[keycloak-user] Assign Role Fails Just After Creating the Role

Bill Burke bburke at redhat.com
Fri Feb 5 08:42:35 EST 2016


1.9.0.Final will have it...

On 2/5/2016 7:50 AM, Malmi Samarasinghe wrote:
> Hi Stian,
>
> Thank you very much for looking in to the issue. We tried with around 
> 6 role creations per second, and I tried switching off realm cache and 
> it had negative impact on the performance of other API s.
>
> Really appreciate if you could suggest us a rough timeline for a fix 
> date.
>
> Regards,
> Malmi
>
> On Fri, Feb 5, 2016 at 3:20 PM, Stian Thorgersen <sthorger at redhat.com 
> <mailto:sthorger at redhat.com>> wrote:
>
>     Either don't create roles concurrently or disable cache.
>
>     How frequently are you creating roles? Just wondering because if
>     you do it will significantly impact the benefits of the cache as
>     we invalidate a large amount of the cache when roles are
>     added/removed.
>
>     The problem you are seeing is most likely down to a race condition
>     when the realm role list (or client role lists) are re-loaded
>     after they are invalidated. I haven't had much time to look at it
>     yet, so I don't know the exact cause or a solution.
>
>     On 5 February 2016 at 09:57, Malmi Samarasinghe
>     <malmi.suh at gmail.com <mailto:malmi.suh at gmail.com>> wrote:
>
>         Hi Stian,
>
>         We have this in production is there any intermediary fix that
>         we can do or any workaround?
>
>         Regards,
>         Malmi
>
>         On Fri, Feb 5, 2016 at 2:11 PM, Stian Thorgersen
>         <sthorger at redhat.com <mailto:sthorger at redhat.com>> wrote:
>
>             Confirmed this bug
>             https://issues.jboss.org/browse/KEYCLOAK-2458
>
>             On 5 February 2016 at 06:53, Malmi Samarasinghe
>             <malmi.suh at gmail.com <mailto:malmi.suh at gmail.com>> wrote:
>
>                 Hi Stian/Bill,
>
>                 I just wanted to highlight that this issue only
>                 occurred when realm cache enabled option is ON.
>
>                 Regards,
>                 Malmi
>
>                 On Thu, Feb 4, 2016 at 8:38 PM, Malmi Samarasinghe
>                 <malmi.suh at gmail.com <mailto:malmi.suh at gmail.com>> wrote:
>
>                     Hi Stian
>
>                     I have multiple threads creating different roles.
>                     Basically one thread will execute all three apis
>                     one after another.
>
>                     Regards,
>                     Malmi
>
>                     On Thu, Feb 4, 2016 at 5:23 PM, Stian Thorgersen
>                     <sthorger at redhat.com <mailto:sthorger at redhat.com>>
>                     wrote:
>
>                         When you say method1 is executed in multiple
>                         threads, do you mean one thread creates the
>                         role and another retrieves it? Or do you have
>                         multiple threads creating different roles?
>
>                         On 4 February 2016 at 12:31, Malmi
>                         Samarasinghe <malmi.suh at gmail.com
>                         <mailto:malmi.suh at gmail.com>> wrote:
>
>                             Hi Bill,
>
>                             Please find the work flow that we have
>                             implemented
>                             create user : POST
>                             : admin/realms/{realm}/users
>
>                             *Method1* wrapps the following API calls
>                             Create Realm role : POST :
>                             admin/realms/{realm}/roles
>                             Retrieve Role : GET
>                             : admin/realms/{realm}/roles/{roleName}
>                             Assign Role : POST :
>                             admin/realms/leapset/users/{0}/role-mappings/realm
>
>                             Same for the client roles as well.
>
>                             *Method1 *is executed in multiple threads
>                             and assign reams role API starts failing
>                             with 404 (keycloak log states role not found)
>
>                             Regards,
>                             Malmi
>
>                             On Thu, Feb 4, 2016 at 9:00 AM, Bill Burke
>                             <bburke at redhat.com
>                             <mailto:bburke at redhat.com>> wrote:
>
>                                 Can you give me what REST invocations
>                                 you are doing? How do you find the
>                                 role?  How do you create the role? etc...
>
>                                 On 2/3/2016 9:45 PM, Malmi
>                                 Samarasinghe wrote:
>>                                 Hi Bill,
>>
>>                                 We tried the above fix on top of
>>                                 1.7.0 by applying the changes from
>>                                 the commits attached to the
>>                                 https://issues.jboss.org/browse/KEYCLOAK-2327 and
>>                                 deployed, and it seems to have the
>>                                 same issue. If you have any
>>                                 further update on this please let us
>>                                 know.
>>
>>                                 Regards,
>>                                 Malmi
>>
>>                                 On Mon, Feb 1, 2016 at 4:02 PM, Stian
>>                                 Thorgersen <sthorger at redhat.com
>>                                 <mailto:sthorger at redhat.com>> wrote:
>>
>>                                     This could be related to
>>                                     https://issues.jboss.org/browse/KEYCLOAK-2327.
>>
>>
>>                                     It's already fixed in master, so
>>                                     if you can try it out that would
>>                                     be great. We should also have a
>>                                     1.8.1.Final release this week
>>                                     with the fix in as well.
>>
>>                                     On 30 January 2016 at 05:16,
>>                                     Malmi Samarasinghe
>>                                     <malmi.suh at gmail.com
>>                                     <mailto:malmi.suh at gmail.com>> wrote:
>>
>>                                         Hi Bill,
>>
>>                                         We are using keycloak 1.7.0
>>                                         and rdbms (mysql)
>>
>>                                         Regards,
>>                                         Malmi Samarasinghe
>>
>>                                         On Jan 29, 2016 7:41 PM,
>>                                         "Bill Burke"
>>                                         <bburke at redhat.com
>>                                         <mailto:bburke at redhat.com>>
>>                                         wrote:
>>
>>                                             Which version of
>>                                             keycloak? RDBMS or Mongo?
>>
>>                                             On 1/29/2016 12:35 AM,
>>                                             Malmi Samarasinghe wrote:
>>>                                             Hi Everyone,
>>>
>>>                                             In my application we
>>>                                             create retrieve and
>>>                                             assign role subsequently
>>>                                             and it seems that even
>>>                                             for a small load (2-3
>>>                                             threads) with realm
>>>                                             cache enabled option,
>>>                                             assign realm role call
>>>                                             fails due to role not
>>>                                             exist error and 404 is
>>>                                             returned from keycloak.
>>>
>>>                                             With the realm cache
>>>                                             disabled option the load
>>>                                             works fine.
>>>
>>>                                             Please get back to me if
>>>                                             you have any information
>>>                                             on any other option we
>>>                                             can follow to get this
>>>                                             issue sorted or on what
>>>                                             action the realm cache
>>>                                             will be persisted to DB.
>>>
>>>                                             Regards,
>>>                                             Malmi
>>>
>>>
>>>                                             _______________________________________________
>>>                                             keycloak-user mailing list
>>>                                             keycloak-user at lists.jboss.org
>>>                                             <mailto:keycloak-user at lists.jboss.org>
>>>                                             https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>                                             -- 
>>                                             Bill Burke
>>                                             JBoss, a division of Red Hat
>>                                             http://bill.burkecentral.com
>>
>>
>>                                             _______________________________________________
>>                                             keycloak-user mailing list
>>                                             keycloak-user at lists.jboss.org
>>                                             <mailto:keycloak-user at lists.jboss.org>
>>                                             https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>                                         _______________________________________________
>>                                         keycloak-user mailing list
>>                                         keycloak-user at lists.jboss.org
>>                                         <mailto:keycloak-user at lists.jboss.org>
>>                                         https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>
>                                 -- 
>                                 Bill Burke
>                                 JBoss, a division of Red Hat
>                                 http://bill.burkecentral.com
>
>
>
>
>
>
>
>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160205/b0692957/attachment-0001.html 


More information about the keycloak-user mailing list