[keycloak-dev] Cache policies and cache clearing

[Stian Thorgersen]

On 25 August 2016 at 16:31, Bill Burke <bburke at redhat.com> wrote:

> I found out that if you call cache.clear() with a invalidation cache, it
> only clears locally and not the entire cluster.  I was thinking that we
> could set a realm attribute of "not-valid-before" with a timestamp.
> When something is accessed, check the timestamp vs. the time the thing
> was inserted into the cache.
>

You 100% sure? I thought I checked that it worked.


>
> This is also important for the fine-grain cache policies I want to
> implement for users.  I want cache policies for users. Scheduled
> evictions and/or max time in the cache.  There could be realm-level
> policies for all users everywhere, and per storage provider.  I also
> want the ability to clear the cache for a specific provider manually.
> Using the Infinispan stream() api, IMO, is just not feasible.  We don't
> want to be iterating over thousands of users in the cache to see if they
> should be invalidated or not.  There's also the issue of making sure
> this happens cluster-wide.  So instead, just do a simple timestamp check
> when the user is accessed.
>

That's not going to be sufficient as we want a mechanism to completely
clear the caches. It's required for example if there's a memory problem or
another issue where you want to just start fresh. I think it's just a nice
fail-safe to have.

I don't honestly see what the purpose of a "not-valid-before" timestamp
would be. It doesn't seem to cover the use-case of clearing the cache if
there's an issue, so not sure what problem it's trying to solve.


>
> Bill
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160826/fdc97dbb/attachment.html