[keycloak-user] Multi tenancy with realms

Gabriel Lavoie glavoie at gmail.com
Thu Apr 13 09:51:21 EDT 2017


Hi Cesar,
     Regarding the performance issues found in the mailing list thread you
referred to, I submitted 5 PRs. 3 have been merged and 2 are still pending
review.

https://github.com/keycloak/keycloak/pull/3561
https://github.com/keycloak/keycloak/pull/3557
https://github.com/keycloak/keycloak/pull/3558
https://github.com/keycloak/keycloak/pull/3572
https://github.com/keycloak/keycloak/pull/3573

You can look at
http://lists.jboss.org/pipermail/keycloak-dev/2016-November/008439.html for
more details on the changes.

We are still running on a custom build of Keycloak with all those changes
applied and at the moment it supports our administrative load with over
1000 realms. Restart/use of the admin API/access to the admin console are
now fast enough not to generate complaints from our operators. Most of the
issues with the large number of realms were related to the use of
NamedQueries (generates too many flush() within Hibernate) and the very
large number of child roles on the super admin composite role.

Upgrades are still considered problematic for us. I found other performance
issues within the Java based data migration code, mostly related to
explicit em.flush() statements, but I haven't dug into them.

I hope it helps,

Gabriel

2017-04-13 4:19 GMT-04:00 Mailing lists <lists at m3b.net>:

> From the thread you linked to it looks like someone already laid out some
> ideas where optimization could work. (Appears to be something with loading
> realms, caching, and flushing).
>
>
> Furthermore, it would seem that a slow startup phase is (or should be) an
> infrequent event. As well as administration. These are not show-stoppers
> for me.
>
>
> If anything, perhaps a better work-around would be to architect a
> deployment where keycloak lives closer to the tenant application instances.
> Simply treat the keycloak as a microservice that is bundled with your apps,
> and have it automated to a point where it is more "code as configuration"
> rather than manually logging into keycloak and clicking around?
>
>
> ________________________________
> From: keycloak-user-bounces at lists.jboss.org
> <keycloak-user-bounces at lists.jboss.org> on behalf of Cesar Salazar <csalazar at devsu.com>
> Sent: Wednesday, April 12, 2017 6:39:44 PM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Multi tenancy with realms
>
> Hi. I'm looking to use keycloak for a SaaS service, using realms for
> multi-tenancy. There's a discussion on a previous thread about performance
> issues when there are lots of realms:
> http://lists.jboss.org/pipermail/keycloak-user/2016-October/008061.html
>
> I wanted to ask if there is some work done in that direction. If not, where
> can I start looking at so I can contribute?
>
> Also, I was wondering what would be the implications of using a custom user
> attribute to "emulate" multi-tenancy. (I would add a custom attribute, and
> make my microservices validate against it). I know it's not the ideal way,
> but would it be possible? Do you know of any considerations I should take
> into account?
>
> Thanks!
>
> --
> *Cesar Salazar*
> CTO - DEVSU | www.devsu.com<http://www.devsu.com>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



-- 
Gabriel Lavoie
glavoie at gmail.com
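
The custom-attribute approach asked about in the quoted message comes down to a per-request check in each microservice, shown here as an added example that is not code from the thread or from Keycloak. The claim name `tenant`, the issuer URL and the HS256 shared key are assumptions made for the example (Keycloak signs tokens with the realm's RSA key by default).

```python
import base64, hashlib, hmac, json, time

# Constructed values. Keycloak signs with the realm's RSA key (RS256) by
# default; HS256 with a shared key is a stand-in so this runs on the stdlib.
KEY = b"constructed-demo-key"
ISSUER = "https://sso.example.test/auth/realms/shared"
TENANT_CLAIM = "tenant"  # hypothetical claim mapped from the custom attribute

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(head, body, key):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def make_token(claims, key=KEY):
    """Issue a constructed test token (plays the identity provider's role)."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_sign(head, body, key))}"

def authorize(token, requested_tenant, now=None):
    """Return (allowed, reason) for a request addressed to requested_tenant."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_unb64(head)).get("alg") != "HS256":
            return False, "unexpected algorithm"
        if not hmac.compare_digest(_unb64(sig), _sign(head, body, KEY)):
            return False, "bad signature"
        claims = json.loads(_unb64(body))
        exp = float(claims.get("exp", 0))
    except (ValueError, TypeError, AttributeError):
        return False, "malformed token"
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    if exp <= (time.time() if now is None else now):
        return False, "expired"
    tenant = claims.get(TENANT_CLAIM)
    # Fail closed: in a shared realm this claim is the only tenant boundary,
    # so a missing or non-string value is a denial, not a default tenant.
    if not isinstance(tenant, str) or not tenant:
        return False, "no tenant claim"
    if tenant != requested_tenant:
        return False, "tenant mismatch"
    return True, "ok"
```

With one realm per tenant the issuer check alone separates tenants; with a shared realm every service has to repeat the tenant comparison on every request.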

