[keycloak-user] Assign Role Fails Just After Creating the Role
Bill Burke
bburke at redhat.com
Fri Feb 5 08:42:35 EST 2016
1.9.0.Final will have it...
On 2/5/2016 7:50 AM, Malmi Samarasinghe wrote:
> Hi Stian,
>
> Thank you very much for looking in to the issue. We tried with around
> 6 role creations per second, and I tried switching off realm cache and
> it had negative impact on the performance of other API s.
>
> Really appreciate if you could suggest us a rough timeline for a fix
> date.
>
> Regards,
> Malmi
>
> On Fri, Feb 5, 2016 at 3:20 PM, Stian Thorgersen <sthorger at redhat.com
> <mailto:sthorger at redhat.com>> wrote:
>
> Either don't create roles concurrently or disable cache.
>
> How frequently are you creating roles? Just wondering because if
> you do it will significantly impact the benefits of the cache as
> we invalidate a large amount of the cache when roles are
> added/removed.
>
> The problem you are seeing is most likely down to a race condition
> when the realm role list (or client role lists) are re-loaded
> after they are invalidated. I haven't had much time to look at it
> yet, so I don't know the exact cause or a solution.
>
> On 5 February 2016 at 09:57, Malmi Samarasinghe
> <malmi.suh at gmail.com <mailto:malmi.suh at gmail.com>> wrote:
>
> Hi Stian,
>
> We have this in production is there any intermediary fix that
> we can do or any workaround?
>
> Regards,
> Malmi
>
> On Fri, Feb 5, 2016 at 2:11 PM, Stian Thorgersen
> <sthorger at redhat.com <mailto:sthorger at redhat.com>> wrote:
>
> Confirmed this bug
> https://issues.jboss.org/browse/KEYCLOAK-2458
>
> On 5 February 2016 at 06:53, Malmi Samarasinghe
> <malmi.suh at gmail.com <mailto:malmi.suh at gmail.com>> wrote:
>
> Hi Stian/Bill,
>
> I just wanted to highlight that this issue only
> occurred when realm cache enabled option is ON.
>
> Regards,
> Malmi
>
> On Thu, Feb 4, 2016 at 8:38 PM, Malmi Samarasinghe
> <malmi.suh at gmail.com <mailto:malmi.suh at gmail.com>> wrote:
>
> Hi Stian
>
> I have multiple threads creating different roles.
> Basically one thread will execute all three apis
> one after another.
>
> Regards,
> Malmi
>
> On Thu, Feb 4, 2016 at 5:23 PM, Stian Thorgersen
> <sthorger at redhat.com <mailto:sthorger at redhat.com>>
> wrote:
>
> When you say method1 is executed in multiple
> threads, do you mean one thread creates the
> role and another retrieves it? Or do you have
> multiple threads creating different roles?
>
> On 4 February 2016 at 12:31, Malmi
> Samarasinghe <malmi.suh at gmail.com
> <mailto:malmi.suh at gmail.com>> wrote:
>
> Hi Bill,
>
> Please find the work flow that we have
> implemented
> create user : POST
> : admin/realms/{realm}/users
>
> *Method1* wrapps the following API calls
> Create Realm role : POST :
> admin/realms/{realm}/roles
> Retrieve Role : GET
> : admin/realms/{realm}/roles/{roleName}
> Assign Role : POST :
> admin/realms/leapset/users/{0}/role-mappings/realm
>
> Same for the client roles as well.
>
> *Method1 *is executed in multiple threads
> and assign reams role API starts failing
> with 404 (keycloak log states role not found)
>
> Regards,
> Malmi
>
> On Thu, Feb 4, 2016 at 9:00 AM, Bill Burke
> <bburke at redhat.com
> <mailto:bburke at redhat.com>> wrote:
>
> Can you give me what REST invocations
> you are doing? How do you find the
> role? How do you create the role? etc...
>
> On 2/3/2016 9:45 PM, Malmi
> Samarasinghe wrote:
>> Hi Bill,
>>
>> We tried the above fix on top of
>> 1.7.0 by applying the changes from
>> the commits attached to the
>> https://issues.jboss.org/browse/KEYCLOAK-2327 and
>> deployed, and it seems to have the
>> same issue. If you have any
>> further update on this please let us
>> know.
>>
>> Regards,
>> Malmi
>>
>> On Mon, Feb 1, 2016 at 4:02 PM, Stian
>> Thorgersen <sthorger at redhat.com
>> <mailto:sthorger at redhat.com>> wrote:
>>
>> This could be related to
>> https://issues.jboss.org/browse/KEYCLOAK-2327.
>>
>>
>> It's already fixed in master, so
>> if you can try it out that would
>> be great. We should also have a
>> 1.8.1.Final release this week
>> with the fix in as well.
>>
>> On 30 January 2016 at 05:16,
>> Malmi Samarasinghe
>> <malmi.suh at gmail.com
>> <mailto:malmi.suh at gmail.com>> wrote:
>>
>> Hi Bill,
>>
>> We are using keycloak 1.7.0
>> and rdbms (mysql)
>>
>> Regards,
>> Malmi Samarasinghe
>>
>> On Jan 29, 2016 7:41 PM,
>> "Bill Burke"
>> <bburke at redhat.com
>> <mailto:bburke at redhat.com>>
>> wrote:
>>
>> Which version of
>> keycloak? RDBMS or Mongo?
>>
>> On 1/29/2016 12:35 AM,
>> Malmi Samarasinghe wrote:
>>> Hi Everyone,
>>>
>>> In my application we
>>> create retrieve and
>>> assign role subsequently
>>> and it seems that even
>>> for a small load (2-3
>>> threads) with realm
>>> cache enabled option,
>>> assign realm role call
>>> fails due to role not
>>> exist error and 404 is
>>> returned from keycloak.
>>>
>>> With the realm cache
>>> disabled option the load
>>> works fine.
>>>
>>> Please get back to me if
>>> you have any information
>>> on any other option we
>>> can follow to get this
>>> issue sorted or on what
>>> action the realm cache
>>> will be persisted to DB.
>>>
>>> Regards,
>>> Malmi
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> <mailto:keycloak-user at lists.jboss.org>
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> <mailto:keycloak-user at lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> <mailto:keycloak-user at lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
>
>
>
>
>
>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160205/b0692957/attachment-0001.html
More information about the keycloak-user
mailing list