Re: [keycloak-user] Performance impact when fine-grained permissions are active
by Leistert Christoph (INST/ECS2)
Currently we use Keycloak version 3.4.3, but we would like to change to the latest 4.x version as soon as possible.
I did the same tests with Keycloak version 4.4.0 and it is much faster, but the number of clients before performance starts to degrade is still not very high, and we expect many more clients in our system.
Tested request: GET /<realm>/clients?viewableOnly=true
Measurement: average of 20 requests with different users after 2 warm-up requests
For 750 clients:
Version 3.4.3: 14193.35 ms
Version 4.4.0: 4078.1 ms
For 1000 clients:
Version 4.4.0: 9202.65 ms
That’s right.
Each client has permissions enabled and there is one role based policy per client (Has role ‘manage’ of client ‘123’).
This policy is used for the view and manage permission of the client. (Manage client ‘123’ is possible if the user has the role ‘manage’ of client ‘123’)
Best regards
Christoph Leistert
(INST/ECS2)
Bosch Software Innovations GmbH | Ziegelei 7 | 88090 Immenstaad | GERMANY | www.bosch-si.com
Christoph.Leistert(a)bosch-si.com
Registered office: Berlin, Registry court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber, Michael Hahn
From: Pedro Igor Silva <psilva(a)redhat.com>
Sent: Thursday, 20 September 2018 16:35
To: Leistert Christoph (INST/ECS2) <Christoph.Leistert(a)bosch-si.com>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] Performance impact when fine-grained permissions are active
On Thu, Sep 20, 2018 at 11:05 AM Leistert Christoph (INST/ECS2) <Christoph.Leistert(a)bosch-si.com> wrote:
Hi,
We are using the fine-grained permissions for clients to control which group of users can query and manage which clients. Therefore, we create a client role "manage" for each of our clients and define a role-based policy, which includes all users that have this "manage" role. This policy is then assigned to the view and manage permissions of the client. The client role "manage" is assigned to the group which should manage the client.
This works perfectly if we only have a few clients in our system. If we add some more (in our system after ~700 clients) we get huge performance problems. E.g., the list viewable clients operation (GET /<realm>/clients?viewableOnly=true) in the context of a user who is allowed to see two of the 700 clients takes more than 10 seconds. We are also facing performance issues when deleting a single client by id (DELETE /<realm>/clients/<id>).
Unfortunately, I did not find any information about the limits or performance tuning possibilities when using the fine-grained permissions in the documentation: https://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_...
I found some JIRA issues related to the performance tests (https://issues.jboss.org/browse/KEYCLOAK-6196) and the support for having a large number of clients (https://issues.jboss.org/browse/KEYCLOAK-8275). So I created a new one specifically so that the fine-grained permissions are not forgotten: https://issues.jboss.org/browse/KEYCLOAK-8307
So my additional questions are:
Did we use the fine-grained permissions in the way they are built for? If not, is there any hint on how to use the fine-grained permissions feature in a correct way?
Are these performance impacts already known? If yes, are there any plans to improve these issues?
We had recently improved performance on Keycloak authorization services but not really the fine-grained permissions in the admin console. What is the Keycloak version you are using?
From your description, it seems that to reproduce the problem we need to create clients, enable permissions for each of them and define a policy for any of the scope permissions (view, manage, etc.), is that right?
Best regards
Christoph Leistert
(INST/ECS2)
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
6 years, 3 months
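The following is an added illustrative model, not Keycloak's own code, of the setup this thread describes: one client role 'manage' per client, one role-based policy "Has role 'manage' of client X", and that policy attached to both the view and manage permissions of the client. In the model, a viewableOnly listing evaluates the view permission of every client in the realm, so its work grows with the total client count rather than with the two clients the caller may see; the client, role and scope names are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Client:
    client_id: str
    # scope permission name -> (client_id, role) that the role-based policy requires
    permissions: dict = field(default_factory=dict)


def make_clients(count):
    """Constructed sample data in the shape the thread describes: each client has
    permissions enabled and one role-based policy ("Has role 'manage' of client X")
    attached to both its 'view' and 'manage' scope permissions."""
    clients = []
    for i in range(count):
        cid = f"client-{i}"
        policy = (cid, "manage")
        clients.append(Client(cid, {"view": policy, "manage": policy}))
    return clients


class PolicyEvaluator:
    """Evaluates the per-client role-based policy and counts evaluations, so the
    work done by an operation can be compared with the number of clients."""

    def __init__(self):
        self.evaluations = 0

    def is_granted(self, user_roles, client, scope):
        # user_roles is the caller's effective set of (client_id, role) pairs,
        # e.g. inherited from the group that holds the client's 'manage' role
        self.evaluations += 1
        return client.permissions[scope] in user_roles


def viewable_clients(evaluator, user_roles, clients):
    """Model of GET /<realm>/clients?viewableOnly=true: the 'view' permission of
    every client in the realm is evaluated for the caller, so the cost is
    proportional to the total number of clients, not to how many are visible."""
    return [c.client_id for c in clients
            if evaluator.is_granted(user_roles, c, "view")]
```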
Retrieve name of login theme for a realm?
by Jack Kenefick
Hi,
I need to retrieve the name of the login theme for a particular realm.
Is there anything in the REST/Java API that would let me do this?
Best regards,
Jack.
6 years, 3 months
Is WebAuthn planned ?
by GARDAIS Ionel
Hi,
Is WebAuthn integration planned to be integrated in the browser workflow (like OTP)?
Ionel
--
232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301
6 years, 3 months
To post
by Amey
iameymahajan5(a)gmail.com
Sent from Mail for Windows 10
6 years, 3 months
Simultaneous SAML and OAuth for same resources?
by Craig Setera
Reading the documentation, there is a statement that makes it appear that
it is not possible to support *both* OAuth and SAML simultaneously to the same
resources? Is that really the case? We would like to allow both OAuth and
SAML authentication to access our API (along with appropriate differences
in functionality). Is that possible?
Thanks,
Craig
=================================
Craig Setera
Chief Technology Officer
415-324-5861 | craig(a)baseventure.com
6 years, 3 months
Performance impact when fine-grained permissions are active
by Leistert Christoph (INST/ECS2)
Hi,
We are using the fine-grained permissions for clients to control which group of users can query and manage which clients. Therefore, we create a client role "manage" for each of our clients and define a role-based policy, which includes all users that have this "manage" role. This policy is then assigned to the view and manage permissions of the client. The client role "manage" is assigned to the group which should manage the client.
This works perfectly if we only have a few clients in our system. If we add some more (in our system after ~700 clients) we get huge performance problems. E.g., the list viewable clients operation (GET /<realm>/clients?viewableOnly=true) in the context of a user who is allowed to see two of the 700 clients takes more than 10 seconds. We are also facing performance issues when deleting a single client by id (DELETE /<realm>/clients/<id>).
Unfortunately, I did not find any information about the limits or performance tuning possibilities when using the fine-grained permissions in the documentation: https://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_...
I found some JIRA issues related to the performance tests (https://issues.jboss.org/browse/KEYCLOAK-6196) and the support for having a large number of clients (https://issues.jboss.org/browse/KEYCLOAK-8275). So I created a new one specifically so that the fine-grained permissions are not forgotten: https://issues.jboss.org/browse/KEYCLOAK-8307
So my additional questions are:
Did we use the fine-grained permissions in the way they are built for? If not, is there any hint on how to use the fine-grained permissions feature in a correct way?
Are these performance impacts already known? If yes, are there any plans to improve these issues?
Best regards
Christoph Leistert
(INST/ECS2)
6 years, 3 months
Users and bearer tokens management
by Rocco G.
Hi,
I read all the docs but still can't understand how bearer token generation
works. Every user should generate/manage personal bearer tokens; is this
possible? Should I create a "client" for every user?
PS: In case it is not clear: if user 1 generates the token "abcd" and makes a request
to api.mysite.com, I should know that the token belongs to user 1.
Thanks,
Rocco
6 years, 3 months
Uncaught server error: java.lang.OutOfMemoryError: Java heap space
by Arun Velayudhan
Hello,
We ran Keycloak with some basic load (like auth, gettoken) for a few hours,
and after some time Keycloak threw an Out-of-memory error. Has anyone
faced a similar kind of problem? Would be keen to know what was done to
mitigate it.
Version of Keycloak -> 4.0.0.Final.
=====
18:32:47,716 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffffc0a80c38:-56b32ec9:5b6463c3:54bcab in state RUN
18:30:23,749 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-199) Uncaught server error: java.lang.OutOfMemoryError: Java heap space
18:32:47,717 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-219) Uncaught server error: java.lang.OutOfMemoryError: Java heap space
18:32:47,717 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-505) Uncaught server error: java.lang.OutOfMemoryError: Java heap space
===============
Please find the startup configuration below
===
19:46:33,121 DEBUG [org.jboss.as.config] (MSC service thread 1-7) VM Arguments: -D[Standalone] -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -Dorg.jboss.boot.log.file=/DG/activeRelease/keycloak/standalone/log/server.log -Dlogging.configuration=file:/DG/activeRelease/keycloak/standalone/configuration/logging.properties
==================
Arun
6 years, 3 months