[keycloak-user] Performance impact when fine-grained permissions are active

Leistert Christoph (INST/ECS2) Christoph.Leistert at bosch-si.com
Thu Sep 20 09:54:01 EDT 2018


Hi,
We are using the fine-grained permissions for clients to control which group of users can query and manage which clients. Therefore, we create a client role "manage" for each of our clients and define a role-based policy, which includes all users that have this "manage" role. This policy is then assigned to the view and manage permissions of the client. The client role "manage" is assigned to the group which should manage the client.
This works perfectly if we only have a few clients in our system. If we add some more (in our system after ~700 clients), we get huge performance problems. E.g., the list viewable clients operation (GET /<realm>/clients?viewableOnly=true) in the context of a user who is allowed to see two of the 700 clients takes more than 10 seconds. We are also facing performance issues when deleting a single client by id (DELETE /<realm>/clients/<id>).
Unfortunately, I did not find any information about the limits or performance tuning possibilities when using the fine-grained permissions in the documentation: https://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_permissions
I found some JIRA issues related to the performance tests (https://issues.jboss.org/browse/KEYCLOAK-6196) and the support for having a large number of clients (https://issues.jboss.org/browse/KEYCLOAK-8275). So I created a new one, especially so that the fine-grained permissions are not forgotten: https://issues.jboss.org/browse/KEYCLOAK-8307
So my additional questions are:
Did we use the fine-grained permissions in the way they are built for? If not, is there any hint on how to use the fine-grained permissions feature in a correct way?
Are these performance impacts already known? If yes, are there any plans to improve these issues?

Best regards

Christoph Leistert

(INST/ECS2)
Bosch Software Innovations GmbH | Ziegelei 7 | 88090 Immenstaad | GERMANY | www.bosch-si.com
Christoph.Leistert at bosch-si.com

Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber, Michael Hahn




