[keycloak-user] running 2 different keycloak clusters sharing the same database ( 1 cluster to create new realms, and another for all other access)

Dmitry Telegin dt at acutus.pro
Wed Nov 21 10:58:11 EST 2018


Hello Madhu,

Technically, these don't need to be separate "clusters". Clustering in Keycloak assumes that all the nodes should be members of the same Infinispan pool. But you can configure your load balancer so that requests to a special hostname (e.g. "admin.your-domain.tld") are dispatched to a subset of dedicated nodes.

But the overall approach seems suboptimal to me. While not performing admin tasks like creating realms, your dedicated nodes will stay idle and just eat RAM. I'd rather suggest that you consider the scenario where your load balancer should monitor node CPU load via e.g. SNMP, and use that metric for dynamic round-robin load-balancing.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2018-11-21 at 04:06 +0000, Madhu wrote:
> Hi,
> Have a weird question, I want to run 2 different keycloak clusters, one for creating realms and another for accessing realms/login and all other activity.
> Is this kind of setup possible, has anybody tried it before?
> The 1st cluster just takes requests for provisioning new realms and any one time setup (like creating the admin user in realm, giving him specific access only etc)
> After that, all interactions login, token creating, provisioning further user etc will take place through the other cluster.
> I see that realm creation in my case (realm has few user groups, client scopes, mappers (JavaScript mapper), other custom mappers, about 10 clients, client specific roles etc) is a CPU intensive process and realm creation when we have about 80 to 100 realms (tenants) takes anywhere between 20 to 30 sec with CPU usage spiking to 100%.
> So, wanted to test if having a separate instance/cluster for realm creation will help and ease the load on other cluster which serves typical login/logout and all other requests. Any insights here will be much appreciated.
> - Would like to know if this could corrupt the keycloak schema?
> - I am ok if the new realms are not eagerly loaded in Infinispan cache (of the other cluster which handles regular request), but this should start loading the new realm the moment a login request comes (I am ok for the first few logins to be slow).
> 
> Regards,
> Madhu
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

