11:17 a.m.
Hi,
According to Infinispan, when passivation is disabled, every update to the
cache should always write to the store.
But I can't manage to get it work with Keycloak. If I disable passivation,
my SQL store (Postgres) stays empty, even if the cache is full.
So, if passivation is needed for Keycloak to write to the DB, it means that
the use of a shared DB is not possible...
But this leads to another issue for me. Enable passivation without a shared
DB seems to imply that either 'fetch-state' or 'purge' should be enabled
on
startup, in order for the cache to not contain stale entries.
15:27:44,626 WARN
[org.infinispan.configuration.cache.AbstractStoreConfigurationBuilder] (MSC
service thread 1-6) ISPN000149: Fetch persistent state and purge on startup
are both disabled, cache may contain stale entries on startup
As I need to keep millions of sessions, this will considerably slow down
the startup of my node (when started again after a crash for instance).
So, is shared datastore allowed in Keycloak? If yes, how to enable it?
Otherwise what other options do I have to improve my startup time, if
millions of sessions are in the store?
Thanks
--nick
10:35 a.m.
My requirements are the following: store tokens emitted by KC during one
year.
I don't know how many users there are, but here are the number I get:
* the number of connections a week is about 700k.
* the number of session refresh a week is about 200k.
I approximated around 1M of sessions a week, thus 52M a year.
In memory, a user session has been estimated around 4KB (about 1KB in
file/DB).
But I guess a refresh does not create another session isn't it? And maybe
it's possible to ask KC to delete previous emitted tokens when a new one is
created for a same user?
If yes, my estimation is probably a little bit too high here, but I
certainly have several millions of tokens to keep (and maybe dozens of
millions).
Thanks
--nick
Le mer. 7 nov. 2018 à 18:17, Nicolas Ocquidant <nocquidant(a)gmail.com> a
écrit :
Hi,
According to Infinispan, when passivation is disabled, every update to the
cache should always write to the store.
But I can't manage to get it work with Keycloak. If I disable passivation,
my SQL store (Postgres) stays empty, even if the cache is full.
So, if passivation is needed for Keycloak to write to the DB, it means
that the use of a shared DB is not possible...
But this leads to another issue for me. Enable passivation without a
shared DB seems to imply that either 'fetch-state' or 'purge' should be
enabled on startup, in order for the cache to not contain stale entries.
15:27:44,626 WARN
[org.infinispan.configuration.cache.AbstractStoreConfigurationBuilder] (MSC
service thread 1-6) ISPN000149: Fetch persistent state and purge on startup
are both disabled, cache may contain stale entries on startup
As I need to keep millions of sessions, this will considerably slow down
the startup of my node (when started again after a crash for instance).
So, is shared datastore allowed in Keycloak? If yes, how to enable it?
Otherwise what other options do I have to improve my startup time, if
millions of sessions are in the store?
Thanks
--nick
11:33 a.m.
So I think there are at least two ways to address this problem. This first
one is to use Offline Tokens [1]. I'm not sure if that fits into your
application since it requires your client applications to store the token.
In other words you can simply delegate this problem one layer below in your
system.
If that doesn't work for you, yes passivation is a way to go. Frankly, I
haven't used passivation but from the manual I see it works hand in hand
with eviction [2][3]. Will (on CC) can probably correct me here, but my
understanding is that whenever an entry gets evicted, the passivation
mechanism picks it up and stores somewhere.
[1] http://blog.keycloak.org/2015/12/offline-tokens-in-keycloak.html
[2]
http://infinispan.org/docs/stable/user_guide/user_guide.html#cache_passiv...
[3]
https://github.com/infinispan/infinispan/blob/master/core/src/test/java/o...
On Thu, Nov 8, 2018 at 5:40 PM Nicolas Ocquidant <nocquidant(a)gmail.com>
wrote:
My requirements are the following: store tokens emitted by KC during
one
year.
I don't know how many users there are, but here are the number I get:
* the number of connections a week is about 700k.
* the number of session refresh a week is about 200k.
I approximated around 1M of sessions a week, thus 52M a year.
In memory, a user session has been estimated around 4KB (about 1KB in
file/DB).
But I guess a refresh does not create another session isn't it? And maybe
it's possible to ask KC to delete previous emitted tokens when a new one is
created for a same user?
If yes, my estimation is probably a little bit too high here, but I
certainly have several millions of tokens to keep (and maybe dozens of
millions).
Thanks
--nick
Le mer. 7 nov. 2018 à 18:17, Nicolas Ocquidant <nocquidant(a)gmail.com> a
écrit :
> Hi,
>
> According to Infinispan, when passivation is disabled, every update to
the
> cache should always write to the store.
>
> But I can't manage to get it work with Keycloak. If I disable
passivation,
> my SQL store (Postgres) stays empty, even if the cache is full.
>
> So, if passivation is needed for Keycloak to write to the DB, it means
> that the use of a shared DB is not possible...
>
> But this leads to another issue for me. Enable passivation without a
> shared DB seems to imply that either 'fetch-state' or 'purge' should
be
> enabled on startup, in order for the cache to not contain stale entries.
>
> 15:27:44,626 WARN
> [org.infinispan.configuration.cache.AbstractStoreConfigurationBuilder]
(MSC
> service thread 1-6) ISPN000149: Fetch persistent state and purge on
startup
> are both disabled, cache may contain stale entries on startup
>
> As I need to keep millions of sessions, this will considerably slow down
> the startup of my node (when started again after a crash for instance).
>
> So, is shared datastore allowed in Keycloak? If yes, how to enable it?
> Otherwise what other options do I have to improve my startup time, if
> millions of sessions are in the store?
>
> Thanks
> --nick
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
7:05 a.m.
----- Original Message -----
From: "Sebastian Laskawiec" <slaskawi(a)redhat.com>
To: "Nicolas Ocquidant" <nocquidant(a)gmail.com>
Cc: keycloak-user(a)lists.jboss.org, "Will Burns Rosenquist Burns"
<wburns(a)redhat.com>
Sent: Thursday, November 8, 2018 12:33:47 PM
Subject: Re: [keycloak-user] Shared datastore?
So I think there are at least two ways to address this problem. This first
one is to use Offline Tokens [1]. I'm not sure if that fits into your
application since it requires your client applications to store the token.
In other words you can simply delegate this problem one layer below in your
system.
If that doesn't work for you, yes passivation is a way to go. Frankly, I
haven't used passivation but from the manual I see it works hand in hand
with eviction [2][3]. Will (on CC) can probably correct me here, but my
understanding is that whenever an entry gets evicted, the passivation
mechanism picks it up and stores somewhere.
It does and it works, the problem is that passivation doesn't play well with shared
stores in Infinispan. We prevent this configuration in 9.4 or newer even.
I recommended that Nicolas just use eviction and a shared store without passivation.
However it seems that entries are not written to the store in this configuration. My guess
is that KeyCloak performs write operations with the SKIP_CACHE_STORE flag and assumes
entries will only be written to the store due to passivation. Is there a reason for that?
[1] http://blog.keycloak.org/2015/12/offline-tokens-in-keycloak.html
[2]
http://infinispan.org/docs/stable/user_guide/user_guide.html#cache_passiv...
[3]
https://github.com/infinispan/infinispan/blob/master/core/src/test/java/o...
On Thu, Nov 8, 2018 at 5:40 PM Nicolas Ocquidant <nocquidant(a)gmail.com>
wrote:
> My requirements are the following: store tokens emitted by KC during one
> year.
>
> I don't know how many users there are, but here are the number I get:
> * the number of connections a week is about 700k.
> * the number of session refresh a week is about 200k.
>
> I approximated around 1M of sessions a week, thus 52M a year.
> In memory, a user session has been estimated around 4KB (about 1KB in
> file/DB).
>
> But I guess a refresh does not create another session isn't it? And maybe
> it's possible to ask KC to delete previous emitted tokens when a new one is
> created for a same user?
>
> If yes, my estimation is probably a little bit too high here, but I
> certainly have several millions of tokens to keep (and maybe dozens of
> millions).
>
> Thanks
> --nick
>
> Le mer. 7 nov. 2018 à 18:17, Nicolas Ocquidant <nocquidant(a)gmail.com> a
> écrit :
>
> > Hi,
> >
> > According to Infinispan, when passivation is disabled, every update to
> the
> > cache should always write to the store.
> >
> > But I can't manage to get it work with Keycloak. If I disable
> passivation,
> > my SQL store (Postgres) stays empty, even if the cache is full.
> >
> > So, if passivation is needed for Keycloak to write to the DB, it means
> > that the use of a shared DB is not possible...
> >
> > But this leads to another issue for me. Enable passivation without a
> > shared DB seems to imply that either 'fetch-state' or 'purge'
should be
> > enabled on startup, in order for the cache to not contain stale entries.
> >
> > 15:27:44,626 WARN
> > [org.infinispan.configuration.cache.AbstractStoreConfigurationBuilder]
> (MSC
> > service thread 1-6) ISPN000149: Fetch persistent state and purge on
> startup
> > are both disabled, cache may contain stale entries on startup
> >
> > As I need to keep millions of sessions, this will considerably slow down
> > the startup of my node (when started again after a crash for instance).
> >
> > So, is shared datastore allowed in Keycloak? If yes, how to enable it?
> > Otherwise what other options do I have to improve my startup time, if
> > millions of sessions are in the store?
> >
> > Thanks
> > --nick
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
4:43 a.m.
On 08/11/18 17:35, Nicolas Ocquidant wrote:
My requirements are the following: store tokens emitted by KC during
one
year.
I don't know how many users there are, but here are the number I get:
* the number of connections a week is about 700k.
* the number of session refresh a week is about 200k.
I approximated around 1M of sessions a week, thus 52M a year.
In memory, a user session has been estimated around 4KB (about 1KB in
file/DB).
But I guess a refresh does not create another session isn't it? And maybe
it's possible to ask KC to delete previous emitted tokens when a new one is
created for a same user?
No, it doesn't. It just updates lastSessionRefresh
field on userSession
and possibly timestamp on clientSession.
If yes, my estimation is probably a little bit too high here, but I
certainly have several millions of tokens to keep (and maybe dozens of
millions).
Thanks
--nick
Le mer. 7 nov. 2018 à 18:17, Nicolas Ocquidant <nocquidant(a)gmail.com> a
écrit :
> Hi,
>
> According to Infinispan, when passivation is disabled, every update to the
> cache should always write to the store.
>
> But I can't manage to get it work with Keycloak. If I disable passivation,
> my SQL store (Postgres) stays empty, even if the cache is full.
>
> So, if passivation is needed for Keycloak to write to the DB, it means
> that the use of a shared DB is not possible...
>
> But this leads to another issue for me. Enable passivation without a
> shared DB seems to imply that either 'fetch-state' or 'purge' should
be
> enabled on startup, in order for the cache to not contain stale entries.
>
> 15:27:44,626 WARN
> [org.infinispan.configuration.cache.AbstractStoreConfigurationBuilder] (MSC
> service thread 1-6) ISPN000149: Fetch persistent state and purge on startup
> are both disabled, cache may contain stale entries on startup
>
> As I need to keep millions of sessions, this will considerably slow down
> the startup of my node (when started again after a crash for instance).
>
> So, is shared datastore allowed in Keycloak? If yes, how to enable it?
> Otherwise what other options do I have to improve my startup time, if
> millions of sessions are in the store?
>
> Thanks
> --nick
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2233
days inactive
2241
days old
4 comments
4 participants
participants (4)
-
Marek Posolda -
Nicolas Ocquidant -
Sebastian Laskawiec -
William Burns