[keycloak-user] Performance impact when fine-grained permissions are active

Pedro Igor Silva psilva at redhat.com
Thu Sep 20 19:18:17 EDT 2018


Hi Leister,

One of the main issues with clients is that we don't paginate results there
yet. Loading every single client from the database is scalable.

Regarding fine-grained permissions in admin, I think I have something that
might improve response time a bit. In a nutshell, currently, we evaluate
permission on a per-client basis (for every client returned from database)
where the authorization API supports using callbacks that are called during
decisions. That means we can improve evaluation (even without pagination)
by filtering the list of clients based on decisions from the policy
evaluation engine.

Will update those JIRAs once I have something more concrete to share.

Regards.
Pedro Igor


On Thu, Sep 20, 2018 at 1:10 PM Leistert Christoph (INST/ECS2) <
Christoph.Leistert at bosch-si.com> wrote:

> Currently we use Keycloak version 3.4.3, but we would like to change to
> the latest 4.x version as soon as possible.
>
> I did the same tests with Keycloak in version 4.4.0 and it is much faster,
> but the number of clients before the performance is getting slow is still
> not very high and we expect much more clients in our system.
>
>
>
> Tested request: GET /<realm>/clients?viewableOnly=true
>
> Measurement: average of 20 requests with different users after 2 warm up
> requests
>
>
>
> For 750 clients:
>
> Version 3.4.3: 14193.35 ms
>
> Version 4.4.0: 4078.1 ms
>
>
>
> For 1000 clients:
>
> Version 4.4.0:  9202.65 ms
>
>
>
> That’s right.
>
> Each client has permissions enabled and there is one role based policy per
> client (Has role ‘manage’ of client ‘123’).
>
> This policy is used for the view and manage permission of the client.
> (Manage client ‘123’ is possible if the user has the role ‘manage’ of
> client ‘123’)
>
>
>
> Kind regards / Best regards
>
>
> *Christoph Leistert *
> (INST/ECS2)
> Bosch Software Innovations GmbH | Ziegelei 7 | 88090 Immenstaad | GERMANY
> | www.bosch-si.com
> Christoph.Leistert at bosch-si.com
>
> Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
> Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr.
> Stefan Ferber, Michael Hahn
>
>
>
> *From:* Pedro Igor Silva <psilva at redhat.com>
> *Sent:* Thursday, 20 September 2018 16:35
> *To:* Leistert Christoph (INST/ECS2) <Christoph.Leistert at bosch-si.com>
> *Cc:* keycloak-user <keycloak-user at lists.jboss.org>
> *Subject:* Re: [keycloak-user] Performance impact when fine-grained
> permissions are active
>
>
>
>
>
> On Thu, Sep 20, 2018 at 11:05 AM Leistert Christoph (INST/ECS2) <
> Christoph.Leistert at bosch-si.com> wrote:
>
> Hi,
> We are using the fine-grained permissions for clients to control which
> group of users could query and manage which clients. Therefore, we create a
> client role "manage" for each of our clients and define a role-based
> policy, which includes all users that have this "manage" role. This policy
> is then assigned to the view and manage permissions of the client. The
> client role "manage" is assigned to the group, which should manage the
> client.
> This works perfectly if we only have a few clients in our system. If we add
> some more (in our system after ~700 clients) we got huge performance
> problems. E.g., the list viewable clients operation (GET
> /<realm>/clients?viewableOnly=true) in the context of a user, which is
> allowed to see two of the 700 clients, takes more than 10 seconds. We are also
> facing performance issues when deleting a single client by id (DELETE
> /<realm>/clients/<id>).
> Unfortunately, I did not find any information about the limits or
> performance tuning possibilities, when using the fine-grained permissions
> at the documentation:
> https://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_permissions
> I found some JIRA issues related to the performance tests (
> https://issues.jboss.org/browse/KEYCLOAK-6196) and the support for having
> large number of clients (https://issues.jboss.org/browse/KEYCLOAK-8275).
> So I created a new one to especially not forget the fine-grained
> permissions: https://issues.jboss.org/browse/KEYCLOAK-8307
> So my additional questions are:
> Did we use the fine-grained permissions in a way they are built for? If
> not, is there any hint, how to use the fine-grained permissions feature in
> a correct way?
> Are these performance impacts already known? If yes, are there any plans
> to improve these issues?
>
>
>
> We had recently improved performance on keycloak authorization services
> but not really the fine-grained permissions in admin console. What is the
> Keycloak version you are using ?
>
>
>
> From your description, it seems that to reproduce the problem we need to
> create clients, enable permission for each of them and define a policy for
> any of the scope permissions (view, manage, etc), is that right ?
>
>
>
>
> Best regards
>
> Christoph Leistert
>
>
>
>
>
>


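Added example, not part of the original thread and not Keycloak code: a toy Python model of the change Pedro describes, comparing one evaluation call per client with a single call whose decision callback filters the list. The ToyEngine class, its assumed per-call cost, and the sample user and client names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class ToyEngine:
    """Simplified stand-in for a policy engine (not Keycloak's API).
    One role policy per client: "has role 'manage' of client X"."""
    user_roles: dict          # user -> set of (client_id, role_name)
    context_builds: int = 0   # assumed fixed cost paid once per evaluate() call
    policy_checks: int = 0    # one role-policy check per client evaluated

    def evaluate(self, user, client_ids, on_decision):
        # Assumption: each call resolves the caller's effective roles once.
        self.context_builds += 1
        roles = self.user_roles.get(user, set())
        for cid in client_ids:
            self.policy_checks += 1
            on_decision(cid, (cid, "manage") in roles)

def viewable_per_client(engine, user, client_ids):
    """One evaluate() call per client returned from the database."""
    visible = []
    for cid in client_ids:
        engine.evaluate(user, [cid],
                        lambda c, granted: visible.append(c) if granted else None)
    return visible

def viewable_filtered(engine, user, client_ids):
    """One evaluate() call; the callback filters the list. Default deny:
    a client appears only if a decision explicitly granted it."""
    visible = []
    def on_decision(cid, granted):
        if granted:
            visible.append(cid)
    engine.evaluate(user, client_ids, on_decision)
    return visible

def compare(n_clients=700):
    # Constructed data: n clients, a user holding 'manage' on two of them.
    clients = [f"client-{i}" for i in range(n_clients)]
    roles = {"alice": {("client-7", "manage"), ("client-123", "manage")}}
    a, b = ToyEngine(roles), ToyEngine(roles)
    per_client = viewable_per_client(a, "alice", clients)
    filtered = viewable_filtered(b, "alice", clients)
    return per_client, filtered, a.context_builds, b.context_builds

if __name__ == "__main__":
    print(compare())
```

Both strategies must return the same set of clients; only the number of evaluation calls differs (700 versus 1 in this model).
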