Hello Cesar,
We also struggled with these decisions in our first implementation. I am just now
starting to think about transitioning to a ‘Keycloak’ multi-tenant architecture.
Currently, we are running a Spring Cloud Microservice Architecture fronted by several SPA
sites leveraging a single realm Keycloak instance. This is done by storing a user
attribute ‘tenant_id’ when creating a user which is done by a user microservice that
delegates to Keycloak. In fact Keycloak is only directly accessed as part of the login
flow. User creation is done via an admin SPA web module and user-service.
This design has brought a few challenges, such as restricting resources per tenant, paging
users across tenants, etc. (need for a better admin API here). Fortunately, by considering
Keycloak as just another service within our cloud platform and proxying through a user or
tenant service, we have reduced that tight coupling to the Keycloak REST API.
No performance issues yet, but one memory leak was found with the way Keycloak logs events
with Spring Framework.
-dana
On Apr 13, 2017, at 1:19 AM, Mailing lists <lists@m3b.net> wrote:
From the thread you linked to it looks like someone already laid out some ideas where
optimization could work. (Appears to be something with loading realms, caching, and
flushing).
Furthermore, it would seem that a slow startup phase is (or should be) an infrequent
event. As well as administration. These are not show-stoppers for me.
If anything, perhaps a better work-around would be to architect a deployment where
keycloak lives closer to the tenant application instances. Simply treat the keycloak as a
microservice that is bundled with your apps, and have it automated to a point where it is
more "code as configuration" rather than manually logging into keycloak and
clicking around?
________________________________
From: keycloak-user-bounces@lists.jboss.org on behalf of Cesar Salazar <csalazar@devsu.com>
Sent: Wednesday, April 12, 2017 6:39:44 PM
To: keycloak-user@lists.jboss.org
Subject: [keycloak-user] Multi tenancy with realms
Hi. I'm looking to use keycloak for a SaaS service, using realms for
multi-tenancy. There's a discussion on a previous thread about performance
issues when there are lots of realms:
http://lists.jboss.org/pipermail/keycloak-user/2016-October/008061.html
I wanted to ask if there is some work done in that direction. If not, where
can I start looking at so I can contribute?
Also, I was wondering what would be the implications of using a custom user
attribute to "emulate" multi-tenancy. (I would add a custom attribute, and
make my microservices validate against it). I know it's not the ideal way,
but would it be possible? Do you know of any considerations I should take
into account?
Thanks!
--
*Cesar Salazar*
CTO - DEVSU | www.devsu.com
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
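
The custom-attribute approach discussed in this thread, shown as an added example that is not part of any message above and is not Keycloak or Spring code: a resource service takes the tenant only from already-verified token claims and fails closed on anything ambiguous. It assumes a JWT library has already verified signature, issuer and expiry, and that the user attribute is exposed as a `tenant_id` claim; the function names and sample rows are hypothetical.

```python
"""Tenant enforcement in a resource service for a single-realm setup.

Assumptions (not from the thread): `claims` is the payload of an access token
whose signature, issuer and expiry were already verified, and the identity
provider copies the user attribute into a 'tenant_id' claim.
"""


class TenantError(Exception):
    """Raised when a request must be rejected (map to HTTP 403)."""


def tenant_from_claims(claims):
    """Return the caller's tenant, failing closed on anything ambiguous."""
    value = claims.get("tenant_id")
    # A multi-valued attribute may arrive as a list; accept only a
    # single-element list so a token can never match two tenants.
    if isinstance(value, list) and len(value) == 1:
        value = value[0]
    if not isinstance(value, str) or not value.strip():
        raise TenantError("token carries no usable tenant_id claim")
    return value.strip()


def authorize(claims, resource_tenant):
    """Allow access only when the token's tenant owns the resource."""
    if tenant_from_claims(claims) != resource_tenant:
        raise TenantError("resource belongs to another tenant")


def list_for_tenant(claims, rows):
    """Scope a listing by the token's tenant, never by a request parameter."""
    tenant = tenant_from_claims(claims)
    return [r for r in rows if r["tenant_id"] == tenant]


# Constructed sample data standing in for a service's own table.
ROWS = [
    {"id": 1, "tenant_id": "acme"},
    {"id": 2, "tenant_id": "globex"},
    {"id": 3, "tenant_id": "acme"},
]

if __name__ == "__main__":
    alice = {"sub": "alice", "tenant_id": "acme"}  # constructed claims
    print(list_for_tenant(alice, ROWS))
```

Every service that returns tenant-owned data needs the same check, since a single realm gives no isolation of its own.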