[keycloak-user] Performance impact when fine-grained permissions are active

Pedro Igor Silva psilva at redhat.com
Thu Sep 20 10:35:27 EDT 2018


On Thu, Sep 20, 2018 at 11:05 AM Leistert Christoph (INST/ECS2) <
Christoph.Leistert at bosch-si.com> wrote:

> Hi,
> We are using the fine-grained permissions for clients to control which
> group of users could query and manage which clients. Therefore, we create a
> client role "manage" for each of our clients and define a role-based
> policy, which includes all users that have this "manage" role. This policy
> is then assigned to the view and manage permissions of the client. The
> client role "manage" is assigned to the group, which should manage the
> client.
> This works perfectly if we only have a few clients in our system. If we add
> some more (in our system after ~700 clients) we got huge performance
> problems. E.g., the list viewable clients operation (GET
> /<realm>/clients?viewableOnly=true) in the context of a user who is
> allowed to see two of the 700 clients takes more than 10 seconds. We are also
> facing performance issues when deleting a single client by id (DELETE
> /<realm>/clients/<id>).
> Unfortunately, I did not find any information about the limits or
> performance tuning possibilities when using the fine-grained permissions
> in the documentation:
> https://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_permissions
> I found some JIRA issues related to the performance tests (
> https://issues.jboss.org/browse/KEYCLOAK-6196) and the support for having
> large number of clients (https://issues.jboss.org/browse/KEYCLOAK-8275).
> So I created a new one to especially not forget the fine-grained
> permissions: https://issues.jboss.org/browse/KEYCLOAK-8307
> So my additional questions are:
> Did we use the fine-grained permissions in the way they are built for? If
> not, is there any hint on how to use the fine-grained permissions feature in
> the correct way?
> Are these performance impacts already known? If yes, are there any plans
> to improve these issues?
>

We recently improved the performance of the Keycloak authorization services,
but not really the fine-grained permissions in the admin console. What is the
Keycloak version you are using?

From your description, it seems that to reproduce the problem we need to
create clients, enable permissions for each of them and define a policy for
any of the scope permissions (view, manage, etc.), is that right?


>
> Best regards
>
> Christoph Leistert
>
> (INST/ECS2)
> Bosch Software Innovations GmbH | Ziegelei 7 | 88090 Immenstaad | GERMANY
> | www.bosch-si.com
> Christoph.Leistert at bosch-si.com
>
> Registered office: Berlin, Registration court: Amtsgericht Charlottenburg; HRB 148411 B
> Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr.
> Stefan Ferber, Michael Hahn
>

