>>>>>>> Create Realm role : POST : admin/realms/{realm}/roles
>>>>>>> Retrieve Role : GET : admin/realms/{realm}/roles/{roleName}
>>>>>>> Assign Role : POST :
>>>>>>> admin/realms/leapset/users/{0}/role-mappings/realm
>>>>>>>
>>>>>>> Same for the client roles as well.
>>>>>>>
>>>>>>> *Method1* is executed in multiple threads and the assign realm role API
>>>>>>> starts failing with 404 (keycloak log states role not found)
>>>>>>>
>>>>>>> Regards,
>>>>>>> Malmi
>>>>>>>
>>>>>>> On Thu, Feb 4, 2016 at 9:00 AM, Bill Burke <bburke at redhat.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Can you give me what REST invocations you are doing? How do you
>>>>>>>> find the role?  How do you create the role? etc...
>>>>>>>>
>>>>>>>> On 2/3/2016 9:45 PM, Malmi Samarasinghe wrote:
>>>>>>>>
>>>>>>>> Hi Bill,
>>>>>>>>
>>>>>>>> We tried the above fix on top of 1.7.0 by applying the changes from
>>>>>>>> the commits attached to
>>>>>>>> https://issues.jboss.org/browse/KEYCLOAK-2327 and deployed, and it
>>>>>>>> seems to have the same issue. If you have any further update on this please
>>>>>>>> let us know.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Malmi
>>>>>>>>
>>>>>>>> On Mon, Feb 1, 2016 at 4:02 PM, Stian Thorgersen <
>>>>>>>> sthorger at redhat.com> wrote:
>>>>>>>>
>>>>>>>>> This could be related to
>>>>>>>>> https://issues.jboss.org/browse/KEYCLOAK-2327.
>>>>>>>>>
>>>>>>>>> It's already fixed in master, so if you can try it out that would
>>>>>>>>> be great. We should also have a 1.8.1.Final release this week with the fix
>>>>>>>>> in as well.
>>>>>>>>>
>>>>>>>>> On 30 January 2016 at 05:16, Malmi Samarasinghe
>>>>>>>>> <malmi.suh at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Bill,
>>>>>>>>>>
>>>>>>>>>> We are using keycloak 1.7.0 and rdbms (mysql)
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Malmi Samarasinghe
>>>>>>>>>> On Jan 29, 2016 7:41 PM, "Bill Burke" <bburke at redhat.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Which version of keycloak?  RDBMS or Mongo?
>>>>>>>>>>>
>>>>>>>>>>> On 1/29/2016 12:35 AM, Malmi Samarasinghe wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hi Everyone,
>>>>>>>>>>>
>>>>>>>>>>> In my application we create, retrieve and assign a role
>>>>>>>>>>> subsequently, and it seems that even for a small load (2-3 threads) with
>>>>>>>>>>> the realm cache enabled option, the assign realm role call fails due to a
>>>>>>>>>>> role-does-not-exist error and 404 is returned from keycloak.
>>>>>>>>>>>
>>>>>>>>>>> With the realm cache disabled option the load works fine.
>>>>>>>>>>>
>>>>>>>>>>> Please get back to me if you have any information on any other
>>>>>>>>>>> option we can follow to get this issue sorted or on what action the realm
>>>>>>>>>>> cache will be persisted to DB.
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>> Malmi
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Bill Burke
>>>>>>>>>>> JBoss, a division of Red Hat
>>>>>>>>>>> http://bill.burkecentral.com
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Bill Burke
>>>>>>>> JBoss, a division of Red Hat
>>>>>>>> http://bill.burkecentral.com
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
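
Added example (not part of the thread and not Keycloak code): one way to apply the "don't create roles concurrently" workaround on the client side while leaving the realm cache on, by holding one lock across the create, retrieve and assign calls of Method1. `FakeAdmin`, its 404 rule, and the names `method1`, `run_load` and `ROLE_WRITES` are constructed for illustration; the stand-in models only the symptom reported above, not the actual cache code.

```python
import threading
import time

class FakeAdmin:
    """Constructed stand-in for the three admin calls; not Keycloak code.
    Assumption: assign returns 404 when another role was created between
    this role's creation and its assignment (models the reported symptom)."""
    def __init__(self):
        self._mu = threading.Lock()
        self._created_at = {}      # role name -> generation at creation
        self._generation = 0

    def create_role(self, name):           # POST admin/realms/{realm}/roles
        with self._mu:
            self._generation += 1
            self._created_at[name] = self._generation
        time.sleep(0.005)                  # widen the window between calls
        return 201

    def get_role(self, name):              # GET admin/realms/{realm}/roles/{roleName}
        with self._mu:
            return 200 if name in self._created_at else 404

    def assign_role(self, user, name):     # POST .../users/{id}/role-mappings/realm
        with self._mu:
            fresh = self._created_at.get(name) == self._generation
        return 204 if fresh else 404

ROLE_WRITES = threading.Lock()  # only one role-creating workflow at a time

def method1(api, user, role, serialize=True):
    """Create, retrieve and assign a role; returns the assign status code."""
    def run():
        api.create_role(role)
        api.get_role(role)
        return api.assign_role(user, role)
    if not serialize:
        return run()
    with ROLE_WRITES:   # no other create can interleave before the assign
        return run()

def run_load(n_threads, serialize=True):
    """Run method1 on n_threads threads; return how many assigns got 404."""
    api, results = FakeAdmin(), []
    def worker(i):
        results.append(method1(api, f"user-{i}", f"role-{i}", serialize))
    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results.count(404)
```

The lock is local to one process, so clients spread over several processes or hosts would need a shared lock or a single role-provisioning worker to get the same effect.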