[keycloak-user] Load testing and performance
Thelo Gaultier
thelo.gaultier at gmail.com
Thu Oct 19 03:49:19 EDT 2017
Hi,
Indeed the performance increased but this is not really recommended ( the
new nist guideline recommend at least 10K iterations, but this will only
increase over time). Has anyone tried to move the password hashing outside
of Keycloak ( AWS Lambda for example, or any scalable micro service) to
reduce the CPU usage of keycloak and allow it to deal with more request per
second ( the latency will be high but this might be ok) ?
@Meissa: You can reduce the number of iteration or switch to another
hashing algorithm, but once again if your database leaks, your password
might be more easily crackable.
@Marko: do you know if at some point the interaction between the different
node of a cluster might become a possible bottleneck in the case of a large
cluster?
Many thanks,
Thelo
2017-10-19 9:05 GMT+02:00 Meissa M'baye Sakho <msakho at redhat.com>:
> Is it possible disable it ?
>
> On Wed, Oct 18, 2017 at 4:11 PM, Marko Strukelj <mstrukel at redhat.com>
> wrote:
>
>> The default hashing iterations is fairly high to safeguard for the case of
>> a leaked database.
>>
>> See:
>> http://www.keycloak.org/docs/latest/server_admin/topics/thre
>> at/password-db-compromised.html
>>
>> If you are comfortable with decreasing the number of iterations that's
>> definitely the first thing to try to increase performance.
>>
>>
>> On Oct 12, 2017 18:53, "Thelo" <thelo.gaultier at gmail.com> wrote:
>>
>> > Hi,
>> >
>> >
>> > As we are currently load testing Keycloak to see whether it could be a
>> good
>> > fit in our system, we experience trouble to reach good performance for
>> the
>> > user login.
>> >
>> > In our current set up we do direct login via password against Keycloak
>> and
>> > we get around 30 user logins per second.
>> >
>> > Here is our current set up:
>> > - 4 instances of Keycloak ( 1 CPU / 800MB of memory each, running in
>> > Kubernetes)
>> > - 1 Postgres db in AWS RDS with 20GB of SSD storage, 2 vCPU and 8GB of
>> > memory
>> >
>> > As it is hard to believe that one instance can only handle 10 requests
>> per
>> > second we were wondering if someone had done similar tests and if you
>> would
>> > be willing to share the results / test configuration .
>> >
>> > Many thanks,
>> >
>> > Thelo
>> >
>> >
>> >
>> > --
>> > Sent from: http://keycloak-user.88327.x6.nabble.com/
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
More information about the keycloak-user
mailing list