From 9d1a5e27690d48c39df9002285473483b2671522 Mon Sep 17 00:00:00 2001 From: Oleksandr Andriienko Date: Tue, 23 Jul 2024 12:05:17 +0300 Subject: [PATCH 1/2] fix(rbac): don't start transaction if there no group policies Signed-off-by: Oleksandr Andriienko --- plugins/rbac-backend/src/service/enforcer-delegate.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/rbac-backend/src/service/enforcer-delegate.ts b/plugins/rbac-backend/src/service/enforcer-delegate.ts index 3ba15fba83..f65e75b4fb 100644 --- a/plugins/rbac-backend/src/service/enforcer-delegate.ts +++ b/plugins/rbac-backend/src/service/enforcer-delegate.ts @@ -156,12 +156,12 @@ export class EnforcerDelegate { roleMetadata: RoleMetadataDao, externalTrx?: Knex.Transaction, ): Promise { - const trx = externalTrx ?? (await this.knex.transaction()); - if (policies.length === 0) { return; } + const trx = externalTrx ?? (await this.knex.transaction()); + try { const currentRoleMetadata = await this.roleMetadataStorage.findRoleMetadata( From 9fbb0e10ddf553cc0115b3ee508f28639d310944 Mon Sep 17 00:00:00 2001 From: Patrick Date: Mon, 22 Jul 2024 08:34:32 -0400 Subject: [PATCH 2/2] fix(rbac): reduce number of transactions for admin role --- .../rbac-backend/src/service/permission-policy.ts | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/plugins/rbac-backend/src/service/permission-policy.ts b/plugins/rbac-backend/src/service/permission-policy.ts index a1eb379e43..61cd54f9c8 100644 --- a/plugins/rbac-backend/src/service/permission-policy.ts +++ b/plugins/rbac-backend/src/service/permission-policy.ts @@ -90,6 +90,7 @@ const useAdminsFromConfig = async ( await roleMetadataStorage.findRoleMetadata(ADMIN_ROLE_NAME); const trx = await knex.transaction(); + let addedRoleMembers; try { if (!adminRoleMeta) { // even if there are no user, we still create default role metadata for admins 
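Review bot: Nothing at the moved `const trx = externalTrx ?? (await this.knex.transaction());` line in enforcer-delegate.ts says why it must sit below the `policies.length === 0` return. A later tidy-up could hoist it again and reintroduce a transaction that is opened but never committed or rolled back, which would typically keep a pooled connection checked out. A one-line comment above it would pin the ordering: `// Open the transaction only after the empty-policies return; an unused trx is never committed or rolled back.` The method starts and ends outside the hunk, so whether its other exits release an internally created `trx` cannot be checked here.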
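Review bot: The new `let addedRoleMembers;` in permission-policy.ts is declared without a type or initialiser and only assigned inside the `try` in the following hunk, so its type depends on control-flow inference and it reads as possibly unassigned when it is used after the `try`. Building the array does not need the transaction, so it could stay a `const` computed before `knex.transaction()` is opened: `const addedRoleMembers = Array.from(newGroupPolicies.entries());`. That also removes the separate assignment line in the next hunk. `useAdminsFromConfig` starts and ends outside the hunk.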
@@ -101,15 +102,20 @@ const useAdminsFromConfig = async ( trx, ); } + + addedRoleMembers = Array.from(newGroupPolicies.entries()); + await enf.addGroupingPolicies( + addedRoleMembers, + getAdminRoleMetadata(), + trx, + ); + await trx.commit(); } catch (error) { await trx.rollback(error); throw error; } - const addedRoleMembers = Array.from(newGroupPolicies.entries()); - await enf.addGroupingPolicies(addedRoleMembers, getAdminRoleMetadata()); - await auditLogger.auditLog({ actorId: RBAC_BACKEND, message: `Created or updated role`,
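Review bot: Passing `trx` into `enf.addGroupingPolicies` makes the admin role metadata and its members commit or roll back together, but only if the delegate never commits or rolls back a transaction it was handed. That body is outside this diff, so it is worth confirming. If the delegate does roll back an external transaction on failure, the `catch` here would call `trx.rollback(error)` a second time on an already finished transaction. A short comment above the call would record the contract: `// Same trx as the role metadata: admin membership must not be persisted without it; the delegate must not commit or roll back an external trx.`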