-
Notifications
You must be signed in to change notification settings - Fork 6.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
23404 improve client role listing #24012
23404 improve client role listing #24012
Conversation
First iteration on improving the situation here. I would rather use an iterative approach here rather than having a big bang rewrite also changing the admin API. The PR also tries to improve listing effective roles for a user as this also times out with many clients and it is essentially the same code. In the first iteration:
What is missing is an actual improvement to listing the available role mappings, this is as bad as before. This definitely has to look for roles that can be assigned so it has to somehow iterate over all roles. To make this efficient, this (and pagination) has to happen on the database level. This would be my next step. Other open questions:
|
fd84df3
to
7080772
Compare
The challenge with putting pagination in the database for available roles is that it also needs to contain the fine-grained permission check for assignability by the user. I'll first try to come up with something without fine-grained permissions and check if I can extend on that later. |
With fine-grained permissions, the most efficient way would be to:
Ideally, this would all happen in the database so the database can directly do the pagination. Due to the nature of the user filtering by policies, I fear this won't be possible. So I would probably go for a similar approach to how fine-grained permissions are used when searching for users: add a method To filter out roles that are already assigned, I am thinking about changing the |
I think this is fine as a starting point.
One more point with regard to shifting query logic to the DB level: I think it would be great to make sure that no unnessary entities (as clients) are loaded into the cache. Besides query performance, that seems to be another weakness of the current implementation. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me, just a few minor remarks.
rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/RoleMappingResource.java
Outdated
Show resolved
Hide resolved
rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/model/RoleMapper.java
Outdated
Show resolved
Hide resolved
rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/AvailableRoleMappingResource.java
Outdated
Show resolved
Hide resolved
@danielFesenmeyer @thomasdarimont Thanks for your suggestions! I'll pick them up next week when I am back from vacation. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you @sschu for this PR! It looks good to me, just few minor comments.
rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/model/RoleMapper.java
Outdated
Show resolved
Hide resolved
rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/RoleMappingResource.java
Show resolved
Hide resolved
model/jpa/src/main/java/org/keycloak/models/jpa/JpaRealmProvider.java
Outdated
Show resolved
Hide resolved
model/map/src/main/java/org/keycloak/models/map/role/MapRoleProvider.java
Outdated
Show resolved
Hide resolved
Thanks for the feedback @vramik ! |
rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/EffectiveRoleMappingResource.java
Show resolved
Hide resolved
Thank you @sschu!
Good point, I think it makes sense to rename the method to
Currently the jpa storage layer is not consistent in using queries. Whether it's named queries, criteria API or even native queries at some places. If you find it convenient, e.g. to have some reuse there, then go for it. I wouldn't mind the current approach with named queries as well.
Would be the searching by client IDs required by / useful for by admin UI? Or do you mention it in sake of completeness? |
It's just the existing behaviour to search in client id and role name when searching for client roles, see keycloak/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/RoleMappingResource.java Line 35 in 6736f31
|
I updated the implementation so listing effective role mappings sorts correctly and available role mappings are listed using the new function from the
|
3b8ec86
to
68fe375
Compare
1 flaky test on run #9835 ↗︎Details:
|
Test | Artifacts | |
---|---|---|
Clients test > Keys tab test > Generate new keys |
Test Replay
Screenshots
|
Review all test suite changes for PR #24012 ↗︎
64010ca
to
6fe63d3
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unreported flaky test detected, please review
Unreported flaky test detectedIf the below flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR. org.keycloak.testsuite.x509.X509BrowserCRLTest#loginSuccessWithCRLSignedWithIntermediateCA3FromTruststoreKeycloak CI - FIPS IT (strict)
org.keycloak.testsuite.x509.X509BrowserCRLTest#loginFailedWithIntermediateRevocationListFromFileKeycloak CI - FIPS IT (strict)
org.keycloak.testsuite.x509.X509BrowserCRLTest#loginFailedWithIntermediateRevocationListFromHttpKeycloak CI - FIPS IT (strict)
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you @sschu! The PR looks great. I've several comments.
- I added the new search method as a default method so alternative
RoleLookupProviders
still compile. However, they will encounter a runtime exception if they don't implement the method so this might not be ideal.
I agree this is not ideal and I believe we could leave it without default implementation. @ahus1 wdyt? If it turns out we have to have a default implementation, I'd advise to return either null
or Stream.empty()
, but from my POV the best would be to not have default implementation there.
- Searching for available client roles in the
RoleLookupProvider
searches for matches in role name and client name because that's what the current API is doing to list available client roles. However, it is not consistent with what the other search functions are doing, they search in role name and role description.
True, @edewit is this desired behavior from UI point of view?
- Listing effective role mappings doesn't offer pagination (it was like that before) but the admin console actually sends a request with pagination, at least when listing roles for a user.
Interesting, could you please link here a place in code from where the admin console sends the request? I'd say this is something we should look at, probably within follow up issue, could you please create one?
- Listing effective role mappings could probably be more efficient by going to the DB directly similar to available role mappings. But it might not be that important considering that the amount of assigned roles should not be that big.
I agree, if you'd consider to make this more efficient, please do it within follow-up issue and PR.
- The way this is currently going I see a lot of code duplication searching for realm/client/all roles. I am wondering if it would be better to just have an RoleQueryType enum with values CLIENT_ROLES,REALM_ROLES,ALL since inside the code differences are minimal.
You're right, we may want to refactor / improve the code in future, would you like to create enhancement
issue for it?
server-spi/src/main/java/org/keycloak/storage/role/RoleLookupProvider.java
Outdated
Show resolved
Hide resolved
default Stream<RoleModel> searchForClientRolesStream(RealmModel realm, String search, Integer first, Integer max, Stream<String> excludedIds) { | ||
throw new UnsupportedOperationException("Not supported."); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd suggest to reorder parameters in the method signature as first
and max
are always at the end in other providers. I've noticed that this method differs from the other one only be the order of params, should we consider a rename?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I moved the excludedIds parameter behind the search. I wouldn't want to rename the method as it does exactly the same thing as the others, just based on different parameters.
rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/RoleMappingResource.java
Outdated
Show resolved
Hide resolved
server-spi/src/main/java/org/keycloak/storage/role/RoleLookupProvider.java
Outdated
Show resolved
Hide resolved
server-spi/src/main/java/org/keycloak/storage/role/RoleLookupProvider.java
Outdated
Show resolved
Hide resolved
model/jpa/src/main/java/org/keycloak/models/jpa/JpaRealmProvider.java
Outdated
Show resolved
Hide resolved
rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/AvailableRoleMappingResource.java
Outdated
Show resolved
Hide resolved
rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/AvailableRoleMappingResource.java
Outdated
Show resolved
Hide resolved
I agree that a default implementation only makes sense if it returns a meaningful default, and returning an exception is no meaningful default IMHO. If there is no meaningful default implementation, don't provide one as @vramik suggested. |
0ca012f
to
a2c7993
Compare
…ppings Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io> Co-authored-by: Vlasta Ramik <vramik@users.noreply.github.com>
a2c7993
to
d41a7da
Compare
@vramik With regards to the admin UI using pagination when listing effective role assignments: I assume this is the code but not sure, frontend isn´t my area: keycloak/js/apps/admin-ui/src/components/role-mapping/resource.ts Lines 30 to 42 in 153d1a9
|
@sschu yep that is correct |
@vramik I don't think the test failure is related to my changes. I also created the follow-up issues you asked for. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you @sschu!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approving as of @vramik's review. Thank you to everyone involved in this PR to make this performance improvement happen!
@edewit - could you please re-approve this PR for the UI team, as your last review is now stale after the lasted rework from the author. For the one GHA that failed due to flakiness I triggered a rerun. Thanks! |
Cool, thanks a lot everybody! |
Fixes #23404
First draft.