Open laskasn opened 2 years ago
Files identified in the description:
If these files are incorrect, please update the component name
section of the description or use the !component
bot command.
cc @eikef @kris2kris @ndclt click here for bot help
Sounds like a reasonable feature.
Yes, I think it's OK. Just be careful, because the authentication token has a short lifetime (1 minute for the whole cycle, I think), and if the update takes very long, the next step (here for example) may fail.
Hmm, forgot about that. However, by default, the access token in Keycloak has a 5 minute validity period. But yes, that's something which many might change to 1 minute, and then you might indeed stumble on this problem if it takes that long.
Summary
We have various Keycloak setups in standalone-ha mode, which are deployed with Ansible. We use community.general.keycloak_realm, among others, to configure our realms, which in some cases fails with a message like "Could not update realm xxx. .... Connection timed out". Digging a little into the code, we discovered that the failing point was here, which calls this one, which is always executed with the default 10-second timeout. Our realms in Keycloak are packed with information, so after a realm update, Keycloak needs a couple of seconds to perform various synchronization processes (internally, it invalidates the Infinispan cache and refreshes from the database), which makes subsequent Keycloak connections wait for that to complete. This might take a little more than 10 seconds, so your plugin fails to execute because of that 10 sec limitation. We managed to solve the timeout problem by editing the open_url() call in the update_realm() function and setting a higher timeout value.
If there is no other way to globally override that setting, could we expose the timeout setting as a parameter to the update_realm() and create_realm() functions, to help all those who maintain large-scale distributed Keycloak setups with this plugin? We could make this change/addition and contribute a PR.
Issue Type
Bug Report
Component Name
community.general.keycloak_realm
Ansible Version
Community.general Version
Configuration
OS / Environment
Ubuntu 20.04 focal
Steps to Reproduce
Expected Results
See issue's description
Actual Results
Code of Conduct
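The interaction between the request timeout and the access-token lifetime raised in this issue, as an added example that is not code from the collection or from any participant. It assumes a constructed local HTTP server standing in for a slow Keycloak node, delays scaled down to fractions of a second, and hypothetical helper names (`start_slow_server`, `put_realm`, `update_then_next_step`).

```python
import json, threading, time, urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

def start_slow_server(delay):
    """Constructed stand-in for a Keycloak node still re-syncing after a realm update."""
    class Handler(BaseHTTPRequestHandler):
        def do_PUT(self):
            self.rfile.read(int(self.headers.get("Content-Length", 0)))
            time.sleep(delay)              # simulated cache invalidation / DB refresh
            self.send_response(204)
            self.end_headers()
        def log_message(self, *args):      # keep the demo quiet
            pass
    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def put_realm(base_url, token, realm_rep, timeout=10):
    """PUT a realm representation with a caller-supplied timeout (default 10 s)."""
    req = urllib.request.Request(
        "%s/admin/realms/%s" % (base_url, realm_rep["realm"]),
        data=json.dumps(realm_rep).encode(), method="PUT",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})
    # Bypass any proxy from the environment so the loopback call stays local.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(req, timeout=timeout) as resp:
        return resp.status

def update_then_next_step(base_url, token, token_lifetime, realm_rep, timeout):
    """Return 'ok', 'timed_out' or 'token_expired' for one update cycle."""
    expires_at = time.monotonic() + token_lifetime   # token obtained just now
    try:
        put_realm(base_url, token, realm_rep, timeout)
    except OSError:        # socket timeout or URLError; the only failure in this demo
        return "timed_out"
    # A longer timeout only helps if the token is still valid for the next call.
    if time.monotonic() >= expires_at:
        return "token_expired"
    return "ok"

if __name__ == "__main__":
    srv = start_slow_server(0.5)                      # scaled-down delay, seconds
    url = "http://127.0.0.1:%d" % srv.server_address[1]
    rep = {"realm": "demo", "enabled": True}          # constructed sample realm
    for lifetime, timeout in ((60, 0.2), (60, 2), (0.3, 2)):
        print(lifetime, timeout,
              update_then_next_step(url, "constructed-token", lifetime, rep, timeout))
    srv.shutdown()
```

The third case is the one the reviewers warn about: the request completes within the raised timeout, but the token has expired before the following call can use it.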