[keycloak-user] offlineSessions data in cache vs db

Thu Jan 11 12:07:13 EST 2018

On 10/01/18 22:31, Josh Cain wrote:
> Thanks for the response!  Seem to have missed the reply.  A follow-up
> question:
>
> You mentioned that the choice to store in the Infinispan cache was made
> for performance purposes.  I understand that this will lead to faster
> retrieval speeds, however storing *every* offline session in the
> Infinispan cache could lead to a massive memory footprint if these
> sessions are used widely enough, right?
Just tried some very basic testing. I've tried to create 100K 
userSessions where every of them has 1 clientSession - so 100K 
userSessions + 100K clientSessions.

With 0 offlineSessions, I saw server consumes 100 MBytes in memory. With 
100K sessions (100K userSessions + 100K clientSessions) it was 230 
MBytes. With 200K sessions (200K userSessions + 200K clientSessions), it 
was 350 MBytes.

So every userSession+clientSession pair took around 1-2 KBytes in my 
test. In reality, it may be more as it depends on the amount of things 
in the sessions (roles, protocolMappers, notes etc). We have an existing 
JIRA to remove some stuff from sessions and save it on tokens itself, 
which should improve memory consumption [1] .

In cluster environment, the memory consumption will be smaller as every 
cluster node will have just those sessions, which he is owner (default 
setup of infinispan caches "offlineSessions" and "offlineClientSessions" 
is to use distributed cache with 1 owner).

If some more flexibility is needed, we may add support for 
offlineSessions to use infinispan cacheStores/cacheLoaders. This is 
pretty flexible SPI in infinispan 8 (which is the version we currently 
use). With this, customer may be able to choose if sessions should be 
preloaded on startup or lazy loaded. Also there may be some additional 
options around passivation etc, which may be good if customer prefers to 
save memory rather than CPU. Feel free to create another JIRA if you 
need this. Just not sure when it's done...

[1] https://issues.jboss.org/browse/KEYCLOAK-5006

Marek
>
> Am I understanding this correctly, or are the client sessions so light
> the impact is negligible?
>
> Josh Cain
> Senior Software Applications Engineer, RHCE
> Red Hat North America
> jcain at redhat.com IRC: jcain
>
> On 01/10/2018 03:13 PM, Marek Posolda wrote:
>> Yes, I've replied. It seems this thread was send to both "keycloak-dev"
>> and "keycloak-user" and I've replied to "keycloak-dev" . Answer is here:
>> http://lists.jboss.org/pipermail/keycloak-dev/2017-December/010249.html .
>>
>> Marek
>>
>> On 10/01/18 19:13, Josh Cain wrote:
>>> Looking to do some work with offline tokens and I had similar questions.
>>>    Was there ever a response to this?
>>>
>>> Josh Cain
>>> Senior Software Applications Engineer, RHCE
>>> Red Hat North America
>>> jcain at redhat.com IRC: jcain
>>>
>>> On 11/21/2017 05:12 PM, Tonnis Wildeboer wrote:
>>>> Hello Keycloak Users,
>>>>
>>>> Ultimately, what we want to do is have three nodes in one Kubernetes
>>>> namespace that define a cluster. Then be able to add three more nodes to
>>>> the cluster in a new namespace that shares the same subnet and database,
>>>> then kill off the original three nodes, effectively migrating the
>>>> cluster to the new namespace and do all this without anyone being logged
>>>> out. The namespace distinction is invisible to Keycloak, as far as I can
>>>> tell.
>>>>
>>>> What we have tried:
>>>> * Start with 3 standalone-ha mode instances clustered with
>>>> JGroups/JDBC_PING.
>>>> * Set the number of cache owners for sessions to 6.
>>>> * Start the three new instances in the new Kubernetes namespace,
>>>> configured exactly the same as the first three - that is, same db, same
>>>> number of cache owners.
>>>> * Kill the original three
>>>>
>>>> But it seems this caused offlineSession tokens to be expired
>>>> immediately.
>>>>
>>>> I found this in the online documentation
>>>> (http://www.keycloak.org/docs/latest/server_installation/index.html#server-cache-configuration):
>>>>
>>>>
>>>>    > The second type of cache handles managing user sessions, offline
>>>> tokens, and keeping track of login failures... The data held in these
>>>> caches is temporary, in memory only, but is possibly replicated across
>>>> the cluster.
>>>>
>>>>    > The sessions, authenticationSessions, offlineSessions and
>>>> loginFailures caches are the only caches that may perform replication.
>>>> Entries are not replicated to every single node, but instead one or more
>>>> nodes is chosen as an owner of that data. If a node is not the owner of
>>>> a specific cache entry it queries the cluster to obtain it. What this
>>>> means for failover is that if all the nodes that own a piece of data go
>>>> down, that data is lost forever. By default, Keycloak only specifies one
>>>> owner for data. So if that one node goes down that data is lost. This
>>>> usually means that users will be logged out and will have to login
>>>> again.
>>>>
>>>> It appears, based on these documentation comments and our experience,
>>>> that the "source of truth" regarding offlineSessions is the data in the
>>>> "owner" caches, is NOT the database, as I would have expected. It also
>>>> seems to be the case that if a node joins the cluster (as defined by
>>>> JGroups/JDBC_PING), it will NOT be able to populate its offlineSessions
>>>> cache from the database, but must rely on replication from one of the
>>>> owner nodes.
>>>>
>>>> Questions:
>>>> 1. Is the above understanding regarding the db vs cache correct?
>>>> 2. If so, please explain the design/reasoning behind this behavior.
>>>> Otherwise, please correct my understanding.
>>>> 3. Is there a way to perform this simple migration without losing any
>>>> sessions?
>>>>
>>>> Thanks,
>>>>
>>>> --Tonnis
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>