[keycloak-user] Supporting sticky sessions

Marek Posolda mposolda at redhat.com
Mon Mar 7 05:46:07 EST 2016


On 04/03/16 16:34, Bill Burke wrote:
> There's a minimum of 4 HTTP requests.  There are about 6 SQL queries to 
> load a user.  So, if there are 2 nodes, you have a minimum of 12 queries for 
> an uncached user. It really all depends on how big the cache can be.  
> Couldn't a million users be cached on a pretty inexpensive box?  My 
> laptop has 32 gig ram.  10K per user is 10 gigs for a million users.
>
> Then, depending on UserSession ownership setting, you have 
> pulling/grabbing/replication of the client sessions as you hop between 
> nodes.  This is the one that can't be fixed.  I don't know how much of 
> a big deal it is.
Just one important thing about how distributed Infinispan caches work by 
default. I think it's quite important and may not be obvious, so I'm writing 
it here just in case. Feel free to ignore if you're already aware of it.

If you have numOwners=1 in the configuration and on node1 you call:

cache.put("session-id1", userSession1);

It doesn't mean that the session is automatically saved on the local node 
(node1 in this case). The session can be saved internally on node2 and when 
you call on node1:

cache.get("session-id1");

you may always have some remote cluster calls to look up the session from node2.

It seems that by default Infinispan decides just based on the hash of the key 
(sessionId in our case). Hopefully it's possible to change this 
behaviour by using some custom hash factory: 
http://infinispan.org/docs/8.2.x/user_guide/user_guide.html#_hashing_algorithms 
. IMO we should first investigate this, otherwise we may end up in a 
situation where we implement sticky sessions support, but there won't be 
any performance gain regarding userSessions lookup because of this 
Infinispan behaviour.

Marek
>
> On 3/4/2016 10:18 AM, Stian Thorgersen wrote:
>> Users are cached so that helps + it's possible to load balance based 
>> on source address. Do you really think that a lot of people will run 
>> that many nodes in either case?
>>
>> On 4 March 2016 at 14:52, Bill Burke <bburke at redhat.com> wrote:
>>
>>     I'm not sure how well keycloak would scale without this.
>>
>>
>>     On 3/4/2016 7:15 AM, Stian Thorgersen wrote:
>>>     Eventually it would be nice to support the ability for load
>>>     balancers to send all requests for a particular user session to
>>>     the same node (browser as well as client requests).
>>>
>>>     More details here: https://issues.jboss.org/browse/KEYCLOAK-2352
>>>
>>>     Is this a high priority for 1.9 or should it be 2.x? We may be
>>>     able to put it into 1.9.2 if required.
>>>
>>>     I'd like feedback on how useful folks think it would be as well
>>>     as feedback on the proposed implementation.
>>>
>>>
>>>     _______________________________________________
>>>     keycloak-user mailing list
>>>     keycloak-user at lists.jboss.org
>>>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>     -- 
>>     Bill Burke
>>     JBoss, a division of Red Hat
>>     http://bill.burkecentral.com
>
> -- 
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

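An added illustration of the placement behaviour described in Marek's message (not code from the thread or from Infinispan): a simplified Python model in which a key's owner is derived from the key hash alone, so a put() on node1 is usually stored elsewhere. The segment count, the SHA-256 stand-in hash, the round-robin segment-to-node mapping and all function names are assumptions of this model.

```python
import hashlib
import uuid

NUM_SEGMENTS = 60  # assumption: segment count chosen for this model


def segment_of(key):
    """Map a key to a segment with a stable hash (SHA-256 as a stand-in)."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:8], "big") % NUM_SEGMENTS


def owners_of(key, nodes, num_owners=1):
    """Nodes that store `key`. Only the key hash decides, never the caller."""
    first = segment_of(key) % len(nodes)  # assumption: round-robin segments
    return [nodes[(first + i) % len(nodes)] for i in range(num_owners)]


def local_hit_ratio(local_node, nodes, keys, num_owners=1):
    """Fraction of keys whose get() on local_node needs no remote call."""
    hits = sum(local_node in owners_of(k, nodes, num_owners) for k in keys)
    return hits / len(keys)


def new_local_session_id(local_node, nodes, max_tries=1000):
    """Affinity sketch: keep drawing random ids until one is owned locally."""
    for _ in range(max_tries):
        candidate = str(uuid.uuid4())  # ids stay random; only placement is filtered
        if local_node in owners_of(candidate, nodes):
            return candidate
    raise RuntimeError("no locally owned id found")


if __name__ == "__main__":
    nodes = ["node1", "node2", "node3", "node4"]
    keys = [f"session-id{i}" for i in range(10000)]  # constructed sample keys
    print("numOwners=1:", local_hit_ratio("node1", nodes, keys))
    print("numOwners=2:", local_hit_ratio("node1", nodes, keys, num_owners=2))
    sid = new_local_session_id("node1", nodes)
    print(sid, "->", owners_of(sid, nodes))
```

In this model roughly numOwners/N of the sessions written through node1 are readable there without a remote call, which is why routing a user to one node does not by itself make the session lookup local.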