[keycloak-user] Persist Keycloak session cache into JDBC store, no data is written into table
Nicolas Ocquidant
nocquidant at gmail.com
Tue Nov 13 10:34:16 EST 2018
Hi Cedric
I experimented the same... For me, the only way to get data in the jdbc
store is to enable passivation in Keycloak.
But then, set shared=false as passivation doesn't play well with shared
stores in Infinispan.
See http://lists.jboss.org/pipermail/keycloak-user/2018-November/016214.html
--nick
Le lun. 12 nov. 2018 à 13:30, Röck, Cedric <Cedric.Roeck at senacor.com> a
écrit :
> Hi,
>
> we are currently trying to persist the in-memory session cache of our
> Keycloak (9.5.0.Final) deployment into a persistent store, preferably JDBC
> based.
>
> In order to achieve this, we already updated the configuration and ended
> up with this config for the Infinispan subsystem:
>
> <subsystem xmlns="urn:jboss:domain:infinispan:6.0">
> <cache-container name="keycloak">
> <transport lock-timeout="60000"/>
> <local-cache name="realms">
> <object-memory size="10000"/>
> </local-cache>
> <local-cache name="users">
> <object-memory size="10000"/>
> </local-cache>
> <local-cache name="authorization">
> <object-memory size="10000"/>
> </local-cache>
> <local-cache name="keys">
> <object-memory size="1000"/>
> <expiration max-idle="3600000"/>
> </local-cache>
> <replicated-cache name="work"/>
> <distributed-cache name="sessions" statistics-enabled="true"
> owners="${env.CACHE_OWNERS:1}">
> <jdbc-store data-source="KeycloakDS" dialect="SQL_SERVER"
> fetch-state="true" passivation="false" preload="true" purge="false"
> shared="true" singleton="false">
> <property name="dropTableOnExit">
> false
> </property>
> <property name="createTableOnStart">
> true
> </property>
> <table/>
> </jdbc-store>
> </distributed-cache>
> <distributed-cache name="clientSessions" statistics-enabled="true"
> owners="${env.CACHE_OWNERS:1}"/>
> <distributed-cache name="authenticationSessions"
> statistics-enabled="true" owners="${env.CACHE_OWNERS:1}"/>
> [...]
> </cache-container>
> [...]
> </subsystem>
>
> Even though the table „ispn_entry_sessions“ gets created once Keycloak
> starts, no data is being persisted there. Not after 5min and also not once
> several hours passed. To exclude batch sizes and alike as error cause, our
> test creates 300 users and performs repeated logins for all of them, so
> there should also be enough load on the system.
>
> Some more details:
>
> * The statistics already show more than 600 cache-loader-misses for
> the jdbc store, but no successful load.
> * Our deployment consists of three Keycloak instances running in
> Kubernetes pods / docker containers.
> * Target JDBC Database is an Azure managed SQL DB / SQL Server
> * We can’t see any errors in the logs and also the cache distribution
> appears to still work amongst all nodes in the cluster.
>
>
> If you need more details, log excerpts, the full config, …, just give me a
> ping.
>
> What are we missing? Any help is very much appreciated.
>
> Thanks and kind regards
> Cedric
>
> Cedric Röck
> ______________________________
> Senacor Technologies AG
> Äußere Cramer-Klett-Str. 21
> 90489 Nürnberg
>
> M +49 (170) 2274 878
>
> Cedric.Roeck at senacor.com
> www.senacor.com
>
>
> Senacor Technologies Aktiengesellschaft - Sitz: Eschborn - Amtsgericht
> Frankfurt am Main - Reg.-Nr.: HRB 110482
> Vorstand: Matthias Tomann, Marcus Purzer - Aufsichtsratsvorsitzender:
> Daniel Grözinger
>
> Diese E-Mail inklusive Anlagen enthält vertrauliche und/oder rechtlich
> geschützte Informationen. Wenn Sie
> nicht der richtige Adressat sind oder diese E-Mail irrtümlich erhalten,
> informieren Sie bitte den Absender
> und vernichten Sie diese E-Mail. Das unerlaubte Kopieren sowie die
> unbefugte Weitergabe dieser E-Mail ist
> nicht gestattet.
>
> This e-mail including any attachments may contain confidential and/or
> privileged information. If you are
> not the intended recipient (or have received this e-mail in error) please
> notify the sender immediately and
> destroy this e-mail. Any unauthorized copying, disclosure or distribution
> of the materials in this e-mail is
> strictly forbidden.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list