Re: [keycloak-user] offlineSessions data in cache vs db

Looking to do some work with offline tokens and I had similar questions. Was there ever a response to this? Josh Cain Senior Software Applications Engineer, RHCE Red Hat North America jcain(a)redhat.com IRC: jcain On 11/21/2017 05:12 PM, Tonnis Wildeboer wrote: > Hello Keycloak Users, > > Ultimately, what we want to do is have three nodes in one Kubernetes > namespace that define a cluster. Then be able to add three more nodes to > the cluster in a new namespace that shares the same subnet and database, > then kill off the original three nodes, effectively migrating the > cluster to the new namespace and do all this without anyone being logged > out. The namespace distinction is invisible to Keycloak, as far as I can > tell. > > What we have tried: > * Start with 3 standalone-ha mode instances clustered with > JGroups/JDBC_PING. > * Set the number of cache owners for sessions to 6. > * Start the three new instances in the new Kubernetes namespace, > configured exactly the same as the first three - that is, same db, same > number of cache owners. > * Kill the original three > > But it seems this caused offlineSession tokens to be expired immediately. > > I found this in the online documentation > (http://www.keycloak.org/docs/latest/server_installation/index.html#server...): > > > The second type of cache handles managing user sessions, offline > tokens, and keeping track of login failures... The data held in these > caches is temporary, in memory only, but is possibly replicated across > the cluster. > > > The sessions, authenticationSessions, offlineSessions and > loginFailures caches are the only caches that may perform replication. > Entries are not replicated to every single node, but instead one or more > nodes is chosen as an owner of that data. If a node is not the owner of > a specific cache entry it queries the cluster to obtain it. What this > means for failover is that if all the nodes that own a piece of data go > down, that data is lost forever. By default, Keycloak only specifies one > owner for data. So if that one node goes down that data is lost. This > usually means that users will be logged out and will have to login again. > > It appears, based on these documentation comments and our experience, > that the "source of truth" regarding offlineSessions is the data in the > "owner" caches, is NOT the database, as I would have expected. It also > seems to be the case that if a node joins the cluster (as defined by > JGroups/JDBC_PING), it will NOT be able to populate its offlineSessions > cache from the database, but must rely on replication from one of the > owner nodes. > > Questions: > 1. Is the above understanding regarding the db vs cache correct? > 2. If so, please explain the design/reasoning behind this behavior. > Otherwise, please correct my understanding. > 3. Is there a way to perform this simple migration without losing any > sessions? > > Thanks, > > --Tonnis > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user