[keycloak-user] Load testing and performance

Meissa M'baye Sakho msakho at redhat.com
Thu Oct 19 05:21:02 EDT 2017


Thelo,


*do you know if at some point the interaction between the different node of
a cluster might become a possible bottleneck in the case of a large
cluster?*
It depends on how you cluster is configured particulary the server cache
configuration.
If you replicate everything accross your cluster nodes, you may encounter
performance issues.


You can change the number of nodes that replicate a piece of data by change
the owners attribute in the distributed-cache declaration.

take a look at the section 9.2 of the documentation below:
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html/server_installation_and_configuration_guide/server_cache_configuration

Meissa

On Thu, Oct 19, 2017 at 9:49 AM, Thelo Gaultier <thelo.gaultier at gmail.com>
wrote:

> Hi,
>
> Indeed the performance increased but this is not really recommended ( the
> new nist guideline recommend at least 10K iterations, but this will only
> increase over time). Has anyone tried to move the password hashing outside
> of Keycloak ( AWS Lambda for example, or any scalable micro service) to
> reduce the CPU usage of keycloak and allow it to deal with more request per
> second ( the latency will be high but this might be ok) ?
>
> @Meissa: You can reduce the number of iteration or switch to another
> hashing algorithm, but once again if your database leaks, your password
> might be more easily crackable.
>
>
> @Marko: do you know if at some point the interaction between the different
> node of a cluster might become a possible bottleneck in the case of a large
> cluster?
>
> Many thanks,
>
> Thelo
>
>
> 2017-10-19 9:05 GMT+02:00 Meissa M'baye Sakho <msakho at redhat.com>:
>
>> Is it possible disable it ?
>>
>> On Wed, Oct 18, 2017 at 4:11 PM, Marko Strukelj <mstrukel at redhat.com>
>> wrote:
>>
>>> The default hashing iterations is fairly high to safeguard for the case
>>> of
>>> a leaked database.
>>>
>>> See:
>>> http://www.keycloak.org/docs/latest/server_admin/topics/thre
>>> at/password-db-compromised.html
>>>
>>> If you are comfortable with decreasing the number of iterations that's
>>> definitely the first thing to try to increase performance.
>>>
>>>
>>> On Oct 12, 2017 18:53, "Thelo" <thelo.gaultier at gmail.com> wrote:
>>>
>>> > Hi,
>>> >
>>> >
>>> > As we are currently load testing Keycloak to see whether it could be a
>>> good
>>> > fit in our system, we experience trouble to reach good performance for
>>> the
>>> > user login.
>>> >
>>> > In our current set up we do direct login via password against Keycloak
>>> and
>>> > we get around 30 user logins per second.
>>> >
>>> > Here is our current set up:
>>> > - 4 instances of Keycloak ( 1 CPU  / 800MB of memory each, running in
>>> > Kubernetes)
>>> > - 1 Postgres db in AWS RDS with 20GB of SSD storage, 2 vCPU and 8GB of
>>> > memory
>>> >
>>> > As it is hard to believe that one instance can only handle  10
>>> requests per
>>> > second we were wondering if someone had done similar tests and if you
>>> would
>>> > be willing to share the results / test configuration .
>>> >
>>> > Many thanks,
>>> >
>>> > Thelo
>>> >
>>> >
>>> >
>>> > --
>>> > Sent from: http://keycloak-user.88327.x6.nabble.com/
>>> > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>


More information about the keycloak-user mailing list