On Thu, Sep 20, 2018 at 11:05 AM Leistert Christoph (INST/ECS2) <Christoph.Leistert(a)bosch-si.com> wrote:
Hi,
We are using the fine-grained permissions for clients to control which
group of users could query and manage which clients. Therefore, we create a
client role "manage" for each of our clients and define a role-based
policy, which includes all users that have this "manage" role. This policy
is then assigned to the view and manage permissions of the client. The
client role "manage" is assigned to the group, which should manage the
client.
This works perfectly if we only have a few clients in our system. If we add
some more (in our system after ~700 clients) we get huge performance
problems. E.g., the list viewable clients operation (GET
/<realm>/clients?viewableOnly=true) in the context of a user who is
allowed to see two of the 700 clients takes more than 10 seconds. We are also
facing performance issues when deleting a single client by id (DELETE
/<realm>/clients/<id>).
Unfortunately, I did not find any information about the limits or
performance tuning possibilities when using the fine-grained permissions
in the documentation:
https://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_...
I found some JIRA issues related to the performance tests (
https://issues.jboss.org/browse/KEYCLOAK-6196) and the support for having
large number of clients (
https://issues.jboss.org/browse/KEYCLOAK-8275).
So I created a new one to especially not forget the fine-grained
permissions:
https://issues.jboss.org/browse/KEYCLOAK-8307
So my additional questions are:
Did we use the fine-grained permissions in the way they are built for? If
not, is there any hint on how to use the fine-grained permissions feature in
a correct way?
Are these performance impacts already known? If yes, are there any plans
to improve these issues?

We had recently improved performance on Keycloak authorization services but
not really the fine-grained permissions in the admin console. What is the
Keycloak version you are using?
From your description, it seems that to reproduce the problem we need to
create clients, enable permissions for each of them and define a policy for
any of the scope permissions (view, manage, etc.), is that right?

Best regards
Christoph Leistert
(INST/ECS2)
Bosch Software Innovations GmbH | Ziegelei 7 | 88090 Immenstaad | GERMANY | www.bosch-si.com
Christoph.Leistert@bosch-si.com
Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr.
Stefan Ferber, Michael Hahn