[keycloak-dev] Realm cache
Bill Burke
bburke at redhat.com
Thu Dec 3 10:10:07 EST 2015
On 12/3/2015 7:50 AM, Stian Thorgersen wrote:
> There's still some outstanding issues with the realm cache. It works,
> but can and should be improved for 1.8.
>
> One issue was that once the realm is updated any methods on clients,
> roles or groups return the underlying adapter instead of the cache
> adapters. As a workaround in 1.7 it now ejects all clients for a realm
> when it sees any changes.
>
Why is that a bad thing? Usually, roles, groups, and clients are not
accessed in the same session as a realm update. Realms are usually not
updated. Client registration/unregistration is rare too for most apps.
The vast majority (90%+?) of access is read-only for realms and clients.
> We have a few potential ways to solve this:
>
> a) try to always return cache adapters - I went down this road attacking
> it from a few different approaches, but was never successful as there
> was always something that didn't work
See above, I don't think this is an issue. What we should do is
identify if any updates are performed on realms/clients per login/token
refresh and remove or isolate them so that the realm/client caches
aren't invalidated.
> b) only cache realms and have everything else hang off it - this is my
> preferred option for now. As long as updating clients requires
> invalidating the realm it seems a bit over the top to have separate
> caches for everything
Why can't you keep it as it is?
RealmAdapter.getDelegateForUpdate() always registers a realm
invalidation. add/remove client are methods on RealmModel so the realm
cache was always invalidated. The only time you need to invalidate the
realm is when clientId is changed.
> c) make the cache smarter - instead of invalidating a realm, make sure
> we add/remove the clients, etc..
>
It's an invalidation cache, so "C" won't work unless you have a separate
cache for the client list. So you'd need a realm cache, client list
cache, and client cache.
> We also need more automated testing around clustering. Late in 1.7
> release process I identified that caches were invalidated when other
> nodes loaded things to it, so effectively the cache wasn't working at
> all in a cluster.
>
> Thoughts?
>
I think this is a bit of effort for little gain. Users will only see a
difference if there is a lot of realm administration happening.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com