Other options that I see also include changing to querying ids only for making policy
decisions, similarly to what Pedro did in
https://github.com/keycloak/keycloak/pull/5576
One could also think about introducing groups for clients as well, or maybe even for any
Keycloak domain entity that potentially exists very often (users, clients, ...?).
It could make management a little easier and especially make using permissions to control
access to clients much more efficient...
Best regards,
Sebastian
Best regards
Dr.-Ing. Sebastian Schuster
Open Source Services (INST-CSS/BSV-OS)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY |
www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster(a)bosch-si.com
Registered office: Berlin, Registration court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber,
Michael Hahn
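To make the "query ids only" idea concrete, here is an added, constructed model (not Keycloak code, and not the implementation from the linked pull request). The Client, ClientStore and PolicyEngine classes are hypothetical stand-ins that only count work: full client loads and policy decisions. Policies are shaped like the setup Christoph describes, one "has role 'manage' of client X" policy per client guarding that client's view permission. The model compares loading every client before deciding (the per-client evaluation Pedro describes) with deciding on ids first and loading only the granted clients.

```python
"""Constructed model of two client-listing strategies; not Keycloak code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    """Full client representation; loading it stands for a full DB fetch."""
    id: str
    client_id: str


class ClientStore:
    """Hypothetical backing store that counts id-only vs. full-row reads."""

    def __init__(self, clients):
        self._by_id = {c.id: c for c in clients}
        self.full_loads = 0

    def list_ids(self):
        # Cheap: only the ids, no full representations
        return list(self._by_id)

    def load(self, client_id):
        self.full_loads += 1
        return self._by_id[client_id]

    def load_all(self):
        return [self.load(cid) for cid in self._by_id]


class PolicyEngine:
    """Role-based policies: internal client id -> role the user must hold."""

    def __init__(self, required_role_by_client):
        self._required = required_role_by_client
        self.evaluations = 0

    def view_allowed(self, user_roles, client_id):
        self.evaluations += 1
        role = self._required.get(client_id)
        # A client without a policy is not viewable in this model (assumption)
        return role is not None and role in user_roles


def viewable_per_client(store, engine, user_roles):
    """Load every client, then ask the engine about each one."""
    return [c.id for c in store.load_all() if engine.view_allowed(user_roles, c.id)]


def viewable_ids_first(store, engine, user_roles):
    """Decide on ids only; load full representations for granted clients only."""
    granted = [cid for cid in store.list_ids() if engine.view_allowed(user_roles, cid)]
    return [store.load(cid).id for cid in granted]


def manage_role(client_id):
    """Name of the per-client 'manage' client role (constructed naming)."""
    return f"{client_id}/manage"


def compare(n_clients, granted_clients):
    """Run both strategies over n_clients clients for a user who holds the
    'manage' role of exactly the given clients; return per-strategy counters."""
    clients = [Client(id=f"id-{i}", client_id=f"client-{i}") for i in range(n_clients)]
    policies = {c.id: manage_role(c.client_id) for c in clients}
    user_roles = {manage_role(cid) for cid in granted_clients}
    results = {}
    strategies = (("per_client", viewable_per_client), ("ids_first", viewable_ids_first))
    for name, strategy in strategies:
        store = ClientStore(clients)
        engine = PolicyEngine(policies)
        ids = strategy(store, engine, user_roles)
        results[name] = {
            "viewable": sorted(ids),
            "full_loads": store.full_loads,
            "evaluations": engine.evaluations,
        }
    return results


if __name__ == "__main__":
    # A user who may view 2 of 1000 clients, as in the thread's scenario
    for name, stats in compare(1000, ["client-7", "client-42"]).items():
        print(name, stats)
```

Both strategies make the same number of policy decisions (one per client) and return the same result; the difference is that the ids-first path performs a full load only for the clients that were granted. Pagination, or the decision callbacks Pedro mentions, would be needed to also cut the number of evaluations, which this model does not attempt.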
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
On Behalf Of Pedro Igor Silva
Sent: Friday, 21 September 2018 01:18
To: Leistert Christoph (INST/ECS2) <Christoph.Leistert(a)bosch-si.com>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] Performance impact when fine-grained permissions are active
Hi Leister,
One of the main issues with clients is that we don't paginate results there yet. Loading
every single client from the database is scalable.
Regarding fine-grained permissions in admin, I think I have something that might improve
response time a bit. In a nutshell, currently, we evaluate permission on a per-client
basis (for every client returned from database) where the authorization API supports using
callbacks that are called during decisions. That means we can improve evaluation (even
without pagination) by filtering the list of clients based on decisions from the policy
evaluation engine.
Will update those JIRAs once I have something more concrete to share.
Regards.
Pedro Igor
On Thu, Sep 20, 2018 at 1:10 PM Leistert Christoph (INST/ECS2) <Christoph.Leistert(a)bosch-si.com> wrote:
Currently we use Keycloak version 3.4.3, but we would like to change
to the latest 4.x version as soon as possible.
I did the same tests with Keycloak in version 4.4.0 and it is much
faster, but the number of clients before the performance is getting
slow is still not very high, and we expect many more clients in our system.
Tested request: GET /<realm>/clients?viewableOnly=true
Measurement: average of 20 requests with different users after 2 warm
up requests
For 750 clients:
Version 3.4.3: 14193.35 ms
Version 4.4.0: 4078.1 ms
For 1000 clients:
Version 4.4.0: 9202.65 ms
That’s right.
Each client has permissions enabled and there is one role based policy
per client (Has role ‘manage’ of client ‘123’).
This policy is used for the view and manage permission of the client.
(Manage client ‘123’ is possible if the user has the role ‘manage’ of
client ‘123’)
Best regards
Christoph Leistert
(INST/ECS2)
Bosch Software Innovations GmbH | Ziegelei 7 | 88090 Immenstaad | GERMANY |
www.bosch-si.com
Christoph.Leistert(a)bosch-si.com
Registered office: Berlin, Registration court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber, Michael Hahn
From: Pedro Igor Silva <psilva(a)redhat.com>
Sent: Thursday, 20 September 2018 16:35
To: Leistert Christoph (INST/ECS2) <Christoph.Leistert(a)bosch-si.com>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] Performance impact when fine-grained permissions are active
On Thu, Sep 20, 2018 at 11:05 AM Leistert Christoph (INST/ECS2) <Christoph.Leistert(a)bosch-si.com> wrote:
Hi,
We are using the fine-grained permissions for clients to control which
group of users could query and manage which clients. Therefore, we
create a client role "manage" for each of our clients and define a
role-based policy, which includes all users that have this "manage"
role. This policy is then assigned to the view and manage permissions
of the client. The client role "manage" is assigned to the group,
which should manage the client.
This works perfectly if we only have a few clients in our system. If we
add some more (in our system after ~700 clients) we get huge
performance problems. E.g., the list viewable clients operation (GET
/<realm>/clients?viewableOnly=true) in the context of a user, which
is allowed to see two of the 700 clients, takes more than 10 seconds.
We are also facing performance issues when deleting a single client by id
(DELETE /<realm>/clients/<id>).
Unfortunately, I did not find any information about the limits or
performance tuning possibilities when using the fine-grained
permissions in the documentation:
https://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_permissions
I found some JIRA issues related to the performance tests
(https://issues.jboss.org/browse/KEYCLOAK-6196) and the support for
having a large number of clients
(https://issues.jboss.org/browse/KEYCLOAK-8275).
So I created a new one to especially not forget the fine-grained
permissions:
https://issues.jboss.org/browse/KEYCLOAK-8307
So my additional questions are:
Did we use the fine-grained permissions in the way they are built for?
If not, is there any hint on how to use the fine-grained permissions
feature in a correct way?
Are these performance impacts already known? If yes, are there any
plans to improve these issues?
We had recently improved performance on keycloak authorization
services but not really the fine-grained permissions in admin console.
What is the Keycloak version you are using?
From your description, it seems that to reproduce the problem we need
to create clients, enable permissions for each of them and define a
policy for any of the scope permissions (view, manage, etc.), is that right?
Best regards
Christoph Leistert
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user