Cross-DC Support - keycloak-dev - Jboss List Archives

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

Cross-DC Support

GoLang Adapter

Compilation error in master...

Pedro Igor Silva

Friday, 5 May 2017 Fri, 5 May '17

8:51 p.m.

Hey All, Is it fair to say that using invalidation events via ClusterProvider is enough to get Cross-DC support ? Regards. Pedro Igor

Reply

Show replies by date

Stian Thorgersen

Monday, 8 May Mon, 8 May

1:26 a.m.

Marek can probably answer that in more detail. However, IMO the caches for authorization services should be done exactly as the other invalidation caches. We've done a lot of tweaks here to get it to work properly and it's complex stuff so we don't want to have two different approaches in the code. On 6 May 2017 at 03:51, Pedro Igor Silva <psilva(a)redhat.com> wrote:

Hey All, Is it fair to say that using invalidation events via ClusterProvider is enough to get Cross-DC support ? Regards. Pedro Igor _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev

Reply

Pedro Igor Silva

6:08 a.m.

That is why I'm asking. I have been working with some changes to authz cache layer to get it aligned with the rest of the project. I've a PR already with some initial changes at this regard, where I'm basically pushing usage of invalidation events via cluster provider. Besides, I have also changed cache mode for authz cache to local. We don't really need to replicate/distribute entries across nodes, but cache things locally and invalidate these same accordingly. On Mon, May 8, 2017 at 3:26 AM, Stian Thorgersen <sthorger(a)redhat.com> wrote:

Marek can probably answer that in more detail. However, IMO the caches for authorization services should be done exactly as the other invalidation caches. We've done a lot of tweaks here to get it to work properly and it's complex stuff so we don't want to have two different approaches in the code. On 6 May 2017 at 03:51, Pedro Igor Silva <psilva(a)redhat.com> wrote: > Hey All, > > Is it fair to say that using invalidation events via ClusterProvider is > enough to get Cross-DC support ? > > Regards. > Pedro Igor > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev >

Reply

Marek Posolda

Tuesday, 9 May Tue, 9 May

1:44 a.m.

I think that should be sufficient for Cross-DC support. Pedro, if you want to try some basic testing of cross-dc, here are some simple instructions: https://github.com/keycloak/keycloak/blob/master/misc/CrossDataCenter.md For the development, there is even easier way to test with 2 embedded KeycloakServer instances (class KeycloakServer from the old testsuite) if you run the KeycloakServer with the properties like this (replace with your shared DB): -Dkeycloak.connectionsJpa.url=jdbc:mysql://localhost/keycloak -Dkeycloak.connectionsJpa.driver=com.mysql.jdbc.Driver -Dkeycloak.connectionsJpa.user=keycloak -Dkeycloak.connectionsJpa.password=keycloak -Dkeycloak.connectionsInfinispan.remoteStoreEnabled=true -Dkeycloak.connectionsInfinispan.remoteStoreHost=localhost -Dkeycloak.connectionsInfinispan.remoteStorePort=11322 You just need to run 2 servers on different ports, which is argument like "-p 8081" . Marek On 08/05/17 13:08, Pedro Igor Silva wrote:

That is why I'm asking. I have been working with some changes to authz cache layer to get it aligned with the rest of the project. I've a PR already with some initial changes at this regard, where I'm basically pushing usage of invalidation events via cluster provider. Besides, I have also changed cache mode for authz cache to local. We don't really need to replicate/distribute entries across nodes, but cache things locally and invalidate these same accordingly. On Mon, May 8, 2017 at 3:26 AM, Stian Thorgersen <sthorger(a)redhat.com> wrote: > Marek can probably answer that in more detail. However, IMO the caches for > authorization services should be done exactly as the other invalidation > caches. We've done a lot of tweaks here to get it to work properly and it's > complex stuff so we don't want to have two different approaches in the code. > > On 6 May 2017 at 03:51, Pedro Igor Silva <psilva(a)redhat.com> wrote: > >> Hey All, >> >> Is it fair to say that using invalidation events via ClusterProvider is >> enough to get Cross-DC support ? >> >> Regards. >> Pedro Igor >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> > _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev

Reply

Pedro Igor Silva

6:33 a.m.

Thanks, Marek. Will follow instructions there to check how things are working when enabling a remote store with JDG. I've also changed the authz cache mode to local, what I think makes more sense than use a distributed cache as it stands today. We basically want to cache things locally and invalidate entries accordingly to avoid stale entries across nodes. On Tue, May 9, 2017 at 3:44 AM, Marek Posolda <mposolda(a)redhat.com> wrote:

I think that should be sufficient for Cross-DC support. Pedro, if you want to try some basic testing of cross-dc, here are some simple instructions: https://github.com/keycloak/ke ycloak/blob/master/misc/CrossDataCenter.md For the development, there is even easier way to test with 2 embedded KeycloakServer instances (class KeycloakServer from the old testsuite) if you run the KeycloakServer with the properties like this (replace with your shared DB): -Dkeycloak.connectionsJpa.url=jdbc:mysql://localhost/keycloak -Dkeycloak.connectionsJpa.driver=com.mysql.jdbc.Driver -Dkeycloak.connectionsJpa.user=keycloak -Dkeycloak.connectionsJpa.password=keycloak -Dkeycloak.connectionsInfinispan.remoteStoreEnabled=true -Dkeycloak.connectionsInfinispan.remoteStoreHost=localhost -Dkeycloak.connectionsInfinispan.remoteStorePort=11322 You just need to run 2 servers on different ports, which is argument like "-p 8081" . Marek On 08/05/17 13:08, Pedro Igor Silva wrote: > That is why I'm asking. I have been working with some changes to authz > cache layer to get it aligned with the rest of the project. I've a PR > already with some initial changes at this regard, where I'm basically > pushing usage of invalidation events via cluster provider. Besides, I have > also changed cache mode for authz cache to local. We don't really need to > replicate/distribute entries across nodes, but cache things locally and > invalidate these same accordingly. > > On Mon, May 8, 2017 at 3:26 AM, Stian Thorgersen <sthorger(a)redhat.com> > wrote: > > Marek can probably answer that in more detail. However, IMO the caches for >> authorization services should be done exactly as the other invalidation >> caches. We've done a lot of tweaks here to get it to work properly and >> it's >> complex stuff so we don't want to have two different approaches in the >> code. >> >> On 6 May 2017 at 03:51, Pedro Igor Silva <psilva(a)redhat.com> wrote: >> >> Hey All, >>> >>> Is it fair to say that using invalidation events via ClusterProvider is >>> enough to get Cross-DC support ? >>> >>> Regards. >>> Pedro Igor >>> _______________________________________________ >>> keycloak-dev mailing list >>> keycloak-dev(a)lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>> >>> >> _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev >

Reply

Marek Posolda

7 a.m.

On 09/05/17 13:33, Pedro Igor Silva wrote:

Thanks, Marek. Will follow instructions there to check how things are working when enabling a remote store with JDG. I've also changed the authz cache mode to local, what I think makes more sense than use a distributed cache as it stands today. We basically want to cache things locally and invalidate entries accordingly to avoid stale entries across nodes.

+1 I left some minor comment in your PR regarding this. We have more places in the distribution where the infinispan caches needs to be configured for various distributions (server-dist, demo-dist, overlay, domain mode etc) and looks you forgot one of the locations. Maybe we can improve this to have single place where infinispan caches are configured for non-clustered or clustered mode and all the distribution builds will use this. This will help to avoid potential consistency issues like this. But that's not the case for now... Marek

On Tue, May 9, 2017 at 3:44 AM, Marek Posolda <mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote: I think that should be sufficient for Cross-DC support. Pedro, if you want to try some basic testing of cross-dc, here are some simple instructions: https://github.com/keycloak/keycloak/blob/master/misc/CrossDataCenter.md <https://github.com/keycloak/keycloak/blob/master/misc/CrossDataCenter.md> For the development, there is even easier way to test with 2 embedded KeycloakServer instances (class KeycloakServer from the old testsuite) if you run the KeycloakServer with the properties like this (replace with your shared DB): -Dkeycloak.connectionsJpa.url=jdbc:mysql://localhost/keycloak -Dkeycloak.connectionsJpa.driver=com.mysql.jdbc.Driver -Dkeycloak.connectionsJpa.user=keycloak -Dkeycloak.connectionsJpa.password=keycloak -Dkeycloak.connectionsInfinispan.remoteStoreEnabled=true -Dkeycloak.connectionsInfinispan.remoteStoreHost=localhost -Dkeycloak.connectionsInfinispan.remoteStorePort=11322 You just need to run 2 servers on different ports, which is argument like "-p 8081" . Marek On 08/05/17 13:08, Pedro Igor Silva wrote: That is why I'm asking. I have been working with some changes to authz cache layer to get it aligned with the rest of the project. I've a PR already with some initial changes at this regard, where I'm basically pushing usage of invalidation events via cluster provider. Besides, I have also changed cache mode for authz cache to local. We don't really need to replicate/distribute entries across nodes, but cache things locally and invalidate these same accordingly. On Mon, May 8, 2017 at 3:26 AM, Stian Thorgersen <sthorger(a)redhat.com <mailto:sthorger@redhat.com>> wrote: Marek can probably answer that in more detail. However, IMO the caches for authorization services should be done exactly as the other invalidation caches. We've done a lot of tweaks here to get it to work properly and it's complex stuff so we don't want to have two different approaches in the code. On 6 May 2017 at 03:51, Pedro Igor Silva <psilva(a)redhat.com <mailto:psilva@redhat.com>> wrote: Hey All, Is it fair to say that using invalidation events via ClusterProvider is enough to get Cross-DC support ? Regards. Pedro Igor _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-dev <https://lists.jboss.org/mailman/listinfo/keycloak-dev> _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-dev <https://lists.jboss.org/mailman/listinfo/keycloak-dev>

Reply

3251

days inactive

3254

days old

keycloak-dev@lists.jboss.org

Manage subscription

5 comments

3 participants

tags (0)

participants (3)

Marek Posolda
Pedro Igor Silva
Stian Thorgersen