11:19 a.m.
Hi,
As we are currently load testing Keycloak to see whether it could be a good
fit in our system, we experience trouble to reach good performance for the
user login.
In our current set up we do direct login via password against Keycloak and
we get around 30 user logins per second.
Here is our current set up:
- 4 instances of Keycloak ( 1 CPU / 800MB of memory each, running in
Kubernetes)
- 1 Postgres db in AWS RDS with 20GB of SSD storage, 2 vCPU and 8GB of
memory
As it is hard to believe that one instance can only handle 10 requests per
second we were wondering if someone had done similar tests and if you would
be willing to share the results / test configuration .
Many thanks,
Thelo
--
Sent from: http://keycloak-user.88327.x6.nabble.com/
9:11 a.m.
The default hashing iterations is fairly high to safeguard for the case of
a leaked database.
See:
http://www.keycloak.org/docs/latest/server_admin/topics/threat/password-d...
If you are comfortable with decreasing the number of iterations that's
definitely the first thing to try to increase performance.
On Oct 12, 2017 18:53, "Thelo" <thelo.gaultier(a)gmail.com> wrote:
Hi,
As we are currently load testing Keycloak to see whether it could be a good
fit in our system, we experience trouble to reach good performance for the
user login.
In our current set up we do direct login via password against Keycloak and
we get around 30 user logins per second.
Here is our current set up:
- 4 instances of Keycloak ( 1 CPU / 800MB of memory each, running in
Kubernetes)
- 1 Postgres db in AWS RDS with 20GB of SSD storage, 2 vCPU and 8GB of
memory
As it is hard to believe that one instance can only handle 10 requests per
second we were wondering if someone had done similar tests and if you would
be willing to share the results / test configuration .
Many thanks,
Thelo
--
Sent from: http://keycloak-user.88327.x6.nabble.com/
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2:05 a.m.
Is it possible disable it ?
On Wed, Oct 18, 2017 at 4:11 PM, Marko Strukelj <mstrukel(a)redhat.com> wrote:
The default hashing iterations is fairly high to safeguard for the
case of
a leaked database.
See:
http://www.keycloak.org/docs/latest/server_admin/topics/
threat/password-db-compromised.html
If you are comfortable with decreasing the number of iterations that's
definitely the first thing to try to increase performance.
On Oct 12, 2017 18:53, "Thelo" <thelo.gaultier(a)gmail.com> wrote:
> Hi,
>
>
> As we are currently load testing Keycloak to see whether it could be a
good
> fit in our system, we experience trouble to reach good performance for
the
> user login.
>
> In our current set up we do direct login via password against Keycloak
and
> we get around 30 user logins per second.
>
> Here is our current set up:
> - 4 instances of Keycloak ( 1 CPU / 800MB of memory each, running in
> Kubernetes)
> - 1 Postgres db in AWS RDS with 20GB of SSD storage, 2 vCPU and 8GB of
> memory
>
> As it is hard to believe that one instance can only handle 10 requests
per
> second we were wondering if someone had done similar tests and if you
would
> be willing to share the results / test configuration .
>
> Many thanks,
>
> Thelo
>
>
>
> --
> Sent from: http://keycloak-user.88327.x6.nabble.com/
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2:49 a.m.
Hi,
Indeed the performance increased but this is not really recommended ( the
new nist guideline recommend at least 10K iterations, but this will only
increase over time). Has anyone tried to move the password hashing outside
of Keycloak ( AWS Lambda for example, or any scalable micro service) to
reduce the CPU usage of keycloak and allow it to deal with more request per
second ( the latency will be high but this might be ok) ?
@Meissa: You can reduce the number of iteration or switch to another
hashing algorithm, but once again if your database leaks, your password
might be more easily crackable.
@Marko: do you know if at some point the interaction between the different
node of a cluster might become a possible bottleneck in the case of a large
cluster?
Many thanks,
Thelo
2017-10-19 9:05 GMT+02:00 Meissa M'baye Sakho <msakho(a)redhat.com>:
Is it possible disable it ?
On Wed, Oct 18, 2017 at 4:11 PM, Marko Strukelj <mstrukel(a)redhat.com>
wrote:
> The default hashing iterations is fairly high to safeguard for the case of
> a leaked database.
>
> See:
> http://www.keycloak.org/docs/latest/server_admin/topics/thre
> at/password-db-compromised.html
>
> If you are comfortable with decreasing the number of iterations that's
> definitely the first thing to try to increase performance.
>
>
> On Oct 12, 2017 18:53, "Thelo" <thelo.gaultier(a)gmail.com> wrote:
>
> > Hi,
> >
> >
> > As we are currently load testing Keycloak to see whether it could be a
> good
> > fit in our system, we experience trouble to reach good performance for
> the
> > user login.
> >
> > In our current set up we do direct login via password against Keycloak
> and
> > we get around 30 user logins per second.
> >
> > Here is our current set up:
> > - 4 instances of Keycloak ( 1 CPU / 800MB of memory each, running in
> > Kubernetes)
> > - 1 Postgres db in AWS RDS with 20GB of SSD storage, 2 vCPU and 8GB of
> > memory
> >
> > As it is hard to believe that one instance can only handle 10 requests
> per
> > second we were wondering if someone had done similar tests and if you
> would
> > be willing to share the results / test configuration .
> >
> > Many thanks,
> >
> > Thelo
> >
> >
> >
> > --
> > Sent from: http://keycloak-user.88327.x6.nabble.com/
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
4:21 a.m.
Thelo,
*do you know if at some point the interaction between the different node of
a cluster might become a possible bottleneck in the case of a large
cluster?*
It depends on how you cluster is configured particulary the server cache
configuration.
If you replicate everything accross your cluster nodes, you may encounter
performance issues.
You can change the number of nodes that replicate a piece of data by change
the owners attribute in the distributed-cache declaration.
take a look at the section 9.2 of the documentation below:
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/...
Meissa
On Thu, Oct 19, 2017 at 9:49 AM, Thelo Gaultier <thelo.gaultier(a)gmail.com>
wrote:
Hi,
Indeed the performance increased but this is not really recommended ( the
new nist guideline recommend at least 10K iterations, but this will only
increase over time). Has anyone tried to move the password hashing outside
of Keycloak ( AWS Lambda for example, or any scalable micro service) to
reduce the CPU usage of keycloak and allow it to deal with more request per
second ( the latency will be high but this might be ok) ?
@Meissa: You can reduce the number of iteration or switch to another
hashing algorithm, but once again if your database leaks, your password
might be more easily crackable.
@Marko: do you know if at some point the interaction between the different
node of a cluster might become a possible bottleneck in the case of a large
cluster?
Many thanks,
Thelo
2017-10-19 9:05 GMT+02:00 Meissa M'baye Sakho <msakho(a)redhat.com>:
> Is it possible disable it ?
>
> On Wed, Oct 18, 2017 at 4:11 PM, Marko Strukelj <mstrukel(a)redhat.com>
> wrote:
>
>> The default hashing iterations is fairly high to safeguard for the case
>> of
>> a leaked database.
>>
>> See:
>> http://www.keycloak.org/docs/latest/server_admin/topics/thre
>> at/password-db-compromised.html
>>
>> If you are comfortable with decreasing the number of iterations that's
>> definitely the first thing to try to increase performance.
>>
>>
>> On Oct 12, 2017 18:53, "Thelo" <thelo.gaultier(a)gmail.com> wrote:
>>
>> > Hi,
>> >
>> >
>> > As we are currently load testing Keycloak to see whether it could be a
>> good
>> > fit in our system, we experience trouble to reach good performance for
>> the
>> > user login.
>> >
>> > In our current set up we do direct login via password against Keycloak
>> and
>> > we get around 30 user logins per second.
>> >
>> > Here is our current set up:
>> > - 4 instances of Keycloak ( 1 CPU / 800MB of memory each, running in
>> > Kubernetes)
>> > - 1 Postgres db in AWS RDS with 20GB of SSD storage, 2 vCPU and 8GB of
>> > memory
>> >
>> > As it is hard to believe that one instance can only handle 10
>> requests per
>> > second we were wondering if someone had done similar tests and if you
>> would
>> > be willing to share the results / test configuration .
>> >
>> > Many thanks,
>> >
>> > Thelo
>> >
>> >
>> >
>> > --
>> > Sent from: http://keycloak-user.88327.x6.nabble.com/
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user(a)lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
2626
days inactive
2633
days old
4 comments
4 participants
participants (4)
-
Marko Strukelj -
Meissa M'baye Sakho -
Thelo -
Thelo Gaultier