[keycloak-user] Performance issues with Federation provider enabled
Marek Posolda
mposolda at redhat.com
Wed Jun 8 06:28:19 EDT 2016
Hi,
what's the keycloak version used? Could you try latest keycloak and
check if performance is still the issue?
Marek
On 08/06/16 01:30, Fabricio Milone wrote:
> Hi all,
>
> I sent this email yesterday with 5 or more attachments, so I think it
> was blocked or something... here I go again :)
>
> I've been running load tests on our application during the last few
> weeks, and having some performance issues when my custom federator is
> enabled.
>
> The performance issue does not exist when the federator is disabled.
> *Configuration*:
>
> I have a cluster of 2 instances of Keycloak, with a standalone DB,
> we've verified the DB isn't an issue when the federator is disabled.
> Both instances have a quad core CPU and they are in the same network.
> We’ve left the memory at 512MB. The test script, database and API that
> connects to the federator are in separate machines.
> *Federator*:
>
> We have a simple custom federator that makes calls to a very
> performant api, which has been tested and is ok. Additionally, we've
> tested stubbing the API so the performance is not a problem there.
> This federator is using a jaxb marshaller to create a request, again
> tested in isolation and is performing well.
>
> As the federator is doing a lot of calls to the API (3 per login
> request), I've implemented a httpclient that uses a
> PoolingHttpClientConnectionManager with 1000 connections available to
> use, instead of using the standard apache httpclient from http
> components. That hasn't improved a bit the performance of the system.
> *Tests*:
> It is a gatling scala script that could generate around ~300 (or more)
> requests/second to the direct grants login endpoint using random
> usernames from a list (all of them already registered using KC). The
> script is doing a round robin across both instances of Keycloak with
> an even distribution to each KC instance.
> The idea is simulate a load of 300 to 1500 concurrent users trying to
> login into our systems.
> *Problem*:
>
> If I run the tests without using a federation I can see a very good
> performance, but when I try to run the tests with the custom
> federation code, the performance drops from ~150 requests/second to 22
> req/sec using both instances.
> Memory wise, it seems to be ok. I've never seen an error related to
> memory with this configuration, also if you take a look at the
> attached visualVM screenshot you'll see that memory is not a problem
> or it seems not to be.
> CPU utilisation is very low to my mind, I'd expect more than 80% of
> usage or something like that.
> There is a method that is leading the CPU samples on VisualVM called
> Semaphore.tryAcquire(). Not quite sure what's that for, still
> investigating.
>
> I can see that a lot of new threads are being created when the test
> starts, as it creates around 60requests/second to the direct grants
> login call, but it seems to be a bottleneck at some point.
>
> So I'm wondering if there is some configuration I'm missing on
> Keycloak side that could be affecting the cluster performance when a
> federator is enabled. Maybe something related to jpa connections,
> infinispan configuration or even wildfly.
>
> I'd really appreciate your help on this one as I'm out of ideas.
>
> I've attached some screenshots of visualVM and tests results from my
> last run today.
>
>
> Sorry for the long email and please let me know if you need further
> information.
>
> Thank you in advance,
>
> Regards,
> Fab
>
> --
> *Fabricio Milone*
> Developer
> *
> *
> *
> Shine Consulting *
>
> 30/600 Bourke Street
>
> Melbourne VIC 3000
>
> T: 03 8488 9939
>
> M: 04 3200 4006
>
>
> www.shinetech.com <http://www.shinetech.com/>/*a*/ passion for excellence
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160608/7fc66d20/attachment.html
More information about the keycloak-user
mailing list