Filtering organization groups when managing or processing groups#30590
Conversation
Unreported flaky test detectedIf the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR. org.keycloak.testsuite.organization.exportimport.OrganizationExportTest#testExport |
Unreported flaky test detectedIf the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR. org.keycloak.testsuite.broker.KcSamlBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabledKeycloak CI - FIPS IT (strict) |
f7d3eda to
385945d
Compare
vramik
left a comment
There was a problem hiding this comment.
@pedroigor Thank you for preparing the PR. I have few comments/questions, please see below.
Overall it seems good. Conceptually I'm not convinced about the fact that a Group and an Organization would share the same ID in the database to simulate @OneToOne relationship without explicitly defining it in the entity. I believe it could bring several issues and overall it's not very good practice.
There are several points in general why I believe so:
- Data integrity: it violates the entity uniqueness.
- Lack of referential integrity: FK constrains, cascading operations
- ORM Tooling Limitations like annotations, without them the ORM cannot manage relationships correctly
- Personally I find it more error prone and less readable
I am not saying we suffer from any of those, but IMO it'd be safer to discuss this matter in broader team to get an agreement that Keycloak wants to go this route.
There is no data integrity violation because IDs for organizations and groups are still unique.
We already lack FKs and cascading in other places. I'm not changing that now. Please, consider we have already discussed this with others in the team.
We already have places where we don't use relationships like
I guess you are used to the same approach in other places where we don't have relationships defined explicitly. And I think that is fine.
If we don't suffer from any of those, why we are discussing it :) |
|
@vramik Do you know how we can fix https://github.com/keycloak/keycloak/actions/runs/9678438075/job/26702457200?pr=30590? |
6269657 to
afe2410
Compare
vramik
left a comment
There was a problem hiding this comment.
I am leaving the decision about the IDs up to you.
|
@vramik The decision has been taken since I opened the PR :) Please, consider it as OK from my side. |
|
I've changed the PR to not share the same ID anymore as I found another issue when migrating (also had to update group attributes table). |
Closes keycloak#30589 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
vramik
left a comment
There was a problem hiding this comment.
@pedroigor I didn't have a chance to look at the latest changes of the PR. but I believe it goes to the right direction, approving now to unblock merging.
|
Added #30919 as a follow-up. |
mposolda
left a comment
There was a problem hiding this comment.
Approving. I did not review very deeply. Relying on the review by @vramik . But the ideas behind the PRs look good to me per our discussion with @pedroigor
typeto groups to filter organization groups from group queries. The reason for using a type is to avoid a nullable column and potentially impact database indexes and also eventually leverage groups for purposes other than realm and organizationORG_DOMAINfor theORG_ID. Queries run a lot faster when listing organizations. For instance, fromExecution Time: 129.512 mstoExecution Time: 0.084 msin a database with 100k organizations each one with 10 domains.