Merge pull request #3140 from pedroigor/KEYCLOAK-3390
[KEYCLOAK-3390] - Updating authorization objects doesn't invalidate cache in cluster
This commit is contained in:
commit
fd983690e2
13 changed files with 28 additions and 13 deletions
|
@ -89,6 +89,7 @@
|
||||||
<local-cache name="sessions"/>
|
<local-cache name="sessions"/>
|
||||||
<local-cache name="offlineSessions"/>
|
<local-cache name="offlineSessions"/>
|
||||||
<local-cache name="loginFailures"/>
|
<local-cache name="loginFailures"/>
|
||||||
|
<local-cache name="authorization "/>
|
||||||
<local-cache name="work"/>
|
<local-cache name="work"/>
|
||||||
</cache-container>
|
</cache-container>
|
||||||
<xsl:apply-templates select="node()|@*"/>
|
<xsl:apply-templates select="node()|@*"/>
|
||||||
|
|
|
@ -8,6 +8,7 @@ embed-server --server-config=standalone-ha.xml
|
||||||
/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:add(mode="SYNC",owners="1")
|
/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:add(mode="SYNC",owners="1")
|
||||||
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:add(mode="SYNC",owners="1")
|
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:add(mode="SYNC",owners="1")
|
||||||
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:add(mode="SYNC",owners="1")
|
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:add(mode="SYNC",owners="1")
|
||||||
|
/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization:add(mode="SYNC",owners="1")
|
||||||
/subsystem=infinispan/cache-container=keycloak/replicated-cache=work:add(mode="SYNC")
|
/subsystem=infinispan/cache-container=keycloak/replicated-cache=work:add(mode="SYNC")
|
||||||
/extension=org.keycloak.keycloak-server-subsystem/:add(module=org.keycloak.keycloak-server-subsystem)
|
/extension=org.keycloak.keycloak-server-subsystem/:add(module=org.keycloak.keycloak-server-subsystem)
|
||||||
/subsystem=keycloak-server:add(web-context=auth)
|
/subsystem=keycloak-server:add(web-context=auth)
|
|
@ -108,7 +108,7 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon
|
||||||
|
|
||||||
cacheManager.defineConfiguration(InfinispanConnectionProvider.USER_REVISIONS_CACHE_NAME, getRevisionCacheConfig(true, maxEntries));
|
cacheManager.defineConfiguration(InfinispanConnectionProvider.USER_REVISIONS_CACHE_NAME, getRevisionCacheConfig(true, maxEntries));
|
||||||
cacheManager.getCache(InfinispanConnectionProvider.USER_REVISIONS_CACHE_NAME, true);
|
cacheManager.getCache(InfinispanConnectionProvider.USER_REVISIONS_CACHE_NAME, true);
|
||||||
|
cacheManager.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME, true);
|
||||||
logger.debugv("Using container managed Infinispan cache container, lookup={1}", cacheContainerLookup);
|
logger.debugv("Using container managed Infinispan cache container, lookup={1}", cacheContainerLookup);
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
throw new RuntimeException("Failed to retrieve cache container", e);
|
throw new RuntimeException("Failed to retrieve cache container", e);
|
||||||
|
@ -161,6 +161,7 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon
|
||||||
cacheManager.defineConfiguration(InfinispanConnectionProvider.SESSION_CACHE_NAME, sessionCacheConfiguration);
|
cacheManager.defineConfiguration(InfinispanConnectionProvider.SESSION_CACHE_NAME, sessionCacheConfiguration);
|
||||||
cacheManager.defineConfiguration(InfinispanConnectionProvider.OFFLINE_SESSION_CACHE_NAME, sessionCacheConfiguration);
|
cacheManager.defineConfiguration(InfinispanConnectionProvider.OFFLINE_SESSION_CACHE_NAME, sessionCacheConfiguration);
|
||||||
cacheManager.defineConfiguration(InfinispanConnectionProvider.LOGIN_FAILURE_CACHE_NAME, sessionCacheConfiguration);
|
cacheManager.defineConfiguration(InfinispanConnectionProvider.LOGIN_FAILURE_CACHE_NAME, sessionCacheConfiguration);
|
||||||
|
cacheManager.defineConfiguration(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME, sessionCacheConfiguration);
|
||||||
|
|
||||||
ConfigurationBuilder replicationConfigBuilder = new ConfigurationBuilder();
|
ConfigurationBuilder replicationConfigBuilder = new ConfigurationBuilder();
|
||||||
if (clustered) {
|
if (clustered) {
|
||||||
|
@ -178,9 +179,6 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon
|
||||||
cacheManager.defineConfiguration(InfinispanConnectionProvider.REALM_REVISIONS_CACHE_NAME, getRevisionCacheConfig(false, InfinispanConnectionProvider.REALM_REVISIONS_CACHE_DEFAULT_MAX));
|
cacheManager.defineConfiguration(InfinispanConnectionProvider.REALM_REVISIONS_CACHE_NAME, getRevisionCacheConfig(false, InfinispanConnectionProvider.REALM_REVISIONS_CACHE_DEFAULT_MAX));
|
||||||
cacheManager.getCache(InfinispanConnectionProvider.REALM_CACHE_NAME, true);
|
cacheManager.getCache(InfinispanConnectionProvider.REALM_CACHE_NAME, true);
|
||||||
|
|
||||||
cacheManager.defineConfiguration(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME,
|
|
||||||
new ConfigurationBuilder().eviction().type(EvictionType.COUNT).size(100).simpleCache(true).build());
|
|
||||||
|
|
||||||
long maxEntries = cacheManager.getCache(InfinispanConnectionProvider.USER_CACHE_NAME).getCacheConfiguration().eviction().maxEntries();
|
long maxEntries = cacheManager.getCache(InfinispanConnectionProvider.USER_CACHE_NAME).getCacheConfiguration().eviction().maxEntries();
|
||||||
if (maxEntries <= 0) {
|
if (maxEntries <= 0) {
|
||||||
maxEntries = InfinispanConnectionProvider.USER_REVISIONS_CACHE_DEFAULT_MAX;
|
maxEntries = InfinispanConnectionProvider.USER_REVISIONS_CACHE_DEFAULT_MAX;
|
||||||
|
|
|
@ -389,7 +389,7 @@ public class CachedPolicyStore implements PolicyStore {
|
||||||
if (this.updated == null) {
|
if (this.updated == null) {
|
||||||
this.updated = getDelegate().findById(getId());
|
this.updated = getDelegate().findById(getId());
|
||||||
if (this.updated == null) throw new IllegalStateException("Not found in database");
|
if (this.updated == null) throw new IllegalStateException("Not found in database");
|
||||||
transaction.whenCommit(() -> cache.evict(getCacheKeyForPolicy(getId())));
|
transaction.whenCommit(() -> cache.remove(getCacheKeyForPolicy(getId())));
|
||||||
}
|
}
|
||||||
|
|
||||||
return this.updated;
|
return this.updated;
|
||||||
|
|
|
@ -169,7 +169,7 @@ public class CachedResourceServerStore implements ResourceServerStore {
|
||||||
if (this.updated == null) {
|
if (this.updated == null) {
|
||||||
this.updated = getDelegate().findById(getId());
|
this.updated = getDelegate().findById(getId());
|
||||||
if (this.updated == null) throw new IllegalStateException("Not found in database");
|
if (this.updated == null) throw new IllegalStateException("Not found in database");
|
||||||
transaction.whenCommit(() -> cache.evict(getCacheKeyForResourceServer(getId())));
|
transaction.whenCommit(() -> cache.remove(getCacheKeyForResourceServer(getId())));
|
||||||
}
|
}
|
||||||
|
|
||||||
return this.updated;
|
return this.updated;
|
||||||
|
|
|
@ -270,7 +270,7 @@ public class CachedResourceStore implements ResourceStore {
|
||||||
if (this.updated == null) {
|
if (this.updated == null) {
|
||||||
this.updated = getDelegate().findById(getId());
|
this.updated = getDelegate().findById(getId());
|
||||||
if (this.updated == null) throw new IllegalStateException("Not found in database");
|
if (this.updated == null) throw new IllegalStateException("Not found in database");
|
||||||
transaction.whenCommit(() -> cache.evict(getCacheKeyForResource(getId())));
|
transaction.whenCommit(() -> cache.remove(getCacheKeyForResource(getId())));
|
||||||
}
|
}
|
||||||
|
|
||||||
return this.updated;
|
return this.updated;
|
||||||
|
|
|
@ -175,7 +175,7 @@ public class CachedScopeStore implements ScopeStore {
|
||||||
if (this.updated == null) {
|
if (this.updated == null) {
|
||||||
this.updated = getDelegate().findById(getId());
|
this.updated = getDelegate().findById(getId());
|
||||||
if (this.updated == null) throw new IllegalStateException("Not found in database");
|
if (this.updated == null) throw new IllegalStateException("Not found in database");
|
||||||
transaction.whenCommit(() -> cache.evict(getCacheKeyForScope(getId())));
|
transaction.whenCommit(() -> cache.remove(getCacheKeyForScope(getId())));
|
||||||
}
|
}
|
||||||
|
|
||||||
return this.updated;
|
return this.updated;
|
||||||
|
|
|
@ -22,10 +22,10 @@ import org.keycloak.authorization.model.Policy;
|
||||||
import org.keycloak.authorization.model.Resource;
|
import org.keycloak.authorization.model.Resource;
|
||||||
import org.keycloak.authorization.model.ResourceServer;
|
import org.keycloak.authorization.model.ResourceServer;
|
||||||
import org.keycloak.authorization.model.Scope;
|
import org.keycloak.authorization.model.Scope;
|
||||||
import org.keycloak.models.entities.AbstractIdentifiableEntity;
|
|
||||||
import org.keycloak.representations.idm.authorization.DecisionStrategy;
|
import org.keycloak.representations.idm.authorization.DecisionStrategy;
|
||||||
import org.keycloak.representations.idm.authorization.Logic;
|
import org.keycloak.representations.idm.authorization.Logic;
|
||||||
|
|
||||||
|
import java.io.Serializable;
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
|
@ -34,7 +34,9 @@ import java.util.stream.Collectors;
|
||||||
/**
|
/**
|
||||||
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
|
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
|
||||||
*/
|
*/
|
||||||
public class CachedPolicy implements Policy {
|
public class CachedPolicy implements Policy, Serializable {
|
||||||
|
|
||||||
|
private static final long serialVersionUID = -144247681046298128L;
|
||||||
|
|
||||||
private String id;
|
private String id;
|
||||||
private String type;
|
private String type;
|
||||||
|
|
|
@ -22,6 +22,7 @@ import org.keycloak.authorization.model.Resource;
|
||||||
import org.keycloak.authorization.model.ResourceServer;
|
import org.keycloak.authorization.model.ResourceServer;
|
||||||
import org.keycloak.authorization.model.Scope;
|
import org.keycloak.authorization.model.Scope;
|
||||||
|
|
||||||
|
import java.io.Serializable;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
import java.util.stream.Collectors;
|
import java.util.stream.Collectors;
|
||||||
|
@ -29,7 +30,9 @@ import java.util.stream.Collectors;
|
||||||
/**
|
/**
|
||||||
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
|
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
|
||||||
*/
|
*/
|
||||||
public class CachedResource implements Resource {
|
public class CachedResource implements Resource, Serializable {
|
||||||
|
|
||||||
|
private static final long serialVersionUID = -6886179034626995165L;
|
||||||
|
|
||||||
private final String id;
|
private final String id;
|
||||||
private String resourceServerId;
|
private String resourceServerId;
|
||||||
|
|
|
@ -21,10 +21,14 @@ package org.keycloak.models.authorization.infinispan.entities;
|
||||||
import org.keycloak.authorization.model.ResourceServer;
|
import org.keycloak.authorization.model.ResourceServer;
|
||||||
import org.keycloak.representations.idm.authorization.PolicyEnforcementMode;
|
import org.keycloak.representations.idm.authorization.PolicyEnforcementMode;
|
||||||
|
|
||||||
|
import java.io.Serializable;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
|
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
|
||||||
*/
|
*/
|
||||||
public class CachedResourceServer implements ResourceServer {
|
public class CachedResourceServer implements ResourceServer, Serializable {
|
||||||
|
|
||||||
|
private static final long serialVersionUID = 5054253390723121289L;
|
||||||
|
|
||||||
private final String id;
|
private final String id;
|
||||||
private String clientId;
|
private String clientId;
|
||||||
|
|
|
@ -21,10 +21,14 @@ package org.keycloak.models.authorization.infinispan.entities;
|
||||||
import org.keycloak.authorization.model.ResourceServer;
|
import org.keycloak.authorization.model.ResourceServer;
|
||||||
import org.keycloak.authorization.model.Scope;
|
import org.keycloak.authorization.model.Scope;
|
||||||
|
|
||||||
|
import java.io.Serializable;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
|
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
|
||||||
*/
|
*/
|
||||||
public class CachedScope implements Scope {
|
public class CachedScope implements Scope, Serializable {
|
||||||
|
|
||||||
|
private static final long serialVersionUID = -3919706923417065454L;
|
||||||
|
|
||||||
private final String id;
|
private final String id;
|
||||||
private String resourceServerId;
|
private String resourceServerId;
|
||||||
|
|
|
@ -63,6 +63,7 @@ public class KeycloakServerDeploymentProcessor implements DeploymentUnitProcesso
|
||||||
st.addDependency(cacheContainerService.append("offlineSessions"));
|
st.addDependency(cacheContainerService.append("offlineSessions"));
|
||||||
st.addDependency(cacheContainerService.append("loginFailures"));
|
st.addDependency(cacheContainerService.append("loginFailures"));
|
||||||
st.addDependency(cacheContainerService.append("work"));
|
st.addDependency(cacheContainerService.append("work"));
|
||||||
|
st.addDependency(cacheContainerService.append("authorization"));;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -95,6 +95,7 @@
|
||||||
<distributed-cache name="sessions" mode="SYNC" owners="1"/>
|
<distributed-cache name="sessions" mode="SYNC" owners="1"/>
|
||||||
<distributed-cache name="offlineSessions" mode="SYNC" owners="1"/>
|
<distributed-cache name="offlineSessions" mode="SYNC" owners="1"/>
|
||||||
<distributed-cache name="loginFailures" mode="SYNC" owners="1"/>
|
<distributed-cache name="loginFailures" mode="SYNC" owners="1"/>
|
||||||
|
<distributed-cache name="authorization" mode="SYNC" owners="1"/>
|
||||||
<replicated-cache name="work" mode="SYNC" />
|
<replicated-cache name="work" mode="SYNC" />
|
||||||
</cache-container>
|
</cache-container>
|
||||||
<cache-container name="server" aliases="singleton cluster" default-cache="default" module="org.wildfly.clustering.server">
|
<cache-container name="server" aliases="singleton cluster" default-cache="default" module="org.wildfly.clustering.server">
|
||||||
|
|
Loading…
Reference in a new issue