Hi,
We have externalized all distributed/replicated caches mentioned in
standalone-ha under the keycloak cache-container to an external Infinispan, which
is in a local and cross-DC cluster. The following are the externalized caches:
work, sessions, authenticationSessions, offlineSessions,
loginFailures, actionTokens.
Below is Keycloak's Infinispan configuration section:
<subsystem xmlns="urn:jboss:domain:infinispan:4.0">
<cache-container name="keycloak"
module="org.keycloak.keycloak-model-infinispan"
jndi-name="infinispan/Keycloak">
<local-cache name="realms">
<eviction strategy="LRU" max-entries="10000"/>
</local-cache>
<local-cache name="users">
<eviction strategy="LRU" max-entries="10000"/>
</local-cache>
<local-cache name="sessions">
<remote-store cache="sessions" remote-servers="remote-cache"
fetch-state="false" passivation="false" preload="false" purge="false"
shared="true">
<property name="rawValues">
true
</property>
<property name="marshaller">
org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory
</property>
</remote-store>
</local-cache>
<local-cache name="offlineSessions">
<remote-store cache="offlineSessions" remote-servers="remote-cache"
fetch-state="false" passivation="false" preload="false" purge="false"
shared="true">
<property name="rawValues">
true
</property>
<property name="marshaller">
org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory
</property>
</remote-store>
</local-cache>
<local-cache name="loginFailures">
<remote-store cache="loginFailures" remote-servers="remote-cache"
fetch-state="false" passivation="false" preload="false" purge="false"
shared="true">
<property name="rawValues">
true
</property>
<property name="marshaller">
org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory
</property>
</remote-store>
</local-cache>
<local-cache name="work">
<remote-store cache="work" remote-servers="remote-cache"
fetch-state="false" passivation="false" preload="false" purge="false"
shared="true">
<property name="rawValues">
true
</property>
<property name="marshaller">
org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory
</property>
</remote-store>
</local-cache>
<local-cache name="authorization">
<eviction strategy="LRU" max-entries="100"/>
</local-cache>
<local-cache name="keys">
<eviction strategy="LRU" max-entries="1000"/>
<expiration max-idle="3600000"/>
</local-cache>
<local-cache name="authenticationSessions">
<remote-store cache="authenticationSessions" remote-servers="remote-cache"
fetch-state="false" passivation="false" preload="false" purge="false"
shared="true">
<property name="rawValues">
true
</property>
<property name="marshaller">
org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory
</property>
</remote-store>
<eviction strategy="NONE" max-entries="-1"/>
<expiration interval="300000" max-idle="-1"/>
</local-cache>
<local-cache name="actionTokens">
<remote-store cache="actionTokens" remote-servers="remote-cache"
fetch-state="false" passivation="false" preload="false" purge="false"
shared="true">
<property name="rawValues">
true
</property>
<property name="marshaller">
org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory
</property>
</remote-store>
<eviction strategy="NONE" max-entries="-1"/>
<expiration interval="300000" max-idle="-1"/>
</local-cache>
</cache-container>
<cache-container name="server" default-cache="default"
module="org.wildfly.clustering.server">
<local-cache name="default">
<transaction mode="BATCH"/>
</local-cache>
</cache-container>
<cache-container name="web" default-cache="passivation"
module="org.wildfly.clustering.web.infinispan">
<local-cache name="passivation">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
<file-store passivation="true" purge="false"/>
</local-cache>
<local-cache name="persistent">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
<file-store passivation="false" purge="false"/>
</local-cache>
</cache-container>
<cache-container name="ejb" aliases="sfsb" default-cache="passivation"
module="org.wildfly.clustering.ejb.infinispan">
<local-cache name="passivation">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
<file-store passivation="true" purge="false"/>
</local-cache>
<local-cache name="persistent">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
<file-store passivation="false" purge="false"/>
</local-cache>
</cache-container>
<cache-container name="hibernate" default-cache="local-query"
module="org.hibernate.infinispan">
<local-cache name="entity">
<transaction mode="NON_XA"/>
<eviction strategy="LRU" max-entries="10000"/>
<expiration max-idle="100000"/>
</local-cache>
<local-cache name="local-query">
<eviction strategy="LRU" max-entries="10000"/>
<expiration max-idle="100000"/>
</local-cache>
<local-cache name="timestamps"/>
</cache-container>
</subsystem>
Do you see any issue with the above config for a local + cross-DC cluster?
Thanks
On Fri, Sep 15, 2017 at 5:57 PM, Hynek Mlnarik <hmlnarik(a)redhat.com> wrote:
Putting aside cross DC, if you use default settings of caches in
standalone.xml, the objects within the caches would not be shared in
the cluster. That for example means that changes in realm settings
would not propagate to other nodes and node states would thus become
inconsistent, any node failure would lead to loss of state data stored
at that node, etc.
In cross DC, not all caches are shared between sites, e.g.
authentication session cache is usually local to the cluster, so using
cross-DC setup for "single-node clusters" you describe would not cure
all potential issues coming out of not using standalone-ha profile.
On Fri, Sep 15, 2017 at 12:32 PM, Vikrant Singh
<vikrant02.work(a)gmail.com> wrote:
> Hi,
>
> Recently there was a blog on cross dc support for keycloak
>
> http://blog.keycloak.org/2017/09/cross-datacenter-support-in-keycloak.html
>
> We have done something similar to that with one difference. In our
> deployment we have keycloak in standalone mode rather than standalone-ha.
> All keycloak instances are using same db. With this setup we are
> successfully able to achieve HA across same dc and cross dc both.
>
> Is there any benefit of using standalone-ha over standalone? since all
> clustering requirement will be handled by external infinispan server.
>
> Thanks!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
--Hynek
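
An added example, not part of the original thread or of Keycloak: a small audit of an Infinispan subsystem block that reports which caches in the keycloak cache-container stay node-local, and whether each cache listed above as externalized has a shared remote-store pointing at the same-named remote cache. The sample XML is constructed and cut down, and the function name `audit` is hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"ispn": "urn:jboss:domain:infinispan:4.0"}
# Caches the first message lists as externalized to the remote Infinispan.
EXPECTED_REMOTE = {"work", "sessions", "authenticationSessions",
                   "offlineSessions", "loginFailures", "actionTokens"}

# Constructed sample in the shape of the posted config, with deliberate gaps.
SAMPLE = """
<subsystem xmlns="urn:jboss:domain:infinispan:4.0">
  <cache-container name="keycloak" jndi-name="infinispan/Keycloak">
    <local-cache name="realms"><eviction strategy="LRU" max-entries="10000"/></local-cache>
    <local-cache name="sessions">
      <remote-store cache="sessions" remote-servers="remote-cache" shared="true"/>
    </local-cache>
    <local-cache name="loginFailures"/>
    <local-cache name="work">
      <remote-store cache="wrk" remote-servers="remote-cache" shared="false"/>
    </local-cache>
  </cache-container>
</subsystem>
"""

def audit(xml_text, container="keycloak"):
    """Return (node_local_cache_names, findings) for one cache-container."""
    root = ET.fromstring(xml_text)
    cc = root.find(f"ispn:cache-container[@name='{container}']", NS)
    if cc is None:
        raise ValueError(f"no cache-container named {container!r}")
    node_local, findings, seen = [], [], set()
    for cache in cc:
        name = cache.get("name")
        seen.add(name)
        store = cache.find("ispn:remote-store", NS)
        if store is None:  # state lives only on this node
            node_local.append(name)
            if name in EXPECTED_REMOTE:
                findings.append(f"{name}: expected remote-store, none configured")
            continue
        if store.get("cache") != name:
            findings.append(f"{name}: remote-store points at cache {store.get('cache')!r}")
        if store.get("shared") != "true":
            findings.append(f"{name}: remote-store is not shared")
    findings += [f"{n}: cache not defined" for n in sorted(EXPECTED_REMOTE - seen)]
    return node_local, findings

if __name__ == "__main__":
    local, problems = audit(SAMPLE)
    print(local, *problems, sep="\n")
```
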