Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Undefined
Fix Version/s: 24.0.4
Affects Version/s: None
Component/s: team/sre
Labels:

Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Epic Link:
RHBK-1409
Intelligence Requested:
Market:

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Before reporting an issue

[X] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

infinispan

Describe the bug

We ran into an issue while configuring a Keycloak cluster that uses a remote Infinispan cluster (we are using Infinispan version 14.0.21.Final); we are using Terraform to do so, using this provider.
Please find the relevant configurations below.
Terraform:
```
terraform {
required_version = ">= 0.14.11, < 2.0.0"
required_providers

{ {code}

keycloak =

{ source = "mrparkers/keycloak" version = "4.4.0" } {code}

}
}

provider "keycloak" {
client_id = "admin-cli"
username = "foo"
password = "bar"
url = "https://localhost:8081"
base_path = "/foo"
client_timeout = 60
}

resource "keycloak_realm" "foo_realm" {
realm = "foo"
display_name = "foo realm"
enabled = true
login_with_email_allowed = true
}

resource "keycloak_authentication_flow" "foo_browser_flow" {
realm_id = keycloak_realm.foo_realm.id
alias = "foo-browser"
description = "Browser based authentication for clients"
provider_id = "basic-flow"
}

resource "keycloak_authentication_execution" "foo_browser_cookie_execution" {
realm_id = keycloak_realm.foo_realm.id
parent_flow_alias = keycloak_authentication_flow.foo_browser_flow.alias
authenticator = "auth-cookie"
requirement = "ALTERNATIVE"
}

resource "keycloak_authentication_subflow" "foo_browser_subflow_authentication"

{ depends_on = [keycloak_authentication_execution.foo_browser_cookie_execution] realm_id = keycloak_realm.foo_realm.id alias = "foo-browser-subflow-authentication" description = "foo: lorem ipsum" parent_flow_alias = keycloak_authentication_flow.foo_browser_flow.alias provider_id = "basic-flow" requirement = "ALTERNATIVE" } ``` Our setup is the following: - 3-node Keycloak cluster - 3-node Infinispan cluster - Postgres as a backend for Keycloak - Infinispan is configured with a persisting store (Postgres) Please find the configs for Keycloak and Infinispan below. Keycloak: ```<?xml version="1.0" encoding="UTF-8"?> <infinispan {code}

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:infinispan:config:14.0 http://www.infinispan.org/schemas/infinispan-config-14.0.xsd"
xmlns="urn:infinispan:config:14.0">

<cache-container name="keycloak">
<transport lock-timeout="60000"/>

<local-cache-configuration name="local-cache-cfg">
<encoding>
<key media-type="application/x-java-object"/>
<value media-type="application/x-java-object"/>
</encoding>
</local-cache-configuration>

<local-cache name="realms" configuration="local-cache-cfg">
<memory max-count="10000"/>
</local-cache>

<local-cache name="users" configuration="local-cache-cfg">
<memory max-count="10000"/>
</local-cache>

<local-cache name="keys" configuration="local-cache-cfg">
<expiration max-idle="3600000"/>
<memory max-count="1000"/>
</local-cache>

<local-cache name="authorization" configuration="local-cache-cfg">
<memory max-count="10000"/>
</local-cache>

<distributed-cache name="authenticationSessions" owners="2">
<expiration lifespan="-1"/>
</distributed-cache>

<distributed-cache name="sessions" owners="2">
<expiration lifespan="-1"/>
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
cache="sessions"
purge="false"
preload="false"
shared="true"
segmented="false"
connect-timeout="${env.KEYCLOAK_REMOTE_ISPN_CONN_TIMEOUT:2000}"
raw-values="true"
marshaller="org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory">
<remote-server host="${env.KEYCLOAK_REMOTE_ISPN_HOST}" port="${infinispan.bind.port:11222}"/>

<distributed-cache name="clientSessions" owners="2">
<expiration lifespan="-1"/>
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
cache="clientSessions"
purge="false"
preload="false"
shared="true"
segmented="false"
connect-timeout="${env.KEYCLOAK_REMOTE_ISPN_CONN_TIMEOUT:2000}"
raw-values="true"
marshaller="org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory">
<remote-server host="${env.KEYCLOAK_REMOTE_ISPN_HOST}" port="${infinispan.bind.port:11222}"/>
<security>
<authentication>
<digest username="${env.KEYCLOAK_REMOTE_ISPN_USERNAME}"
password="${env.KEYCLOAK_REMOTE_ISPN_PASSWORD}"
realm="default"/>
</authentication>
</security>
</remote-store>
</distributed-cache>

<distributed-cache name="offlineSessions" owners="2">
<expiration lifespan="-1"/>
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
cache="offlineSessions"
purge="false"
preload="false"
shared="true"
segmented="false"
connect-timeout="${env.KEYCLOAK_REMOTE_ISPN_CONN_TIMEOUT:2000}"
raw-values="true"
marshaller="org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory">
<remote-server host="${env.KEYCLOAK_REMOTE_ISPN_HOST}" port="${infinispan.bind.port:11222}"/>
<security>
<authentication>
<digest username="${env.KEYCLOAK_REMOTE_ISPN_USERNAME}"
password="${env.KEYCLOAK_REMOTE_ISPN_PASSWORD}"
realm="default"/>
</authentication>
</security>
</remote-store>
</distributed-cache>

<distributed-cache name="offlineClientSessions" owners="2">
<expiration lifespan="-1"/>
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
cache="offlineClientSessions"
purge="false"
preload="false"
shared="true"
segmented="false"
connect-timeout="${env.KEYCLOAK_REMOTE_ISPN_CONN_TIMEOUT:2000}"
raw-values="true"
marshaller="org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory">
<remote-server host="${env.KEYCLOAK_REMOTE_ISPN_HOST}" port="${infinispan.bind.port:11222}"/>
<security>
<authentication>
<digest username="${env.KEYCLOAK_REMOTE_ISPN_USERNAME}"
password="${env.KEYCLOAK_REMOTE_ISPN_PASSWORD}"
realm="default"/>
</authentication>
</security>
</remote-store>
</distributed-cache>

<distributed-cache name="loginFailures" owners="2">
<expiration lifespan="-1"/>
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
cache="loginFailures"
purge="false"
preload="false"
shared="true"
segmented="false"
connect-timeout="${env.KEYCLOAK_REMOTE_ISPN_CONN_TIMEOUT:2000}"
raw-values="true"
marshaller="org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory">
<remote-server host="${env.KEYCLOAK_REMOTE_ISPN_HOST}" port="${infinispan.bind.port:11222}"/>
<security>
<authentication>
<digest username="${env.KEYCLOAK_REMOTE_ISPN_USERNAME}"
password="${env.KEYCLOAK_REMOTE_ISPN_PASSWORD}"
realm="default"/>
</authentication>
</security>
</remote-store>
</distributed-cache>

<distributed-cache name="actionTokens" owners="2">
<expiration max-idle="-1" lifespan="-1" interval="300000"/>
<memory max-count="-1"/>
<remote-store cache="actionTokens" xmlns="urn:infinispan:config:store:remote:14.0"
purge="false"
preload="false"
shared="true"
segmented="false"
connect-timeout="${env.KEYCLOAK_REMOTE_ISPN_CONN_TIMEOUT:2000}"
raw-values="true"
marshaller="org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory">
<remote-server host="${env.KEYCLOAK_REMOTE_ISPN_HOST}" port="${infinispan.bind.port:11222}"/>
<security>
<authentication>
<digest username="${env.KEYCLOAK_REMOTE_ISPN_USERNAME}"
password="${env.KEYCLOAK_REMOTE_ISPN_PASSWORD}"
realm="default"/>
</authentication>
</security>
</remote-store>
</distributed-cache>

<replicated-cache name="work">
<expiration lifespan="-1"/>
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
cache="work"
purge="false"
preload="false"
shared="true"
segmented="false"
connect-timeout="${env.KEYCLOAK_REMOTE_ISPN_CONN_TIMEOUT:2000}"
raw-values="true"
marshaller="org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory">
<remote-server host="${env.KEYCLOAK_REMOTE_ISPN_HOST}" port="${infinispan.bind.port:11222}"/>
<security>
<authentication>
<digest username="${env.KEYCLOAK_REMOTE_ISPN_USERNAME}"
password="${env.KEYCLOAK_REMOTE_ISPN_PASSWORD}"
realm="default"/>
</authentication>
</security>
</remote-store>
</replicated-cache>
</cache-container>

</infinispan>
```
Infinispan:

```<infinispan

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="urn:infinispan:config:14.0"
xsi:schemaLocation="urn:infinispan:config:14.0 https://infinispan.org/schemas/infinispan-config-14.0.xsd urn:infinispan:server:14.0 https://infinispan.org/schemas/infinispan-server-14.0.xsd">

<cache-container name="default" statistics="true">
<metrics gauges="true" histograms="false" />

<serialization marshaller="org.infinispan.jboss.marshalling.commons.GenericJBossMarshaller">
<allow-list>
<class>org.keycloak.cluster.infinispan.WrapperClusterEvent</class>
<regex>.*</regex>
</allow-list>
</serialization>
<transport
cluster="${infinispan.cluster.name:kcispn}"
stack="${infinispan.cluster.stack:kubernetes}"
node-name="${env.POD_NAME}"/>

<replicated-cache-configuration name="replicated-cache-cfg"
xmlns:jdbc="urn:infinispan:config:store:jdbc:14.0"
mode="SYNC"
statistics="true"
segments="256"
unreliable-return-values="false">
<encoding media-type="application/x-jboss-marshalling"/>
<transaction mode="NON_XA"
locking="OPTIMISTIC"/>
<persistence passivation="false">
<jdbc:string-keyed-jdbc-store shared="true" preload="false">
<jdbc:data-source jndi-url="jdbc/datasource"/>
<jdbc:string-keyed-table drop-on-exit="false" create-on-start="true" prefix="ispn">
<jdbc:id-column name="id" type="VARCHAR(255)"/>
<jdbc:data-column name="data" type="bytea"/>
<jdbc:timestamp-column name="ts" type="BIGINT"/>
<jdbc:segment-column name="seg" type="INT"/>
</jdbc:string-keyed-table>
</jdbc:string-keyed-jdbc-store>
</persistence>
</replicated-cache-configuration>

<distributed-cache-configuration name="distributed-cache-cfg"
xmlns:jdbc="urn:infinispan:config:store:jdbc:14.0"
mode="SYNC"
owners="2"
remote-timeout="60000"
statistics="true"
segments="256"
unreliable-return-values="false">
<encoding media-type="application/x-jboss-marshalling"/>
<locking isolation="REPEATABLE_READ"
striping="false"
acquire-timeout="10000"
concurrency-level="32"/>

<partition-handling when-split="ALLOW_READ_WRITES" />

<state-transfer enabled="true"
timeout="240000"
chunk-size="240000"
await-initial-transfer="true"/>
</distributed-cache-configuration>

<replicated-cache name="work" configuration="replicated-cache-cfg">
</replicated-cache>

<distributed-cache name="sessions" configuration="distributed-cache-cfg">
</distributed-cache>

<distributed-cache name="authenticationSessions" configuration="distributed-cache-cfg">
</distributed-cache>

<distributed-cache name="offlineSessions" configuration="distributed-cache-cfg">
</distributed-cache>

<distributed-cache name="clientSessions" configuration="distributed-cache-cfg">
</distributed-cache>

<distributed-cache name="offlineClientSessions" configuration="distributed-cache-cfg">
</distributed-cache>

<distributed-cache name="loginFailures" configuration="distributed-cache-cfg">
</distributed-cache>

<distributed-cache name="actionTokens" configuration="distributed-cache-cfg">
<memory max-count="-1">
</memory>
<expiration interval="300000" max-idle="-1"/>
</distributed-cache>

</cache-container>

<socket-bindings default-interface="public" port-offset="${infinispan.socket.binding.port-offset:0}">
<socket-binding name="default" port="${infinispan.bind.port:11222}"/>
</socket-bindings>

<data-sources>
<data-source name="KeycloakDS" jndi-name="jdbc/datasource" statistics="true">
<connection-factory driver="org.postgresql.Driver"
username="${env.DB_USERNAME}"
password="${env.DB_PASSWORD}"
url="jdbc:postgresql://${env.DB_HOSTNAME}/${env.DB_DATABASE}?ApplicationName=${env.DB_APP_NAME}"
new-connection-sql="SELECT 1" transaction-isolation="READ_COMMITTED">
</connection-factory>
<connection-pool initial-size="${env.CONN_POOL_INITIAL_SIZE}" max-size="${env.CONN_POOL_MAX_SIZE}" min-size="${env.CONN_POOL_MIN_SIZE}" background-validation="1000" idle-removal="1" blocking-timeout="1000" leak-detection="10000"/>
</data-source>
</data-sources>

<endpoints>
<endpoint socket-binding="default" security-realm="default">
<hotrod-connector name="hotrod" security-realm="default"/>
<rest-connector>
<authentication mechanisms="BASIC"/>
</rest-connector>
</endpoint>
</endpoints>
</server>

</infinispan>
```

All referenced environment variables are correctly evaluated at run time.

This is the chain of events that we get:

```
POST /admin/realms/foo-realm/authentication/flows/foo-browser-with-product-events-cookie/executions/execution -> 201 created
```

```
PUT /admin/realms/foo-realm/authentication/flows/foo-browser-with-product-events-cookie/executions -> 404 not found
```

This is the stack trace corresponding to the 404:

```
jakarta.ws.rs.NotFoundException: Illegal execution
	at org.keycloak.services.resources.admin.AuthenticationManagementResource.updateExecutions(AuthenticationManagementResource.java:721)
	at org.keycloak.services.resources.admin.AuthenticationManagementResource$quarkusrestinvoker$updateExecutions_1fb26a2fba65839d9e0fe9f9233d954e611af6dd.invoke(Unknown Source)
	at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
	at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
	at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:145)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:576)
	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1512)
	at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
	at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:840)
```

When this happens, we can see a sudden increase in warning messages from Keycloak, as it is visible from the following logs:

![image|https://github.com/keycloak/keycloak/assets/17787120/0dc4f0c4-67f3-431c-84c4-2b5d28fd06c5]

```
Event object wasn't available in remote cache after event was received. Event key: 4af1c45f-a0ac-4fee-be2e-f8467e73af92
```


h3. Version

23.0.7

h3. Regression

[ ] The issue is a regression

h3. Expected behavior

The flows and subflows are created according to what is specified in the Terraform file.

h3. Actual behavior

On subsequent PUT calls, Keycloak returns a 404 error even though the resource was successfully created as the logs provided in the bug description show.

h3. How to Reproduce?

Apply the provided Terraform file on a Keycloak clustered deployment with an external Infinispan (see provided config files to configure Infinispan and Keycloak).

h3. Anything else?

If the {{work}} cache is hosted in the embedded cache or we have a single Keycloak node, the Terraform apply runs without any error. See the following config file as a reference for this case:
```
<?xml version="1.0" encoding="UTF-8"?>
<infinispan

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:infinispan:config:14.0 http://www.infinispan.org/schemas/infinispan-config-14.0.xsd"
xmlns="urn:infinispan:config:14.0">

<cache-container name="keycloak">
<transport lock-timeout="60000"/>

<local-cache-configuration name="local-cache-cfg">
<encoding>
<key media-type="application/x-java-object"/>
<value media-type="application/x-java-object"/>
</encoding>
</local-cache-configuration>

<local-cache name="realms" configuration="local-cache-cfg">
<memory max-count="10000"/>
</local-cache>

<local-cache name="users" configuration="local-cache-cfg">
<memory max-count="10000"/>
</local-cache>

<local-cache name="keys" configuration="local-cache-cfg">
<expiration max-idle="3600000"/>
<memory max-count="1000"/>
</local-cache>

<local-cache name="authorization" configuration="local-cache-cfg">
<memory max-count="10000"/>
</local-cache>

<distributed-cache name="authenticationSessions" owners="2">
<expiration lifespan="-1"/>
</distributed-cache>

</infinispan>
```

links to

Link to original GitHub issue

Assignee:: Unassigned

Reporter:: Pavel Vlha

Team:: Keycloak SRE

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2024/05/15 10:35 AM

Updated:: 2024/10/11 10:03 AM

Resolved:: 2024/05/15 10:35 AM

Details

Description

Before reporting an issue

Area

Describe the bug

Attachments

Issue Links

Activity

People

Dates