  2. RHBK-2972

Authorization Settings (ResourceServerRepresentation) Import doesn't reflected into all keycloak functionalities without server restart [GHI#38319]


      Area

      authorization-services

      Describe the bug

I implemented Keycloak Authorization Settings updates by exporting the settings, applying my updates, and importing the settings back in 24.0.4.
Now I am migrating to 26.1.4 and facing an issue: the changes are not reflected in all of Keycloak's functionalities immediately. A Keycloak instance restart is required.

      Version

      26.1.4

      Regression

      [x] The issue is a regression

      Expected behavior

After adding a new policy to the config.applyPolicies of a permission and importing the settings, the change must be:
1. applied to the database - after the import, a record is added to the associated_policy table
2. available for reading via the /dependentPolicies API
3. available for reading via the /associatedPolicies API
4. included in the settings export
5. taken into account during permission evaluation (POST /realms/${realm-name}/protocol/openid-connect/token, the token_endpoint from uma2-configuration, with {{grant_type=urn:ietf:params:oauth:grant-type:uma-ticket; audience={client_id}; response_mode=decision; permission={resource_name}#{scope_name}}})

      Actual behavior

After adding a new policy to the config.applyPolicies of a permission and importing the settings, the change is:
1. applied to the database
2. available for reading via the /dependentPolicies API
3. NOT available for reading via the /associatedPolicies API; old values are returned. The policy does show the permission as a "Dependent permission". Taking point 2 into account, this causes an inconsistency in the UI: the permission is shown under "Dependent permission" of the policy, but the policy is not shown in the permission
4. NOT included in the settings export
5. NOT taken into account during permission evaluation
6. maybe something else?

[Screenshot: https://github.com/user-attachments/assets/83e782a8-e437-443e-870f-aaa0f1202aab]

      How to Reproduce?

      Steps to Reproduce
1. enable Authorization for any client and make sure that the Authorization Settings are empty (remove all the default stuff)
2. create scope first
3. create two role policies: test and test2
4. create scope permission test_permission and assign scope first and policy test to it
5. export the settings
6. add test2 to config.applyPolicies of the permission named test_permission
7. import the settings

The settings for step 6 must look something like:

{code:json}
{
  "allowRemoteResourceManagement": true,
  "policyEnforcementMode": "ENFORCING",
  "resources": [],
  "policies": [
    {
      "name": "test",
      "description": "",
      "type": "role",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "fetchRoles": "false",
        "roles": "[{\"id\":\"account/delete-account\",\"required\":false}]"
      }
    },
    {
      "name": "test2",
      "description": "",
      "type": "role",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "fetchRoles": "false",
        "roles": "[{\"id\":\"account/manage-account\",\"required\":false}]"
      }
    },
    {
      "name": "test_permission",
      "description": "",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "scopes": "[\"first\"]",
        "applyPolicies": "[\"test\",\"test2\"]"
      }
    }
  ],
  "scopes": [
    { "name": "first", "iconUri": "" }
  ],
  "decisionStrategy": "UNANIMOUS"
}
{code}
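As an added example (not from this report or from the Keycloak project), a small Python helper that performs step 6 on an exported ResourceServerRepresentation and then cross-checks, by name, what /associatedPolicies and /dependentPolicies report after the import, so the stale-read described in this issue can be detected without inspecting the UI. The sample export and the two endpoint responses are constructed to mirror the report; fetching the real endpoints is left to the caller.

```python
import json

# Constructed export modelled on the report's step-5 output; not real server output.
EXPORTED = {
    "resources": [],
    "policies": [
        {"name": "test", "type": "role",
         "config": {"roles": "[{\"id\":\"account/delete-account\",\"required\":false}]"}},
        {"name": "test2", "type": "role",
         "config": {"roles": "[{\"id\":\"account/manage-account\",\"required\":false}]"}},
        {"name": "test_permission", "type": "scope",
         "config": {"scopes": "[\"first\"]", "applyPolicies": "[\"test\"]"}},
    ],
    "scopes": [{"name": "first", "iconUri": ""}],
}

def add_applied_policy(settings, permission_name, policy_name):
    """Step 6: add policy_name to config.applyPolicies of the named permission.
    applyPolicies is a JSON array serialised as a string, so decode, edit, re-encode."""
    for p in settings["policies"]:
        if p["name"] == permission_name:
            applied = json.loads(p["config"].get("applyPolicies", "[]"))
            if policy_name not in applied:
                applied.append(policy_name)
            p["config"]["applyPolicies"] = json.dumps(applied, separators=(",", ":"))
            return applied
    raise KeyError(f"no permission named {permission_name!r}")

def expected_links(settings):
    """permission -> policies that the (to be) imported settings say apply to it."""
    return {p["name"]: json.loads(p["config"]["applyPolicies"])
            for p in settings["policies"] if "applyPolicies" in p["config"]}

def find_inconsistencies(expected, associated, dependent):
    """Post-import cross-check on names only (the caller fetches both endpoints).
    associated: permission -> policy names returned by /associatedPolicies
    dependent:  policy -> permission names returned by /dependentPolicies
    Returns (permission, policy, endpoint) for every link an endpoint fails to show."""
    problems = []
    for perm, policies in expected.items():
        for pol in policies:
            if pol not in associated.get(perm, []):
                problems.append((perm, pol, "associatedPolicies"))
            if perm not in dependent.get(pol, []):
                problems.append((perm, pol, "dependentPolicies"))
    return problems
```

A non-empty result whose only entries name associatedPolicies is exactly the symptom this issue describes: the link is in the database and visible through the query-backed endpoint, but the entity-manager-backed one still returns the old values.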


      Anything else?

After investigation, I found that the value is persisted in the database
and is available in /dependentPolicies, as this API uses a query,
but is not available in /associatedPolicies, as it uses the entityManager (the same holds for the other places where the updates are not available).

If I restart the Keycloak server, everything works as expected.
I am not sure, but it seems like the issue is somewhere in the Hibernate L2 cache.
But I didn't turn any caches on.

Note: once every few (5-7) attempts, the updates are applied as expected.

Assignee: Unassigned
Reporter: Pavel Vlha (pvlha)
Component: Keycloak Core IAM