KEYCLOAK-3410 Ease creating user with initial roles via REST #3120
Conversation
thomasdarimont
force-pushed
the
issue/KEYCLOAK-3410-ease-creating-user-with-roles-via-rest
branch
3 times, most recently
from
cbe95ad
to
822d9ca
Compare
|
We'll need tests added to the new testsuite: Also, I'm not 100% sure convinced we should return the roles on get user. This could be expensive if there are a lot of roles. What we could do is to add a "fields" query parameter that allows expanding certain fields, but have them not fetched by default. For example: /users/sdfasfdr?fields=realmRoles,clientRoles What do you think? |
|
Thanks for the feedback. I wonder when it would make sense to fetch only a part of the roles of a user... So I'd rather return the full roles information and care about the performance problem if it really shows up. |
thomasdarimont
force-pushed
the
issue/KEYCLOAK-3410-ease-creating-user-with-roles-via-rest
branch
from
822d9ca
to
82a0451
Compare
|
It's not about fetching part of the roles, it's about fetching all or nothing. In terms of the admin console this doesn't solve anything as the admin console still does the separate fetch. Sure that can be fixed. However, we have large amount of people using the rest apis directly. If you need to fetch users to do bulk changes to a large number of users this could slow things down considerably. Consider the fact that not all users are in the cache as they haven't logged-in for a while, or they did so on another node. |
|
Okay, you are right - I also noticed that the admin-console (currently) fetches the user roles in a separate step. I can rework the PR to not return the roles by default when asking for a user by id such that existing clients will continue to see the same performance characteristic as before. However I think controlling the returned representation with a A different approach would be to differentiate the representations by using dedicated media-types, perhaps something like:
|
|
I don't like using different media-types for it and it's often quite fiddly to do from different frameworks. For example AngularJS $resource defaults to json and also knows how to parse json, while wouldn't know how to deal with a custom media-type. Maybe fields is not the right name. What about "expand=roles" or "include=roles"? I can see it being useful for other things as well in the future. For example ability to fetch just the user. Ability to fetch the user with all roles, credential information, social links, federation link, etc.. |
|
Yes |
|
Sure - can you start a thread on mailing list? |
|
@thomasdarimont I suggest we remove the addition of roles to the response, then we can merge this PR. Then create a separate JIRA to have roles included with the response and start a discussion on the mailing list how it should be done proposing include=roles as the way to go. WDYT? |
|
Okay, good idea. I'll update the PR (now) by not adding the roles in the response. Cheers, |
Previously creating a new user with a set of initial realm and client roles involved sending multiple requests. We now honor the provided realmRoles and clientRoles information in the UserRepresentation sent to the UserResource#create endpoint. This reduces the number of requests needed to create a user with inital roles to 1. For symmetry reasons we also return realmRole and clientRole information via the UserResource#getUser(..) endpoint. We also reduced the visibility of the UsersResource#updateUserFromRep to private and removed changed it to be an instance method. Wasn't called anywhere in the codebase - and shouldn't be called by user code anyways. Signed-off-by: Thomas Darimont <thomas.darimont@gmail.com>
thomasdarimont
force-pushed
the
issue/KEYCLOAK-3410-ease-creating-user-with-roles-via-rest
branch
from
82a0451
to
c2ec862
Compare
This commit explicitly removes the realm-role / client-role information from UserRepresentation. The reasoning behind this is that returning all role mappings for a user could lead to unexpected performance problems. See discussion in PR keycloak#3120.
thomasdarimont
force-pushed
the
issue/KEYCLOAK-3410-ease-creating-user-with-roles-via-rest
branch
from
c2ec862
to
2afec29
Compare
|
I removed the role information in the Problem is that the |
|
Missed that the tests where added to the old testsuite, could you add the test to: If you call close() on the response that creates the user the roles should be available when you send the request to fetch the roles. It's a bit annoying, but all methods that return a response in the admin client lib needs to be closed, otherwise the tx is not always done and also the http connection is not released back to the pool. |
|
Meeeh Doesn't help - the roles are still not returned by: |
|
Hmm... it should work, unless you've actually found a cache issue. Can you try disabling the realm and user caches and see if it works? If that doesn't work maybe the roles aren't added? Or not fetched properly? |
|
@thomasdarimont Currently I am using keycloak 2.4 libarary. Will you please help me know, what to do To fetch user(s) with it roles? |
|
The docs say it's possible, but this issue says it's not. |
|
Are you planing to finish this enhancement? |
|
Why was this abandoned? I don't get how this is not priority :( |
|
hello from September 2022 |
Previously creating a new user with a set of initial realm
and client roles involved sending multiple requests.
We now honor the provided realmRoles and clientRoles
information in the UserRepresentation sent to the
UserResource#create endpoint. This reduces the number of requests
needed to create a user with inital roles to 1.
For symmetry reasons we also return realmRole and clientRole
information via the UserResource#getUser(..) endpoint.
We also reduced the visibility of the UsersResource#updateUserFromRep to
private and removed changed it to be an instance method.
Wasn't called anywhere in the codebase - and shouldn't be called
by user code anyways.
Signed-off-by: Thomas Darimont thomas.darimont@gmail.com