Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: RH-SSO-7.6.1
Affects Version/s: RH-SSO-7.6.0, RH-SSO-7.5.3
Component/s: None
Labels:
- RH-SSO
- rh-sso-release-candidate

Blocked:
False
Blocked Reason:
None
Ready:
False
Epic Link:
RHSSO 7.6.1
Git Pull Request:
https://gitlab.cee.redhat.com/keycloak/keycloak-prod/-/merge_requests/173

SFDC Cases Links:
SFDC Cases Counter:

Description

Red Hat IT is working on introducing an API which will allow dynamic creation / deletion of service accounts in one of their realms. The realm is configured with federated user storage. They are frequently noticing the following deadlock during deletion of service accounts:

Uncaught server error: javax.persistence.OptimisticLockException: org.hibernate.exception.LockAcquisitionException: could not execute statement
	at org.hibernate@5.3.23.Final-redhat-00001//org.hibernate.internal.ExceptionConverterImpl.wrapLockException(ExceptionConverterImpl.java:277)
	at org.hibernate@5.3.23.Final-redhat-00001//org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:98)
	at org.hibernate@5.3.23.Final-redhat-00001//org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:181)
	at org.hibernate@5.3.23.Final-redhat-00001//org.hibernate.query.internal.AbstractProducedQuery.executeUpdate(AbstractProducedQuery.java:1654)
	at org.keycloak.keycloak-model-jpa@15.0.4.redhat-00001//org.keycloak.storage.jpa.JpaUserFederatedStorageProvider.preRemove(JpaUserFederatedStorageProvider.java:826)
	at org.keycloak.keycloak-services@15.0.4.redhat-00001//org.keycloak.storage.UserStorageManager.removeUser(UserStorageManager.java:252)
	at org.keycloak.keycloak-model-infinispan@15.0.4.redhat-00001//org.keycloak.models.cache.infinispan.UserCacheSession.removeUser(UserCacheSession.java:802)
	at org.keycloak.keycloak-model-infinispan@15.0.4.redhat-00001//org.keycloak.models.cache.infinispan.RealmCacheSession.removeClient(RealmCacheSession.java:601)
	at org.keycloak.keycloak-model-infinispan@15.0.4.redhat-00001//org.keycloak.models.cache.infinispan.RealmAdapter.removeClient(RealmAdapter.java:809)
	at org.keycloak.keycloak-services@15.0.4.redhat-00001//org.keycloak.services.managers.ClientManager.removeClient(ClientManager.java:99)
It is failing on the named queries found in JpaUserFederatedStorageProvider::preRemove. Called by UserStorageManager::removeUser.

It seems these queries are responsible for cleaning up federated user relations during deletion of a user. They think for the internally created service account user, these may not be necessary. And could help prevent deadlocks and improve performance by not querying and locking against these contentious tables.

Attachments

Issue Links

links to

GHI#12296

mentioned on

Merge request - RHSSO-2072 [ 7.6.1] Deadlock when calling removeUser for Service Account Linked Users

Activity

People

Assignee:: Peter Skopek

Reporter:: Issa Gueye

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2022/06/16 3:39 PM

Updated:: 2022/10/06 2:29 PM

Resolved:: 2022/10/06 2:29 PM