
Research: Transactional deprovisioning in combination with Keycloak for OC [ 6pd ]

Open db-ot opened this issue 5 months ago • 2 comments

Description

User Stories

  • As a DEV, I want to know how the transactional deprovisioning handling with Keycloak works in OpenCloud.

The complexity here lies in the following:

  • while it is possible to implement a Keycloak plugin that hooks a step into the Keycloak transaction manager, which
    • should allow us to make the user deletion operation fail in Keycloak if e.g. our OpenCloud user deprovisioning endpoint is not reachable,
    • can call our plugin to perform a corrective operation when rolling back after an issue occurred within Keycloak or its storage,
  • the complexity really lies in how to handle the rollback situation within OpenCloud, e.g.
    • by marking users as "pre-deleted", which can easily be reverted as a rollback operation if the Keycloak transaction fails
    • by effectively deleting users in a second step, either as a scheduled job that runs at a later point in time, e.g. "this user is pre-deleted since 1h => delete for real", or as a second step within the Keycloak transaction (provided that it is possible to influence the order of operations, which does not seem to be the case)
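The two-step "pre-deleted" scheme sketched above, as an added Go example that is neither OpenCloud nor Keycloak code: the in-memory Store, its grace period and the user IDs are hypothetical, and PreDelete/Rollback stand for the calls the Keycloak transaction hook would make against the OpenCloud deprovisioning endpoint.

```go
package main

import (
	"errors"
	"time"
)

// Hypothetical OpenCloud-side store (added example, not project code): users are marked
// pre-deleted first (cheap to revert on Keycloak rollback) and purged only after the grace period.
var ErrNotFound = errors.New("user not found")
type user struct {
	preDeleted bool
	since      time.Time // when the pre-deleted mark was set
}

type Store struct {
	users map[string]*user
	grace time.Duration // the issue's "pre-deleted since 1h => delete for real"
}

func NewStore(grace time.Duration) *Store { return &Store{users: map[string]*user{}, grace: grace} }
func (s *Store) Add(id string)              { s.users[id] = &user{} }
func (s *Store) Exists(id string) bool      { _, ok := s.users[id]; return ok }

// mark flips the flag; an unknown user is an error so the Keycloak hook can abort the IDM deletion.
func (s *Store) mark(id string, on bool, now time.Time) error {
	u, ok := s.users[id]
	if !ok {
		return ErrNotFound
	}
	u.preDeleted, u.since = on, now
	return nil
}

// PreDelete runs before Keycloak commits; Rollback is the corrective step when its transaction fails.
func (s *Store) PreDelete(id string, now time.Time) error { return s.mark(id, true, now) }
func (s *Store) Rollback(id string) error                 { return s.mark(id, false, time.Time{}) }

// Reap is the scheduled second step: purge users pre-deleted for at least the grace period.
func (s *Store) Reap(now time.Time) []string {
	var gone []string
	for id, u := range s.users {
		if u.preDeleted && now.Sub(u.since) >= s.grace {
			delete(s.users, id)
			gone = append(gone, id)
		}
	}
	return gone
}
```

A user whose Keycloak deletion rolled back is simply un-marked and never reaped, while a pre-deleted user that Keycloak did remove is purged once the grace period has passed.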

Acceptance Criteria

  • We want the ability to keep a consistent state regarding the existence of a user between the IDM and our data storage, to avoid situations where the user's files, shares, mails, calendars and all other data have been deleted but the user still exists in the IDM. That would probably also mean that the user is auto-re-created upon the next login, but without any of their data and with a different user ID.

Definition of ready

  • [ ] Everybody needs to understand the value written in the user story
  • [ ] Acceptance criteria have to be defined
  • [ ] All dependencies of the user story need to be identified
  • [ ] Feature should be seen from an end user perspective
  • [ ] Story has to be estimated
  • [ ] Story points need to be less than 20

Definition of done

  • Functional requirements
    • [ ] Functionality described in the user story works
    • [ ] Acceptance criteria are fulfilled
  • Quality
    • [ ] Code review happened
    • [ ] CI is green (that includes new and existing automated tests)
    • [ ] Critical code received unit tests by the developer
  • Non-functional requirements
    • [ ] No sonar cloud issues
  • Configuration changes
    • [ ] The next branch of the OpenCloud charts is compatible

db-ot · Jul 30 '25 11:07

@pbleser-oc, can you please put more information / details inside?

db-ot · Jul 30 '25 11:07

Updated the story with more details.

pbleser-oc · Jul 30 '25 11:07