Re: [keycloak-user] offlineSessions data in cache vs db

Yes, I've replied. It seems this thread was send to both "keycloak-dev" and "keycloak-user" and I've replied to "keycloak-dev" . Answer is here: http://lists.jboss.org/pipermail/keycloak-dev/2017-December/010249.html . Marek On 10/01/18 19:13, Josh Cain wrote: > Looking to do some work with offline tokens and I had similar questions. >   Was there ever a response to this? > > Josh Cain > Senior Software Applications Engineer, RHCE > Red Hat North America > jcain(a)redhat.com IRC: jcain > > On 11/21/2017 05:12 PM, Tonnis Wildeboer wrote: >> Hello Keycloak Users, >> >> Ultimately, what we want to do is have three nodes in one Kubernetes >> namespace that define a cluster. Then be able to add three more nodes to >> the cluster in a new namespace that shares the same subnet and database, >> then kill off the original three nodes, effectively migrating the >> cluster to the new namespace and do all this without anyone being logged >> out. The namespace distinction is invisible to Keycloak, as far as I can >> tell. >> >> What we have tried: >> * Start with 3 standalone-ha mode instances clustered with >> JGroups/JDBC_PING. >> * Set the number of cache owners for sessions to 6. >> * Start the three new instances in the new Kubernetes namespace, >> configured exactly the same as the first three - that is, same db, same >> number of cache owners. >> * Kill the original three >> >> But it seems this caused offlineSession tokens to be expired >> immediately. >> >> I found this in the online documentation >> (http://www.keycloak.org/docs/latest/server_installation/index.html#server...): >> >> >>   > The second type of cache handles managing user sessions, offline >> tokens, and keeping track of login failures... The data held in these >> caches is temporary, in memory only, but is possibly replicated across >> the cluster. >> >>   > The sessions, authenticationSessions, offlineSessions and >> loginFailures caches are the only caches that may perform replication. >> Entries are not replicated to every single node, but instead one or more >> nodes is chosen as an owner of that data. If a node is not the owner of >> a specific cache entry it queries the cluster to obtain it. What this >> means for failover is that if all the nodes that own a piece of data go >> down, that data is lost forever. By default, Keycloak only specifies one >> owner for data. So if that one node goes down that data is lost. This >> usually means that users will be logged out and will have to login >> again. >> >> It appears, based on these documentation comments and our experience, >> that the "source of truth" regarding offlineSessions is the data in the >> "owner" caches, is NOT the database, as I would have expected. It also >> seems to be the case that if a node joins the cluster (as defined by >> JGroups/JDBC_PING), it will NOT be able to populate its offlineSessions >> cache from the database, but must rely on replication from one of the >> owner nodes. >> >> Questions: >> 1. Is the above understanding regarding the db vs cache correct? >> 2. If so, please explain the design/reasoning behind this behavior. >> Otherwise, please correct my understanding. >> 3. Is there a way to perform this simple migration without losing any >> sessions? >> >> Thanks, >> >> --Tonnis >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user