Hi,
I have just finished some testing on 1.1.0 Final and found that the core problem was that
through an abundance of caution we have configured hash iterations to 100,000 (which I of
course typoed to 1M on Beta 2 when I configured it). The performance delta between 1.0 and
1.1 is explained by the typo there. However, even with the change to 100K in place I found
the end point was still too slow (600~800ms) and discovered that it scaled linearly down
as I reduced the iterations.
So I guess the question now is how many iterations is the default and how many would be a
recommended "overly cautious" amount of iterations. I understand that Keycloak
defaults to Bcrypt hashing which is designed explicitly to be computationally expensive so
I imagine iterations in the scope of 10-50 is probably sufficient to keep the passwords
safe.
- Daniel
-----Original Message-----
From: Stian Thorgersen [mailto:stian@redhat.com]
Sent: Thursday, January 15, 2015 7:37 AM
To: Daniel Baxter
Cc: keycloak-dev(a)lists.jboss.org
Subject: Re: [keycloak-dev] Slow Direct Grants API endpoint
Just ran some perf tests with default settings, 10 users and 10000 requests:
Version                 Average (ms)   Throughput
-------------------------------------------------
1.0.4.Final             18             468
1.1.0.Beta2             19             470
1.1.0.Final-SNAPSHOT    20             426
----- Original Message -----
From: "Daniel Baxter" <daniel.baxter(a)cira.ca>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Wednesday, 14 January, 2015 3:56:03 PM
Subject: RE: [keycloak-dev] Slow Direct Grants API endpoint
Honestly I don't know how to check what is being used. I assume it
would be whatever Keycloak Appliance defaults to. I checked with the
guy who configured 1.0.4 for the other application and he doesn't know
what we are using or how to configure it either. Sorry.
- Daniel
-----Original Message-----
From: Stian Thorgersen [mailto:stian@redhat.com]
Sent: Wednesday, January 14, 2015 9:19 AM
To: Daniel Baxter
Cc: keycloak-dev(a)lists.jboss.org
Subject: Re: [keycloak-dev] Slow Direct Grants API endpoint
What user session provider are you using?
----- Original Message -----
> From: "Daniel Baxter" <daniel.baxter(a)cira.ca>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Wednesday, 14 January, 2015 3:01:17 PM
> Subject: RE: [keycloak-dev] Slow Direct Grants API endpoint
>
> I am working with our ops team to configure 1.1.x with the same
> level of hardware as our development 1.0.4 system (right now it is
> running locally on a XEON workstation with piles of RAM).
>
> Both are connected to postgres databases and I am the only person
> working on this portion of the project so it is just 1 user at a
> time right now for 1.1.x. I have tested the database connection and
> there are no real discernible performance irregularities for anything
> that runs against that database.
>
> For Keycloak itself, it is mostly straight out of the box appliance
> install for both 1.0.4 and 1.1.x and it runs on a single machine for
> development use (I believe our prod deployment is/will be clustered).
> The performance I am seeing is timeable on a stop watch for 1.1 and
> near enough to instant for 1.0.4 (under 500 ms). Easily an order of
> magnitude. Given the response I got (regarding the unexpectedness of
> the slow behaviour) I want to make sure I have a completely fair
> comparison and am working to set up 1.1 on a dedicated development
> server to make the comparison completely fair.
>
> - Daniel
>
> -----Original Message-----
> From: Stian Thorgersen [mailto:stian@redhat.com]
> Sent: Wednesday, January 14, 2015 8:46 AM
> To: Daniel Baxter
> Cc: keycloak-dev(a)lists.jboss.org
> Subject: Re: [keycloak-dev] Slow Direct Grants API endpoint
>
> Direct grants are expected to be a little bit slower in 1.1.x due to
> the requirement to persist more, but should certainly not be seconds.
>
> Can you give some more details please? Including
>
> * What DB are you using?
> * Are you using mem, infinispan or jpa user session provider?
> * Clustered?
> * How many concurrent requests/users are you testing with?
>
> Any more accurate performance stats would also be helpful
>
> ----- Original Message -----
> > From: "Daniel Baxter" <daniel.baxter(a)cira.ca>
> > To: keycloak-dev(a)lists.jboss.org
> > Sent: Monday, 12 January, 2015 9:23:42 PM
> > Subject: [keycloak-dev] Slow Direct Grants API endpoint
> >
> >
> >
> > Hi,
> >
> >
> >
> > I am attempting to integrate Keycloak into an existing application
> > to replace the homegrown user management system in place. We have
> > a new project built from the ground up on Keycloak 1.0.4.Final
> > which is exhibiting good performance. However this app that I am
> > porting has a remoting component that connects to the server with
> > bare username/password credentials over the EJB Remoting
> > framework. I was hoping to use 1.1.0 (currently Beta2) which
> > provides a DirectAccessGrantsLoginModule which does exactly what I
> > want (turns username and password into a KeycloakPrincipal).
> > However, the turn around time from Keycloak is on the order of several
> > seconds.
> >
> >
> >
> > I have used a bare REST client to execute the POSTs to both our
> > 1.0.4 Keycloak and 1.1.0 Keycloak instances and have noted an
> > order of magnitude difference in getting a response. Is this a
> > known issue (I cannot find anything in the public bugs/tasks
> > list)? Or is this due to the Beta status leaving additional
> > performance affecting logging or instrumentation in place?
> >
> >
> >
> > Thanks,
> >
> >
> >
> > Daniel
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
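The linear relationship between hash iterations and login latency reported at the top of this thread can be measured and turned into a latency budget. The following is an added example, not code from the thread or from Keycloak; it assumes an iterated PBKDF2-HMAC-SHA256 hash, and all function names and the record format are hypothetical.

```python
import hashlib
import hmac
import os
import time

ALGO = "sha256"  # assumption: PBKDF2-HMAC-SHA256 stands in for the server's hash


def hash_password(password: str, iterations: int) -> str:
    """Return 'iterations$salt$hash' so the work factor travels with the record."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac(ALGO, password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str, policy_iterations: int):
    """Return (ok, needs_rehash). Cost follows the stored count, not the policy."""
    iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(ALGO, password.encode(), bytes.fromhex(salt_hex), int(iters))
    ok = hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    return ok, ok and int(iters) != policy_iterations


def us_per_iteration(probe: int = 50_000, rounds: int = 3) -> float:
    """Best-of-N wall time for one hash, divided by the iteration count."""
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac(ALGO, b"constructed-sample", b"0" * 16, probe)
        best = min(best, time.perf_counter() - start)
    return best * 1e6 / probe


def iterations_for_budget(budget_ms: float, cost_us: float) -> int:
    """Largest iteration count whose hash time fits the latency budget."""
    return int(budget_ms * 1000 / cost_us)


if __name__ == "__main__":
    cost = us_per_iteration()
    for n in (1_000, 10_000, 100_000, 1_000_000):
        print(f"{n:>9} iterations ~ {n * cost / 1000:8.1f} ms per login")
    print("fits 100 ms:", iterations_for_budget(100, cost))
    record = hash_password("constructed-password", 1_000_000)
    print(verify("constructed-password", record, 100_000))  # slow until rehashed
```

In this sketch a record written at a higher iteration count keeps its verification cost until it is rehashed, which is why `verify` reports `needs_rehash` when the stored count differs from the current policy.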