[keycloak-user] Assign Role Fails Just After Creating the Role

Malmi Samarasinghe malmi.suh at gmail.com
Fri Feb 5 22:03:38 EST 2016


Many Thanks to your assistance regarding the issue.

On Fri, Feb 5, 2016 at 7:12 PM, Bill Burke <bburke at redhat.com> wrote:

> 1.9.0.Final will have it...
>
>
> On 2/5/2016 7:50 AM, Malmi Samarasinghe wrote:
>
> Hi Stian,
>
> Thank you very much for looking in to the issue. We tried with around 6
> role creations per second, and I tried switching off realm cache and it had
> negative impact on the performance of other API s.
>
> Really appreciate if you could suggest us a rough timeline for a fix date.
>
> Regards,
> Malmi
>
> On Fri, Feb 5, 2016 at 3:20 PM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>> Either don't create roles concurrently or disable cache.
>>
>> How frequently are you creating roles? Just wondering because if you do
>> it will significantly impact the benefits of the cache as we invalidate a
>> large amount of the cache when roles are added/removed.
>>
>> The problem you are seeing is most likely down to a race condition when
>> the realm role list (or client role lists) are re-loaded after they are
>> invalidated. I haven't had much time to look at it yet, so I don't know the
>> exact cause or a solution.
>>
>> On 5 February 2016 at 09:57, Malmi Samarasinghe < <malmi.suh at gmail.com>
>> malmi.suh at gmail.com> wrote:
>>
>>> Hi Stian,
>>>
>>> We have this in production is there any intermediary fix that we can do
>>> or any workaround?
>>>
>>> Regards,
>>> Malmi
>>>
>>> On Fri, Feb 5, 2016 at 2:11 PM, Stian Thorgersen <sthorger at redhat.com>
>>> wrote:
>>>
>>>> Confirmed this bug  <https://issues.jboss.org/browse/KEYCLOAK-2458>
>>>> https://issues.jboss.org/browse/KEYCLOAK-2458
>>>>
>>>> On 5 February 2016 at 06:53, Malmi Samarasinghe < <malmi.suh at gmail.com>
>>>> malmi.suh at gmail.com> wrote:
>>>>
>>>>> Hi Stian/Bill,
>>>>>
>>>>> I just wanted to highlight that this issue only occurred when realm
>>>>> cache enabled option is ON.
>>>>>
>>>>> Regards,
>>>>> Malmi
>>>>>
>>>>> On Thu, Feb 4, 2016 at 8:38 PM, Malmi Samarasinghe <
>>>>> <malmi.suh at gmail.com>malmi.suh at gmail.com> wrote:
>>>>>
>>>>>> Hi Stian
>>>>>>
>>>>>> I have multiple threads creating different roles. Basically one
>>>>>> thread will execute all three apis one after another.
>>>>>>
>>>>>> Regards,
>>>>>> Malmi
>>>>>>
>>>>>> On Thu, Feb 4, 2016 at 5:23 PM, Stian Thorgersen <
>>>>>> <sthorger at redhat.com>sthorger at redhat.com> wrote:
>>>>>>
>>>>>>> When you say method1 is executed in multiple threads, do you mean
>>>>>>> one thread creates the role and another retrieves it? Or do you have
>>>>>>> multiple threads creating different roles?
>>>>>>>
>>>>>>> On 4 February 2016 at 12:31, Malmi Samarasinghe <
>>>>>>> <malmi.suh at gmail.com>malmi.suh at gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi Bill,
>>>>>>>>
>>>>>>>> Please find the work flow that we have implemented
>>>>>>>> create user : POST : admin/realms/{realm}/users
>>>>>>>>
>>>>>>>> *Method1* wrapps the following API calls
>>>>>>>> Create Realm role : POST : admin/realms/{realm}/roles
>>>>>>>> Retrieve Role : GET : admin/realms/{realm}/roles/{roleName}
>>>>>>>> Assign Role : POST :
>>>>>>>> admin/realms/leapset/users/{0}/role-mappings/realm
>>>>>>>>
>>>>>>>> Same for the client roles as well.
>>>>>>>>
>>>>>>>> *Method1 *is executed in multiple threads and assign reams role
>>>>>>>> API starts failing with 404 (keycloak log states role not found)
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Malmi
>>>>>>>>
>>>>>>>> On Thu, Feb 4, 2016 at 9:00 AM, Bill Burke < <bburke at redhat.com>
>>>>>>>> bburke at redhat.com> wrote:
>>>>>>>>
>>>>>>>>> Can you give me what REST invocations you are doing? How do you
>>>>>>>>> find the role?  How do you create the role? etc...
>>>>>>>>>
>>>>>>>>> On 2/3/2016 9:45 PM, Malmi Samarasinghe wrote:
>>>>>>>>>
>>>>>>>>> Hi Bill,
>>>>>>>>>
>>>>>>>>> We tried the above fix on top of 1.7.0 by applying the changes
>>>>>>>>> from the commits attached to the
>>>>>>>>> <https://issues.jboss.org/browse/KEYCLOAK-2327>
>>>>>>>>> https://issues.jboss.org/browse/KEYCLOAK-2327 and deployed, and
>>>>>>>>> it seems to have the same issue. If you have any further update on this
>>>>>>>>> please let us know.
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Malmi
>>>>>>>>>
>>>>>>>>> On Mon, Feb 1, 2016 at 4:02 PM, Stian Thorgersen <
>>>>>>>>> <sthorger at redhat.com>sthorger at redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> This could be related to
>>>>>>>>>> <https://issues.jboss.org/browse/KEYCLOAK-2327>
>>>>>>>>>> https://issues.jboss.org/browse/KEYCLOAK-2327.
>>>>>>>>>>
>>>>>>>>>> It's already fixed in master, so if you can try it out that would
>>>>>>>>>> be great. We should also have a 1.8.1.Final release this week with the fix
>>>>>>>>>> in as well.
>>>>>>>>>>
>>>>>>>>>> On 30 January 2016 at 05:16, Malmi Samarasinghe <
>>>>>>>>>> <malmi.suh at gmail.com>malmi.suh at gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Bill,
>>>>>>>>>>>
>>>>>>>>>>> We are using keycloak 1.7.0 and rdbms (mysql)
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>> Malmi Samarasinghe
>>>>>>>>>>> On Jan 29, 2016 7:41 PM, "Bill Burke" < <bburke at redhat.com>
>>>>>>>>>>> bburke at redhat.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Which version of keycloak?  RDBMS or Mongo?
>>>>>>>>>>>>
>>>>>>>>>>>> On 1/29/2016 12:35 AM, Malmi Samarasinghe wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Hi Everyone,
>>>>>>>>>>>>
>>>>>>>>>>>> In my application we create retrieve and assign role
>>>>>>>>>>>> subsequently and it seems that even for a small load (2-3 threads) with
>>>>>>>>>>>> realm cache enabled option, assign realm role call fails due to role not
>>>>>>>>>>>> exist error and 404 is returned from keycloak.
>>>>>>>>>>>>
>>>>>>>>>>>> With the realm cache disabled option the load works fine.
>>>>>>>>>>>>
>>>>>>>>>>>> Please get back to me if you have any information on any other
>>>>>>>>>>>> option we can follow to get this issue sorted or on what action the realm
>>>>>>>>>>>> cache will be persisted to DB.
>>>>>>>>>>>>
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> Malmi
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Bill Burke
>>>>>>>>>>>> JBoss, a division of Red Hathttp://bill.burkecentral.com
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>>> <keycloak-user at lists.jboss.org>keycloak-user at lists.jboss.org
>>>>>>>>>>>> <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>> <keycloak-user at lists.jboss.org>keycloak-user at lists.jboss.org
>>>>>>>>>>> <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Bill Burke
>>>>>>>>> JBoss, a division of Red Hathttp://bill.burkecentral.com
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hathttp://bill.burkecentral.com
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160206/4c1e25c7/attachment-0001.html 


More information about the keycloak-user mailing list