Is x-Protostream encoding supported in Keycloak version 21.x

Asked by: Neelesh Gurjar  Asked: 5/4/2023  Updated: 5/4/2023  Views: 281

Q:

I have set up Keycloak v21.x on Kubernetes with Infinispan v14.x.

In Infinispan I have created distributed caches named sessions, offlineSessions, offlineClientSessions, actionTokens, loginFailures, authenticationSessions and clientSessions, and a replicated cache named work.

I have configured the encoding media type "application/x-jboss-marshalling" for all caches.

e.g. the sessions cache:

{
  "sessions": {
    "distributed-cache": {
      "owners": "2",
      "mode": "SYNC",
      "statistics": true,
      "encoding": {
        "media-type": "application/x-jboss-marshalling"
      },
      "locking": {
        "isolation": "REPEATABLE_READ"
      }
    }
  }
}

This worked fine with Keycloak v20.0. At that point I ran into different issues, so I switched to Keycloak v21.x.

With Keycloak 21.x we get a transcoding error as shown below:

2023-05-04 04:03:29,630 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: org.infinispan.commons.dataconversion.EncodingException: ISPN000492: Cannot find transcoder between 'application/x-protostream' to 'application/x-jboss-marshalling'

This indicates that the cache is using jboss-marshalling but is receiving data from Keycloak as x-protostream.

So after that I tried updating the encoding of the sessions cache to x-protostream, but then I got the following error:

javax.security.sasl.SaslException: ELY05087: Client selected realm not offered by server (AllowScriptManager)

So what cache encoding should be configured in Infinispan?

Also, in cache-ispn-remote.xml a remote store is configured for all caches. e.g.

      <distributed-cache name="sessions" owners="2">
            <expiration lifespan="-1"/>
            <remote-store cache="sessions" xmlns="urn:infinispan:config:store:remote:13.0"
                          fetch-state="false"
                          purge="false"
                          preload="false"
                          shared="true" segmented="false"
                          connect-timeout="${env.KEYCLOAK_REMOTE_ISPN_CONN_TIMEOUT:2000}">
                <remote-server host="${env.INFINISPAN_SERVER}" port="${infinispan.bind.port:11222}"/>

                <security>
                    <authentication>
                        <digest username="${env.KEYCLOAK_REMOTE_ISPN_USERNAME:keycloak}"
                                password="${env.KEYCLOAK_REMOTE_ISPN_PASSWORD:password}"
                                realm="default"/>
                    </authentication>
                </security>

                <property name="rawValues">true</property>
                <property name="marshaller">org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property>
            </remote-store>
        </distributed-cache>

And the contents of keycloak-values.yaml:

logging:
  level: DEBUG
replicaCount: 2
image:
  registry: docker.io
  repository: bitnami/keycloak
  tag: 21.0.2-debian-11-r0
production: true
resources:
  limits:
    cpu: 700m
    memory: 2048Mi
  requests:
    cpu: 700m
    memory: 2048Mi
tls:
  enabled: true
  autoGenerated: true
extraVolumeMounts: |
  - name: quarkus
    mountPath: /opt/bitnami/keycloak/conf/quarkus.properties
    subPath: quarkus.properties
  - name: keycloak
    mountPath: /opt/bitnami/keycloak/conf/cache-ispn.xml
    subPath: cache-ispn-remote.xml
extraVolumes: |
  - name: quarkus
    configMap:
      name: quarkus
      defaultMode: 0777
  - name: keycloak
    configMap:
      name: keycloak
      defaultMode: 0777
extraEnvVars:
   - name: KC_CACHE_STACK
     value: kubernetes
   - name: KC_PROXY
     value: edge
   - name: KEYCLOAK_PROXY
     value: edge
   - name: KEYCLOAK_PROXY_ADDRESS_FORWARDING
     value: "true"
   - name: QUARKUS_INFINISPAN_CLIENT_SERVER_LIST
     value: infinispan.keycloak.svc.cluster.local:11222
   - name: INFINISPAN_SERVER
     value: infinispan.keycloak.svc.cluster.local
   - name: KC_DB
     value: postgres
   - name: KC_DB_URL_HOST
     value: <RDS endpoint>
   - name: KC_DB_URL_DATABASE
     value: keycloak
   - name: KC_DB_USERNAME
     value: postgres
   - name:  KC_DB_PASSWORD
     value: <RDS Password>
   - name: KEYCLOAK_REMOTE_ISPN_USERNAME
     value: developer
   - name: KEYCLOAK_REMOTE_ISPN_PASSWORD
     value: <Infinispan developer password>
   - name: KC_CACHE
     value: ispn
   - name: JAVA_OPTS_APPEND
     value: -Djboss.site.name=site1 -Djgroups.dns.query=keycloak-headless.keycloak.svc.cluster.local -Dinfinispan.deserialization.allowlist.classes=org.keycloak.cluster.infinispan.WrapperClusterEvent -Dinfinispan.deserialization.allowlist.regexps=.*
   - name: KEYCLOAK_PRODUCTION
     value: "true"
   - name: KEYCLOAK_ENABLE_HTTPS
     value: "false"
   - name: KC_CACHE_CONFIG_FILE
     value: cache-ispn.xml
cache: 
  enabled: true
postgresql: 
  enabled: false
externalDatabase: 
  host: <RDS endpoint>
  port: 5432
  user: postgres
  password: <RDS Password>
  database: keycloak
auth: 
  adminUser: admin
  adminPassword: admin
service:
  type: ClusterIP

ingress:
  enabled: true
  ingressClassName: "alb"
  pathType: "Prefix"
  hostname: "kcauth.example.com"
  annotations:
    #kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/target-type: 'ip'
    alb.ingress.kubernetes.io/certificate-arn: "<ARN of ACM>"
    alb.ingress.kubernetes.io/subnets: <SUBNETS IDs>
    alb.ingress.kubernetes.io/conditions.keycloak: |
      [{"Field":"host-header","HostHeaderConfig":{"Values":["*.example.com"]}}]
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-1-2017-01

Tags: keycloak infinispan transcoding distributed-cache



A:

0 upvotes  Neelesh Gurjar  5/4/2023  #1

Found the solution to this issue. Ref: https://github.com/keycloak/keycloak/issues/20031

Now Keycloak version 21 is working with the Infinispan cache.

Now my cache-ispn-remote.xml looks like:

<?xml version="1.0" encoding="UTF-8"?>
<infinispan
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:infinispan:config:14.0 http://www.infinispan.org/schemas/infinispan-config-14.0.xsd"
        xmlns="urn:infinispan:config:14.0">

    <cache-container name="keycloak">
        <transport lock-timeout="60000" site="site1"/>

        <local-cache name="realms">
            <encoding>
                <key media-type="application/x-java-object"/>
                <value media-type="application/x-java-object"/>
            </encoding>
            <memory max-count="10000"/>
        </local-cache>
        <local-cache name="users">
            <encoding>
                <key media-type="application/x-java-object"/>
                <value media-type="application/x-java-object"/>
            </encoding>
            <memory max-count="10000"/>
        </local-cache>
        <local-cache name="keys">
            <encoding>
                <key media-type="application/x-java-object"/>
                <value media-type="application/x-java-object"/>
            </encoding>
            <expiration max-idle="3600000"/>
            <memory max-count="1000"/>
        </local-cache>
        <local-cache name="authorization">
            <encoding>
                <key media-type="application/x-java-object"/>
                <value media-type="application/x-java-object"/>
            </encoding>
            <memory max-count="10000"/>
        </local-cache>
       <distributed-cache name="sessions" owners="2">
            <remote-store xmlns="urn:infinispan:config:store:remote:14.0"
                          cache="sessions"
                          purge="false"
                          preload="false"
                          segmented="false"
                          shared="true"
                          raw-values="true"
                          marshaller="org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory"
                          connect-timeout="${env.KEYCLOAK_REMOTE_ISPN_CONN_TIMEOUT:2000}">
                <remote-server host="${env.INFINISPAN_SERVER}" port="${infinispan.bind.port:11222}"/>
                <security>
                    <authentication>
                        <digest username="${env.KEYCLOAK_REMOTE_ISPN_USERNAME:keycloak}"
                                password="${env.KEYCLOAK_REMOTE_ISPN_PASSWORD:password}"
                                realm="default"/>
                    </authentication>
                </security>
            </remote-store>
       </distributed-cache>
       <distributed-cache name="authenticationSessions" owners="2">
            <remote-store xmlns="urn:infinispan:config:store:remote:14.0"
                          cache="authenticationSessions"
                          purge="false"
                          preload="false"
                          segmented="false"
                          shared="true"
                          raw-values="true"
                          marshaller="org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory"
                          connect-timeout="${env.KEYCLOAK_REMOTE_ISPN_CONN_TIMEOUT:2000}">
                <remote-server host="${env.INFINISPAN_SERVER}" port="${infinispan.bind.port:11222}"/>
                <security>
                    <authentication>
                        <digest username="${env.KEYCLOAK_REMOTE_ISPN_USERNAME:keycloak}"
                                password="${env.KEYCLOAK_REMOTE_ISPN_PASSWORD:password}"
                                realm="default"/>
                    </authentication>
                </security>
            </remote-store>
        </distributed-cache>
       <distributed-cache name="offlineSessions" owners="2">
            <remote-store xmlns="urn:infinispan:config:store:remote:14.0"
                          cache="offlineSessions"
                          purge="false"
                          preload="false"
                          segmented="false"
                          shared="true"
                          raw-values="true"
                          marshaller="org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory"
                          connect-timeout="${env.KEYCLOAK_REMOTE_ISPN_CONN_TIMEOUT:2000}">
                <remote-server host="${env.INFINISPAN_SERVER}" port="${infinispan.bind.port:11222}"/>
                <security>
                    <authentication>
                        <digest username="${env.KEYCLOAK_REMOTE_ISPN_USERNAME:keycloak}"
                                password="${env.KEYCLOAK_REMOTE_ISPN_PASSWORD:password}"
                                realm="default"/>
                    </authentication>
                </security>
            </remote-store>
        </distributed-cache>
       <distributed-cache name="clientSessions" owners="2">
            <remote-store xmlns="urn:infinispan:config:store:remote:14.0"
                          cache="clientSessions"
                          purge="false"
                          preload="false"
                          segmented="false"
                          shared="true"
                          raw-values="true"
                          marshaller="org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory"
                          connect-timeout="${env.KEYCLOAK_REMOTE_ISPN_CONN_TIMEOUT:2000}">
                <remote-server host="${env.INFINISPAN_SERVER}" port="${infinispan.bind.port:11222}"/>
                <security>
                    <authentication>
                        <digest username="${env.KEYCLOAK_REMOTE_ISPN_USERNAME:keycloak}"
                                password="${env.KEYCLOAK_REMOTE_ISPN_PASSWORD:password}"
                                realm="default"/>
                    </authentication>
                </security>
            </remote-store>
        </distributed-cache>
       <distributed-cache name="offlineClientSessions" owners="2">
            <remote-store xmlns="urn:infinispan:config:store:remote:14.0"
                          cache="offlineClientSessions"
                          purge="false"
                          preload="false"
                          segmented="false"
                          shared="true"
                          raw-values="true"
                          marshaller="org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory"
                          connect-timeout="${env.KEYCLOAK_REMOTE_ISPN_CONN_TIMEOUT:2000}">
                <remote-server host="${env.INFINISPAN_SERVER}" port="${infinispan.bind.port:11222}"/>
                <security>
                    <authentication>
                        <digest username="${env.KEYCLOAK_REMOTE_ISPN_USERNAME:keycloak}"
                                password="${env.KEYCLOAK_REMOTE_ISPN_PASSWORD:password}"
                                realm="default"/>
                    </authentication>
                </security>
            </remote-store>
        </distributed-cache>
        <distributed-cache name="loginFailures" owners="2">
            <remote-store xmlns="urn:infinispan:config:store:remote:14.0"
                          cache="loginFailures"
                          purge="false"
                          preload="false"
                          segmented="false"
                          shared="true"
                          raw-values="true"
                          marshaller="org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory"
                          connect-timeout="${env.KEYCLOAK_REMOTE_ISPN_CONN_TIMEOUT:2000}">
                <remote-server host="${env.INFINISPAN_SERVER}" port="${infinispan.bind.port:11222}"/>
                <security>
                    <authentication>
                        <digest username="${env.KEYCLOAK_REMOTE_ISPN_USERNAME:keycloak}"
                                password="${env.KEYCLOAK_REMOTE_ISPN_PASSWORD:password}"
                                realm="default"/>
                    </authentication>
                </security>
            </remote-store>
        </distributed-cache>
        <distributed-cache name="actionTokens" owners="2">
            <remote-store xmlns="urn:infinispan:config:store:remote:14.0"
                          cache="actionTokens"
                          purge="false"
                          preload="false"
                          segmented="false"
                          shared="true"
                          raw-values="true"
                          marshaller="org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory"
                          connect-timeout="${env.KEYCLOAK_REMOTE_ISPN_CONN_TIMEOUT:2000}">
                <remote-server host="${env.INFINISPAN_SERVER}" port="${infinispan.bind.port:11222}"/>
                <security>
                    <authentication>
                        <digest username="${env.KEYCLOAK_REMOTE_ISPN_USERNAME:keycloak}"
                                password="${env.KEYCLOAK_REMOTE_ISPN_PASSWORD:password}"
                                realm="default"/>
                    </authentication>
                </security>
            </remote-store>
        </distributed-cache>
        <replicated-cache name="work">
            <remote-store xmlns="urn:infinispan:config:store:remote:14.0"
                          cache="actionTokens"
                          purge="false"
                          preload="false"
                          segmented="false"
                          shared="true"
                          raw-values="true"
                          marshaller="org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory"
                          connect-timeout="${env.KEYCLOAK_REMOTE_ISPN_CONN_TIMEOUT:2000}">
                <remote-server host="${env.INFINISPAN_SERVER}" port="${infinispan.bind.port:11222}"/>
                <security>
                    <authentication>
                        <digest username="${env.KEYCLOAK_REMOTE_ISPN_USERNAME:keycloak}"
                                password="${env.KEYCLOAK_REMOTE_ISPN_PASSWORD:password}"
                                realm="default"/>
                    </authentication>
                </security>
            </remote-store>
        </replicated-cache>
    </cache-container>
</infinispan>

Comments

0 upvotes  Eduardo  9/14/2023
By the way, you may need to fix the "work" cache: `<replicated-cache name="work"> <remote-store xmlns="urn:infinispan:config:store:remote:14.0" cache="actionTokens"` configures its remote store as "actionTokens".
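A small consistency check for a Keycloak cache-ispn.xml of the kind shown in the answer, added here as an example (not code from the original post or from the Keycloak project). It catches the remote-store slip Eduardo points out in the comment (a store whose cache attribute differs from its enclosing cache name) and also flags a remote-store whose schema version differs from the file's infinispan config version or that lacks raw-values="true" or a marshaller. The sample XML inside is constructed; cache and attribute names follow the answer's configuration.

```python
# Added example, not code from the original post: a consistency check for a Keycloak
# cache-ispn.xml like the one in the answer. It flags a remote-store whose `cache`
# attribute differs from the enclosing cache name, a remote-store schema version that
# differs from the file's infinispan config version, and stores lacking raw-values/marshaller.
import xml.etree.ElementTree as ET

CACHE_TAGS = ("local-cache", "distributed-cache", "replicated-cache")

def _ns_version(tag: str) -> str:
    # '{urn:infinispan:config:store:remote:14.0}remote-store' -> '14.0'
    return tag[1:].split("}")[0].rsplit(":", 1)[-1] if tag.startswith("{") else ""

def check_cache_config(xml_text: str) -> list[str]:
    """Return human-readable findings; an empty list means the file is consistent."""
    root = ET.fromstring(xml_text)
    core_ver = _ns_version(root.tag)
    findings = []
    for cache in root.iter():
        if cache.tag.split("}")[-1] not in CACHE_TAGS:
            continue
        name = cache.get("name")
        for store in cache:
            if not store.tag.endswith("}remote-store"):
                continue
            target, store_ver = store.get("cache"), _ns_version(store.tag)
            if target != name:
                findings.append(f"{name}: remote-store points at cache '{target}'")
            if store_ver != core_ver:
                findings.append(f"{name}: remote-store schema {store_ver} != config {core_ver}")
            if store.get("raw-values") != "true" or not store.get("marshaller"):
                findings.append(f"{name}: remote-store lacks raw-values=true or marshaller")
    return findings

# Constructed sample: "sessions" is correct, "work" repeats the slip from the answer.
SAMPLE = """<infinispan xmlns="urn:infinispan:config:14.0">
  <cache-container name="keycloak">
    <distributed-cache name="sessions" owners="2">
      <remote-store xmlns="urn:infinispan:config:store:remote:14.0" cache="sessions"
          raw-values="true" marshaller="org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory">
        <remote-server host="infinispan" port="11222"/>
      </remote-store>
    </distributed-cache>
    <replicated-cache name="work">
      <remote-store xmlns="urn:infinispan:config:store:remote:14.0" cache="actionTokens"
          raw-values="true" marshaller="org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory">
        <remote-server host="infinispan" port="11222"/>
      </remote-store>
    </replicated-cache>
  </cache-container>
</infinispan>"""
```

Running check_cache_config on a real cache-ispn.xml before deploying reports one line per mismatch, so a copy-paste slip like the one in the "work" cache is caught before Keycloak writes one cache's entries into another cache on the Infinispan server.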