[keycloak-user] Performance with a large number of resources

Pedro Igor Silva psilva at redhat.com
Fri May 5 07:51:13 EDT 2017


On Thu, Apr 20, 2017 at 3:38 PM, Scott Elliott <scottpelliott at gmail.com>
wrote:

> Using the photoz application as an example, what is the expected
> performance if there are a very large (say, 5M) number of albums?  What
> about if there are multiple resources per album?  You quickly get a very
> large number of resources. The OIDC adapters cache some number of these, so
> what effect will that have on the resource server?
>

Right now we cache things based on a very simple LRU cache with some
expiration of entries. The number of cached entries is fixed, though. That is
something we can expose via configuration.


>
> Ideally there would be a way to authorize any resource associated with an
> album, so if /album/vacation were authorized by /album/{id},
> /album/vacation/photo/1 was also authorized, i.e., the URI that selects the
> resource to be authorized would always be /album/vacation.
>

It all depends on how fine-grained you want your config. For instance, if you
define a path "/album/{id}/*", the same resource (and associated
permissions) will also be related with resources like "/album/vacation" and
"/album/vacation/photo/1". However, if you have a resource on the server
with a path "/album/vacation/photo/1", the enforcer is going to use this
resource to check whether the user has access or not.
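
The sketch below is an added example, not part of the original message and not Keycloak's enforcer code. It illustrates the two behaviours described in this reply: an exact-path resource taking precedence over a "/album/{id}/*" pattern, and a fixed-size LRU cache with entry expiration. The resource names, the PathResolver class and the exact matching semantics are assumptions made for illustration.

```python
import re
import time
from collections import OrderedDict

# Constructed sample: one pattern resource and one exact-path resource.
RESOURCES = {
    "/album/{id}/*": "Album Resource",
    "/album/vacation/photo/1": "Vacation Photo 1",
}

def compile_path(pattern):
    # Assumed semantics: {name} matches one segment, a trailing /* matches any suffix or none.
    wildcard = pattern.endswith("/*")
    base = pattern[:-2] if wildcard else pattern
    parts = [r"[^/]+" if re.fullmatch(r"\{[^/{}]+\}", s) else re.escape(s)
             for s in base.split("/")]
    return re.compile("/".join(parts) + (r"(/.*)?" if wildcard else ""))

class PathResolver:
    def __init__(self, resources, max_entries=1000, ttl=30.0, clock=time.monotonic):
        self.exact = {p: n for p, n in resources.items() if "{" not in p and "*" not in p}
        self.patterns = [(compile_path(p), n) for p, n in resources.items()
                         if p not in self.exact]
        self.cache = OrderedDict()  # path -> (resource name, expiry time)
        self.max_entries, self.ttl, self.clock = max_entries, ttl, clock
        self.lookups = 0            # uncached resolutions, i.e. work the cache did not absorb

    def _lookup(self, path):
        self.lookups += 1
        if path in self.exact:      # a resource registered with this exact path wins
            return self.exact[path]
        for regex, name in self.patterns:
            if regex.fullmatch(path):
                return name
        return None                 # no protected resource covers this path

    def resolve(self, path):
        now = self.clock()
        hit = self.cache.get(path)
        if hit is not None and hit[1] > now:
            self.cache.move_to_end(path)    # mark as most recently used
            return hit[0]
        name = self._lookup(path)
        self.cache[path] = (name, now + self.ttl)
        self.cache.move_to_end(path)
        while len(self.cache) > self.max_entries:
            self.cache.popitem(last=False)  # evict least recently used entry
        return name
```

With millions of albums, the cache size stays at max_entries regardless of how many distinct paths are requested, so memory is bounded and only the hit rate changes.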



