[keycloak-user] Keycloak goes to AD to fetch users every page load, does not use local store.
Ushanas Shastri
ushanas.shastri at viteos.com
Thu Aug 4 10:31:56 EDT 2016
Classification: INTERNAL
I meant the Authorization features that have an auto-complete search on pages like Evaluate (under Authorization) and Add Policy User Based.
For e.g.
[cid:image001.png at 01D1EE8A.A1B86990]
If I just access this page, without initiating a search by typing something in Users, a call is made to /auth/admin/realms/servlet-authz/users, which loads all users
Here's a snippet of the response which shows 898 users returned.
[cid:image002.png at 01D1EE8A.DE2EC680]
I believe this user data should be fetched only based on a search criteria, and that too from the SQL cache, instead of going to AD.
Regards, Ushanas.
From: Bill Burke [mailto:bburke at redhat.com]
Sent: Thursday, August 04, 2016 7:46 PM
To: Ushanas Shastri; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak goes to AD to fetch users every page load, does not use local store.
Again, are you just talking about the Admin Console? Please list exactly what actions load thousands of users.
* IN the admin console Users page, if you search for a user, LDAP will be queried once by username, email, or first+last name depending on the format of the search string.
* View All Users will *NOT* query LDAP. It will only show imported users aka users that have already be imported from LDAP.
I'm not sure about the new Authorization stuff. Is this what you mean by the Evaluation screen or in the User base Policy?
On 8/4/16 10:05 AM, Ushanas Shastri wrote:
Classification: INTERNAL
Not just when I manage Users.
Even in the Evaluation screen or in the User based Policy (any place we show a list of users), on page load, all users are fetched.
Even if users have to be queries from all providers, shouldn't we wait for the user to enter a search criteria, and only then query based on that search criteria? At the moment, if I have a 1000 users in AD, on each page load 1000 users are fetched from AD, without even me attempting a search.
Regards, Ushanas.
From: keycloak-user-bounces at lists.jboss.org<mailto:keycloak-user-bounces at lists.jboss.org> [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
Sent: Thursday, August 04, 2016 6:50 PM
To: keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Keycloak goes to AD to fetch users every page load, does not use local store.
You mean when you manage the users from the Admin Console? The searchbox is meant to be a general pattern and is equivalent to a LIKE clause in RDBMS. So this means all providers must be queried.
On 8/4/16 7:54 AM, Ushanas Shastri wrote:
Classification: INTERNAL
Hello,
We have Keycloak setup with SQL Server as a persistent store, and we have User Federation enabled with Microsoft Active Directory.
Why does Keycloak go back to querying AD on every page load (Manage-> Users or the Evaluate tab in Authorization)? Should it not get a list of users from the local SQL store only?
I'm seeing that on the page load, Keycloak gets a list of all users from AD. Considering we have a large number of users, this is time consuming. Don't know if it matters, but we do have an AD filter.
Regards, Ushanas.
Viteos Fund Services Ltd | www.viteos.com<http://www.viteosfundservices.com/>
Direct : +91-22-61082230 | US : +1- 888-821-7561 extn 240
Cell : +91-9820225580
Email : ushanas.shastri at viteos.com<mailto:ushanas.shastri at viteos.com>
This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mis-transmission. If you receive this message in error, please immediatelydelete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Viteos Capital Market Services Ltd.and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entit.
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mis-transmission. If you receive this message in error, please immediatelydelete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Viteos Capital Market Services Ltd.and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entit.
This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mis-transmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Viteos Capital Market Services Ltd.and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160804/7d84a36a/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 20249 bytes
Desc: image001.png
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160804/7d84a36a/attachment-0002.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 52717 bytes
Desc: image002.png
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160804/7d84a36a/attachment-0003.png
More information about the keycloak-user
mailing list