ansible-collections / community.general

Ansible Community General Collection
https://galaxy.ansible.com/ui/repo/published/community/general/
GNU General Public License v3.0

Cannot override default timeout setting for open_url() in update_realm() in community.general.keycloak_realm #4168

Open laskasn opened 2 years ago

laskasn commented 2 years ago

Summary

We have various Keycloak setups in standalone-ha mode, which are deployed with Ansible. We use community.general.keycloak_realm, among others, to configure our realms, which in some cases fails with a message like "Could not update realm xxx. .... Connection timed out". Digging a little into the code, we discovered that the failing point was here, which calls this one, which is always executed with the default 10-second timeout. Our realms in Keycloak are packed with information, so, after a realm update, Keycloak needs a couple of seconds to perform various synchronization processes (internally, it invalidates the Infinispan cache and refreshes from the database), which make subsequent connections to Keycloak wait for that to complete. This might take a little more than 10 seconds, so your plugin fails to execute because of that 10-second limitation. We managed to solve the timeout problem by editing the open_url() call in the update_realm() function and setting a higher timeout value.
If there is no other way to globally override that setting, could we expose the timeout setting as a parameter to the update_realm() and create_realm() functions, to help all those who maintain large-scale distributed Keycloak setups with this plugin? We could make this change/addition and contribute it with a PR.

Issue Type

Bug Report

Component Name

community.general.keycloak_realm

Ansible Version

$ ansible --version

Community.general Version

Collection        Version
----------------- -------
community.general 4.4.0  

Configuration

OS / Environment

Ubuntu 20.04 focal

Steps to Reproduce

See issue's description

Expected Results

See issue's description

Actual Results

Code of Conduct

ansibullbot commented 2 years ago

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.


ansibullbot commented 2 years ago

cc @eikef @kris2kris @ndclt

felixfontein commented 2 years ago

If there is no other way to globally override that setting, could we expose the timeout setting as a parameter to the update_realm() and create_realm() functions, to help all those who maintain large-scale distributed Keycloak setups with this plugin? We could make this change/addition and contribute it with a PR.

Sounds like a reasonable feature.

kris2kris commented 2 years ago

Yes, I think it's OK. Just be careful, because the authentication token has a short lifetime (1 minute for the whole cycle, I think), and if the update takes very long, the next step (here for example) may fail.

laskasn commented 2 years ago

Hmm, forgot about that. However, by default, the access token in Keycloak has a 5-minute validity period. But yes, that's something which many might change to 1 minute, and then you might indeed stumble on this problem if it takes that long.
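The caveat raised in the two comments above, as an added example that is not part of the original thread or of community.general: before raising the request timeout, check that the access token will still be valid when a call that blocks for the full timeout returns. The function names, the 5-second skew margin and the sample tokens are assumptions constructed for illustration.

```python
import base64
import json
import time


def jwt_expiry(token):
    """Return the `exp` claim (epoch seconds) of a JWT without verifying it.

    Used only to schedule client-side refreshes; it is not a signature check.
    """
    try:
        payload_b64 = token.split(".")[1]
        padded = payload_b64 + "=" * (-len(payload_b64) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
        return int(claims["exp"])
    except (IndexError, KeyError, ValueError, TypeError) as exc:
        raise ValueError("not a JWT with an exp claim") from exc


def token_outlives_request(token, request_timeout, now=None, skew=5):
    """True if the token is still valid after a call that may block for
    `request_timeout` seconds, leaving `skew` seconds of clock margin."""
    now = time.time() if now is None else now
    return jwt_expiry(token) - now >= request_timeout + skew


def make_sample_token(exp):
    """Build an unsigned, constructed JWT-shaped string for the demo."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"exp": exp}), ""])


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    one_minute = make_sample_token(now + 60)     # shortened lifetime
    five_minutes = make_sample_token(now + 300)  # default mentioned above
    for timeout in (10, 60, 120):
        print(timeout,
              token_outlives_request(one_minute, timeout, now=now),
              token_outlives_request(five_minutes, timeout, now=now))
```

When the check returns False, fetch a fresh token before the next API call instead of reusing the one obtained at the start of the module run.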


ansibullbot commented 1 year ago

cc @mattock

ansibullbot commented 1 month ago

cc @thomasbach-dev