[keycloak-user] Keycloak cross-dc standalone vs standalone-ha

Vikrant Singh vikrant02.work at gmail.com
Mon Sep 18 08:11:10 EDT 2017 

Hi,

We have externalized all distributed/replicated cache mentioned in
standalone-ha under keycloak cache-container to a external infinispan which
is in a local and cross dc cluster. Following are the externalized caches
work, sessions, authenticationSessions, offlineSessions,
loginFailures, actionTokens.

Below is keycloak's infinispan configuration section

<subsystem xmlns="urn:jboss:domain:infinispan:4.0">
>
> <cache-container name="keycloak"
>> module="org.keycloak.keycloak-model-infinispan"
>> jndi-name="infinispan/Keycloak">
>
> <local-cache name="realms">
>
> <eviction strategy="LRU" max-entries="10000"/>
>
> </local-cache>
>
> <local-cache name="users">
>
> <eviction strategy="LRU" max-entries="10000"/>
>
> </local-cache>
>
> <local-cache name="sessions">
>
> <remote-store cache="sessions" remote-servers="remote-cache"
>> fetch-state="false" passivation="false" preload="false" purge="false"
>> shared="true">
>
> <property name="rawValues">
>
> true
>
> </property>
>
> <property name="marshaller">
>
> org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory
>
> </property>
>
> </remote-store>
>
> </local-cache>
>
> <local-cache name="offlineSessions">
>
> <remote-store cache="offlineSessions" remote-servers="remote-cache"
>> fetch-state="false" passivation="false" preload="false" purge="false"
>> shared="true">
>
> <property name="rawValues">
>
> true
>
> </property>
>
> <property name="marshaller">
>
> org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory
>
> </property>
>
> </remote-store>
>
> </local-cache>
>
> <local-cache name="loginFailures">
>
> <remote-store cache="loginFailures" remote-servers="remote-cache"
>> fetch-state="false" passivation="false" preload="false" purge="false"
>> shared="true">
>
> <property name="rawValues">
>
> true
>
> </property>
>
> <property name="marshaller">
>
> org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory
>
> </property>
>
> </remote-store>
>
> </local-cache>
>
> <local-cache name="work">
>
> <remote-store cache="work" remote-servers="remote-cache"
>> fetch-state="false" passivation="false" preload="false" purge="false"
>> shared="true">
>
> <property name="rawValues">
>
> true
>
> </property>
>
> <property name="marshaller">
>
> org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory
>
> </property>
>
> </remote-store>
>
> </local-cache>
>
> <local-cache name="authorization">
>
> <eviction strategy="LRU" max-entries="100"/>
>
> </local-cache>
>
> <local-cache name="keys">
>
> <eviction strategy="LRU" max-entries="1000"/>
>
> <expiration max-idle="3600000"/>
>
> </local-cache>
>
> <local-cache name="authenticationSessions">
>
> <remote-store cache="authenticationSessions" remote-servers="remote-cache"
>> fetch-state="false" passivation="false" preload="false" purge="false"
>> shared="true">
>
> <property name="rawValues">
>
> true
>
> </property>
>
> <property name="marshaller">
>
> org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory
>
> </property>
>
> </remote-store>
>
> <eviction strategy="NONE" max-entries="-1"/>
>
> <expiration interval="300000" max-idle="-1"/>
>
> </local-cache>
>
> <local-cache name="actionTokens">
>
> <remote-store cache="actionTokens" remote-servers="remote-cache"
>> fetch-state="false" passivation="false" preload="false" purge="false"
>> shared="true">
>
> <property name="rawValues">
>
> true
>
> </property>
>
> <property name="marshaller">
>
> org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory
>
> </property>
>
> </remote-store>
>
> <eviction strategy="NONE" max-entries="-1"/>
>
> <expiration interval="300000" max-idle="-1"/>
>
> </local-cache>
>
> </cache-container>
>
> <cache-container name="server" default-cache="default"
>> module="org.wildfly.clustering.server">
>
> <local-cache name="default">
>
> <transaction mode="BATCH"/>
>
> </local-cache>
>
> </cache-container>
>
> <cache-container name="web" default-cache="passivation"
>> module="org.wildfly.clustering.web.infinispan">
>
> <local-cache name="passivation">
>
> <locking isolation="REPEATABLE_READ"/>
>
> <transaction mode="BATCH"/>
>
> <file-store passivation="true" purge="false"/>
>
> </local-cache>
>
> <local-cache name="persistent">
>
> <locking isolation="REPEATABLE_READ"/>
>
> <transaction mode="BATCH"/>
>
> <file-store passivation="false" purge="false"/>
>
> </local-cache>
>
> </cache-container>
>
> <cache-container name="ejb" aliases="sfsb" default-cache="passivation"
>> module="org.wildfly.clustering.ejb.infinispan">
>
> <local-cache name="passivation">
>
> <locking isolation="REPEATABLE_READ"/>
>
> <transaction mode="BATCH"/>
>
> <file-store passivation="true" purge="false"/>
>
> </local-cache>
>
> <local-cache name="persistent">
>
> <locking isolation="REPEATABLE_READ"/>
>
> <transaction mode="BATCH"/>
>
> <file-store passivation="false" purge="false"/>
>
> </local-cache>
>
> </cache-container>
>
> <cache-container name="hibernate" default-cache="local-query"
>> module="org.hibernate.infinispan">
>
> <local-cache name="entity">
>
> <transaction mode="NON_XA"/>
>
> <eviction strategy="LRU" max-entries="10000"/>
>
> <expiration max-idle="100000"/>
>
> </local-cache>
>
> <local-cache name="local-query">
>
> <eviction strategy="LRU" max-entries="10000"/>
>
> <expiration max-idle="100000"/>
>
> </local-cache>
>
> <local-cache name="timestamps"/>
>
> </cache-container>
>
> </subsystem>
>
>
Do you see any issue with above config for local+cross dc cluster.

Thanks

On Fri, Sep 15, 2017 at 5:57 PM, Hynek Mlnarik <hmlnarik at redhat.com> wrote:

> Putting aside cross DC, if you use default settings of caches in
> standalone.xml, the objects within the caches would not be shared in
> the cluster. That for example means that changes in realm settings
> would not propagate to other nodes and node states would thus become
> inconsistent, any node failure would lead to loss of state data stored
> at that node, etc.
>
> In cross DC, not all caches are shared between sites, e.g.
> authentication session cache is usually local to the cluster, so using
> cross-DC setup for "single-node clusters" you describe would not cure
> all potential issues coming out of not using standalone-ha profile.
>
> On Fri, Sep 15, 2017 at 12:32 PM, Vikrant Singh
> <vikrant02.work at gmail.com> wrote:
> > Hi,
> >
> > Recently there was a blog on cross dc support for keycloak
> > http://blog.keycloak.org/2017/09/cross-datacenter-support-
> in-keycloak.html
> >
> > We have done something similar to that with one difference. In our
> > deployment we have keycloak in standalone mode rather than standalone-ha.
> > All keycloak instances are using same db. With this setup we are
> > successfully able to achieve HA across same dc and cross dc both.
> >
> > Is there any benefit of using standalone-ha over standalone? since all
> > clustering requirement will be handled by external infinispan server.
> >
> > Thanks!
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> --
>
> --Hynek
>

More information about the keycloak-user mailing list