Bug
Resolution: Done
Major
RH-SSO-7.6.0, RH-SSO-7.5.3
None
Red Hat IT is working on introducing an API which will allow dynamic creation / deletion of service accounts in one of their realms. The realm is configured with federated user storage. They are frequently noticing the following deadlock during deletion of service accounts:
Uncaught server error: javax.persistence.OptimisticLockException: org.hibernate.exception.LockAcquisitionException: could not execute statement
    at org.hibernate@5.3.23.Final-redhat-00001//org.hibernate.internal.ExceptionConverterImpl.wrapLockException(ExceptionConverterImpl.java:277)
    at org.hibernate@5.3.23.Final-redhat-00001//org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:98)
    at org.hibernate@5.3.23.Final-redhat-00001//org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:181)
    at org.hibernate@5.3.23.Final-redhat-00001//org.hibernate.query.internal.AbstractProducedQuery.executeUpdate(AbstractProducedQuery.java:1654)
    at org.keycloak.keycloak-model-jpa@15.0.4.redhat-00001//org.keycloak.storage.jpa.JpaUserFederatedStorageProvider.preRemove(JpaUserFederatedStorageProvider.java:826)
    at org.keycloak.keycloak-services@15.0.4.redhat-00001//org.keycloak.storage.UserStorageManager.removeUser(UserStorageManager.java:252)
    at org.keycloak.keycloak-model-infinispan@15.0.4.redhat-00001//org.keycloak.models.cache.infinispan.UserCacheSession.removeUser(UserCacheSession.java:802)
    at org.keycloak.keycloak-model-infinispan@15.0.4.redhat-00001//org.keycloak.models.cache.infinispan.RealmCacheSession.removeClient(RealmCacheSession.java:601)
    at org.keycloak.keycloak-model-infinispan@15.0.4.redhat-00001//org.keycloak.models.cache.infinispan.RealmAdapter.removeClient(RealmAdapter.java:809)
    at org.keycloak.keycloak-services@15.0.4.redhat-00001//org.keycloak.services.managers.ClientManager.removeClient(ClientManager.java:99)

It is failing on the named queries found in JpaUserFederatedStorageProvider::preRemove, called by UserStorageManager::removeUser.
It seems these queries are responsible for cleaning up federated user relations during deletion of a user. They think that for the internally created service account user these may not be necessary, and that skipping them could help prevent deadlocks and improve performance by not querying and locking against these contentious tables.