[keycloak-user] Performance
Rainer-Harbach Marian
marian.rainer-harbach at apa.at
Wed Mar 28 11:58:48 EDT 2018
Hi Daniel!
On 2018-03-27 09:57, Hammarberg, Daniel wrote:
> Our main concern right now, except that we run on much smaller machines, is that the initial user import takes too long time to finish. It starts out fast and then quite soon, it runs slower and slower.
How are you importing the users and how long is "too long"? I created my
five million test users using the admin REST API in one overnight run
(even when Keycloak was configured to use the default of 27500 hashing
iterations). I didn't observe any slowdown during the course of that run.
> Do you think it would help to radically reduce the number of hashing iterations (to, say one) during import? We force the users to change password on the first login anyway, so I guess that it would not affect security?
Well, it would be problematic if your database was stolen before every
user really did change their password.
If you force users to do a password reset anyway an alternative might be
to import the users without any credentials. Then there would be nothing
to hash. Users would gain access to their accounts by using the
forgotten password feature.
Best regards,
Marian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3853 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180328/46c2b58f/attachment.bin
More information about the keycloak-user
mailing list