Thanks Pedro for the quick response.
I am not sure the high DB CPU load is only because of authorization requests. We need to
do further analysis.
We are using the Red Hat SSO version, hence it would be difficult to try the latest Keycloak
version now. Will we see any improvement when trying RHSSO version 7.2 (currently the
latest)?
Thanks,
Ori Doolman
Lead Software Architect
Amdocs Optima
+972 9 778 6914 (office)
+972 50 9111442 (mobile)
From: Pedro Igor Silva <psilva(a)redhat.com>
Sent: Wednesday, August 22, 2018 15:11
To: Ori Doolman <Ori.Doolman(a)Amdocs.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Authorization services performance
On Wed, Aug 22, 2018 at 8:38 AM, Ori Doolman
<Ori.Doolman@amdocs.com> wrote:
Hi,
We are using Policy Enforcer in a Java client (JBOSS FUSE) to send the permission ticket to
Keycloak PDP for evaluating a pre-configured JavaScript policy rule.
We are using Keycloak version 2.5.5.
Does that evaluation in Keycloak PDP occur in memory, or does it perform a DB access each
time?
If the cache is warm, there should not be any database hits. We cache not only entities
(resources, policies, etc) but also specific queries that are executed during
evaluation.
In the latest version, 4.3.0.Final, we delivered quite a few performance improvements to the
evaluation engine like removal of redundant code and refactoring to optimize execution and
decision cache on a per authorization request basis. We are still working on some other
improvements as this is one of our main goals for future releases.
I would recommend that you try the latest version. There are other improvements too that I think
you may benefit from. Things like being able to define the response format (if just a decision,
list of granted permissions or standard OAuth2 response), limit the number of permissions
that the server should process, pushed claims (with or without permission tickets),
additional methods to the evaluation API, etc.
Thanks,
Ori Doolman
Lead Software Architect
Amdocs Optima
+972 9 778 6914 (office)
+972 50 9111442 (mobile)